Commit d29be158 authored by Miloslav Trmac's avatar Miloslav Trmac Committed by Al Viro

Audit: add support to match lsm labels on user audit messages

Add support for matching by security label (e.g. SELinux context) of
the sender of an user-space audit record.

The audit filter code already allows user space to configure such
filters, but they were ignored during evaluation.  This patch implements
evaluation of these filters.

For example, after application of this patch, PAM authentication logs
caused by cron can be disabled using
	auditctl -a user,never -F subj_type=crond_t
Signed-off-by: default avatarMiloslav Trmac <mitr@redhat.com>
Acked-by: default avatarEric Paris <eparis@redhat.com>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 2d10d873
...@@ -1252,6 +1252,18 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb, ...@@ -1252,6 +1252,18 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
case AUDIT_LOGINUID: case AUDIT_LOGINUID:
result = audit_comparator(cb->loginuid, f->op, f->val); result = audit_comparator(cb->loginuid, f->op, f->val);
break; break;
case AUDIT_SUBJ_USER:
case AUDIT_SUBJ_ROLE:
case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
if (f->lsm_rule)
result = security_audit_rule_match(cb->sid,
f->type,
f->op,
f->lsm_rule,
NULL);
break;
} }
if (!result) if (!result)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment