audit: Make testing for a valid loginuid explicit. (780a7654) · Commits · 戴 / test

include/linux/audit.h

+5 −0

Original line number	Diff line number	Diff line
		@@ -391,6 +391,11 @@ static inline void audit_ptrace(struct task_struct *t)
		#define audit_signals 0
		#endif /* CONFIG_AUDITSYSCALL */

		static inline bool audit_loginuid_set(struct task_struct *tsk)
		{
		return uid_valid(audit_get_loginuid(tsk));
		}

		#ifdef CONFIG_AUDIT
		/* These are defined in audit.c */
		/* Public API */

+1 −0

Original line number	Diff line number	Diff line
		@@ -246,6 +246,7 @@
		#define AUDIT_OBJ_TYPE 21
		#define AUDIT_OBJ_LEV_LOW 22
		#define AUDIT_OBJ_LEV_HIGH 23
		#define AUDIT_LOGINUID_SET 24

		/* These are ONLY useful when checking
		* at syscall exit time (AUDIT_AT_EXIT). */

+15 −2

Original line number	Diff line number	Diff line
		@@ -365,7 +365,10 @@ static int audit_field_valid(struct audit_entry entry, struct audit_field f)
		case AUDIT_DIR:
		case AUDIT_FILTERKEY:
		break;
		/* arch is only allowed to be = or != */
		case AUDIT_LOGINUID_SET:
		if ((f->val != 0) && (f->val != 1))
		return -EINVAL;
		/* FALL THROUGH */
		case AUDIT_ARCH:
		if (f->op != Audit_not_equal && f->op != Audit_equal)
		return -EINVAL;
		@@ -419,17 +422,23 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
		f->lsm_str = NULL;
		f->lsm_rule = NULL;

		/* Support legacy tests for a valid loginuid */
		if ((f->type == AUDIT_LOGINUID) && (f->val == 4294967295)) {
		f->type = AUDIT_LOGINUID_SET;
		f->val = 0;
		}

		err = audit_field_valid(entry, f);
		if (err)
		goto exit_free;

		err = -EINVAL;
		switch (f->type) {
		case AUDIT_LOGINUID:
		case AUDIT_UID:
		case AUDIT_EUID:
		case AUDIT_SUID:
		case AUDIT_FSUID:
		case AUDIT_LOGINUID:
		case AUDIT_OBJ_UID:
		f->uid = make_kuid(current_user_ns(), f->val);
		if (!uid_valid(f->uid))
		@@ -1222,6 +1231,10 @@ static int audit_filter_user_rules(struct audit_krule *rule, int type,
		result = audit_uid_comparator(audit_get_loginuid(current),
		f->op, f->uid);
		break;
		case AUDIT_LOGINUID_SET:
		result = audit_comparator(audit_loginuid_set(current),
		f->op, f->val);
		break;
		case AUDIT_MSGTYPE:
		result = audit_comparator(type, f->op, f->val);
		break;

+4 −1

Original line number	Diff line number	Diff line
		@@ -613,6 +613,9 @@ static int audit_filter_rules(struct task_struct *tsk,
		if (ctx)
		result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
		break;
		case AUDIT_LOGINUID_SET:
		result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
		break;
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		@@ -1970,7 +1973,7 @@ int audit_set_loginuid(kuid_t loginuid)
		unsigned int sessionid;

		#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
		if (uid_valid(task->loginuid))
		if (audit_loginuid_set(task))
		return -EPERM;
		#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
		if (!capable(CAP_AUDIT_CONTROL))