Commit efaffd6e authored by Eric Paris's avatar Eric Paris Committed by Al Viro

audit: allow matching on obj_uid

Allow syscall exit filter matching based on the uid of the owner of an
inode used in a syscall.  aka:

auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 6422e78d
......@@ -223,6 +223,7 @@
#define AUDIT_PERM 106
#define AUDIT_DIR 107
#define AUDIT_FILETYPE 108
#define AUDIT_OBJ_UID 109
#define AUDIT_ARG0 200
#define AUDIT_ARG1 (AUDIT_ARG0+1)
......
......@@ -461,6 +461,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
case AUDIT_ARG1:
case AUDIT_ARG2:
case AUDIT_ARG3:
case AUDIT_OBJ_UID:
break;
case AUDIT_ARCH:
entry->rule.arch_f = f;
......
......@@ -586,6 +586,18 @@ static int audit_filter_rules(struct task_struct *tsk,
}
}
break;
case AUDIT_OBJ_UID:
if (name) {
result = audit_comparator(name->uid, f->op, f->val);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
if (audit_comparator(n->uid, f->op, f->val)) {
++result;
break;
}
}
}
break;
case AUDIT_WATCH:
if (name)
result = audit_watch_compare(rule->watch, name->ino, name->dev);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment