key in syscall audit rules.

David Woodhouse dwmw2 at infradead.org
Tue May 17 17:06:08 UTC 2005


I'm building an audit.40 with this in. Steve, does it look OK to you?

--- linux-2.6.9/include/linux/audit.h~	2005-05-17 14:43:57.000000000 +0100
+++ linux-2.6.9/include/linux/audit.h	2005-05-17 15:10:33.000000000 +0100
@@ -128,6 +128,8 @@ struct atomic_t;
 #define AUDIT_ARG2      (AUDIT_ARG0+2)
 #define AUDIT_ARG3      (AUDIT_ARG0+3)
 
+#define AUDIT_KEY	0x1000	/* Identifying key for rule */
+
 #define AUDIT_NEGATE    0x80000000
 
 
--- linux-2.6.9/kernel/auditsc.c~	2005-05-17 15:17:40.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c	2005-05-17 15:15:11.000000000 +0100
@@ -140,6 +140,7 @@ struct audit_context {
 	unsigned int	    serial;     /* serial number for record */
 	struct timespec	    ctime;      /* time of syscall entry */
 	uid_t		    loginuid;   /* login uid (identity) */
+	uint32_t	    key;	/* Key of rule which triggered auditing */
 	int		    major;      /* syscall number */
 	unsigned long	    argv[4];    /* syscall arguments */
 	int		    return_valid; /* return code is valid */
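Review bot: The new field at L26 is declared `uint32_t`, and the same type is used for the new parameter and local at L36 and L39, while the existing code in this file uses the kernel-internal `u32` (see `u32 field` at L42); in-kernel code conventionally keeps `uint32_t` for userspace-facing headers. `u32 key; /* key of the rule that triggered auditing, 0 if none */` would match the file and also document the zero sentinel that audit_log_exit relies on. Whether a freshly allocated audit_context has `key` zeroed is not visible in this patch; the `if (context->key)` test in the last hunk depends on it, so it is worth confirming in the allocator. The audit_context definition begins and ends outside this hunk.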
@@ -334,9 +335,11 @@ int audit_receive_filter(int type, int p
 static int audit_filter_rules(struct task_struct *tsk,
 			      struct audit_rule *rule,
 			      struct audit_context *ctx,
-			      enum audit_state *state)
+			      enum audit_state *state,
+			      uint32_t *key)
 {
 	int i, j;
+	uint32_t localkey = 0;
 
 	for (i = 0; i < rule->field_count; i++) {
 		u32 field  = rule->fields[i] & ~AUDIT_NEGATE;
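Review bot: The new `key` out-parameter at L36 has no comment stating its contract, which the rest of the patch shows to be non-obvious: callers may pass NULL, it is written only when the rule matches, and it receives 0 when the matching rule carries no AUDIT_KEY field. Suggest a line above the function: `/* key: if non-NULL, receives the AUDIT_KEY value of a matching rule (0 when the rule has none); left untouched when the rule does not match. */`. audit_filter_rules continues past the end of this hunk.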
@@ -429,8 +432,9 @@ static int audit_filter_rules(struct tas
 			if (ctx)
 				result = (ctx->argv[field-AUDIT_ARG0]==value);
 			break;
+		case AUDIT_KEY:
+			localkey = value;
 		}
-
 		if (rule->fields[i] & AUDIT_NEGATE)
 			result = !result;
 		if (!result)
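Review bot: The `case AUDIT_KEY:` added at L47-L48 does not assign `result`, so the match outcome for a key field is whatever `result` held before the switch; if it is initialised to 0 at the top of the loop body (not visible in this hunk), the `if (!result)` test below rejects every rule that carries a key, and a key field combined with AUDIT_NEGATE would be accepted for the wrong reason. A key is an identifier, not a filter criterion, so the case should accept unconditionally and terminate explicitly: `case AUDIT_KEY: localkey = value; result = 1; break;`. The removed blank line at L50 is unrelated whitespace. audit_filter_rules begins and ends outside this hunk.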
@@ -441,6 +445,8 @@ static int audit_filter_rules(struct tas
 	case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT;  break;
 	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
 	}
+	if (key)
+		*key = localkey;
 	return 1;
 }
 
@@ -451,11 +457,11 @@ static int audit_filter_rules(struct tas
 static enum audit_state audit_filter_task(struct task_struct *tsk)
 {
 	struct audit_entry *e;
-	enum audit_state   state;
+	enum audit_state state;
 
 	rcu_read_lock();
 	list_for_each_entry_rcu(e, &audit_tsklist, list) {
-		if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
+		if (audit_filter_rules(tsk, &e->rule, NULL, &state, NULL)) {
 			rcu_read_unlock();
 			return state;
 		}
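Review bot: The change at L67-L68 only realigns whitespace in a declaration and has no functional effect, and the same holds for L81-L84 in the next hunk. Mixing cosmetic realignment into a feature patch makes the key-passing change harder to review and to bisect later; consider dropping these lines or sending them as a separate cleanup.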
@@ -475,13 +481,13 @@ static enum audit_state audit_filter_sys
 {
 	struct audit_entry *e;
 	enum audit_state   state;
-	int		   word = AUDIT_WORD(ctx->major);
-	int		   bit  = AUDIT_BIT(ctx->major);
+	int word = AUDIT_WORD(ctx->major);
+	int bit  = AUDIT_BIT(ctx->major);
 
 	rcu_read_lock();
 	list_for_each_entry_rcu(e, list, list) {
 		if ((e->rule.mask[word] & bit) == bit
- 		    && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
+ 		    && audit_filter_rules(tsk, &e->rule, ctx, &state, &ctx->key)) {
 			rcu_read_unlock();
 			return state;
 		}
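Review bot: At L90 every rule on `list` that matches writes `ctx->key`, and audit_filter_rules stores its local key unconditionally on a match, so a matching rule without an AUDIT_KEY field stores 0. If audit_filter_syscall is invoked more than once for the same syscall with different lists (its `list` parameter suggests it is), a later key-less match erases a key recorded by an earlier one, and the exit record then lacks it. If the intended semantics is "the key of any matching rule", store only a non-zero value in audit_filter_rules, `if (key && localkey) *key = localkey;`, or document that the last matching rule wins. audit_filter_syscall begins before this hunk.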
@@ -677,6 +683,8 @@ static void audit_log_exit(struct audit_
 	if (!ab)
 		return;		/* audit_panic has been called */
 	audit_log_format(ab, "syscall=%d", context->major);
+	if (context->key)
+		audit_log_format(ab, " key=%x", context->key);
 	if (context->personality != PER_LINUX)
 		audit_log_format(ab, " per=%lx", context->personality);
 	audit_log_format(ab, " arch=%x", context->arch);
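Review bot: L98 logs the key only when it is non-zero, which makes 0 a reserved "no key" value that a user cannot assign to a rule, and nothing in the header hunk says so. Either document it next to the field, `/* 0 means no key was set; logged as key=%x */`, or emit the key whenever the context was matched by a rule, so that consumers of the audit record can distinguish "no key" from "key 0". audit_log_exit begins and ends outside this hunk.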


-- 
dwmw2



