audit: allow interfield comparison in audit rules
We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes an 'enum' value that indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis@redhat.com>
parent
29ef73b7a8
commit
02d86a568c
3 changed files with 37 additions and 2 deletions
|
@ -182,7 +182,10 @@
|
|||
* AUDIT_UNUSED_BITS is updated if need be. */
|
||||
#define AUDIT_UNUSED_BITS 0x07FFFC00
|
||||
|
||||
/* AUDIT_FIELD_COMPARE rule list */
|
||||
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
|
||||
|
||||
#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_UID_TO_OBJ_UID
|
||||
/* Rule fields */
|
||||
/* These are useful when checking the
|
||||
* task structure at task creation time
|
||||
|
@ -225,6 +228,7 @@
|
|||
#define AUDIT_FILETYPE 108
|
||||
#define AUDIT_OBJ_UID 109
|
||||
#define AUDIT_OBJ_GID 110
|
||||
#define AUDIT_FIELD_COMPARE 111
|
||||
|
||||
#define AUDIT_ARG0 200
|
||||
#define AUDIT_ARG1 (AUDIT_ARG0+1)
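Review bot: The comparison list added after `AUDIT_UNUSED_BITS` starts at 1 and `AUDIT_MAX_FIELD_COMPARE` is a hand-maintained alias of the last entry, but the header does not say either of those things. Because this value presumably comes from userspace as part of an audit rule, I would put a comment above the list such as `/* Values start at 1; 0 is not a valid comparison. Update AUDIT_MAX_FIELD_COMPARE when adding an entry. */`. The code that validates and dispatches the value is in the other changed files, which this page does not show. It should reject 0 as well as anything above `AUDIT_MAX_FIELD_COMPARE`, otherwise a rule with an undefined comparison could be accepted and then never match.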
|
||||
|
|