It is useful to extend GID/EGID comparation logic to be able to match not only the exact EID/EGID values but the group/egroup also.
Signed-off-by: Matvejchikov Ilya <[email protected]> --- kernel/auditsc.c | 14 ++++++++++++++ 1 files changed, 14 insertions(+), 0 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 47b7fc1..a233faf 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -491,9 +491,23 @@ static int audit_filter_rules(struct task_struct *tsk, break; case AUDIT_GID: result = audit_comparator(cred->gid, f->op, f->val); + if (f->op == Audit_equal) { + if (!result) + result = in_group_p((gid_t)f->val); + } else if (f->op == Audit_not_equal) { + if (result) + result = !in_group_p((gid_t)f->val); + } break; case AUDIT_EGID: result = audit_comparator(cred->egid, f->op, f->val); + if (f->op == Audit_equal) { + if (!result) + result = in_egroup_p((gid_t)f->val); + } else if (f->op == Audit_not_equal) { + if (result) + result = !in_egroup_p((gid_t)f->val); + } break; case AUDIT_SGID: result = audit_comparator(cred->sgid, f->op, f->val); -- 1.7.3.4 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
