This adds the ability to audit the actions of a not-yet-running process, as well as the children of a not-yet-running process.
Signed-off-by: Peter Moody <[email protected]>
---
include/linux/audit.h | 2 ++
kernel/auditfilter.c | 6 ++++++
kernel/auditsc.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+), 0 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 22f292a..5506cb1 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -260,6 +260,8 @@
#define AUDIT_OBJ_UID 109
#define AUDIT_OBJ_GID 110
#define AUDIT_FIELD_COMPARE 111
+#define AUDIT_EXE 112
+#define AUDIT_EXE_CHILDREN 113
#define AUDIT_ARG0 200
#define AUDIT_ARG1 (AUDIT_ARG0+1)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index a6c3f1a..1e6c571 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -546,6 +546,12 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (f->val > AUDIT_MAX_FIELD_COMPARE)
goto exit_free;
break;
+ case AUDIT_EXE:
+ case AUDIT_EXE_CHILDREN:
+ if (f->op != Audit_equal) {
+ goto exit_free;
+ }
+ break;
default:
goto exit_free;
}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4b96415..9cebe95 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -46,6 +46,7 @@
#include <asm/types.h>
#include <linux/atomic.h>
#include <linux/fs.h>
+#include <linux/dcache.h>
#include <linux/namei.h>
#include <linux/mm.h>
#include <linux/export.h>
@@ -68,6 +69,7 @@
#include <linux/capability.h>
#include <linux/fs_struct.h>
#include <linux/compat.h>
+#include <linux/sched.h>
#include "audit.h"
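Review bot: The new `AUDIT_EXE`/`AUDIT_EXE_CHILDREN` validation in audit_data_to_entry accepts a rule whose only payload is `f->val`, a single 32-bit inode number with no device, so the rule cannot tell apart equally numbered inodes on different mounted filesystems and will match (or fail to match) the wrong executable; the comparison that consumes this value is in the auditsc.c audit_match_exe hunk, where `i_sb->s_dev` would also have to be carried and compared. Restricting the operator to `Audit_equal` is right for an inode-number field. As a point of style, the single-statement `if` is braced here while the `AUDIT_FIELD_COMPARE` case just above writes `goto exit_free;` unbraced; `if (f->op != Audit_equal)` / `goto exit_free;` matches the surrounding code. audit_data_to_entry begins and ends outside the hunk.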
@@ -592,6 +594,35 @@ static int audit_field_compare(struct task_struct *tsk,
return 0;
}
+int audit_match_exe(struct task_struct *tsk, struct audit_field *f)
+{
+ int result = 0;
+ struct mm_struct *mm;
+ struct vm_area_struct *vma;
+
+ if (!tsk)
+ goto out;
+
+ mm = tsk->mm;
+ if (!mm)
+ goto out;
+
+ down_read(&mm->mmap_sem);
+ vma = mm->mmap;
+ while (vma) {
+ if ((vma->vm_flags & VM_EXECUTABLE) &&
+ vma->vm_file) {
+ struct inode *ino = vma->vm_file->f_path.dentry->d_inode;
+ result = audit_comparator(ino->i_ino, f->op, f->val);
+ break;
+ }
+ vma = vma->vm_next;
+ }
+ up_read(&mm->mmap_sem);
+out:
+ return result;
+}
+
/* Determine if any context name data matches a rule's watch data */
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
 * otherwise.
@@ -629,6 +660,22 @@ static int audit_filter_rules(struct task_struct *tsk,
result = audit_comparator(ctx->ppid, f->op, f->val);
}
break;
+ case AUDIT_EXE:
+ result = audit_match_exe(tsk, f);
+ break;
+ case AUDIT_EXE_CHILDREN:
+ {
+ struct task_struct *ptsk;
+ for (ptsk = tsk;
+ ptsk->parent->pid > 0;
+ ptsk = find_task_by_vpid(ptsk->parent->pid)) {
+ if (audit_match_exe(ptsk, f)) {
+ ++result;
+ break;
+ }
+ }
+ }
+ break;
case AUDIT_UID:
result = audit_comparator(cred->uid, f->op, f->val);
break;
--
1.7.7.3
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
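Review bot: audit_match_exe takes `down_read(&mm->mmap_sem)`, which can sleep, yet its only caller in this patch is audit_filter_rules, and in this file audit_filter_task/audit_filter_syscall invoke audit_filter_rules from inside `rcu_read_lock()` sections (outside this hunk); if that holds for this tree, the VMA walk runs in atomic context and cannot be done at filter time as written. `mm = tsk->mm` is also read without `get_task_mm()`/`mmput()`, which matters for the non-current tasks the `AUDIT_EXE_CHILDREN` walk passes in, since their mm can be torn down while this function is scanning it. Recording the executable's `i_ino` together with `i_sb->s_dev` in the audit context at exec time, or using `get_mm_exe_file()` if this tree provides it, would avoid both the sleeping lock and the `VM_EXECUTABLE` scan of `mm->mmap`. The function is non-static with no prototype in a header and is only referenced from auditsc.c, so it should be declared `static int audit_match_exe(struct task_struct *tsk, struct audit_field *f)`.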
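Review bot: The ancestry walk in the `AUDIT_EXE_CHILDREN` case can dereference NULL: `find_task_by_vpid(ptsk->parent->pid)` returns NULL when the parent has already exited, and the next iteration's `ptsk->parent->pid` then faults; it also looks a global `pid` value up in the current task's pid namespace, so inside a container the lookup can resolve to an unrelated task. It follows `->parent`, which under ptrace is the tracer rather than the real parent, so a traced process is matched against the debugger's lineage instead of its own. Walking `real_parent` directly avoids the pid round trip; the version below keeps the original stopping point (tsk upward, excluding init) and relies on the `rcu_read_lock()` that audit_filter_rules' callers hold, which should be confirmed for this tree. audit_filter_rules begins and ends outside the hunk.
```c
		case AUDIT_EXE_CHILDREN:
		{
			struct task_struct *ptsk;

			/* tsk and its ancestors, stopping before init;
			 * callers of audit_filter_rules hold rcu_read_lock() -- confirm for this tree */
			for (ptsk = tsk; ptsk && ptsk->pid > 1;
			     ptsk = rcu_dereference(ptsk->real_parent)) {
				if (audit_match_exe(ptsk, f)) {
					++result;
					break;
				}
			}
		}
		break;
```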
