Commit 16c174bd authored by Eric Paris's avatar Eric Paris Committed by Al Viro
Browse files

audit: check current inode and containing object when filtering on major and minor 



The audit system has the ability to filter on the major and minor number of
the device containing the inode being operated upon.  Lets say that
/dev/sda1 has major,minor 8,1 and that we mount /dev/sda1 on /boot.  Now lets
say we add a watch with a filter on 8,1.  If we proceed to open an inode
inside /boot, such as /vboot/vmlinuz, we will match the major,minor filter.

Lets instead assume that one were to use a tool like debugfs and were to
open /dev/sda1 directly and to modify it's contents.  We might hope that
this would also be logged, but it isn't.  The rules will check the
major,minor of the device containing /dev/sda1.  In other words the rule
would match on the major/minor of the tmpfs mounted at /dev.

I believe these rules should trigger on either device.  The man page is
devoid of useful information about the intended semantics.  It only seems
logical that if you want to know everything that happened on a major,minor
that would include things that happened to the device itself...

Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 3035c51e

kernel/auditsc.c

+14 −10
Original line number Diff line number Diff line
@@ -540,12 +540,14 @@ static int audit_filter_rules(struct task_struct *tsk, 
			}

			break;

		case AUDIT_DEVMAJOR:

			if (name)

				result = audit_comparator(MAJOR(name->dev),

							  f->op, f->val);

			else if (ctx) {

			if (name) {

				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||

				    audit_comparator(MAJOR(name->rdev), f->op, f->val))

					++result;

			} else if (ctx) {

				list_for_each_entry(n, &ctx->names_list, list) {

					if (audit_comparator(MAJOR(n->dev), f->op, f->val)) {

					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||

					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {

						++result;

						break;

					}
@@ -553,12 +555,14 @@ static int audit_filter_rules(struct task_struct *tsk, 
			}

			break;

		case AUDIT_DEVMINOR:

			if (name)

				result = audit_comparator(MINOR(name->dev),

							  f->op, f->val);

			else if (ctx) {

			if (name) {

				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||

				    audit_comparator(MINOR(name->rdev), f->op, f->val))

					++result;

			} else if (ctx) {

				list_for_each_entry(n, &ctx->names_list, list) {

					if (audit_comparator(MINOR(n->dev), f->op, f->val)) {

					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||

					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {

						++result;

						break;

					}

CRA Git | Maintained and supported by SUSTech CRA and CCSE