[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[PATCH] (2/2) new audit filter allows excluding messages by type (userspace)



Userspace component to pass an exclude filter to and from the kernel.

- Teach userspace about the "exclude,???" filter
- Teach userspace about the "msgtype=???" field
- Look up the message type in the name-to-msg table if need be

STEVE:

The blob of code in audit_print_reply() might take some munging.  This
patch is built on top of my operators patch, which you haven't released
yet.  I taught the "auditctl -l" to process the "exclude" list rules
from the kernel for better debugging purposes.  To do this, I had to
update audit_print_reply() to translate the operators to their symbols.
I'll gladly rework this part as soon as you have a release of audit with
the operator code in it.

But this should be enough to see what's going on here.  Comments
welcome.

:-Dustin



diff -urpN audit-1.0.7-operators/lib/libaudit.c
audit-1.0.7-operators-exclude/lib/libaudit.c
--- audit-1.0.7-operators/lib/libaudit.c	2005-10-26 12:58:59.000000000 -0500
+++ audit-1.0.7-operators-exclude/lib/libaudit.c	2005-11-01 16:28:09.000000000 -0600
@@ -699,6 +699,17 @@ int audit_rule_fieldpair(struct audit_ru
 				}
 			}
 			break;
+		case AUDIT_MSGTYPE:
+			if (isdigit((char)*(v)))
+				rule->values[rule->field_count] =
+					strtol(v, NULL, 0);
+			else
+				if (audit_name_to_msg_type(v) > 0)
+					rule->values[rule->field_count] =
+						audit_name_to_msg_type(v);
+				else
+					return -8;
+			break;
 		case AUDIT_ARCH:
 			if (audit_syscalladded) 
 				return -3;
 /* This bitmask is used to validate user input.  It represents all bits that
    are currently used in an audit field constant understood by the kernel.
diff -urpN audit-1.0.7-operators/lib/lookup_table.c audit-1.0.7-operators-exclude/lib/lookup_table.c
--- audit-1.0.7-operators/lib/lookup_table.c	2005-10-20 17:28:40.000000000 -0500
+++ audit-1.0.7-operators-exclude/lib/lookup_table.c	2005-10-31 15:53:55.000000000 -0600
@@ -90,6 +90,7 @@ static struct transtab fieldtab[] = {
     { AUDIT_LOGINUID, "loginuid" },
     { AUDIT_PERS,     "pers"     },
     { AUDIT_ARCH,     "arch"     },
+    { AUDIT_MSGTYPE,  "msgtype"  },
 
     { AUDIT_DEVMAJOR, "devmajor" },
     { AUDIT_DEVMINOR, "devminor" },
@@ -104,11 +105,12 @@ static struct transtab fieldtab[] = {
 #define AUDIT_FIELD_NAMES (sizeof(fieldtab)/sizeof(fieldtab[0]))
 
 static struct transtab flagtab[] = {
-    { AUDIT_FILTER_TASK,  "task"     },
-    { AUDIT_FILTER_ENTRY, "entry"    },
-    { AUDIT_FILTER_EXIT,  "exit"     },
-    { AUDIT_FILTER_USER,  "user"     },
-    { AUDIT_FILTER_WATCH, "watch"    }
+    { AUDIT_FILTER_TASK,    "task"     },
+    { AUDIT_FILTER_ENTRY,   "entry"    },
+    { AUDIT_FILTER_EXIT,    "exit"     },
+    { AUDIT_FILTER_USER,    "user"     },
+    { AUDIT_FILTER_WATCH,   "watch"    },
+    { AUDIT_FILTER_EXCLUDE, "exclude"  }
 
 };
 #define AUDIT_FLAG_NAMES (sizeof(flagtab)/sizeof(flagtab[0]))
diff -urpN audit-1.0.7-operators/src/auditctl.c audit-1.0.7-operators-exclude/src/auditctl.c
--- audit-1.0.7-operators/src/auditctl.c	2005-10-20 17:28:03.000000000 -0500
+++ audit-1.0.7-operators-exclude/src/auditctl.c	2005-11-01 16:24:34.000000000 -0600
@@ -150,6 +150,8 @@ static int audit_rule_setup(const char *
 		*flags = AUDIT_FILTER_USER;
 	else if (strstr(opt, "watch"))
 		*flags = AUDIT_FILTER_WATCH;
+	else if (strstr(opt, "exclude"))
+		*flags = AUDIT_FILTER_EXCLUDE;
 	else
 		return 1;
 	if (strstr(opt, "never"))
@@ -569,6 +571,10 @@ static int setopt(int count, char *vars[
 				fprintf(stderr, "Field %s cannot be checked at syscall entry\n", optarg);
 				retval = -1;
 				break;
+			case -8:
+				fprintf(stderr, "-F unknown message type\n");
+				retval = -1;
+				break;
 			default:
 				retval = -1;
 				break;
@@ -1011,30 +1017,34 @@ static int audit_print_reply(struct audi
 				audit_flag_to_name((int)rep->rule->flags),
 				audit_action_to_name(rep->rule->action));
 			for (i = 0; i < rep->rule->field_count; i++) {
-				int field = rep->rule->fields[i];
-				int negated = 0;
-
-				if (field & AUDIT_NEGATE) {
-					field &= ~AUDIT_NEGATE;
-					negated  = 1;
-				}
+				int field = rep->rule->fields[i] & ~AUDIT_OPERATORS & ~AUDIT_NEGATE;
+				int op = rep->rule->fields[i] & AUDIT_OPERATORS & ~AUDIT_NEGATE;
                 
 				const char *name = audit_field_to_name(field);
 				if (name) {
 					if (strcmp(name, "arch") == 0) { 
 						audit_elf =rep->rule->values[i];
 						printf(" %s%s%u", name, 
-							negated ? "!=" : "=",
+							audit_operator_to_symbol(op),
 							(unsigned)rep->rule->values[i]);
 					}
-					else 
+					else if (strcmp(name, "msgtype") == 0) 
+						if (!audit_msg_type_to_name(rep->rule->values[i]))
+							printf(" %s%s%d", name,
+								audit_operator_to_symbol(op),
+								rep->rule->values[i]);
+						else
+							printf(" %s%s%s", name,
+								audit_operator_to_symbol(op),
+								audit_msg_type_to_name(rep->rule->values[i]));
+					else
 						printf(" %s%s%d", name, 
-							negated ? "!=" : "=",
+							audit_operator_to_symbol(op),
 							rep->rule->values[i]);
 				}
 				else 
 					printf(" f%d%s%d", rep->rule->fields[i],
-						negated ? "!=" : "=",
+						audit_operator_to_symbol(op),
 						rep->rule->values[i]);
 				if (rep->rule->values[i])
 					printf(" (0x%x)", rep->rule->values[i]);

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]