Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754217AbbHEUaV (ORCPT ); Wed, 5 Aug 2015 16:30:21 -0400 Received: from mx1.redhat.com ([209.132.183.28]:59341 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752763AbbHEUaU (ORCPT ); Wed, 5 Aug 2015 16:30:20 -0400 From: Richard Guy Briggs To: linux-audit@redhat.com, linux-kernel@vger.kernel.org Cc: Richard Guy Briggs , sgrubb@redhat.com, pmoore@redhat.com, eparis@redhat.com, peter@hda3.com Subject: [PATCH V9 3/3] audit: add audit by children of executable path Date: Wed, 5 Aug 2015 16:29:38 -0400 Message-Id: In-Reply-To: References: In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3324 Lines: 101 This adds the ability to audit the actions of children of a not-yet-running process. This is a split-out of a heavily modified version of a patch originally submitted by Eric Paris with some ideas from Peter Moody. Cc: Peter Moody Cc: Eric Paris Signed-off-by: Richard Guy Briggs --- include/uapi/linux/audit.h | 1 + kernel/auditfilter.c | 5 +++++ kernel/auditsc.c | 11 +++++++++++ 3 files changed, 17 insertions(+), 0 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index e2ca600..55a8dec 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -267,6 +267,7 @@ #define AUDIT_OBJ_GID 110 #define AUDIT_FIELD_COMPARE 111 #define AUDIT_EXE 112 +#define AUDIT_EXE_CHILDREN 113 #define AUDIT_ARG0 200 #define AUDIT_ARG1 (AUDIT_ARG0+1) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index c662638..802f0cc 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -406,6 +406,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) return -EINVAL; break; case AUDIT_EXE: + case AUDIT_EXE_CHILDREN: if (f->op != Audit_equal) return -EINVAL; if (entry->rule.listnr != AUDIT_FILTER_EXIT) 
@@ -547,6 +548,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, entry->rule.filterkey = str; break; case AUDIT_EXE: + case AUDIT_EXE_CHILDREN: if (entry->rule.exe || f->val > PATH_MAX) goto exit_free; str = audit_unpack_string(&bufp, &remain, f->val); @@ -643,6 +645,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) audit_pack_string(&bufp, krule->filterkey); break; case AUDIT_EXE: + case AUDIT_EXE_CHILDREN: data->buflen += data->values[i] = audit_pack_string(&bufp, audit_mark_path(krule->exe)); break; @@ -710,6 +713,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) return 1; break; case AUDIT_EXE: + case AUDIT_EXE_CHILDREN: /* both paths exist based on above type compare */ if (strcmp(audit_mark_path(a->exe), audit_mark_path(b->exe))) @@ -838,6 +842,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old) new->filterkey = fk; break; case AUDIT_EXE: + case AUDIT_EXE_CHILDREN: err = audit_dupe_exe(new, old); break; } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e9bac2b..4f2b515 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -469,6 +469,17 @@ static int audit_filter_rules(struct task_struct *tsk, case AUDIT_EXE: result = audit_exe_compare(tsk, rule->exe); break; + case AUDIT_EXE_CHILDREN: + { + struct task_struct *ptsk; + for (ptsk = tsk; ptsk->parent->pid > 0; ptsk = find_task_by_vpid(ptsk->parent->pid)) { + if (audit_exe_compare(ptsk, rule->exe)) { + ++result; + break; + } + } + } + break; case AUDIT_UID: result = audit_uid_comparator(cred->uid, f->op, f->uid); break; -- 1.7.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
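Review bot: in the AUDIT_EXE_CHILDREN loop added to audit_filter_rules() in kernel/auditsc.c, `find_task_by_vpid(ptsk->parent->pid)` mixes pid spaces and can return NULL. `ptsk->parent->pid` is the global pid number held in the task_struct, while find_task_by_vpid() resolves a pid in the current task's pid namespace, so for a task inside a pid namespace the walk can land on an unrelated task or on NULL, and a NULL return is dereferenced on the next evaluation of the loop condition `ptsk->parent->pid`. The lookup is not needed, because the parent pointer is already in hand; walk it directly under rcu_read_lock(), e.g. `for (ptsk = tsk; ptsk != &init_task; ptsk = rcu_dereference(ptsk->real_parent))`, which also compares pid 1 (the current condition stops before it) and, by using real_parent instead of parent, keeps a ptrace tracer from being treated as an ancestor. Two further points on the same hunk: the loop starts at tsk itself, so the rule matches the named executable as well as its descendants, which the commit message should state if that is intended; and every ancestor is passed to audit_exe_compare(), so either that comparator must tolerate a task without a user-space mm (kernel threads can appear in the chain) or the loop should skip such tasks.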
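Review bot: the include/uapi/linux/audit.h hunk adds the user-visible field value `AUDIT_EXE_CHILDREN 113` without the commit message defining its semantics: which list it is valid on (the auditfilter.c hunks restrict it to AUDIT_FILTER_EXIT with Audit_equal, as for AUDIT_EXE), whether the process itself matches in addition to its descendants, and that a rule may carry only one of AUDIT_EXE or AUDIT_EXE_CHILDREN, since both store their path in the same `rule.exe` and the `if (entry->rule.exe || f->val > PATH_MAX)` check in audit_data_to_entry() rejects a second one. Spelling that out in the commit message and the userspace field name to be used by auditctl would make the new ABI reviewable.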