[PATCH] allow audit filtering on bit & operations

Right now the audit filter can match on = != > < >= blah blah blah.
This allow the filter to also look at bitwise AND operations, &

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 8ca7ca0b47f0ebecd6be51ad1c2ed4529cd12bc7..a35859ab2fdbf518e2457736005a9dfbd3617538 100644 (file)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -161,7 +161,7 @@
  * are currently used in an audit field constant understood by the kernel.
  * If you are adding a new #define AUDIT_<whatever>, please ensure that
  * AUDIT_UNUSED_BITS is updated if need be. */
-#define AUDIT_UNUSED_BITS      0x0FFFFC00
+#define AUDIT_UNUSED_BITS      0x07FFFC00
 
 
 /* Rule fields */
@@ -213,25 +213,29 @@
 #define AUDIT_NEGATE                   0x80000000
 
 /* These are the supported operators.
- *     4  2  1
- *     =  >  <
- *     -------
- *     0  0  0         0       nonsense
- *     0  0  1         1       <
- *     0  1  0         2       >
- *     0  1  1         3       !=
- *     1  0  0         4       =
- *     1  0  1         5       <=
- *     1  1  0         6       >=
- *     1  1  1         7       all operators
+ *     4  2  1  8
+ *     =  >  <  ?
+ *     ----------
+ *     0  0  0  0      00      nonsense
+ *     0  0  0  1      08      &  bit mask
+ *     0  0  1  0      10      <
+ *     0  1  0  0      20      >
+ *     0  1  1  0      30      !=
+ *     1  0  0  0      40      =
+ *     1  0  0  1      48      &=  bit test
+ *     1  0  1  0      50      <=
+ *     1  1  0  0      60      >=
+ *     1  1  1  1      78      all operators
  */
+#define AUDIT_BIT_MASK                 0x08000000
 #define AUDIT_LESS_THAN                        0x10000000
 #define AUDIT_GREATER_THAN             0x20000000
 #define AUDIT_NOT_EQUAL                        0x30000000
 #define AUDIT_EQUAL                    0x40000000
+#define AUDIT_BIT_TEST                 (AUDIT_BIT_MASK|AUDIT_EQUAL)
 #define AUDIT_LESS_THAN_OR_EQUAL       (AUDIT_LESS_THAN|AUDIT_EQUAL)
 #define AUDIT_GREATER_THAN_OR_EQUAL    (AUDIT_GREATER_THAN|AUDIT_EQUAL)
-#define AUDIT_OPERATORS                        (AUDIT_EQUAL|AUDIT_NOT_EQUAL)
+#define AUDIT_OPERATORS                        (AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK)
 
 /* Status symbols */
                                /* Mask values */

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 0ea96bab91cced251de1b00e733f46c0e8c2e6d8..359645cff5b2cd662ea209458203eef6b1e96976 100644 (file)
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -456,6 +456,13 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                case AUDIT_DEVMINOR:
                case AUDIT_EXIT:
                case AUDIT_SUCCESS:
+                       /* bit ops are only useful on syscall args */
+                       if (f->op == AUDIT_BIT_MASK ||
+                                               f->op == AUDIT_BIT_TEST) {
+                               err = -EINVAL;
+                               goto exit_free;
+                       }
+                       break;
                case AUDIT_ARG0:
                case AUDIT_ARG1:
                case AUDIT_ARG2:
@@ -1566,6 +1573,10 @@ int audit_comparator(const u32 left, const u32 op, const u32 right)
                return (left > right);
        case AUDIT_GREATER_THAN_OR_EQUAL:
                return (left >= right);
+       case AUDIT_BIT_MASK:
+               return (left & right);
+       case AUDIT_BIT_TEST:
+               return ((left & right) == right);
        }
        BUG();
        return 0;