[PATCH] audit: allow other filter list types for AUDIT_EXE

Wed May 2 07:00:09 UTC 2018

2018-05-01 22:06 GMT+02:00 Paul Moore <paul at paul-moore.com>:
> On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek <omosnace at redhat.com> wrote:
>> This patch removes the restriction of the AUDIT_EXE field to only
>> SYSCALL filter and teaches audit_filter to recognize this field.
>>
>> This makes it possible to write rule lists such as:
>>
>>     auditctl -a exit,always [some general rule]
>>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>>     auditctl -a exclude,always -F exe=/bin/exe1
>>     auditctl -a exclude,always -F exe=/bin/exe2
>>
>> See: https://github.com/linux-audit/audit-kernel/issues/54
>>
>> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
>> ---
>>  kernel/auditfilter.c | 7 +++++--
>>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> Looks reasonable, do you have a working test for this?

Sure, I listed all the related patches (test suite and userspace) in
the GHAK issue. Anyway, the testsuite patch can be found here:

https://github.com/linux-audit/audit-testsuite/pull/68

>
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index a0c5a3ec6e60..8c9abbf20d42 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
>>         case AUDIT_EXE:
>>                 if (f->op != Audit_not_equal && f->op != Audit_equal)
>>                         return -EINVAL;
>> -               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>> -                       return -EINVAL;
>>                 break;
>>         }
>>         return 0;
>> @@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype)
>>                                                         f->type, f->op, f->lsm_rule, NULL);
>>                                 }
>>                                 break;
>> +                       case AUDIT_EXE:
>> +                               result = audit_exe_compare(current, e->rule.exe);
>> +                               if (f->op == Audit_not_equal)
>> +                                       result = !result;
>> +                               break;
>>                         default:
>>                                 goto unlock_and_return;
>>                         }
>> --
>> 2.14.3
>>
>
>
>
> --
> paul moore
> www.paul-moore.com

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.