linux-toradex.git/include/linux/audit.h, branch v3.3.5 Linux kernel for Apalis and Colibri modules audit: comparison on interprocess fields 2012-01-17T21:17:03+00:00 Peter Moody pmoody@google.com 2012-01-04T20:24:31+00:00 10d68360871657204885371cdf2594412675d2f9 This allows audit to specify rules in which we compare two fields of a process. Such as is the running process uid != to the running process euid? Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Eric Paris <eparis@redhat.com> 
This allows audit to specify rules in which we compare two fields of a
process.  Such as is the running process uid != to the running process
euid?

Signed-off-by: Peter Moody <pmoody@google.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
audit: implement all object interfield comparisons 2012-01-17T21:17:02+00:00 Peter Moody pmoody@google.com 2011-12-14T00:17:51+00:00 4a6633ed08af5ba67790b4d1adcdeb8ceb55677e This completes the matrix of interfield comparisons between uid/gid information for the current task and the uid/gid information for inodes. aka I can audit based on differences between the euid of the process and the uid of fs objects. Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Eric Paris <eparis@redhat.com> 
This completes the matrix of interfield comparisons between uid/gid
information for the current task and the uid/gid information for inodes.
aka I can audit based on differences between the euid of the process and
the uid of fs objects.

Signed-off-by: Peter Moody <pmoody@google.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
audit: allow interfield comparison between gid and ogid 2012-01-17T21:17:02+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:08+00:00 c9fe685f7a17a0ee8bf3fbe51e40b1c8b8e65896 Allow audit rules to compare the gid of the running task to the gid of the inode in question. Signed-off-by: Eric Paris <eparis@redhat.com> 
Allow audit rules to compare the gid of the running task to the gid of the
inode in question.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: allow interfield comparison in audit rules 2012-01-17T21:17:01+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:08+00:00 02d86a568c6d2d335256864451ac8ce781bc5652 We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis@redhat.com> 
We wish to be able to audit when a uid=500 task accesses a file which is
uid=0.  Or vice versa.  This patch introduces a new audit filter type
AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields
should be compared.  At this point we only define the task->uid vs
inode->uid, but other comparisons can be added.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: remove task argument to audit_set_loginuid 2012-01-17T21:17:00+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:08+00:00 0a300be6d5be8f66cd96609334710c268d0bfdce The function always deals with current. Don't expose an option pretending one can use it for something. You can't. Signed-off-by: Eric Paris <eparis@redhat.com> 
The function always deals with current.  Don't expose an option
pretending one can use it for something.  You can't.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: allow audit matching on inode gid 2012-01-17T21:16:59+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:07+00:00 54d3218b31aee5bc9c859ae60fbde933d922448b Much like the ability to filter audit on the uid of an inode collected, we should be able to filter on the gid of the inode. Signed-off-by: Eric Paris <eparis@redhat.com> 
Much like the ability to filter audit on the uid of an inode collected, we
should be able to filter on the gid of the inode.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: allow matching on obj_uid 2012-01-17T21:16:59+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:07+00:00 efaffd6e4417860c67576ac760dd6e8bbd15f006 Allow syscall exit filter matching based on the uid of the owner of an inode used in a syscall. aka: auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa Signed-off-by: Eric Paris <eparis@redhat.com> 
Allow syscall exit filter matching based on the uid of the owner of an
inode used in a syscall.  aka:

auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: remove audit_finish_fork as it can't be called 2012-01-17T21:16:59+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:07+00:00 6422e78de6880c66a82af512d9bd0c85eb62e661 Audit entry,always rules are not allowed and are automatically changed in exit,always rules in userspace. The kernel refuses to load such rules. Thus a task in the middle of a syscall (and thus in audit_finish_fork()) can only be in one of two states: AUDIT_BUILD_CONTEXT or AUDIT_DISABLED. Since the current task cannot be in AUDIT_RECORD_CONTEXT we aren't every going to actually use the code in audit_finish_fork() since it will return without doing anything. Thus drop the code. Signed-off-by: Eric Paris <eparis@redhat.com> 
Audit entry,always rules are not allowed and are automatically changed in
exit,always rules in userspace.  The kernel refuses to load such rules.

Thus a task in the middle of a syscall (and thus in audit_finish_fork())
can only be in one of two states: AUDIT_BUILD_CONTEXT or AUDIT_DISABLED.
Since the current task cannot be in AUDIT_RECORD_CONTEXT we aren't every
going to actually use the code in audit_finish_fork() since it will
return without doing anything.  Thus drop the code.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: inline audit_free to simplify the look of generic code 2012-01-17T21:16:58+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:07+00:00 a4ff8dba7d8ce5ceb43fb27df66292251cc73bdc make the conditional a static inline instead of doing it in generic code. Signed-off-by: Eric Paris <eparis@redhat.com> 
make the conditional a static inline instead of doing it in generic code.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: drop audit_set_macxattr as it doesn't do anything 2012-01-17T21:16:58+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:07+00:00 38cdce53daa0408a61fe6d86fe48f31515c9b840 unused. deleted. Signed-off-by: Eric Paris <eparis@redhat.com> 
unused.  deleted.

Signed-off-by: Eric Paris <eparis@redhat.com>