* [PATCH] audit: allow other filter list types for AUDIT_EXE
@ 2018-04-25 13:06 Ondrej Mosnacek
  2018-04-26 16:14 ` Richard Guy Briggs
  2018-05-01 20:06 ` Paul Moore
  0 siblings, 2 replies; 5+ messages in thread
From: Ondrej Mosnacek @ 2018-04-25 13:06 UTC (permalink / raw)
  To: Paul Moore; +Cc: Richard Guy Briggs, linux-audit

This patch removes the restriction of the AUDIT_EXE field to only
SYSCALL filter and teaches audit_filter to recognize this field.

This makes it possible to write rule lists such as:

    auditctl -a exit,always [some general rule]
    # Filter out events with executable name /bin/exe1 or /bin/exe2:
    auditctl -a exclude,always -F exe=/bin/exe1
    auditctl -a exclude,always -F exe=/bin/exe2

See: https://github.com/linux-audit/audit-kernel/issues/54

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 kernel/auditfilter.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index a0c5a3ec6e60..8c9abbf20d42 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_EXE:
 		if (f->op != Audit_not_equal && f->op != Audit_equal)
 			return -EINVAL;
-		if (entry->rule.listnr != AUDIT_FILTER_EXIT)
-			return -EINVAL;
 		break;
 	}
 	return 0;
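Review bot: dropping the listnr check outright makes audit_field_valid() accept AUDIT_EXE on every list type, while the commit message only motivates the exclude list; either narrow the check to the lists that audit_filter() now evaluates, e.g. `if (entry->rule.listnr != AUDIT_FILTER_EXIT && entry->rule.listnr != AUDIT_FILTER_EXCLUDE) return -EINVAL;`, or state in the commit message which lists now accept the field and that the remaining list-specific rejections (such as the FS list's, which the review reply below says happens earlier in this function) are handled elsewhere.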
@@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype)
 							f->type, f->op, f->lsm_rule, NULL);
 				}
 				break;
+			case AUDIT_EXE:
+				result = audit_exe_compare(current, e->rule.exe);
+				if (f->op == Audit_not_equal)
+					result = !result;
+				break;
 			default:
 				goto unlock_and_return;
 			}
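Review bot: `result = !result` in the new AUDIT_EXE case assumes audit_exe_compare() only ever returns 0 or 1; if it can return a negative error, the inversion turns that error into a positive match and the error is masked, so please confirm the return range or invert only after an explicit negative check. The comparison is made against `current`, i.e. the task emitting the record at the moment audit_filter() runs, which is the right semantics for the exclude and user lists but differs from the exit list, the only list that accepted this field before the first hunk and whose matching this patch leaves untouched; the commit message should say so. A test exercising both Audit_equal and Audit_not_equal on the exclude list would answer the request below for a working test.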
-- 
2.14.3
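As an added example, not part of the patch or of the kernel's own code, the following user-space C model shows how audit_filter() walks a rule's field list on the exclude list once the AUDIT_EXE case from the second hunk is present: fields are ANDed, Audit_not_equal inverts the exe comparison, and a field type the list cannot evaluate leaves the default "audit" verdict in place. The names exe_compare, int_compare, rule_matches, exclude_filter and the three scenario functions are this model's own; it compares executable paths as strings where the kernel compares the inode and device of the task's exe against an fsnotify mark, and it assumes (as this model's reading of audit_filter()) that any matching rule on the exclude list drops the record and that records are audited by default.

```c
#include <string.h>

/* Simplified stand-ins for the kernel's field types and operators (model only). */
enum op { OP_EQUAL, OP_NOT_EQUAL };
enum field_type { FIELD_MSGTYPE, FIELD_EXE, FIELD_UNSUPPORTED };
#define MSG_SYSCALL 1300 /* AUDIT_SYSCALL's record type number */

/* One "-F" term: val is the FIELD_MSGTYPE operand, path the FIELD_EXE operand. */
struct field { enum field_type type; enum op op; int val; const char *path; };
struct rule { int field_count; struct field fields[4]; };

/* Stand-in for audit_exe_compare(): the kernel compares the executable's inode
 * and device with the rule's fsnotify mark; this model compares the path of
 * the task emitting the record (the kernel's "current"). */
static int exe_compare(const char *task_exe, const char *rule_path)
{
	return strcmp(task_exe, rule_path) == 0;
}

/* Stand-in for audit_comparator(), limited to the two operators AUDIT_EXE allows. */
static int int_compare(int lhs, enum op op, int rhs)
{
	return op == OP_EQUAL ? lhs == rhs : lhs != rhs;
}

/* Walk one rule's fields as audit_filter() does: fields are ANDed, so the first
 * mismatch returns 0; a field type this list cannot evaluate returns -1 (the
 * kernel's "goto unlock_and_return"). */
static int rule_matches(const struct rule *r, int msgtype, const char *task_exe)
{
	int result = 0;
	for (int i = 0; i < r->field_count; i++) {
		const struct field *f = &r->fields[i];
		switch (f->type) {
		case FIELD_MSGTYPE:
			result = int_compare(msgtype, f->op, f->val);
			break;
		case FIELD_EXE:  /* the case the patch adds */
			result = exe_compare(task_exe, f->path);
			if (f->op == OP_NOT_EQUAL)
				result = !result;
			break;
		default:
			return -1;
		}
		if (!result)
			return 0;
	}
	return result;
}

/* Model of audit_filter() on the exclude list: 1 = audit the record (the
 * default), 0 = drop it because an exclude rule matched. */
static int exclude_filter(const struct rule *rules, int n, int msgtype,
			  const char *task_exe)
{
	int ret = 1; /* audit by default */
	for (int i = 0; i < n; i++) {
		int m = rule_matches(&rules[i], msgtype, task_exe);
		if (m < 0)
			break;   /* unevaluable field: keep the default verdict */
		if (m > 0) {
			ret = 0; /* any match on the exclude list drops the record */
			break;
		}
	}
	return ret;
}

/* Constructed scenario from the commit message (two "exclude,always -F exe="
 * rules). Returns 1 if a syscall record from `exe` is still audited, 0 if dropped. */
int audited_with_exe_excludes(const char *exe)
{
	const struct rule rules[] = {
		{ 1, { { FIELD_EXE, OP_EQUAL, 0, "/bin/exe1" } } },
		{ 1, { { FIELD_EXE, OP_EQUAL, 0, "/bin/exe2" } } },
	};
	return exclude_filter(rules, 2, MSG_SYSCALL, exe);
}

/* Constructed scenario with the inverted operator: a single rule
 * "-F msgtype=SYSCALL -F exe!=/bin/trusted" keeps syscall records only from
 * /bin/trusted; records of any other msgtype are unaffected. */
int audited_with_not_equal_rule(const char *exe, int msgtype)
{
	const struct rule rules[] = {
		{ 2, { { FIELD_MSGTYPE, OP_EQUAL, MSG_SYSCALL, NULL },
		       { FIELD_EXE, OP_NOT_EQUAL, 0, "/bin/trusted" } } },
	};
	return exclude_filter(rules, 1, msgtype, exe);
}

/* A field this list cannot evaluate: the verdict falls back to "audit". */
int audited_with_unsupported_field(void)
{
	const struct rule rules[] = { { 1, { { FIELD_UNSUPPORTED, OP_EQUAL, 0, NULL } } } };
	return exclude_filter(rules, 1, MSG_SYSCALL, "/bin/exe1");
}
```

The point the model makes visible is that the exclude list fails toward logging: a rule the list cannot evaluate never suppresses a record, whereas an `exe!=` rule suppresses everything except the named executable, so a mistyped path in such a rule silences the whole msgtype rather than one program.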


* Re: [PATCH] audit: allow other filter list types for AUDIT_EXE
  2018-04-25 13:06 [PATCH] audit: allow other filter list types for AUDIT_EXE Ondrej Mosnacek
@ 2018-04-26 16:14 ` Richard Guy Briggs
  2018-05-01 20:06 ` Paul Moore
  1 sibling, 0 replies; 5+ messages in thread
From: Richard Guy Briggs @ 2018-04-26 16:14 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: linux-audit

On 2018-04-25 15:06, Ondrej Mosnacek wrote:
> This patch removes the restriction of the AUDIT_EXE field to only
> SYSCALL filter and teaches audit_filter to recognize this field.
> 
> This makes it possible to write rule lists such as:
> 
>     auditctl -a exit,always [some general rule]
>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>     auditctl -a exclude,always -F exe=/bin/exe1
>     auditctl -a exclude,always -F exe=/bin/exe2
> 
> See: https://github.com/linux-audit/audit-kernel/issues/54
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  kernel/auditfilter.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index a0c5a3ec6e60..8c9abbf20d42 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
>  	case AUDIT_EXE:
>  		if (f->op != Audit_not_equal && f->op != Audit_equal)
>  			return -EINVAL;
> -		if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> -			return -EINVAL;

This looks right since the FS filter will throw its own error higher in
that function.  (The ENTRY and WATCH filters are gone.)

>  		break;
>  	}
>  	return 0;
> @@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype)
>  							f->type, f->op, f->lsm_rule, NULL);
>  				}
>  				break;
> +			case AUDIT_EXE:
> +				result = audit_exe_compare(current, e->rule.exe);
> +				if (f->op == Audit_not_equal)
> +					result = !result;
> +				break;
>  			default:
>  				goto unlock_and_return;
>  			}

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH] audit: allow other filter list types for AUDIT_EXE
  2018-04-25 13:06 [PATCH] audit: allow other filter list types for AUDIT_EXE Ondrej Mosnacek
  2018-04-26 16:14 ` Richard Guy Briggs
@ 2018-05-01 20:06 ` Paul Moore
  2018-05-02  7:00   ` Ondrej Mosnacek
  1 sibling, 1 reply; 5+ messages in thread
From: Paul Moore @ 2018-05-01 20:06 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: Richard Guy Briggs, linux-audit

On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek <omosnace@redhat.com> wrote:
> This patch removes the restriction of the AUDIT_EXE field to only
> SYSCALL filter and teaches audit_filter to recognize this field.
>
> This makes it possible to write rule lists such as:
>
>     auditctl -a exit,always [some general rule]
>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>     auditctl -a exclude,always -F exe=/bin/exe1
>     auditctl -a exclude,always -F exe=/bin/exe2
>
> See: https://github.com/linux-audit/audit-kernel/issues/54
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  kernel/auditfilter.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)

Looks reasonable, do you have a working test for this?

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index a0c5a3ec6e60..8c9abbf20d42 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
>         case AUDIT_EXE:
>                 if (f->op != Audit_not_equal && f->op != Audit_equal)
>                         return -EINVAL;
> -               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> -                       return -EINVAL;
>                 break;
>         }
>         return 0;
> @@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype)
>                                                         f->type, f->op, f->lsm_rule, NULL);
>                                 }
>                                 break;
> +                       case AUDIT_EXE:
> +                               result = audit_exe_compare(current, e->rule.exe);
> +                               if (f->op == Audit_not_equal)
> +                                       result = !result;
> +                               break;
>                         default:
>                                 goto unlock_and_return;
>                         }
> --
> 2.14.3
>



-- 
paul moore
www.paul-moore.com


* Re: [PATCH] audit: allow other filter list types for AUDIT_EXE
  2018-05-01 20:06 ` Paul Moore
@ 2018-05-02  7:00   ` Ondrej Mosnacek
  2018-05-02 14:54     ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: Ondrej Mosnacek @ 2018-05-02  7:00 UTC (permalink / raw)
  To: Paul Moore; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

2018-05-01 22:06 GMT+02:00 Paul Moore <paul@paul-moore.com>:
> On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek <omosnace@redhat.com> wrote:
>> This patch removes the restriction of the AUDIT_EXE field to only
>> SYSCALL filter and teaches audit_filter to recognize this field.
>>
>> This makes it possible to write rule lists such as:
>>
>>     auditctl -a exit,always [some general rule]
>>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>>     auditctl -a exclude,always -F exe=/bin/exe1
>>     auditctl -a exclude,always -F exe=/bin/exe2
>>
>> See: https://github.com/linux-audit/audit-kernel/issues/54
>>
>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>> ---
>>  kernel/auditfilter.c | 7 +++++--
>>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> Looks reasonable, do you have a working test for this?

Sure, I listed all the related patches (test suite and userspace) in
the GHAK issue. Anyway, the testsuite patch can be found here:

https://github.com/linux-audit/audit-testsuite/pull/68

>
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index a0c5a3ec6e60..8c9abbf20d42 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
>>         case AUDIT_EXE:
>>                 if (f->op != Audit_not_equal && f->op != Audit_equal)
>>                         return -EINVAL;
>> -               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>> -                       return -EINVAL;
>>                 break;
>>         }
>>         return 0;
>> @@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype)
>>                                                         f->type, f->op, f->lsm_rule, NULL);
>>                                 }
>>                                 break;
>> +                       case AUDIT_EXE:
>> +                               result = audit_exe_compare(current, e->rule.exe);
>> +                               if (f->op == Audit_not_equal)
>> +                                       result = !result;
>> +                               break;
>>                         default:
>>                                 goto unlock_and_return;
>>                         }
>> --
>> 2.14.3
>>
>
>
>
> --
> paul moore
> www.paul-moore.com



-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.


* Re: [PATCH] audit: allow other filter list types for AUDIT_EXE
  2018-05-02  7:00   ` Ondrej Mosnacek
@ 2018-05-02 14:54     ` Paul Moore
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2018-05-02 14:54 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On Wed, May 2, 2018 at 3:00 AM, Ondrej Mosnacek <omosnace@redhat.com> wrote:
> 2018-05-01 22:06 GMT+02:00 Paul Moore <paul@paul-moore.com>:
>> On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek <omosnace@redhat.com> wrote:
>>> This patch removes the restriction of the AUDIT_EXE field to only
>>> SYSCALL filter and teaches audit_filter to recognize this field.
>>>
>>> This makes it possible to write rule lists such as:
>>>
>>>     auditctl -a exit,always [some general rule]
>>>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>>>     auditctl -a exclude,always -F exe=/bin/exe1
>>>     auditctl -a exclude,always -F exe=/bin/exe2
>>>
>>> See: https://github.com/linux-audit/audit-kernel/issues/54
>>>
>>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>>> ---
>>>  kernel/auditfilter.c | 7 +++++--
>>>  1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> Looks reasonable, do you have a working test for this?
>
> Sure, I listed all the related patches (test suite and userspace) in
> the GHAK issue. Anyway, the testsuite patch can be found here:
>
> https://github.com/linux-audit/audit-testsuite/pull/68

Great, thanks.  As soon as we get a verdict on the userspace portion
from Steve I think we can merge this.

>>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>>> index a0c5a3ec6e60..8c9abbf20d42 100644
>>> --- a/kernel/auditfilter.c
>>> +++ b/kernel/auditfilter.c
>>> @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
>>>         case AUDIT_EXE:
>>>                 if (f->op != Audit_not_equal && f->op != Audit_equal)
>>>                         return -EINVAL;
>>> -               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>>> -                       return -EINVAL;
>>>                 break;
>>>         }
>>>         return 0;
>>> @@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype)
>>>                                                         f->type, f->op, f->lsm_rule, NULL);
>>>                                 }
>>>                                 break;
>>> +                       case AUDIT_EXE:
>>> +                               result = audit_exe_compare(current, e->rule.exe);
>>> +                               if (f->op == Audit_not_equal)
>>> +                                       result = !result;
>>> +                               break;
>>>                         default:
>>>                                 goto unlock_and_return;
>>>                         }
>>> --
>>> 2.14.3
>>>
>>
>>
>>
>> --
>> paul moore
>> www.paul-moore.com
>
>
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.



-- 
paul moore
www.paul-moore.com

