Merge branch 'audit.b28' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current

* 'audit.b28' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
[PATCH] audit: AUDIT_PERM support
[PATCH] audit: more syscall classes added
[PATCH] syscall classes hookup for ppc and s390
[PATCH] update audit rule change messages
[PATCH] sanity check audit_buffer
[PATCH] fix ppid bug in 2.6.18 kernel

+483 -6
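--- a/arch/i386/kernel/audit.c
+++ b/arch/i386/kernel/audit.c
@@ -8,13 +8,41 @@
 ~0U
 };
 
+static unsigned read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+static unsigned write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
 static unsigned chattr_class[] = {
 #include <asm-generic/audit_change_attr.h>
 ~0U
 };
 
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
 static int __init audit_classes_init(void)
 {
+	audit_register_class(AUDIT_CLASS_WRITE, write_class);
+	audit_register_class(AUDIT_CLASS_READ, read_class);
 	audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
 	audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
 	return 0;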
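Review bot: The codes returned by `audit_classify_syscall` here (2 open, 3 openat, 4 socketcall, 5 execve, 0 native) are bare integers whose meaning exists only in the matching `switch` of `audit_match_perm` in kernel/auditsc.c, and the same table is copied into arch/ia64/kernel/audit.c, arch/ia64/ia32/audit.c, arch/powerpc/kernel/audit.c, arch/powerpc/kernel/compat_audit.c, arch/s390/kernel/audit.c, arch/s390/kernel/compat_audit.c, arch/x86_64/ia32/audit.c and arch/x86_64/kernel/audit.c (the compat variants defaulting to 1). Named constants in include/linux/audit.h beside the `audit_classify_syscall` prototype — an `enum` with one value per case, used in every arch switch and in `audit_match_perm` — would keep the nine copies and their single consumer from drifting apart. The ia64 and x86_64 native switches omit `__NR_socketcall`, presumably because those ABIs have no such syscall; a one-line comment in each saying so would stop a reader from reporting it as an omission.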
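--- a/arch/ia64/ia32/audit.c
+++ b/arch/ia64/ia32/audit.c
@@ -9,3 +9,29 @@
 #include <asm-generic/audit_change_attr.h>
 ~0U
 };
+
+unsigned ia32_write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+unsigned ia32_read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+int ia32_classify_syscall(unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 1;
+	}
+}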
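--- a/arch/ia64/kernel/audit.c
+++ b/arch/ia64/kernel/audit.c
@@ -8,19 +8,54 @@
 ~0U
 };
 
+static unsigned read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+static unsigned write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
 static unsigned chattr_class[] = {
 #include <asm-generic/audit_change_attr.h>
 ~0U
 };
 
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+#ifdef CONFIG_IA32_SUPPORT
+	extern int ia32_classify_syscall(unsigned);
+	if (abi == AUDIT_ARCH_I386)
+		return ia32_classify_syscall(syscall);
+#endif
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
 static int __init audit_classes_init(void)
 {
 #ifdef CONFIG_IA32_SUPPORT
 	extern __u32 ia32_dir_class[];
+	extern __u32 ia32_write_class[];
+	extern __u32 ia32_read_class[];
 	extern __u32 ia32_chattr_class[];
+	audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class);
+	audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class);
 	audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class);
 	audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class);
 #endif
+	audit_register_class(AUDIT_CLASS_WRITE, write_class);
+	audit_register_class(AUDIT_CLASS_READ, read_class);
 	audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
 	audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
 	return 0;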
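--- a/arch/powerpc/kernel/Makefile
+++ b/arch/powerpc/kernel/Makefile
@@ -70,6 +70,8 @@
 kexec-$(CONFIG_PPC64)	:= machine_kexec_64.o
 kexec-$(CONFIG_PPC32)	:= machine_kexec_32.o
 obj-$(CONFIG_KEXEC)	+= machine_kexec.o crash.o $(kexec-y)
+obj-$(CONFIG_AUDIT)	+= audit.o
+obj64-$(CONFIG_AUDIT)	+= compat_audit.o
 
 ifeq ($(CONFIG_PPC_ISERIES),y)
 $(obj)/head_64.o: $(obj)/lparmap.s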
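--- /dev/null
+++ b/arch/powerpc/kernel/audit.c
@@ -0,0 +1,66 @@
+#include <linux/init.h>
+#include <linux/types.h>
+#include <linux/audit.h>
+#include <asm/unistd.h>
+
+static unsigned dir_class[] = {
+#include <asm-generic/audit_dir_write.h>
+~0U
+};
+
+static unsigned read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+static unsigned write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+static unsigned chattr_class[] = {
+#include <asm-generic/audit_change_attr.h>
+~0U
+};
+
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+#ifdef CONFIG_PPC64
+	extern int ppc32_classify_syscall(unsigned);
+	if (abi == AUDIT_ARCH_PPC)
+		return ppc32_classify_syscall(syscall);
+#endif
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
+static int __init audit_classes_init(void)
+{
+#ifdef CONFIG_PPC64
+	extern __u32 ppc32_dir_class[];
+	extern __u32 ppc32_write_class[];
+	extern __u32 ppc32_read_class[];
+	extern __u32 ppc32_chattr_class[];
+	audit_register_class(AUDIT_CLASS_WRITE_32, ppc32_write_class);
+	audit_register_class(AUDIT_CLASS_READ_32, ppc32_read_class);
+	audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ppc32_dir_class);
+	audit_register_class(AUDIT_CLASS_CHATTR_32, ppc32_chattr_class);
+#endif
+	audit_register_class(AUDIT_CLASS_WRITE, write_class);
+	audit_register_class(AUDIT_CLASS_READ, read_class);
+	audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
+	audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+	return 0;
+}
+
+__initcall(audit_classes_init);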
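--- /dev/null
+++ b/arch/powerpc/kernel/compat_audit.c
@@ -0,0 +1,38 @@
+#undef __powerpc64__
+#include <asm/unistd.h>
+
+unsigned ppc32_dir_class[] = {
+#include <asm-generic/audit_dir_write.h>
+~0U
+};
+
+unsigned ppc32_chattr_class[] = {
+#include <asm-generic/audit_change_attr.h>
+~0U
+};
+
+unsigned ppc32_write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+unsigned ppc32_read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+int ppc32_classify_syscall(unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 1;
+	}
+}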
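Review bot: The `#undef __powerpc64__` on line 1, placed just before `#include <asm/unistd.h>`, is the entire mechanism by which this translation unit obtains the 32-bit `__NR_*` values for the `ppc32_*` tables, and nothing on the page says so; the same applies to `#undef __s390x__` at the top of arch/s390/kernel/compat_audit.c. A comment such as `/* Build the 32-bit syscall class tables: drop the 64-bit marker so asm/unistd.h yields the 32-bit __NR_* numbers */` would make the intent explicit for the next reader. Whether the undef also changes other definitions pulled in through asm/unistd.h is not visible here and is worth confirming when the comment is written.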
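--- a/arch/s390/kernel/Makefile
+++ b/arch/s390/kernel/Makefile
@@ -16,9 +16,11 @@
 obj-$(CONFIG_MODULES)	+= s390_ksyms.o module.o
 obj-$(CONFIG_SMP)	+= smp.o
 
+obj-$(CONFIG_AUDIT)	+= audit.o
+compat-obj-$(CONFIG_AUDIT)	+= compat_audit.o
 obj-$(CONFIG_COMPAT)	+= compat_linux.o compat_signal.o \
 			compat_wrapper.o compat_exec_domain.o \
-			binfmt_elf32.o
+			binfmt_elf32.o $(compat-obj-y)
 
 obj-$(CONFIG_VIRT_TIMER)	+= vtime.o
 obj-$(CONFIG_STACKTRACE)	+= stacktrace.o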
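--- /dev/null
+++ b/arch/s390/kernel/audit.c
@@ -0,0 +1,66 @@
+#include <linux/init.h>
+#include <linux/types.h>
+#include <linux/audit.h>
+#include <asm/unistd.h>
+
+static unsigned dir_class[] = {
+#include <asm-generic/audit_dir_write.h>
+~0U
+};
+
+static unsigned read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+static unsigned write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+static unsigned chattr_class[] = {
+#include <asm-generic/audit_change_attr.h>
+~0U
+};
+
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+#ifdef CONFIG_COMPAT
+	extern int s390_classify_syscall(unsigned);
+	if (abi == AUDIT_ARCH_S390)
+		return s390_classify_syscall(syscall);
+#endif
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
+static int __init audit_classes_init(void)
+{
+#ifdef CONFIG_COMPAT
+	extern __u32 s390_dir_class[];
+	extern __u32 s390_write_class[];
+	extern __u32 s390_read_class[];
+	extern __u32 s390_chattr_class[];
+	audit_register_class(AUDIT_CLASS_WRITE_32, s390_write_class);
+	audit_register_class(AUDIT_CLASS_READ_32, s390_read_class);
+	audit_register_class(AUDIT_CLASS_DIR_WRITE_32, s390_dir_class);
+	audit_register_class(AUDIT_CLASS_CHATTR_32, s390_chattr_class);
+#endif
+	audit_register_class(AUDIT_CLASS_WRITE, write_class);
+	audit_register_class(AUDIT_CLASS_READ, read_class);
+	audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
+	audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+	return 0;
+}
+
+__initcall(audit_classes_init);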
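--- /dev/null
+++ b/arch/s390/kernel/compat_audit.c
@@ -0,0 +1,38 @@
+#undef __s390x__
+#include <asm/unistd.h>
+
+unsigned s390_dir_class[] = {
+#include <asm-generic/audit_dir_write.h>
+~0U
+};
+
+unsigned s390_chattr_class[] = {
+#include <asm-generic/audit_change_attr.h>
+~0U
+};
+
+unsigned s390_write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+unsigned s390_read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+int s390_classify_syscall(unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 1;
+	}
+}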
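--- a/arch/x86_64/ia32/audit.c
+++ b/arch/x86_64/ia32/audit.c
@@ -9,3 +9,29 @@
 #include <asm-generic/audit_change_attr.h>
 ~0U
 };
+
+unsigned ia32_write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+unsigned ia32_read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+int ia32_classify_syscall(unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_socketcall:
+		return 4;
+	case __NR_execve:
+		return 5;
+	default:
+		return 1;
+	}
+}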
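--- a/arch/x86_64/kernel/audit.c
+++ b/arch/x86_64/kernel/audit.c
@@ -8,19 +8,54 @@
 ~0U
 };
 
+static unsigned read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+static unsigned write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
 static unsigned chattr_class[] = {
 #include <asm-generic/audit_change_attr.h>
 ~0U
 };
 
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+#ifdef CONFIG_IA32_EMULATION
+	extern int ia32_classify_syscall(unsigned);
+	if (abi == AUDIT_ARCH_I386)
+		return ia32_classify_syscall(syscall);
+#endif
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0;
+	}
+}
+
 static int __init audit_classes_init(void)
 {
 #ifdef CONFIG_IA32_EMULATION
 	extern __u32 ia32_dir_class[];
+	extern __u32 ia32_write_class[];
+	extern __u32 ia32_read_class[];
 	extern __u32 ia32_chattr_class[];
+	audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class);
+	audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class);
 	audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class);
 	audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class);
 #endif
+	audit_register_class(AUDIT_CLASS_WRITE, write_class);
+	audit_register_class(AUDIT_CLASS_READ, read_class);
 	audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
 	audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
 	return 0;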
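--- /dev/null
+++ b/include/asm-generic/audit_read.h
@@ -0,0 +1,8 @@
+__NR_readlink,
+__NR_quotactl,
+__NR_listxattr,
+__NR_llistxattr,
+__NR_flistxattr,
+__NR_getxattr,
+__NR_lgetxattr,
+__NR_fgetxattr,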
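--- /dev/null
+++ b/include/asm-generic/audit_write.h
@@ -0,0 +1,11 @@
+#include <asm-generic/audit_dir_write.h>
+__NR_acct,
+__NR_swapon,
+__NR_quotactl,
+__NR_truncate,
+#ifdef __NR_truncate64
+__NR_truncate64,
+#endif
+#ifdef __NR_bind
+__NR_bind,	/* bind can affect fs object only in one way... */
+#endif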
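Review bot: `__NR_quotactl` on line 4 is also listed in include/asm-generic/audit_read.h, so the same syscall lands in both the READ and the WRITE class and matches rules of either permission; that looks deliberate, since quotactl can both query and modify quotas, but nothing on either line says so and a later cleanup could easily "deduplicate" it. A trailing comment such as `__NR_quotactl,	/* intentionally also in audit_read.h: quotactl reads and writes */` would pin the intent. Line 1 also makes AUDIT_CLASS_WRITE a strict superset of AUDIT_CLASS_DIR_WRITE by including that list; a one-line comment stating that relationship would help anyone reading the matching code in kernel/auditsc.c.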
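--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -132,6 +132,10 @@
 #define AUDIT_CLASS_DIR_WRITE_32 1
 #define AUDIT_CLASS_CHATTR 2
 #define AUDIT_CLASS_CHATTR_32 3
+#define AUDIT_CLASS_READ 4
+#define AUDIT_CLASS_READ_32 5
+#define AUDIT_CLASS_WRITE 6
+#define AUDIT_CLASS_WRITE_32 7
 
 /* This bitmask is used to validate user input. It represents all bits that
  * are currently used in an audit field constant understood by the kernel.
@@ -181,6 +177,7 @@
 #define AUDIT_EXIT	103
 #define AUDIT_SUCCESS	104	/* exit >= 0; value ignored */
 #define AUDIT_WATCH	105
+#define AUDIT_PERM	106
 
 #define AUDIT_ARG0	200
 #define AUDIT_ARG1	(AUDIT_ARG0+1)
@@ -257,6 +252,11 @@
 #define AUDIT_ARCH_V850	(EM_V850|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_X86_64	(EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 
+#define AUDIT_PERM_EXEC	1
+#define AUDIT_PERM_WRITE	2
+#define AUDIT_PERM_READ	4
+#define AUDIT_PERM_ATTR	8
+
 struct audit_status {
 	__u32		mask;		/* Bit mask for valid entries */
 	__u32		enabled;	/* 1 = enabled, 0 = disabled */
@@ -324,6 +314,7 @@
 #define AUDITSC_FAILURE 2
 #define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS )
 extern int __init audit_register_class(int class, unsigned *list);
+extern int audit_classify_syscall(int abi, unsigned syscall);
 #ifdef CONFIG_AUDITSYSCALL
 /* These are defined in auditsc.c */
 /* Public API */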
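Review bot: The `audit_classify_syscall` prototype added at line 317 says nothing about what its return value means, yet nine arch implementations and `audit_match_perm` in kernel/auditsc.c all hard-code the same codes. A comment above the declaration spelling out the contract — 0 for a native syscall matched through the registered classes, 1 for a 32-bit syscall on a biarch kernel matched through the `_32` classes, and 2 open, 3 openat, 4 socketcall, 5 execve for syscalls whose permission is derived from their arguments — would make that contract checkable in one place (named constants for those values would be better still). The AUDIT_PERM_EXEC/WRITE/READ/ATTR bits at lines 255-258 are validated in kernel/auditfilter.c with a literal `~15` in two places; a mask constant defined here next to them, built as the OR of the four bits, would keep the validation and the definitions in step if a bit is ever added.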
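--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1028,6 +1028,9 @@
 	struct sk_buff *skb;
 	static const unsigned char *hex = "0123456789ABCDEF";
 
+	if (!ab)
+		return;
+
 	BUG_ON(!ab->skb);
 	skb = ab->skb;
 	avail = skb_tailroom(skb);
@@ -1062,6 +1059,9 @@
 	int avail, new_len;
 	unsigned char *ptr;
 	struct sk_buff *skb;
+
+	if (!ab)
+		return;
 
 	BUG_ON(!ab->skb);
 	skb = ab->skb;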
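Review bot: The two new `if (!ab) return;` guards at lines 1031 and 1063 silently turn a NULL buffer into a dropped record, and neither carries a comment saying why NULL is an expected input; both enclosing functions begin before their hunks, so their names are not visible here. Presumably this covers `audit_log_start()` returning NULL (the new callers in kernel/auditfilter.c pass its result straight to `audit_log_format` and `audit_log_untrustedstring` without checking it), and that is worth stating at the guard, e.g. `/* ab is NULL when audit_log_start() failed; the record is silently dropped */`. If the whole audit_log_* family is now meant to tolerate a NULL buffer, that contract belongs on the declarations in include/linux/audit.h rather than only at these two sites.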
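--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -104,6 +104,7 @@
 	return (ino & (AUDIT_INODE_BUCKETS-1));
 }
 
+extern int audit_match_class(int class, unsigned syscall);
 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
 extern int audit_compare_dname_path(const char *dname, const char *path,
 				    int *dirlen);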
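--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -302,6 +302,15 @@
 	return 0;
 }
 
+int audit_match_class(int class, unsigned syscall)
+{
+	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32)))
+		return 0;
+	if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
+		return 0;
+	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
+}
+
 /* Common user-space to kernel rule translation. */
 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
 {
@@ -413,6 +404,7 @@
 	case AUDIT_PERS:
 	case AUDIT_ARCH:
 	case AUDIT_MSGTYPE:
+	case AUDIT_PPID:
 	case AUDIT_DEVMAJOR:
 	case AUDIT_DEVMINOR:
 	case AUDIT_EXIT:
@@ -422,6 +412,10 @@
 	case AUDIT_ARG1:
 	case AUDIT_ARG2:
 	case AUDIT_ARG3:
+		break;
+	case AUDIT_PERM:
+		if (f->val & ~15)
+			goto exit_free;
 		break;
 	case AUDIT_INODE:
 		err = audit_to_inode(&entry->rule, f);
@@ -580,6 +566,10 @@
 			goto exit_free;
 		entry->rule.buflen += f->val;
 		entry->rule.filterkey = str;
+		break;
+	case AUDIT_PERM:
+		if (f->val & ~15)
+			goto exit_free;
 		break;
 	default:
 		goto exit_free;
@@ -931,7 +913,7 @@
 	}
 
 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-	audit_log_format(ab, "audit updated rules specifying watch=");
+	audit_log_format(ab, "audit updated rules specifying path=");
 	audit_log_untrustedstring(ab, owatch->path);
 	audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
 	audit_log_end(ab);
@@ -954,19 +936,28 @@
 	struct audit_watch *w, *nextw;
 	struct audit_krule *r, *nextr;
 	struct audit_entry *e;
+	struct audit_buffer *ab;
 
 	mutex_lock(&audit_filter_mutex);
 	parent->flags |= AUDIT_PARENT_INVALID;
 	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
 		list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
 			e = container_of(r, struct audit_entry, rule);
+
+			ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+			audit_log_format(ab, "audit implicitly removed rule path=");
+			audit_log_untrustedstring(ab, w->path);
+			if (r->filterkey) {
+				audit_log_format(ab, " key=");
+				audit_log_untrustedstring(ab, r->filterkey);
+			} else
+				audit_log_format(ab, " key=(null)");
+			audit_log_format(ab, " list=%d", r->listnr);
+			audit_log_end(ab);
+
 			list_del(&r->rlist);
 			list_del_rcu(&e->list);
 			call_rcu(&e->rcu, audit_free_rule_rcu);
-
-			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-				"audit implicitly removed rule from list=%d\n",
-				AUDIT_FILTER_EXIT);
 		}
 		audit_remove_watch(w);
 	}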
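Review bot: The range check in `audit_match_class` at line 307 looks too tight: the lookup on line 311 indexes the class bitmap with `AUDIT_WORD(syscall)` and `AUDIT_BIT(syscall)`, i.e. by 32-bit word, so if AUDIT_BITMASK_SIZE counts `__u32` words (as that indexing suggests; its definition is not on the page) the bitmap covers `AUDIT_BITMASK_SIZE * 32` syscalls, whereas `AUDIT_BITMASK_SIZE * sizeof(__u32)` admits only an eighth of that and silently reports "no match" for any higher-numbered syscall — on ia64, whose syscall numbers start at 1024, the READ/WRITE/CHATTR classes would then never match a native syscall. If that reading is right the line should be `if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))`; otherwise a comment stating the unit of AUDIT_BITMASK_SIZE would settle it. The AUDIT_PERM validation at lines 417 and 571 repeats the literal `~15` for the four AUDIT_PERM_* bits defined in include/linux/audit.h; a named mask derived from those definitions would keep the two user-input checks and the bit definitions consistent.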
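--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -209,6 +209,54 @@
 #endif
 };
 
+#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
+static inline int open_arg(int flags, int mask)
+{
+	int n = ACC_MODE(flags);
+	if (flags & (O_TRUNC | O_CREAT))
+		n |= AUDIT_PERM_WRITE;
+	return n & mask;
+}
+
+static int audit_match_perm(struct audit_context *ctx, int mask)
+{
+	unsigned n = ctx->major;
+	switch (audit_classify_syscall(ctx->arch, n)) {
+	case 0: /* native */
+		if ((mask & AUDIT_PERM_WRITE) &&
+		     audit_match_class(AUDIT_CLASS_WRITE, n))
+			return 1;
+		if ((mask & AUDIT_PERM_READ) &&
+		     audit_match_class(AUDIT_CLASS_READ, n))
+			return 1;
+		if ((mask & AUDIT_PERM_ATTR) &&
+		     audit_match_class(AUDIT_CLASS_CHATTR, n))
+			return 1;
+		return 0;
+	case 1: /* 32bit on biarch */
+		if ((mask & AUDIT_PERM_WRITE) &&
+		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
+			return 1;
+		if ((mask & AUDIT_PERM_READ) &&
+		     audit_match_class(AUDIT_CLASS_READ_32, n))
+			return 1;
+		if ((mask & AUDIT_PERM_ATTR) &&
+		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
+			return 1;
+		return 0;
+	case 2: /* open */
+		return mask & ACC_MODE(ctx->argv[1]);
+	case 3: /* openat */
+		return mask & ACC_MODE(ctx->argv[2]);
+	case 4: /* socketcall */
+		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
+	case 5: /* execve */
+		return mask & AUDIT_PERM_EXEC;
+	default:
+		return 0;
+	}
+}
+
 /* Determine if any context name data matches a rule's watch data */
 /* Compare a task_struct with an audit_rule. Return 1 on match, 0
  * otherwise. */
@@ -444,6 +396,9 @@
 	case AUDIT_FILTERKEY:
 		/* ignore this field for filtering */
 		result = 1;
+		break;
+	case AUDIT_PERM:
+		result = audit_match_perm(ctx, f->val);
 		break;
 	}
 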
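Review bot: `open_arg` (lines 213-219) is defined but never called: the open and openat cases at lines 248 and 250 apply `ACC_MODE` directly, so an open with O_RDONLY plus O_CREAT or O_TRUNC — which creates or truncates the file — is classified as read-only and never matches an AUDIT_PERM_WRITE rule, even though the helper exists precisely to add AUDIT_PERM_WRITE for those flags. Routing both cases through it, `return open_arg(ctx->argv[1], mask);` for open and `return open_arg(ctx->argv[2], mask);` for openat, would make the matching follow the stated intent and remove an unused static. `audit_match_perm` also dereferences `ctx` at line 223 with no NULL check; whether `audit_filter_rules` (the caller at line 401, whose body begins outside the hunk) is ever invoked with a NULL context is not visible here and should be confirmed, with an `if (unlikely(!ctx)) return 0;` guard added if it can be.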