[userspace PATCH v2 0/2] add support for more fields to the exclude filter

[userspace PATCH v2 0/2] add support for more fields to the exclude filter

[Richard Guy Briggs]

Add userspace support for the exclude filter extension of subject
credentials, including detection of the feature in the kernel.

This set should be added after loginuid_set support and before sessionID
user filter support to avoid merge conflicts.

Richard Guy Briggs (2):
  exclude filter: add support for user filter fields
  Check exclude filter cred extension fields available in kernel

 trunk/docs/auditctl.8 |    2 +-
 trunk/lib/errormsg.h  |    4 ++--
 trunk/lib/libaudit.c  |   29 +++++++++++++++++++++++++----
 trunk/lib/libaudit.h  |    3 +++
 4 files changed, 31 insertions(+), 7 deletions(-)

[userspace PATCH v2 1/2] exclude filter: add support for user filter fields

[Richard Guy Briggs]

RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5

Enable the exclude filter to additionally filter on PID, UID, GID, AUID,
LOGINUID_SET, SUBJ_*.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/docs/auditctl.8 |    2 +-
 trunk/lib/errormsg.h  |    2 +-
 trunk/lib/libaudit.c  |   24 ++++++++++++++++++++----
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8
index ceb6c40..540ff70 100644
--- a/trunk/docs/auditctl.8
+++ b/trunk/docs/auditctl.8
@@ -76,7 +76,7 @@ Add a rule to the syscall exit list. This list is used upon exit from a system c
 Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
 .TP
 .B exclude
-Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. The message type that you do not wish to see is given with the msgtype field. 
+Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that.  Events can be excluded by process ID, user ID, group ID, login user ID, login user ID set, message type or subject context.
 .RE
 
 The following describes the valid \fIactions\fP for the rule:
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index c678315..84bfdb3 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -66,7 +66,7 @@ static const struct msg_tab err_msgtab[] = {
     { -28,    2,    "Too many fields in rule:" },
     { -29,    1,    "only takes = operator" },
     { -30,    2,    "Field option not supported by kernel:" },
-    { -31,    1,    "can only be used with exit and user filter lists" },
+    { -31,    1,    "can only be used with exit, user and exclude filter lists" },
     { -32,    2,    "-F value should be boolean 0 or 1 for" },
 };
 #endif
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 236f8bc..798b3c8 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1400,9 +1400,24 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 	if ((field = audit_name_to_field(f)) < 0) 
 		return -2;
 
-	/* Exclude filter can be used only with MSGTYPE field */
-	if (flags == AUDIT_FILTER_EXCLUDE && field != AUDIT_MSGTYPE)
-		return -12; 
+	/* Exclude filter can be used only with MSGTYPE and cred fields */
+	if (flags == AUDIT_FILTER_EXCLUDE)
+		switch(field) {
+			case AUDIT_PID:
+			case AUDIT_UID:
+			case AUDIT_GID:
+			case AUDIT_LOGINUID:
+			case AUDIT_LOGINUID_SET:
+			case AUDIT_MSGTYPE:
+			case AUDIT_SUBJ_USER:
+			case AUDIT_SUBJ_ROLE:
+			case AUDIT_SUBJ_TYPE:
+			case AUDIT_SUBJ_SEN:
+			case AUDIT_SUBJ_CLR:
+				break;
+			default:
+				return -12;
+		}
 
 	rule->fields[rule->field_count] = field;
 	rule->fieldflags[rule->field_count] = op;
@@ -1630,7 +1645,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_LOGINUID_SET:
 			if(!features)
 				return -30;
-			if (flags != AUDIT_FILTER_USER &&
+			if (flags != AUDIT_FILTER_EXCLUDE &&
+			    flags != AUDIT_FILTER_USER &&
 			    flags != AUDIT_FILTER_EXIT)
 				return -31;
 			if (isdigit((char)*(v))) {
-- 
1.7.1

[userspace PATCH v2 2/2] Check exclude filter cred extension fields available in kernel

[Richard Guy Briggs]

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h |    2 +-
 trunk/lib/libaudit.c |   39 ++++++++++++++++++++++-----------------
 trunk/lib/libaudit.h |    3 +++
 3 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 84bfdb3..4a897be 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -47,7 +47,7 @@ static const struct msg_tab err_msgtab[] = {
     { -9,    0,    "msgtype field can only be used with exclude filter list" },
     { -10,    0,    "Failed upgrading rule" },
     { -11,    0,    "String value too long" },
-    { -12,    0,    "Only msgtype field can be used with exclude filter" },
+    { -12,    0,    "Only msgtype, uid, gid, auid*, subj* fields can be used with exclude filter" },
     { -13,    1,    "only takes = or != operators" },
     { -14,    0,    "Permission can only contain  \'rwxa\'" },
     { -15,    2,    "-F unknown errno -"},
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 798b3c8..5ffc38c 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1401,23 +1401,28 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		return -2;
 
 	/* Exclude filter can be used only with MSGTYPE and cred fields */
-	if (flags == AUDIT_FILTER_EXCLUDE)
-		switch(field) {
-			case AUDIT_PID:
-			case AUDIT_UID:
-			case AUDIT_GID:
-			case AUDIT_LOGINUID:
-			case AUDIT_LOGINUID_SET:
-			case AUDIT_MSGTYPE:
-			case AUDIT_SUBJ_USER:
-			case AUDIT_SUBJ_ROLE:
-			case AUDIT_SUBJ_TYPE:
-			case AUDIT_SUBJ_SEN:
-			case AUDIT_SUBJ_CLR:
-				break;
-			default:
-				return -12;
-		}
+	if (flags == AUDIT_FILTER_EXCLUDE) {
+		if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
+			if (field != AUDIT_MSGTYPE)
+				return -30;
+		} else
+			switch(field) {
+				case AUDIT_PID:
+				case AUDIT_UID:
+				case AUDIT_GID:
+				case AUDIT_LOGINUID:
+				case AUDIT_LOGINUID_SET:
+				case AUDIT_MSGTYPE:
+				case AUDIT_SUBJ_USER:
+				case AUDIT_SUBJ_ROLE:
+				case AUDIT_SUBJ_TYPE:
+				case AUDIT_SUBJ_SEN:
+				case AUDIT_SUBJ_CLR:
+					break;
+				default:
+					return -12;
+			}
+	}
 
 	rule->fields[rule->field_count] = field;
 	rule->fieldflags[rule->field_count] = op;
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 0852bcc..f77691f 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -278,6 +278,9 @@ extern "C" {
 #ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH    0x00000004
 #endif
+#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
+#endif
 
 /* Defines for interfield comparison update */
 #ifndef AUDIT_OBJ_UID
-- 
1.7.1

Re: [userspace PATCH v2 2/2] Check exclude filter cred extension fields available in kernel

[Steve Grubb]

On Thursday, August 18, 2016 2:33:20 PM EDT Richard Guy Briggs wrote:
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  trunk/lib/errormsg.h |    2 +-
>  trunk/lib/libaudit.c |   39 ++++++++++++++++++++++-----------------
>  trunk/lib/libaudit.h |    3 +++
>  3 files changed, 26 insertions(+), 18 deletions(-)
> 
> diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
> index 84bfdb3..4a897be 100644
> --- a/trunk/lib/errormsg.h
> +++ b/trunk/lib/errormsg.h
> @@ -47,7 +47,7 @@ static const struct msg_tab err_msgtab[] = {
>      { -9,    0,    "msgtype field can only be used with exclude filter
> list" }, { -10,    0,    "Failed upgrading rule" },
>      { -11,    0,    "String value too long" },
> -    { -12,    0,    "Only msgtype field can be used with exclude filter" },
> +    { -12,    0,    "Only msgtype, uid, gid, auid*, subj* fields can be
> used with exclude filter" }, { -13,    1,    "only takes = or != operators"
> },
>      { -14,    0,    "Permission can only contain  \'rwxa\'" },
>      { -15,    2,    "-F unknown errno -"},
> diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
> index 798b3c8..5ffc38c 100644
> --- a/trunk/lib/libaudit.c
> +++ b/trunk/lib/libaudit.c
> @@ -1401,23 +1401,28 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, return -2;
> 
>  	/* Exclude filter can be used only with MSGTYPE and cred fields */
> -	if (flags == AUDIT_FILTER_EXCLUDE)
> -		switch(field) {
> -			case AUDIT_PID:
> -			case AUDIT_UID:
> -			case AUDIT_GID:
> -			case AUDIT_LOGINUID:
> -			case AUDIT_LOGINUID_SET:
> -			case AUDIT_MSGTYPE:
> -			case AUDIT_SUBJ_USER:
> -			case AUDIT_SUBJ_ROLE:
> -			case AUDIT_SUBJ_TYPE:
> -			case AUDIT_SUBJ_SEN:
> -			case AUDIT_SUBJ_CLR:
> -				break;
> -			default:
> -				return -12;
> -		}
> +	if (flags == AUDIT_FILTER_EXCLUDE) {
> +		if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {

One question, why is this being and'ed directly? I was told that we have to go 
through AUDIT_FEATURE_TO_MASK() to convert the value to a mask which can then 
be and'ed. Is this macro now deprecated?

-Steve

> +			if (field != AUDIT_MSGTYPE)
> +				return -30;
> +		} else
> +			switch(field) {
> +				case AUDIT_PID:
> +				case AUDIT_UID:
> +				case AUDIT_GID:
> +				case AUDIT_LOGINUID:
> +				case AUDIT_LOGINUID_SET:
> +				case AUDIT_MSGTYPE:
> +				case AUDIT_SUBJ_USER:
> +				case AUDIT_SUBJ_ROLE:
> +				case AUDIT_SUBJ_TYPE:
> +				case AUDIT_SUBJ_SEN:
> +				case AUDIT_SUBJ_CLR:
> +					break;
> +				default:
> +					return -12;
> +			}
> +	}
> 
>  	rule->fields[rule->field_count] = field;
>  	rule->fieldflags[rule->field_count] = op;
> diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
> index 0852bcc..f77691f 100644
> --- a/trunk/lib/libaudit.h
> +++ b/trunk/lib/libaudit.h
> @@ -278,6 +278,9 @@ extern "C" {
>  #ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
>  #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH    0x00000004
>  #endif
> +#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
> +#endif
> 
>  /* Defines for interfield comparison update */
>  #ifndef AUDIT_OBJ_UID

Re: [userspace PATCH v2 2/2] Check exclude filter cred extension fields available in kernel

[Richard Guy Briggs]

On 2016-10-10 13:47, Steve Grubb wrote:
> On Thursday, August 18, 2016 2:33:20 PM EDT Richard Guy Briggs wrote:
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  trunk/lib/errormsg.h |    2 +-
> >  trunk/lib/libaudit.c |   39 ++++++++++++++++++++++-----------------
> >  trunk/lib/libaudit.h |    3 +++
> >  3 files changed, 26 insertions(+), 18 deletions(-)
> > 
> > diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
> > index 84bfdb3..4a897be 100644
> > --- a/trunk/lib/errormsg.h
> > +++ b/trunk/lib/errormsg.h
> > @@ -47,7 +47,7 @@ static const struct msg_tab err_msgtab[] = {
> >      { -9,    0,    "msgtype field can only be used with exclude filter
> > list" }, { -10,    0,    "Failed upgrading rule" },
> >      { -11,    0,    "String value too long" },
> > -    { -12,    0,    "Only msgtype field can be used with exclude filter" },
> > +    { -12,    0,    "Only msgtype, uid, gid, auid*, subj* fields can be
> > used with exclude filter" }, { -13,    1,    "only takes = or != operators"
> > },
> >      { -14,    0,    "Permission can only contain  \'rwxa\'" },
> >      { -15,    2,    "-F unknown errno -"},
> > diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
> > index 798b3c8..5ffc38c 100644
> > --- a/trunk/lib/libaudit.c
> > +++ b/trunk/lib/libaudit.c
> > @@ -1401,23 +1401,28 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, return -2;
> > 
> >  	/* Exclude filter can be used only with MSGTYPE and cred fields */
> > -	if (flags == AUDIT_FILTER_EXCLUDE)
> > -		switch(field) {
> > -			case AUDIT_PID:
> > -			case AUDIT_UID:
> > -			case AUDIT_GID:
> > -			case AUDIT_LOGINUID:
> > -			case AUDIT_LOGINUID_SET:
> > -			case AUDIT_MSGTYPE:
> > -			case AUDIT_SUBJ_USER:
> > -			case AUDIT_SUBJ_ROLE:
> > -			case AUDIT_SUBJ_TYPE:
> > -			case AUDIT_SUBJ_SEN:
> > -			case AUDIT_SUBJ_CLR:
> > -				break;
> > -			default:
> > -				return -12;
> > -		}
> > +	if (flags == AUDIT_FILTER_EXCLUDE) {
> > +		if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
> 
> One question, why is this being and'ed directly? I was told that we have to go 
> through AUDIT_FEATURE_TO_MASK() to convert the value to a mask which can then 
> be and'ed. Is this macro now deprecated?

I was going to congratulate you on a nice catch, but
AUDIT_GET/SET_FEATURE and AUDIT_FEATURE_BITMAP are two different things.

The former gets and sets the state of features while the latter replaced
AUDIT_VERSION and simply checks for the presence of a backported
feature.

> -Steve
> 
> > +			if (field != AUDIT_MSGTYPE)
> > +				return -30;
> > +		} else
> > +			switch(field) {
> > +				case AUDIT_PID:
> > +				case AUDIT_UID:
> > +				case AUDIT_GID:
> > +				case AUDIT_LOGINUID:
> > +				case AUDIT_LOGINUID_SET:
> > +				case AUDIT_MSGTYPE:
> > +				case AUDIT_SUBJ_USER:
> > +				case AUDIT_SUBJ_ROLE:
> > +				case AUDIT_SUBJ_TYPE:
> > +				case AUDIT_SUBJ_SEN:
> > +				case AUDIT_SUBJ_CLR:
> > +					break;
> > +				default:
> > +					return -12;
> > +			}
> > +	}
> > 
> >  	rule->fields[rule->field_count] = field;
> >  	rule->fieldflags[rule->field_count] = op;
> > diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
> > index 0852bcc..f77691f 100644
> > --- a/trunk/lib/libaudit.h
> > +++ b/trunk/lib/libaudit.h
> > @@ -278,6 +278,9 @@ extern "C" {
> >  #ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
> >  #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH    0x00000004
> >  #endif
> > +#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
> > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
> > +#endif
> > 
> >  /* Defines for interfield comparison update */
> >  #ifndef AUDIT_OBJ_UID
> 
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

Re: [userspace PATCH v2 0/2] add support for more fields to the exclude filter

[Steve Grubb]

On Thursday, August 18, 2016 2:33:18 PM EDT Richard Guy Briggs wrote:
> Add userspace support for the exclude filter extension of subject
> credentials, including detection of the feature in the kernel.
> 
> This set should be added after loginuid_set support and before sessionID
> user filter support to avoid merge conflicts.
> 
> Richard Guy Briggs (2):
>   exclude filter: add support for user filter fields
>   Check exclude filter cred extension fields available in kernel
> 
>  trunk/docs/auditctl.8 |    2 +-
>  trunk/lib/errormsg.h  |    4 ++--
>  trunk/lib/libaudit.c  |   29 +++++++++++++++++++++++++----
>  trunk/lib/libaudit.h  |    3 +++
>  4 files changed, 31 insertions(+), 7 deletions(-)

Applied with some modifications as commit 1403.

-Steve