[PATCH] audit: AUDIT_PERM support

add support for AUDIT_PERM predicate Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

[PATCH] audit: AUDIT_PERM support
add support for AUDIT_PERM predicate Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro
1 parent dc104fb323
Showing 13 changed files with 236 additions and 0 deletions Side-by-side Diff
arch/i386/kernel/audit.c
arch/ia64/ia32/audit.c
arch/ia64/kernel/audit.c
arch/powerpc/kernel/audit.c
arch/powerpc/kernel/compat_audit.c
arch/s390/kernel/audit.c
arch/s390/kernel/compat_audit.c
arch/x86_64/ia32/audit.c
arch/x86_64/kernel/audit.c
include/linux/audit.h
kernel/audit.h
kernel/auditfilter.c
kernel/auditsc.c
@@ -23,6 +23,22 @@
 ~0U
 };
  
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
 static int __init audit_classes_init(void)
 {
 	audit_register_class(AUDIT_CLASS_WRITE, write_class);
@@ -19,4 +19,20 @@
 #include <asm-generic/audit_read.h>
 ~0U
 };
+
+int ia32_classify_syscall(unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 1;
+	}
+}
@@ -23,6 +23,25 @@
 ~0U
 };
  
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+#ifdef CONFIG_IA32_SUPPORT
+	extern int ia32_classify_syscall(unsigned);
+	if (abi == AUDIT_ARCH_I386)
+		return ia32_classify_syscall(syscall);
+#endif
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
 static int __init audit_classes_init(void)
 {
 #ifdef CONFIG_IA32_SUPPORT
@@ -23,6 +23,27 @@
 ~0U
 };
  
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+#ifdef CONFIG_PPC64
+	extern int ppc32_classify_syscall(unsigned);
+	if (abi == AUDIT_ARCH_PPC)
+		return ppc32_classify_syscall(syscall);
+#endif
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
 static int __init audit_classes_init(void)
 {
 #ifdef CONFIG_PPC64
@@ -20,4 +20,20 @@
 #include <asm-generic/audit_read.h>
 ~0U
 };
+
+int ppc32_classify_syscall(unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 1;
+	}
+}
@@ -23,6 +23,27 @@
 ~0U
 };
  
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+#ifdef CONFIG_COMPAT
+	extern int s390_classify_syscall(unsigned);
+	if (abi == AUDIT_ARCH_S390)
+		return s390_classify_syscall(syscall);
+#endif
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
 static int __init audit_classes_init(void)
 {
 #ifdef CONFIG_COMPAT
@@ -20,4 +20,20 @@
 #include <asm-generic/audit_read.h>
 ~0U
 };
+
+int s390_classify_syscall(unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 1;
+	}
+}
@@ -19,4 +19,20 @@
 #include <asm-generic/audit_read.h>
 ~0U
 };
+
+int ia32_classify_syscall(unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 1;
+	}
+}
@@ -23,6 +23,25 @@
 ~0U
 };
  
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+#ifdef CONFIG_IA32_EMULATION
+	extern int ia32_classify_syscall(unsigned);
+	if (abi == AUDIT_ARCH_I386)
+		return ia32_classify_syscall(syscall);
+#endif
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
 static int __init audit_classes_init(void)
 {
 #ifdef CONFIG_IA32_EMULATION
@@ -181,6 +181,7 @@
 #define AUDIT_EXIT	103
 #define AUDIT_SUCCESS   104	/* exit >= 0; value ignored */
 #define AUDIT_WATCH	105
+#define AUDIT_PERM	106
  
 #define AUDIT_ARG0      200
 #define AUDIT_ARG1      (AUDIT_ARG0+1)
@@ -256,6 +257,11 @@
 #define AUDIT_ARCH_V850		(EM_V850|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_X86_64	(EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
  
+#define AUDIT_PERM_EXEC		1
+#define AUDIT_PERM_WRITE	2
+#define AUDIT_PERM_READ		4
+#define AUDIT_PERM_ATTR		8
+
 struct audit_status {
 	__u32		mask;		/* Bit mask for valid entries */
 	__u32		enabled;	/* 1 = enabled, 0 = disabled */
@@ -318,6 +324,7 @@
 #define AUDITSC_FAILURE 2
 #define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS )
 extern int __init audit_register_class(int class, unsigned *list);
+extern int audit_classify_syscall(int abi, unsigned syscall);
 #ifdef CONFIG_AUDITSYSCALL
 /* These are defined in auditsc.c */
 				/* Public API */
@@ -104,6 +104,7 @@
 	return (ino & (AUDIT_INODE_BUCKETS-1));
 }
  
+extern int audit_match_class(int class, unsigned syscall);
 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
 extern int audit_compare_dname_path(const char *dname, const char *path,
 				    int *dirlen);
@@ -302,6 +302,15 @@
 	return 0;
 }
  
+int audit_match_class(int class, unsigned syscall)
+{
+	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32)))
+		return 0;
+	if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
+		return 0;
+	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
+}
+
 /* Common user-space to kernel rule translation. */
 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
 {
@@ -414,6 +423,10 @@
 		case AUDIT_ARG2:
 		case AUDIT_ARG3:
 			break;
+		case AUDIT_PERM:
+			if (f->val & ~15)
+				goto exit_free;
+			break;
 		case AUDIT_INODE:
 			err = audit_to_inode(&entry->rule, f);
 			if (err)
@@ -567,6 +580,10 @@
 				goto exit_free;
 			entry->rule.buflen += f->val;
 			entry->rule.filterkey = str;
+			break;
+		case AUDIT_PERM:
+			if (f->val & ~15)
+				goto exit_free;
 			break;
 		default:
 			goto exit_free;
@@ -209,6 +209,54 @@
 #endif
 };
  
+#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
+static inline int open_arg(int flags, int mask)
+{
+	int n = ACC_MODE(flags);
+	if (flags & (O_TRUNC | O_CREAT))
+		n |= AUDIT_PERM_WRITE;
+	return n & mask;
+}
+
+static int audit_match_perm(struct audit_context *ctx, int mask)
+{
+	unsigned n = ctx->major;
+	switch (audit_classify_syscall(ctx->arch, n)) {
+	case 0:	/* native */
+		if ((mask & AUDIT_PERM_WRITE) &&
+		     audit_match_class(AUDIT_CLASS_WRITE, n))
+			return 1;
+		if ((mask & AUDIT_PERM_READ) &&
+		     audit_match_class(AUDIT_CLASS_READ, n))
+			return 1;
+		if ((mask & AUDIT_PERM_ATTR) &&
+		     audit_match_class(AUDIT_CLASS_CHATTR, n))
+			return 1;
+		return 0;
+	case 1: /* 32bit on biarch */
+		if ((mask & AUDIT_PERM_WRITE) &&
+		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
+			return 1;
+		if ((mask & AUDIT_PERM_READ) &&
+		     audit_match_class(AUDIT_CLASS_READ_32, n))
+			return 1;
+		if ((mask & AUDIT_PERM_ATTR) &&
+		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
+			return 1;
+		return 0;
+	case 2: /* open */
+		return mask & ACC_MODE(ctx->argv[1]);
+	case 3: /* openat */
+		return mask & ACC_MODE(ctx->argv[2]);
+	case 4: /* socketcall */
+		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
+	case 5: /* execve */
+		return mask & AUDIT_PERM_EXEC;
+	default:
+		return 0;
+	}
+}
+
 /* Determine if any context name data matches a rule's watch data */
 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
  * otherwise. */
@@ -396,6 +444,9 @@
 		case AUDIT_FILTERKEY:
 			/* ignore this field for filtering */
 			result = 1;
+			break;
+		case AUDIT_PERM:
+			result = audit_match_perm(ctx, f->val);
 			break;
 		}
...	...	@@ -23,6 +23,22 @@
23	23	~0U
24	24	};
25	25
	26	+int audit_classify_syscall(int abi, unsigned syscall)
	27	+{
	28	+ switch(syscall) {
	29	+ case __NR_open:
	30	+ return 2;
	31	+ case __NR_openat:
	32	+ return 3;
	33	+ case __NR_socketcall:
	34	+ return 4;
	35	+ case __NR_execve:
	36	+ return 5;
	37	+ default:
	38	+ return 0;
	39	+ }
	40	+}
	41	+
26	42	static int __init audit_classes_init(void)
27	43	{
28	44	audit_register_class(AUDIT_CLASS_WRITE, write_class);
...	...	@@ -19,4 +19,20 @@
19	19	#include <asm-generic/audit_read.h>
20	20	~0U
21	21	};
	22	+
	23	+int ia32_classify_syscall(unsigned syscall)
	24	+{
	25	+ switch(syscall) {
	26	+ case __NR_open:
	27	+ return 2;
	28	+ case __NR_openat:
	29	+ return 3;
	30	+ case __NR_socketcall:
	31	+ return 4;
	32	+ case __NR_execve:
	33	+ return 5;
	34	+ default:
	35	+ return 1;
	36	+ }
	37	+}
...	...	@@ -23,6 +23,25 @@
23	23	~0U
24	24	};
25	25
	26	+int audit_classify_syscall(int abi, unsigned syscall)
	27	+{
	28	+#ifdef CONFIG_IA32_SUPPORT
	29	+ extern int ia32_classify_syscall(unsigned);
	30	+ if (abi == AUDIT_ARCH_I386)
	31	+ return ia32_classify_syscall(syscall);
	32	+#endif
	33	+ switch(syscall) {
	34	+ case __NR_open:
	35	+ return 2;
	36	+ case __NR_openat:
	37	+ return 3;
	38	+ case __NR_execve:
	39	+ return 5;
	40	+ default:
	41	+ return 0;
	42	+ }
	43	+}
	44	+
26	45	static int __init audit_classes_init(void)
27	46	{
28	47	#ifdef CONFIG_IA32_SUPPORT
...	...	@@ -23,6 +23,27 @@
23	23	~0U
24	24	};
25	25
	26	+int audit_classify_syscall(int abi, unsigned syscall)
	27	+{
	28	+#ifdef CONFIG_PPC64
	29	+ extern int ppc32_classify_syscall(unsigned);
	30	+ if (abi == AUDIT_ARCH_PPC)
	31	+ return ppc32_classify_syscall(syscall);
	32	+#endif
	33	+ switch(syscall) {
	34	+ case __NR_open:
	35	+ return 2;
	36	+ case __NR_openat:
	37	+ return 3;
	38	+ case __NR_socketcall:
	39	+ return 4;
	40	+ case __NR_execve:
	41	+ return 5;
	42	+ default:
	43	+ return 0;
	44	+ }
	45	+}
	46	+
26	47	static int __init audit_classes_init(void)
27	48	{
28	49	#ifdef CONFIG_PPC64
...	...	@@ -20,4 +20,20 @@
20	20	#include <asm-generic/audit_read.h>
21	21	~0U
22	22	};
	23	+
	24	+int ppc32_classify_syscall(unsigned syscall)
	25	+{
	26	+ switch(syscall) {
	27	+ case __NR_open:
	28	+ return 2;
	29	+ case __NR_openat:
	30	+ return 3;
	31	+ case __NR_socketcall:
	32	+ return 4;
	33	+ case __NR_execve:
	34	+ return 5;
	35	+ default:
	36	+ return 1;
	37	+ }
	38	+}
...	...	@@ -23,6 +23,27 @@
23	23	~0U
24	24	};
25	25
	26	+int audit_classify_syscall(int abi, unsigned syscall)
	27	+{
	28	+#ifdef CONFIG_COMPAT
	29	+ extern int s390_classify_syscall(unsigned);
	30	+ if (abi == AUDIT_ARCH_S390)
	31	+ return s390_classify_syscall(syscall);
	32	+#endif
	33	+ switch(syscall) {
	34	+ case __NR_open:
	35	+ return 2;
	36	+ case __NR_openat:
	37	+ return 3;
	38	+ case __NR_socketcall:
	39	+ return 4;
	40	+ case __NR_execve:
	41	+ return 5;
	42	+ default:
	43	+ return 0;
	44	+ }
	45	+}
	46	+
26	47	static int __init audit_classes_init(void)
27	48	{
28	49	#ifdef CONFIG_COMPAT
...	...	@@ -20,4 +20,20 @@
20	20	#include <asm-generic/audit_read.h>
21	21	~0U
22	22	};
	23	+
	24	+int s390_classify_syscall(unsigned syscall)
	25	+{
	26	+ switch(syscall) {
	27	+ case __NR_open:
	28	+ return 2;
	29	+ case __NR_openat:
	30	+ return 3;
	31	+ case __NR_socketcall:
	32	+ return 4;
	33	+ case __NR_execve:
	34	+ return 5;
	35	+ default:
	36	+ return 1;
	37	+ }
	38	+}
...	...	@@ -23,6 +23,25 @@
23	23	~0U
24	24	};
25	25
	26	+int audit_classify_syscall(int abi, unsigned syscall)
	27	+{
	28	+#ifdef CONFIG_IA32_EMULATION
	29	+ extern int ia32_classify_syscall(unsigned);
	30	+ if (abi == AUDIT_ARCH_I386)
	31	+ return ia32_classify_syscall(syscall);
	32	+#endif
	33	+ switch(syscall) {
	34	+ case __NR_open:
	35	+ return 2;
	36	+ case __NR_openat:
	37	+ return 3;
	38	+ case __NR_execve:
	39	+ return 5;
	40	+ default:
	41	+ return 0;
	42	+ }
	43	+}
	44	+
26	45	static int __init audit_classes_init(void)
27	46	{
28	47	#ifdef CONFIG_IA32_EMULATION
...	...	@@ -181,6 +181,7 @@
181	181	#define AUDIT_EXIT 103
182	182	#define AUDIT_SUCCESS 104 /* exit >= 0; value ignored */
183	183	#define AUDIT_WATCH 105
	184	+#define AUDIT_PERM 106
184	185
185	186	#define AUDIT_ARG0 200
186	187	#define AUDIT_ARG1 (AUDIT_ARG0+1)
...	...	@@ -256,6 +257,11 @@
256	257	#define AUDIT_ARCH_V850 (EM_V850\|__AUDIT_ARCH_LE)
257	258	#define AUDIT_ARCH_X86_64 (EM_X86_64\|__AUDIT_ARCH_64BIT\|__AUDIT_ARCH_LE)
258	259
	260	+#define AUDIT_PERM_EXEC 1
	261	+#define AUDIT_PERM_WRITE 2
	262	+#define AUDIT_PERM_READ 4
	263	+#define AUDIT_PERM_ATTR 8
	264	+
259	265	struct audit_status {
260	266	__u32 mask; /* Bit mask for valid entries */
261	267	__u32 enabled; /* 1 = enabled, 0 = disabled */
...	...	@@ -318,6 +324,7 @@
318	324	#define AUDITSC_FAILURE 2
319	325	#define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS )
320	326	extern int __init audit_register_class(int class, unsigned *list);
	327	+extern int audit_classify_syscall(int abi, unsigned syscall);
321	328	#ifdef CONFIG_AUDITSYSCALL
322	329	/* These are defined in auditsc.c */
323	330	/* Public API */
...	...	@@ -104,6 +104,7 @@
104	104	return (ino & (AUDIT_INODE_BUCKETS-1));
105	105	}
106	106
	107	+extern int audit_match_class(int class, unsigned syscall);
107	108	extern int audit_comparator(const u32 left, const u32 op, const u32 right);
108	109	extern int audit_compare_dname_path(const char dname, const char path,
109	110	int *dirlen);