audit: allow matching on obj_uid

Allow syscall exit filter matching based on the uid of the owner of an
inode used in a syscall.  aka:

auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa

Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
Eric Paris 2012-01-03 14:23:07 -05:00 committed by Al Viro
parent 6422e78de6
commit efaffd6e44
3 changed files with 14 additions and 0 deletions

View file

@ -223,6 +223,7 @@
#define AUDIT_PERM 106
#define AUDIT_DIR 107
#define AUDIT_FILETYPE 108
#define AUDIT_OBJ_UID 109
#define AUDIT_ARG0 200
#define AUDIT_ARG1 (AUDIT_ARG0+1)

View file

@ -461,6 +461,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
case AUDIT_ARG1:
case AUDIT_ARG2:
case AUDIT_ARG3:
case AUDIT_OBJ_UID:
break;
case AUDIT_ARCH:
entry->rule.arch_f = f;

View file

@ -586,6 +586,18 @@ static int audit_filter_rules(struct task_struct *tsk,
}
}
break;
case AUDIT_OBJ_UID:
if (name) {
result = audit_comparator(name->uid, f->op, f->val);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
if (audit_comparator(n->uid, f->op, f->val)) {
++result;
break;
}
}
}
break;
case AUDIT_WATCH:
if (name)
result = audit_watch_compare(rule->watch, name->ino, name->dev);