audit: check current inode and containing object when filtering on major and minor
The audit system has the ability to filter on the major and minor number of the device containing the inode being operated upon. Lets say that /dev/sda1 has major,minor 8,1 and that we mount /dev/sda1 on /boot. Now lets say we add a watch with a filter on 8,1. If we proceed to open an inode inside /boot, such as /vboot/vmlinuz, we will match the major,minor filter. Lets instead assume that one were to use a tool like debugfs and were to open /dev/sda1 directly and to modify it's contents. We might hope that this would also be logged, but it isn't. The rules will check the major,minor of the device containing /dev/sda1. In other words the rule would match on the major/minor of the tmpfs mounted at /dev. I believe these rules should trigger on either device. The man page is devoid of useful information about the intended semantics. It only seems logical that if you want to know everything that happened on a major,minor that would include things that happened to the device itself... Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
parent
3035c51e8a
commit
16c174bd95
1 changed files with 14 additions and 10 deletions
|
@ -540,12 +540,14 @@ static int audit_filter_rules(struct task_struct *tsk,
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case AUDIT_DEVMAJOR:
|
case AUDIT_DEVMAJOR:
|
||||||
if (name)
|
if (name) {
|
||||||
result = audit_comparator(MAJOR(name->dev),
|
if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
|
||||||
f->op, f->val);
|
audit_comparator(MAJOR(name->rdev), f->op, f->val))
|
||||||
else if (ctx) {
|
++result;
|
||||||
|
} else if (ctx) {
|
||||||
list_for_each_entry(n, &ctx->names_list, list) {
|
list_for_each_entry(n, &ctx->names_list, list) {
|
||||||
if (audit_comparator(MAJOR(n->dev), f->op, f->val)) {
|
if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
|
||||||
|
audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
|
||||||
++result;
|
++result;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -553,12 +555,14 @@ static int audit_filter_rules(struct task_struct *tsk,
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case AUDIT_DEVMINOR:
|
case AUDIT_DEVMINOR:
|
||||||
if (name)
|
if (name) {
|
||||||
result = audit_comparator(MINOR(name->dev),
|
if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
|
||||||
f->op, f->val);
|
audit_comparator(MINOR(name->rdev), f->op, f->val))
|
||||||
else if (ctx) {
|
++result;
|
||||||
|
} else if (ctx) {
|
||||||
list_for_each_entry(n, &ctx->names_list, list) {
|
list_for_each_entry(n, &ctx->names_list, list) {
|
||||||
if (audit_comparator(MINOR(n->dev), f->op, f->val)) {
|
if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
|
||||||
|
audit_comparator(MINOR(n->rdev), f->op, f->val)) {
|
||||||
++result;
|
++result;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue