Audit: add support to match lsm labels on user audit messages
authorMiloslav Trmac <mitr@redhat.com>
Thu, 16 Sep 2010 22:14:11 +0000 (18:14 -0400)
committerAl Viro <viro@zeniv.linux.org.uk>
Sat, 30 Oct 2010 05:41:57 +0000 (01:41 -0400)
Add support for matching by security label (e.g. SELinux context) of
the sender of an user-space audit record.

The audit filter code already allows user space to configure such
filters, but they were ignored during evaluation.  This patch implements
evaluation of these filters.

For example, after application of this patch, PAM authentication logs
caused by cron can be disabled using
auditctl -a user,never -F subj_type=crond_t

Signed-off-by: Miloslav Trmac <mitr@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
kernel/auditfilter.c

index eb7675499fb5de7e59058478efbe221fa6f054f6..add2819af71bb2a050907a49c2d228fbf0c1d00d 100644 (file)
@@ -1252,6 +1252,18 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
                case AUDIT_LOGINUID:
                        result = audit_comparator(cb->loginuid, f->op, f->val);
                        break;
+               case AUDIT_SUBJ_USER:
+               case AUDIT_SUBJ_ROLE:
+               case AUDIT_SUBJ_TYPE:
+               case AUDIT_SUBJ_SEN:
+               case AUDIT_SUBJ_CLR:
+                       if (f->lsm_rule)
+                               result = security_audit_rule_match(cb->sid,
+                                                                  f->type,
+                                                                  f->op,
+                                                                  f->lsm_rule,
+                                                                  NULL);
+                       break;
                }
 
                if (!result)