audit: allow matching on obj_uid

Allow syscall exit filter matching based on the uid of the owner of an
inode used in a syscall.  aka:

auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa

Signed-off-by: Eric Paris <eparis@redhat.com>

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 67b66c37a254375f2e5a6fd95bb4994de3e8faa5..55cb3daaf474172192ab85ec55daf08a9e6004bc 100644 (file)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -223,6 +223,7 @@
 #define AUDIT_PERM     106
 #define AUDIT_DIR      107
 #define AUDIT_FILETYPE 108
+#define AUDIT_OBJ_UID  109
 
 #define AUDIT_ARG0      200
 #define AUDIT_ARG1      (AUDIT_ARG0+1)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 903caa269b5c5172d4df23bc559ac7152ff5a9d2..13e997423dcd85d43af5741098b51a8f70fce4cb 100644 (file)
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -461,6 +461,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                case AUDIT_ARG1:
                case AUDIT_ARG2:
                case AUDIT_ARG3:
+               case AUDIT_OBJ_UID:
                        break;
                case AUDIT_ARCH:
                        entry->rule.arch_f = f;

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4d8920f5ab88d1891c60ae5a5293c5819cbe34c4..5cf3ecc015176162481d13b257c3efc603c5a7a6 100644 (file)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -586,6 +586,18 @@ static int audit_filter_rules(struct task_struct *tsk,
                                }
                        }
                        break;
+               case AUDIT_OBJ_UID:
+                       if (name) {
+                               result = audit_comparator(name->uid, f->op, f->val);
+                       } else if (ctx) {
+                               list_for_each_entry(n, &ctx->names_list, list) {
+                                       if (audit_comparator(n->uid, f->op, f->val)) {
+                                               ++result;
+                                               break;
+                                       }
+                               }
+                       }
+                       break;
                case AUDIT_WATCH:
                        if (name)
                                result = audit_watch_compare(rule->watch, name->ino, name->dev);