[PATCH] Inter-field comparisons between uid/euid and gid/egid

Peter Moody pmoody at google.com
Sun Dec 11 19:04:24 UTC 2011


Not sure if this is the right way to go about this, but I've got a couple
of patches I'd like to be considered for inclusion.

This builds off of Eric's patches from November. Specifically the following
patches:

[01/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00019.html)
[02/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00020.html)
[16/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00034.html)
[17/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00035.html)
[18/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00036.html)
[19/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00037.html)
[20/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00038.html)


Signed-off-by: Peter Moody <pmoody at google.com>
---
 include/linux/audit.h |    4 +++-
 kernel/auditsc.c      |   18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 4c5437f..cce8f35 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -182,8 +182,10 @@
 /* AUDIT_FIELD_COMPARE rule list */
 #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
 #define AUDIT_COMPARE_GID_TO_OBJ_GID   2
+#define AUDIT_COMPARE_UID_TO_EUID      3
+#define AUDIT_COMPARE_GID_TO_EGID      4

-#define AUDIT_MAX_FIELD_COMPARE        AUDIT_COMPARE_GID_TO_OBJ_GID
+#define AUDIT_MAX_FIELD_COMPARE        AUDIT_COMPARE_GID_TO_EGID
 /* Rule fields */
  /* These are useful when checking the
  * task structure at task creation time
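
Review bot: The two new defines (values 3 and 4) have no comment saying that, unlike the existing *_TO_OBJ_* entries, they compare two credentials of the task itself and involve no object. A one-line comment above AUDIT_COMPARE_UID_TO_EUID stating that would help anyone reading this list to write rules. Since these numbers live in include/linux/audit.h and the patch sits on top of a series that is still under review, it is also worth confirming that 3 and 4 do not collide with comparisons that series may add, because AUDIT_MAX_FIELD_COMPARE is the only bound shown here.
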
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2be8bf3..08c8736 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -514,6 +514,24 @@ static int audit_field_compare(struct task_struct *tsk,
        return audit_compare_id(cred, offsetof(struct cred, gid),
        name, offsetof(struct audit_names, gid),
        f, ctx);
+ case AUDIT_COMPARE_UID_TO_EUID:
+ if(name)
+ return audit_comparator(cred->euid, f->op, cred->uid);
+ else if(ctx) {
+ struct audit_names *n;
+ list_for_each_entry(n, &ctx->names_list, list)
+ return audit_comparator(cred->euid, f->op, cred->uid);
+ }
+ break;
+ case AUDIT_COMPARE_GID_TO_EGID:
+ if(name)
+ return audit_comparator(cred->egid, f->op, cred->gid);
+ else if(ctx) {
+ struct audit_names *n;
+ list_for_each_entry(n, &ctx->names_list, list)
+ return audit_comparator(cred->egid, f->op, cred->gid);
+ }
+ break;
  default:
  return 0;
  }
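
Review bot: In both new cases the if(name) / else if(ctx) split and the list_for_each_entry() loop do no work: every path returns the same audit_comparator() call on cred fields only, `n` is declared but never read, and the loop returns on its first iteration. The side effect is that when name is NULL and ctx is NULL or ctx->names_list is empty, the case ends at `break` instead of returning the comparison, so a uid/euid mismatch is only evaluated when a name happens to be present, even though the result does not depend on any name. Each case can be reduced to a single `return audit_comparator(cred->uid, f->op, cred->euid);` (and the gid/egid equivalent). Note also that the calls as written pass euid/egid as the left operand while the constants are named UID_TO_EUID and GID_TO_EGID; if f->op can be an ordering operator the operand order changes the result, so it should match the name or be documented. Style: kernel convention is `if (name)` with a space.
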
-- 
1.7.3.1


-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038