[PATCH] filter: add path filter with fstype

[PATCH] filter: add path filter with fstype

[Richard Guy Briggs]

Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
        -a always,exit -F arch=x86_64 -S init_module -F key=mod-load

Add the new "path" filter list anchored in __audit_inode_child() to
filter out PATH records from uninteresting filesystem types, "fstype",
keying on their kernel hexadecimal 4-octet magic identifier.

An example rule would look like:
	-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
	-a never,path -F fstype=0x64626720 -F key=ignore_debugfs

Note: "always,path" will log the PATH record anyways and add latency.

See: https://github.com/linux-audit/audit-userspace/issues/15
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 docs/audit_add_rule_data.3 |    3 +++
 lib/errormsg.h             |    5 +++++
 lib/fieldtab.h             |    2 ++
 lib/flagtab.h              |    2 ++
 lib/libaudit.c             |   26 ++++++++++++++++++++++++--
 lib/libaudit.h             |   10 ++++++++++
 lib/private.h              |    1 +
 src/auditctl-listing.c     |    6 ++++--
 src/auditctl.c             |   14 +++++++++++++-
 9 files changed, 64 insertions(+), 5 deletions(-)

diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
index 2321f39..4867e8c 100644
--- a/docs/audit_add_rule_data.3
+++ b/docs/audit_add_rule_data.3
@@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
 .TP
 \(bu
 AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
+.TP
+\(bu
+AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
 .LP
 
 .PP
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 50c7d50..2a6e4d6 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -20,6 +20,7 @@
  * Authors:
  *      Zhang Xiliang <zhangxiliang@cn.fujitsu.com>
  *      Steve Grubb <sgrubb@redhat.com>
+ *      Richard Guy Briggs <rgb@redhat.com>
  */
 
 struct msg_tab {
@@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
     { -32,    0,    "field data is missing" },
     { -33,    2,    "-C field incompatible" },
     { -34,    2,    "-C value incompatible" },
+    { -35,    1,    "field is not valid for the filter" },
+    { -36,    1,    "filter is not supported ty kernel" },
 };
 #define EAU_OPMISSING		1
 #define EAU_FIELDUNKNOWN	2
@@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
 #define EAU_DATAMISSING		32
 #define EAU_COMPFIELDINCOMPAT	33
 #define EAU_COMPVALINCOMPAT	34
+#define EAU_FIELDUNAVAIL	35
+#define EAU_FILTERNOSUPPORT	36
 #endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index 0c5e39d..c425d5b 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -18,6 +18,7 @@
  *
  * Authors:
  *      Steve Grubb <sgrubb@redhat.com>
+ *      Richard Guy Briggs <rgb@redhat.com>
  */
 
 _S(AUDIT_PID,          "pid"          )
@@ -56,6 +57,7 @@ _S(AUDIT_WATCH,        "path"         )
 _S(AUDIT_PERM,         "perm"         )
 _S(AUDIT_DIR,          "dir"          )
 _S(AUDIT_FILETYPE,     "filetype"     )
+_S(AUDIT_FSTYPE,       "fstype"       )
 _S(AUDIT_OBJ_UID,      "obj_uid"      )
 _S(AUDIT_OBJ_GID,      "obj_gid"      )
 _S(AUDIT_FIELD_COMPARE, "field_compare" )
diff --git a/lib/flagtab.h b/lib/flagtab.h
index 4b04692..ed3e729 100644
--- a/lib/flagtab.h
+++ b/lib/flagtab.h
@@ -18,8 +18,10 @@
  *
  * Authors:
  *      Steve Grubb <sgrubb@redhat.com>
+ *      Richard Guy Briggs <rgb@redhat.com>
  */
 _S(AUDIT_FILTER_TASK,    "task"     )
 _S(AUDIT_FILTER_EXIT,    "exit"     )
 _S(AUDIT_FILTER_USER,    "user"     )
 _S(AUDIT_FILTER_EXCLUDE, "exclude"  )
+_S(AUDIT_FILTER_PATH,    "path"     )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 028483d..f28238a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -19,6 +19,7 @@
  * Authors:
  *      Steve Grubb <sgrubb@redhat.com>
  *      Rickard E. (Rik) Faith <faith@redhat.com>
+ *      Richard Guy Briggs <rgb@redhat.com>
  */
 
 #include "config.h"
@@ -86,6 +87,7 @@ int _audit_archadded = 0;
 int _audit_syscalladded = 0;
 int _audit_exeadded = 0;
 int _audit_filterexcladded = 0;
+int _audit_filterpathadded = 0;
 unsigned int _audit_elf = 0U;
 static struct libaudit_conf config;
 
@@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		}
 	}
 
+	/* PATH filter can be used only with FSTYPE field */
+	if (flags == AUDIT_FILTER_PATH) {
+		uint32_t features = audit_get_features();
+		if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
+			return -EAU_FILTERNOSUPPORT;
+		} else {
+			switch(field) {
+				case AUDIT_FSTYPE:
+					_audit_filterpathadded = 1;
+				case AUDIT_FILTERKEY:
+					break;
+				default:
+					return -EAU_FIELDUNAVAIL;
+			}
+		}
+	}
+
 	rule->fields[rule->field_count] = field;
 	rule->fieldflags[rule->field_count] = op;
 	switch (field)
@@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			}
 			if (field == AUDIT_FILTERKEY &&
 				!(_audit_syscalladded || _audit_permadded ||
-				_audit_exeadded || _audit_filterexcladded))
+				_audit_exeadded || _audit_filterexcladded ||
+				_audit_filterpathadded))
                                 return -EAU_KEYDEP;
 			vlen = strlen(v);
 			if (field == AUDIT_FILTERKEY &&
@@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 				return -EAU_EXITONLY;
 			/* fallthrough */
 		default:
-			if (field == AUDIT_INODE) {
+			if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
 				if (!(op == AUDIT_NOT_EQUAL ||
 							op == AUDIT_EQUAL))
 					return -EAU_OPEQNOTEQ;
@@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			if (!isdigit((char)*(v)))
 				return -EAU_FIELDVALNUM;
 
+			if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
+				return -EAU_FIELDUNAVAIL;
 			if (field == AUDIT_INODE)
 				rule->values[rule->field_count] =
 					strtoul(v, NULL, 0);
diff --git a/lib/libaudit.h b/lib/libaudit.h
index e5c7a4d..e9c4973 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -277,6 +277,9 @@ extern "C" {
 #define AUDIT_KEY_SEPARATOR 0x01
 
 /* These are used in filter control */
+#ifndef AUDIT_FILTER_PATH
+#define AUDIT_FILTER_PATH	0x06 /* PATH record filter in __audit_inode_child */
+#endif
 #define AUDIT_FILTER_EXCLUDE	AUDIT_FILTER_TYPE
 #define AUDIT_FILTER_MASK	0x07	/* Mask to get actual filter */
 #define AUDIT_FILTER_UNSET	0x80	/* This value means filter is unset */
@@ -305,6 +308,9 @@ extern "C" {
 #ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
 #define AUDIT_FEATURE_BITMAP_LOST_RESET		0x00000020
 #endif
+#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
+#define AUDIT_FEATURE_BITMAP_FILTER_PATH	0x00000040
+#endif
 
 /* Defines for interfield comparison update */
 #ifndef AUDIT_OBJ_UID
@@ -324,6 +330,10 @@ extern "C" {
 #define AUDIT_SESSIONID 25
 #endif
 
+#ifndef AUDIT_FSTYPE
+#define AUDIT_FSTYPE 26
+#endif
+
 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
 #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
 #endif
diff --git a/lib/private.h b/lib/private.h
index 855187b..117d6e3 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -140,6 +140,7 @@ extern int _audit_archadded;
 extern int _audit_syscalladded;
 extern int _audit_exeadded;
 extern int _audit_filterexcladded;
+extern int _audit_filterpathadded;
 extern unsigned int _audit_elf;
 
 #ifdef __cplusplus
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index 3bc8e71..e8640dd 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
 
 	if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
 		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
-		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
+		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
+		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
 		for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
 			if (r->mask[i] != (uint32_t)~0) {
 				all = 0;
@@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data *r, unsigned int *sc)
 	/* Rules on the following filters do not take a syscall */
 	if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
 	    ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
-	    ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
+	    ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
+	    ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
 		return 0;
 
 	/* See if its all or specific syscalls */
diff --git a/src/auditctl.c b/src/auditctl.c
index c785087..c7e8f0f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -19,6 +19,7 @@
  * Authors:
  *     Steve Grubb <sgrubb@redhat.com>
  *     Rickard E. (Rik) Faith <faith@redhat.com>
+ *     Richard Guy Briggs <rgb@redhat.com>
  */
 
 #include "config.h"
@@ -75,6 +76,7 @@ static int reset_vars(void)
 	_audit_archadded = 0;
 	_audit_exeadded = 0;
 	_audit_filterexcladded = 0;
+	_audit_filterpathadded = 0;
 	_audit_elf = 0;
 	add = AUDIT_FILTER_UNSET;
 	del = AUDIT_FILTER_UNSET;
@@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
 		*filter = AUDIT_FILTER_EXIT;
 	else if (strcmp(str, "user") == 0)
 		*filter = AUDIT_FILTER_USER;
+	else if (strcmp(str, "path") == 0)
+		*filter = AUDIT_FILTER_PATH;
 	else if (strcmp(str, "exclude") == 0) {
 		*filter = AUDIT_FILTER_EXCLUDE;
 		exclude = 1;
@@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
 			audit_msg(LOG_ERR, 
 			  "Error: syscall auditing being added to user list");
 			return -1;
+		} else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+				AUDIT_FILTER_PATH || (del &
+				(AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+				AUDIT_FILTER_PATH)) {
+			audit_msg(LOG_ERR, 
+			  "Error: syscall auditing being added to path list");
+			return -1;
 		} else if (exclude) {
 			audit_msg(LOG_ERR, 
 		    "Error: syscall auditing cannot be put on exclude list");
@@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
 		break;
 	case 'k':
 		if (!(_audit_syscalladded || _audit_permadded ||
-		      _audit_exeadded || _audit_filterexcladded) ||
+		      _audit_exeadded || _audit_filterexcladded ||
+		      _audit_filterpathadded) ||
 		    (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
 			audit_msg(LOG_ERR,
 		    "key option needs a watch or syscall given prior to it");
-- 
1.7.1

Re: [PATCH] filter: add path filter with fstype

[Steve Grubb]

Hello,

This patch needs to be refactored to match the current count of error messages 
in err_msgtab.

What error message is emitted when run on a kernel that does not support the 
new filter?

On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote:
> Tracefs or debugfs were causing hundreds to thousands of PATH records to
> be associated with the init_module and finit_module SYSCALL records on a
> few modules when the following rule was in place for startup:
>         -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
> 
> Add the new "path" filter list anchored in __audit_inode_child() to
> filter out PATH records from uninteresting filesystem types, "fstype",
> keying on their kernel hexadecimal 4-octet magic identifier.
> 
> An example rule would look like:
> 	-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
> 	-a never,path -F fstype=0x64626720 -F key=ignore_debugfs

Are we sure path is the best name for this filter? Is there something more 
precise like filesystem?


> Note: "always,path" will log the PATH record anyways and add latency.
> 
> See: https://github.com/linux-audit/audit-userspace/issues/15
> See: https://github.com/linux-audit/audit-kernel/issues/8
> Test case: https://github.com/linux-audit/audit-testsuite/issues/42
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  docs/audit_add_rule_data.3 |    3 +++
>  lib/errormsg.h             |    5 +++++
>  lib/fieldtab.h             |    2 ++
>  lib/flagtab.h              |    2 ++
>  lib/libaudit.c             |   26 ++++++++++++++++++++++++--
>  lib/libaudit.h             |   10 ++++++++++
>  lib/private.h              |    1 +
>  src/auditctl-listing.c     |    6 ++++--
>  src/auditctl.c             |   14 +++++++++++++-
>  9 files changed, 64 insertions(+), 5 deletions(-)
> 
> diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
> index 2321f39..4867e8c 100644
> --- a/docs/audit_add_rule_data.3
> +++ b/docs/audit_add_rule_data.3
> @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
>  .TP
>  \(bu
>  AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
> +.TP
> +\(bu
> +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.

I don't think this is real clear. Maybe some others need touching up here as 
well. But we should say something someone with a casual knowledge of audit 
would understand.

>  .LP
> 
>  .PP
> diff --git a/lib/errormsg.h b/lib/errormsg.h
> index 50c7d50..2a6e4d6 100644
> --- a/lib/errormsg.h
> +++ b/lib/errormsg.h
> @@ -20,6 +20,7 @@
>   * Authors:
>   *      Zhang Xiliang <zhangxiliang@cn.fujitsu.com>
>   *      Steve Grubb <sgrubb@redhat.com>
> + *      Richard Guy Briggs <rgb@redhat.com>
>   */
> 
>  struct msg_tab {
> @@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
>      { -32,    0,    "field data is missing" },
>      { -33,    2,    "-C field incompatible" },
>      { -34,    2,    "-C value incompatible" },
> +    { -35,    1,    "field is not valid for the filter" },
> +    { -36,    1,    "filter is not supported ty kernel" },
>  };

Numbers need re-aligning.

-Steve

>  #define EAU_OPMISSING		1
>  #define EAU_FIELDUNKNOWN	2
> @@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
>  #define EAU_DATAMISSING		32
>  #define EAU_COMPFIELDINCOMPAT	33
>  #define EAU_COMPVALINCOMPAT	34
> +#define EAU_FIELDUNAVAIL	35
> +#define EAU_FILTERNOSUPPORT	36
>  #endif
> diff --git a/lib/fieldtab.h b/lib/fieldtab.h
> index 0c5e39d..c425d5b 100644
> --- a/lib/fieldtab.h
> +++ b/lib/fieldtab.h
> @@ -18,6 +18,7 @@
>   *
>   * Authors:
>   *      Steve Grubb <sgrubb@redhat.com>
> + *      Richard Guy Briggs <rgb@redhat.com>
>   */
> 
>  _S(AUDIT_PID,          "pid"          )
> @@ -56,6 +57,7 @@ _S(AUDIT_WATCH,        "path"         )
>  _S(AUDIT_PERM,         "perm"         )
>  _S(AUDIT_DIR,          "dir"          )
>  _S(AUDIT_FILETYPE,     "filetype"     )
> +_S(AUDIT_FSTYPE,       "fstype"       )
>  _S(AUDIT_OBJ_UID,      "obj_uid"      )
>  _S(AUDIT_OBJ_GID,      "obj_gid"      )
>  _S(AUDIT_FIELD_COMPARE, "field_compare" )
> diff --git a/lib/flagtab.h b/lib/flagtab.h
> index 4b04692..ed3e729 100644
> --- a/lib/flagtab.h
> +++ b/lib/flagtab.h
> @@ -18,8 +18,10 @@
>   *
>   * Authors:
>   *      Steve Grubb <sgrubb@redhat.com>
> + *      Richard Guy Briggs <rgb@redhat.com>
>   */
>  _S(AUDIT_FILTER_TASK,    "task"     )
>  _S(AUDIT_FILTER_EXIT,    "exit"     )
>  _S(AUDIT_FILTER_USER,    "user"     )
>  _S(AUDIT_FILTER_EXCLUDE, "exclude"  )
> +_S(AUDIT_FILTER_PATH,    "path"     )
> diff --git a/lib/libaudit.c b/lib/libaudit.c
> index 028483d..f28238a 100644
> --- a/lib/libaudit.c
> +++ b/lib/libaudit.c
> @@ -19,6 +19,7 @@
>   * Authors:
>   *      Steve Grubb <sgrubb@redhat.com>
>   *      Rickard E. (Rik) Faith <faith@redhat.com>
> + *      Richard Guy Briggs <rgb@redhat.com>
>   */
> 
>  #include "config.h"
> @@ -86,6 +87,7 @@ int _audit_archadded = 0;
>  int _audit_syscalladded = 0;
>  int _audit_exeadded = 0;
>  int _audit_filterexcladded = 0;
> +int _audit_filterpathadded = 0;
>  unsigned int _audit_elf = 0U;
>  static struct libaudit_conf config;
> 
> @@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
>  	}
> 
> +	/* PATH filter can be used only with FSTYPE field */
> +	if (flags == AUDIT_FILTER_PATH) {
> +		uint32_t features = audit_get_features();
> +		if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
> +			return -EAU_FILTERNOSUPPORT;
> +		} else {
> +			switch(field) {
> +				case AUDIT_FSTYPE:
> +					_audit_filterpathadded = 1;
> +				case AUDIT_FILTERKEY:
> +					break;
> +				default:
> +					return -EAU_FIELDUNAVAIL;
> +			}
> +		}
> +	}
> +
>  	rule->fields[rule->field_count] = field;
>  	rule->fieldflags[rule->field_count] = op;
>  	switch (field)
> @@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
>  			if (field == AUDIT_FILTERKEY &&
>  				!(_audit_syscalladded || _audit_permadded ||
> -				_audit_exeadded || _audit_filterexcladded))
> +				_audit_exeadded || _audit_filterexcladded ||
> +				_audit_filterpathadded))
>                                  return -EAU_KEYDEP;
>  			vlen = strlen(v);
>  			if (field == AUDIT_FILTERKEY &&
> @@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, return -EAU_EXITONLY;
>  			/* fallthrough */
>  		default:
> -			if (field == AUDIT_INODE) {
> +			if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
>  				if (!(op == AUDIT_NOT_EQUAL ||
>  							op == AUDIT_EQUAL))
>  					return -EAU_OPEQNOTEQ;
> @@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, if (!isdigit((char)*(v)))
>  				return -EAU_FIELDVALNUM;
> 
> +			if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
> +				return -EAU_FIELDUNAVAIL;
>  			if (field == AUDIT_INODE)
>  				rule->values[rule->field_count] =
>  					strtoul(v, NULL, 0);
> diff --git a/lib/libaudit.h b/lib/libaudit.h
> index e5c7a4d..e9c4973 100644
> --- a/lib/libaudit.h
> +++ b/lib/libaudit.h
> @@ -277,6 +277,9 @@ extern "C" {
>  #define AUDIT_KEY_SEPARATOR 0x01
> 
>  /* These are used in filter control */
> +#ifndef AUDIT_FILTER_PATH
> +#define AUDIT_FILTER_PATH	0x06 /* PATH record filter in 
__audit_inode_child
> */ +#endif
>  #define AUDIT_FILTER_EXCLUDE	AUDIT_FILTER_TYPE
>  #define AUDIT_FILTER_MASK	0x07	/* Mask to get actual filter */
>  #define AUDIT_FILTER_UNSET	0x80	/* This value means filter is unset */
> @@ -305,6 +308,9 @@ extern "C" {
>  #ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
>  #define AUDIT_FEATURE_BITMAP_LOST_RESET		0x00000020
>  #endif
> +#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
> +#define AUDIT_FEATURE_BITMAP_FILTER_PATH	0x00000040
> +#endif
> 
>  /* Defines for interfield comparison update */
>  #ifndef AUDIT_OBJ_UID
> @@ -324,6 +330,10 @@ extern "C" {
>  #define AUDIT_SESSIONID 25
>  #endif
> 
> +#ifndef AUDIT_FSTYPE
> +#define AUDIT_FSTYPE 26
> +#endif
> +
>  #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
>  #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
>  #endif
> diff --git a/lib/private.h b/lib/private.h
> index 855187b..117d6e3 100644
> --- a/lib/private.h
> +++ b/lib/private.h
> @@ -140,6 +140,7 @@ extern int _audit_archadded;
>  extern int _audit_syscalladded;
>  extern int _audit_exeadded;
>  extern int _audit_filterexcladded;
> +extern int _audit_filterpathadded;
>  extern unsigned int _audit_elf;
> 
>  #ifdef __cplusplus
> diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
> index 3bc8e71..e8640dd 100644
> --- a/src/auditctl-listing.c
> +++ b/src/auditctl-listing.c
> @@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
> 
>  	if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
>  		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
> -		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
> +		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
> +		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
>  		for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
>  			if (r->mask[i] != (uint32_t)~0) {
>  				all = 0;
> @@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data
> *r, unsigned int *sc) /* Rules on the following filters do not take a
> syscall */
>  	if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
>  	    ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
> -	    ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
> +	    ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
> +	    ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
>  		return 0;
> 
>  	/* See if its all or specific syscalls */
> diff --git a/src/auditctl.c b/src/auditctl.c
> index c785087..c7e8f0f 100644
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -19,6 +19,7 @@
>   * Authors:
>   *     Steve Grubb <sgrubb@redhat.com>
>   *     Rickard E. (Rik) Faith <faith@redhat.com>
> + *     Richard Guy Briggs <rgb@redhat.com>
>   */
> 
>  #include "config.h"
> @@ -75,6 +76,7 @@ static int reset_vars(void)
>  	_audit_archadded = 0;
>  	_audit_exeadded = 0;
>  	_audit_filterexcladded = 0;
> +	_audit_filterpathadded = 0;
>  	_audit_elf = 0;
>  	add = AUDIT_FILTER_UNSET;
>  	del = AUDIT_FILTER_UNSET;
> @@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
>  		*filter = AUDIT_FILTER_EXIT;
>  	else if (strcmp(str, "user") == 0)
>  		*filter = AUDIT_FILTER_USER;
> +	else if (strcmp(str, "path") == 0)
> +		*filter = AUDIT_FILTER_PATH;
>  	else if (strcmp(str, "exclude") == 0) {
>  		*filter = AUDIT_FILTER_EXCLUDE;
>  		exclude = 1;
> @@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
>  			audit_msg(LOG_ERR,
>  			  "Error: syscall auditing being added to user list");
>  			return -1;
> +		} else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> +				AUDIT_FILTER_PATH || (del &
> +				(AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> +				AUDIT_FILTER_PATH)) {
> +			audit_msg(LOG_ERR,
> +			  "Error: syscall auditing being added to path list");
> +			return -1;
>  		} else if (exclude) {
>  			audit_msg(LOG_ERR,
>  		    "Error: syscall auditing cannot be put on exclude list");
> @@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
>  		break;
>  	case 'k':
>  		if (!(_audit_syscalladded || _audit_permadded ||
> -		      _audit_exeadded || _audit_filterexcladded) ||
> +		      _audit_exeadded || _audit_filterexcladded ||
> +		      _audit_filterpathadded) ||
>  		    (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
>  			audit_msg(LOG_ERR,
>  		    "key option needs a watch or syscall given prior to it");

Re: [PATCH] filter: add path filter with fstype

[Richard Guy Briggs]

On 2017-06-12 20:28, Steve Grubb wrote:
> Hello,

Hi (swapping in this task after > 2 months...)

> This patch needs to be refactored to match the current count of error messages 
> in err_msgtab.
> 
> What error message is emitted when run on a kernel that does not support the 
> new filter?

-36 (which needs re-checking now that ghau12/ghau21pr has been reworked.)

> On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote:
> > Tracefs or debugfs were causing hundreds to thousands of PATH records to
> > be associated with the init_module and finit_module SYSCALL records on a
> > few modules when the following rule was in place for startup:
> >         -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
> > 
> > Add the new "path" filter list anchored in __audit_inode_child() to
> > filter out PATH records from uninteresting filesystem types, "fstype",
> > keying on their kernel hexadecimal 4-octet magic identifier.
> > 
> > An example rule would look like:
> > 	-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
> > 	-a never,path -F fstype=0x64626720 -F key=ignore_debugfs
> 
> Are we sure path is the best name for this filter? Is there something more 
> precise like filesystem?

It is filesystem type that we are filtering, but there may be a use case
to filter on another factor later, so like the "type" filter that really
is the "exclude" filter, let's not make that mistake again.

I wrestled with that for a while and kept coming back to "path" filter
due to the fact that it was a path record that was affected.  At the
moment it is only active on audit_inode_child, but I could potentially
see it being active on audit_inode as well.

> > Note: "always,path" will log the PATH record anyways and add latency.
> > 
> > See: https://github.com/linux-audit/audit-userspace/issues/15
> > See: https://github.com/linux-audit/audit-kernel/issues/8
> > Test case: https://github.com/linux-audit/audit-testsuite/issues/42
> > 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  docs/audit_add_rule_data.3 |    3 +++
> >  lib/errormsg.h             |    5 +++++
> >  lib/fieldtab.h             |    2 ++
> >  lib/flagtab.h              |    2 ++
> >  lib/libaudit.c             |   26 ++++++++++++++++++++++++--
> >  lib/libaudit.h             |   10 ++++++++++
> >  lib/private.h              |    1 +
> >  src/auditctl-listing.c     |    6 ++++--
> >  src/auditctl.c             |   14 +++++++++++++-
> >  9 files changed, 64 insertions(+), 5 deletions(-)
> > 
> > diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
> > index 2321f39..4867e8c 100644
> > --- a/docs/audit_add_rule_data.3
> > +++ b/docs/audit_add_rule_data.3
> > @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
> >  .TP
> >  \(bu
> >  AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
> > +.TP
> > +\(bu
> > +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
> 
> I don't think this is real clear. Maybe some others need touching up here as 
> well. But we should say something someone with a casual knowledge of audit 
> would understand.

Agreed.  How about "Apply rule when adding PATH auxiliary records to SYSCALL events."
> 
> >  .LP
> > 
> >  .PP
> > diff --git a/lib/errormsg.h b/lib/errormsg.h
> > index 50c7d50..2a6e4d6 100644
> > --- a/lib/errormsg.h
> > +++ b/lib/errormsg.h
> > @@ -20,6 +20,7 @@
> >   * Authors:
> >   *      Zhang Xiliang <zhangxiliang@cn.fujitsu.com>
> >   *      Steve Grubb <sgrubb@redhat.com>
> > + *      Richard Guy Briggs <rgb@redhat.com>
> >   */
> > 
> >  struct msg_tab {
> > @@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
> >      { -32,    0,    "field data is missing" },
> >      { -33,    2,    "-C field incompatible" },
> >      { -34,    2,    "-C value incompatible" },
> > +    { -35,    1,    "field is not valid for the filter" },
> > +    { -36,    1,    "filter is not supported ty kernel" },
> >  };
> 
> Numbers need re-aligning.

Probably...

> -Steve
> 
> >  #define EAU_OPMISSING		1
> >  #define EAU_FIELDUNKNOWN	2
> > @@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
> >  #define EAU_DATAMISSING		32
> >  #define EAU_COMPFIELDINCOMPAT	33
> >  #define EAU_COMPVALINCOMPAT	34
> > +#define EAU_FIELDUNAVAIL	35
> > +#define EAU_FILTERNOSUPPORT	36
> >  #endif
> > diff --git a/lib/fieldtab.h b/lib/fieldtab.h
> > index 0c5e39d..c425d5b 100644
> > --- a/lib/fieldtab.h
> > +++ b/lib/fieldtab.h
> > @@ -18,6 +18,7 @@
> >   *
> >   * Authors:
> >   *      Steve Grubb <sgrubb@redhat.com>
> > + *      Richard Guy Briggs <rgb@redhat.com>
> >   */
> > 
> >  _S(AUDIT_PID,          "pid"          )
> > @@ -56,6 +57,7 @@ _S(AUDIT_WATCH,        "path"         )
> >  _S(AUDIT_PERM,         "perm"         )
> >  _S(AUDIT_DIR,          "dir"          )
> >  _S(AUDIT_FILETYPE,     "filetype"     )
> > +_S(AUDIT_FSTYPE,       "fstype"       )
> >  _S(AUDIT_OBJ_UID,      "obj_uid"      )
> >  _S(AUDIT_OBJ_GID,      "obj_gid"      )
> >  _S(AUDIT_FIELD_COMPARE, "field_compare" )
> > diff --git a/lib/flagtab.h b/lib/flagtab.h
> > index 4b04692..ed3e729 100644
> > --- a/lib/flagtab.h
> > +++ b/lib/flagtab.h
> > @@ -18,8 +18,10 @@
> >   *
> >   * Authors:
> >   *      Steve Grubb <sgrubb@redhat.com>
> > + *      Richard Guy Briggs <rgb@redhat.com>
> >   */
> >  _S(AUDIT_FILTER_TASK,    "task"     )
> >  _S(AUDIT_FILTER_EXIT,    "exit"     )
> >  _S(AUDIT_FILTER_USER,    "user"     )
> >  _S(AUDIT_FILTER_EXCLUDE, "exclude"  )
> > +_S(AUDIT_FILTER_PATH,    "path"     )
> > diff --git a/lib/libaudit.c b/lib/libaudit.c
> > index 028483d..f28238a 100644
> > --- a/lib/libaudit.c
> > +++ b/lib/libaudit.c
> > @@ -19,6 +19,7 @@
> >   * Authors:
> >   *      Steve Grubb <sgrubb@redhat.com>
> >   *      Rickard E. (Rik) Faith <faith@redhat.com>
> > + *      Richard Guy Briggs <rgb@redhat.com>
> >   */
> > 
> >  #include "config.h"
> > @@ -86,6 +87,7 @@ int _audit_archadded = 0;
> >  int _audit_syscalladded = 0;
> >  int _audit_exeadded = 0;
> >  int _audit_filterexcladded = 0;
> > +int _audit_filterpathadded = 0;
> >  unsigned int _audit_elf = 0U;
> >  static struct libaudit_conf config;
> > 
> > @@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, }
> >  	}
> > 
> > +	/* PATH filter can be used only with FSTYPE field */
> > +	if (flags == AUDIT_FILTER_PATH) {
> > +		uint32_t features = audit_get_features();
> > +		if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
> > +			return -EAU_FILTERNOSUPPORT;
> > +		} else {
> > +			switch(field) {
> > +				case AUDIT_FSTYPE:
> > +					_audit_filterpathadded = 1;
> > +				case AUDIT_FILTERKEY:
> > +					break;
> > +				default:
> > +					return -EAU_FIELDUNAVAIL;
> > +			}
> > +		}
> > +	}
> > +
> >  	rule->fields[rule->field_count] = field;
> >  	rule->fieldflags[rule->field_count] = op;
> >  	switch (field)
> > @@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, }
> >  			if (field == AUDIT_FILTERKEY &&
> >  				!(_audit_syscalladded || _audit_permadded ||
> > -				_audit_exeadded || _audit_filterexcladded))
> > +				_audit_exeadded || _audit_filterexcladded ||
> > +				_audit_filterpathadded))
> >                                  return -EAU_KEYDEP;
> >  			vlen = strlen(v);
> >  			if (field == AUDIT_FILTERKEY &&
> > @@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, return -EAU_EXITONLY;
> >  			/* fallthrough */
> >  		default:
> > -			if (field == AUDIT_INODE) {
> > +			if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
> >  				if (!(op == AUDIT_NOT_EQUAL ||
> >  							op == AUDIT_EQUAL))
> >  					return -EAU_OPEQNOTEQ;
> > @@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, if (!isdigit((char)*(v)))
> >  				return -EAU_FIELDVALNUM;
> > 
> > +			if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
> > +				return -EAU_FIELDUNAVAIL;
> >  			if (field == AUDIT_INODE)
> >  				rule->values[rule->field_count] =
> >  					strtoul(v, NULL, 0);
> > diff --git a/lib/libaudit.h b/lib/libaudit.h
> > index e5c7a4d..e9c4973 100644
> > --- a/lib/libaudit.h
> > +++ b/lib/libaudit.h
> > @@ -277,6 +277,9 @@ extern "C" {
> >  #define AUDIT_KEY_SEPARATOR 0x01
> > 
> >  /* These are used in filter control */
> > +#ifndef AUDIT_FILTER_PATH
> > +#define AUDIT_FILTER_PATH	0x06 /* PATH record filter in 
> __audit_inode_child
> > */ +#endif
> >  #define AUDIT_FILTER_EXCLUDE	AUDIT_FILTER_TYPE
> >  #define AUDIT_FILTER_MASK	0x07	/* Mask to get actual filter */
> >  #define AUDIT_FILTER_UNSET	0x80	/* This value means filter is unset */
> > @@ -305,6 +308,9 @@ extern "C" {
> >  #ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
> >  #define AUDIT_FEATURE_BITMAP_LOST_RESET		0x00000020
> >  #endif
> > +#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
> > +#define AUDIT_FEATURE_BITMAP_FILTER_PATH	0x00000040
> > +#endif
> > 
> >  /* Defines for interfield comparison update */
> >  #ifndef AUDIT_OBJ_UID
> > @@ -324,6 +330,10 @@ extern "C" {
> >  #define AUDIT_SESSIONID 25
> >  #endif
> > 
> > +#ifndef AUDIT_FSTYPE
> > +#define AUDIT_FSTYPE 26
> > +#endif
> > +
> >  #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
> >  #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
> >  #endif
> > diff --git a/lib/private.h b/lib/private.h
> > index 855187b..117d6e3 100644
> > --- a/lib/private.h
> > +++ b/lib/private.h
> > @@ -140,6 +140,7 @@ extern int _audit_archadded;
> >  extern int _audit_syscalladded;
> >  extern int _audit_exeadded;
> >  extern int _audit_filterexcladded;
> > +extern int _audit_filterpathadded;
> >  extern unsigned int _audit_elf;
> > 
> >  #ifdef __cplusplus
> > diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
> > index 3bc8e71..e8640dd 100644
> > --- a/src/auditctl-listing.c
> > +++ b/src/auditctl-listing.c
> > @@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
> > 
> >  	if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
> >  		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
> > -		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
> > +		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
> > +		((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
> >  		for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
> >  			if (r->mask[i] != (uint32_t)~0) {
> >  				all = 0;
> > @@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data
> > *r, unsigned int *sc) /* Rules on the following filters do not take a
> > syscall */
> >  	if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
> >  	    ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
> > -	    ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
> > +	    ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
> > +	    ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
> >  		return 0;
> > 
> >  	/* See if its all or specific syscalls */
> > diff --git a/src/auditctl.c b/src/auditctl.c
> > index c785087..c7e8f0f 100644
> > --- a/src/auditctl.c
> > +++ b/src/auditctl.c
> > @@ -19,6 +19,7 @@
> >   * Authors:
> >   *     Steve Grubb <sgrubb@redhat.com>
> >   *     Rickard E. (Rik) Faith <faith@redhat.com>
> > + *     Richard Guy Briggs <rgb@redhat.com>
> >   */
> > 
> >  #include "config.h"
> > @@ -75,6 +76,7 @@ static int reset_vars(void)
> >  	_audit_archadded = 0;
> >  	_audit_exeadded = 0;
> >  	_audit_filterexcladded = 0;
> > +	_audit_filterpathadded = 0;
> >  	_audit_elf = 0;
> >  	add = AUDIT_FILTER_UNSET;
> >  	del = AUDIT_FILTER_UNSET;
> > @@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
> >  		*filter = AUDIT_FILTER_EXIT;
> >  	else if (strcmp(str, "user") == 0)
> >  		*filter = AUDIT_FILTER_USER;
> > +	else if (strcmp(str, "path") == 0)
> > +		*filter = AUDIT_FILTER_PATH;
> >  	else if (strcmp(str, "exclude") == 0) {
> >  		*filter = AUDIT_FILTER_EXCLUDE;
> >  		exclude = 1;
> > @@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
> >  			audit_msg(LOG_ERR,
> >  			  "Error: syscall auditing being added to user list");
> >  			return -1;
> > +		} else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > +				AUDIT_FILTER_PATH || (del &
> > +				(AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > +				AUDIT_FILTER_PATH)) {
> > +			audit_msg(LOG_ERR,
> > +			  "Error: syscall auditing being added to path list");
> > +			return -1;
> >  		} else if (exclude) {
> >  			audit_msg(LOG_ERR,
> >  		    "Error: syscall auditing cannot be put on exclude list");
> > @@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
> >  		break;
> >  	case 'k':
> >  		if (!(_audit_syscalladded || _audit_permadded ||
> > -		      _audit_exeadded || _audit_filterexcladded) ||
> > +		      _audit_exeadded || _audit_filterexcladded ||
> > +		      _audit_filterpathadded) ||
> >  		    (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> >  			audit_msg(LOG_ERR,
> >  		    "key option needs a watch or syscall given prior to it");
> 
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Re: [PATCH] filter: add path filter with fstype

[Paul Moore]

On Mon, Jun 12, 2017 at 10:45 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-06-12 20:28, Steve Grubb wrote:
>> Hello,
>
> Hi (swapping in this task after > 2 months...)
>
>> This patch needs to be refactored to match the current count of error messages
>> in err_msgtab.
>>
>> What error message is emitted when run on a kernel that does not support the
>> new filter?
>
> -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.)
>
>> On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote:
>> > Tracefs or debugfs were causing hundreds to thousands of PATH records to
>> > be associated with the init_module and finit_module SYSCALL records on a
>> > few modules when the following rule was in place for startup:
>> >         -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
>> >
>> > Add the new "path" filter list anchored in __audit_inode_child() to
>> > filter out PATH records from uninteresting filesystem types, "fstype",
>> > keying on their kernel hexadecimal 4-octet magic identifier.
>> >
>> > An example rule would look like:
>> >     -a never,path -F fstype=0x74726163 -F key=ignore_tracefs
>> >     -a never,path -F fstype=0x64626720 -F key=ignore_debugfs
>>
>> Are we sure path is the best name for this filter? Is there something more
>> precise like filesystem?
>
> It is filesystem type that we are filtering, but there may be a use case
> to filter on another factor later, so like the "type" filter that really
> is the "exclude" filter, let's not make that mistake again.
>
> I wrestled with that for a while and kept coming back to "path" filter
> due to the fact that it was a path record that was affected.  At the
> moment it is only active on audit_inode_child, but I could potentially
> see it being active on audit_inode as well.

FWIW, I too struggled a bit with that name when looking at the kernel
code.  I'm not a fan of "path" in this case, but I can't think of
anything substantially better.

-- 
paul moore
www.paul-moore.com

Re: [PATCH] filter: add path filter with fstype

[Steve Grubb]

Hello,

On Monday, June 12, 2017 10:45:50 PM EDT Richard Guy Briggs wrote:
> On 2017-06-12 20:28, Steve Grubb wrote:
> > This patch needs to be refactored to match the current count of error
> > messages in err_msgtab.
> > 
> > What error message is emitted when run on a kernel that does not support
> > the new filter?
> 
> -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.)

And now that the other error message macros have been applied...


> > On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote:
> > > Tracefs or debugfs were causing hundreds to thousands of PATH records to
> > > be associated with the init_module and finit_module SYSCALL records on a
> > > 
> > > few modules when the following rule was in place for startup:
> > >         -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
> > > 
> > > Add the new "path" filter list anchored in __audit_inode_child() to
> > > filter out PATH records from uninteresting filesystem types, "fstype",
> > > keying on their kernel hexadecimal 4-octet magic identifier.
> > > 
> > > An example rule would look like:
> > > 	-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
> > > 	-a never,path -F fstype=0x64626720 -F key=ignore_debugfs
> > 
> > Are we sure path is the best name for this filter? Is there something more
> > precise like filesystem?
> 
> It is filesystem type that we are filtering, but there may be a use case
> to filter on another factor later, so like the "type" filter that really
> is the "exclude" filter, let's not make that mistake again.

What else could this filter have its hands on? Could it audit mounting/
unmounting of certain file systems?

> I wrestled with that for a while and kept coming back to "path" filter
> due to the fact that it was a path record that was affected. 

I don't like having path as a filter and path as a field option. Path is 
getting too overloaded.

> At the moment it is only active on audit_inode_child, but I could
> potentially see it being active on audit_inode as well.

I'd lean towards filesystem for the filter name.

-Steve

> > > Note: "always,path" will log the PATH record anyways and add latency.
> > > 
> > > See: https://github.com/linux-audit/audit-userspace/issues/15
> > > See: https://github.com/linux-audit/audit-kernel/issues/8
> > > Test case: https://github.com/linux-audit/audit-testsuite/issues/42
> > > 
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > > 
> > >  docs/audit_add_rule_data.3 |    3 +++
> > >  lib/errormsg.h             |    5 +++++
> > >  lib/fieldtab.h             |    2 ++
> > >  lib/flagtab.h              |    2 ++
> > >  lib/libaudit.c             |   26 ++++++++++++++++++++++++--
> > >  lib/libaudit.h             |   10 ++++++++++
> > >  lib/private.h              |    1 +
> > >  src/auditctl-listing.c     |    6 ++++--
> > >  src/auditctl.c             |   14 +++++++++++++-
> > >  9 files changed, 64 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
> > > index 2321f39..4867e8c 100644
> > > --- a/docs/audit_add_rule_data.3
> > > +++ b/docs/audit_add_rule_data.3
> > > @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
> > > 
> > >  .TP
> > >  \(bu
> > >  AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
> > > 
> > > +.TP
> > > +\(bu
> > > +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
> > 
> > I don't think this is real clear. Maybe some others need touching up here
> > as well. But we should say something someone with a casual knowledge of
> > audit would understand.
> 
> Agreed.  How about "Apply rule when adding PATH auxiliary records to SYSCALL
> events."

I updated this man page. It needs to say when its applicable, whether events 
are normally accepted or blocked with no rule applied, and what the typical 
use case is.

-Steve

Re: [PATCH] filter: add path filter with fstype

[Richard Guy Briggs]

On 2017-06-13 17:25, Steve Grubb wrote:
> Hello,
> 
> On Monday, June 12, 2017 10:45:50 PM EDT Richard Guy Briggs wrote:
> > On 2017-06-12 20:28, Steve Grubb wrote:
> > > This patch needs to be refactored to match the current count of error
> > > messages in err_msgtab.
> > > 
> > > What error message is emitted when run on a kernel that does not support
> > > the new filter?
> > 
> > -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.)
> 
> And now that the other error message macros have been applied...

Re-spinning...

> > > On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote:
> > > > Tracefs or debugfs were causing hundreds to thousands of PATH records to
> > > > be associated with the init_module and finit_module SYSCALL records on a
> > > > 
> > > > few modules when the following rule was in place for startup:
> > > >         -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
> > > > 
> > > > Add the new "path" filter list anchored in __audit_inode_child() to
> > > > filter out PATH records from uninteresting filesystem types, "fstype",
> > > > keying on their kernel hexadecimal 4-octet magic identifier.
> > > > 
> > > > An example rule would look like:
> > > > 	-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
> > > > 	-a never,path -F fstype=0x64626720 -F key=ignore_debugfs
> > > 
> > > Are we sure path is the best name for this filter? Is there something more
> > > precise like filesystem?
> > 
> > It is filesystem type that we are filtering, but there may be a use case
> > to filter on another factor later, so like the "type" filter that really
> > is the "exclude" filter, let's not make that mistake again.
> 
> What else could this filter have its hands on? Could it audit mounting/
> unmounting of certain file systems?

I wasn't thinking so much of the filter point, but other filter fields
(like auid=-1? or a mount sub-tree? or ...?).

> > I wrestled with that for a while and kept coming back to "path" filter
> > due to the fact that it was a path record that was affected. 
> 
> I don't like having path as a filter and path as a field option. Path is 
> getting too overloaded.

Granted.

> > At the moment it is only active on audit_inode_child, but I could
> > potentially see it being active on audit_inode as well.
> 
> I'd lean towards filesystem for the filter name.

I think I'm alright with that name.  I'll re-spin the patch and see if
anything jumps out at me in the process.

Another place this might be used is for the CWD record.

> -Steve
> 
> > > > Note: "always,path" will log the PATH record anyways and add latency.
> > > > 
> > > > See: https://github.com/linux-audit/audit-userspace/issues/15
> > > > See: https://github.com/linux-audit/audit-kernel/issues/8
> > > > Test case: https://github.com/linux-audit/audit-testsuite/issues/42
> > > > 
> > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > > ---
> > > > 
> > > >  docs/audit_add_rule_data.3 |    3 +++
> > > >  lib/errormsg.h             |    5 +++++
> > > >  lib/fieldtab.h             |    2 ++
> > > >  lib/flagtab.h              |    2 ++
> > > >  lib/libaudit.c             |   26 ++++++++++++++++++++++++--
> > > >  lib/libaudit.h             |   10 ++++++++++
> > > >  lib/private.h              |    1 +
> > > >  src/auditctl-listing.c     |    6 ++++--
> > > >  src/auditctl.c             |   14 +++++++++++++-
> > > >  9 files changed, 64 insertions(+), 5 deletions(-)
> > > > 
> > > > diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
> > > > index 2321f39..4867e8c 100644
> > > > --- a/docs/audit_add_rule_data.3
> > > > +++ b/docs/audit_add_rule_data.3
> > > > @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
> > > > 
> > > >  .TP
> > > >  \(bu
> > > >  AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
> > > > 
> > > > +.TP
> > > > +\(bu
> > > > +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
> > > 
> > > I don't think this is real clear. Maybe some others need touching up here
> > > as well. But we should say something someone with a casual knowledge of
> > > audit would understand.
> > 
> > Agreed.  How about "Apply rule when adding PATH auxiliary records to SYSCALL
> > events."
> 
> I updated this man page. It needs to say when its applicable, whether events 
> are normally accepted or blocked with no rule applied, and what the typical 
> use case is.

Ok, I see the other examples.

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635