[PATCH] audit: allow other filter list types for AUDIT_EXE

Paul Moore paul at paul-moore.com
Wed May 2 14:54:56 UTC 2018


On Wed, May 2, 2018 at 3:00 AM, Ondrej Mosnacek <omosnace at redhat.com> wrote:
> 2018-05-01 22:06 GMT+02:00 Paul Moore <paul at paul-moore.com>:
>> On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek <omosnace at redhat.com> wrote:
>>> This patch removes the restriction of the AUDIT_EXE field to only
>>> SYSCALL filter and teaches audit_filter to recognize this field.
>>>
>>> This makes it possible to write rule lists such as:
>>>
>>>     auditctl -a exit,always [some general rule]
>>>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>>>     auditctl -a exclude,always -F exe=/bin/exe1
>>>     auditctl -a exclude,always -F exe=/bin/exe2
>>>
>>> See: https://github.com/linux-audit/audit-kernel/issues/54
>>>
>>> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
>>> ---
>>>  kernel/auditfilter.c | 7 +++++--
>>>  1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> Looks reasonable, do you have a working test for this?
>
> Sure, I listed all the related patches (test suite and userspace) in
> the GHAK issue. Anyway, the testsuite patch can be found here:
>
> https://github.com/linux-audit/audit-testsuite/pull/68

Great, thanks.  As soon as we get a verdict on the userspace portion
from Steve I think we can merge this.

>>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>>> index a0c5a3ec6e60..8c9abbf20d42 100644
>>> --- a/kernel/auditfilter.c
>>> +++ b/kernel/auditfilter.c
>>> @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
>>>         case AUDIT_EXE:
>>>                 if (f->op != Audit_not_equal && f->op != Audit_equal)
>>>                         return -EINVAL;
>>> -               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>>> -                       return -EINVAL;
>>>                 break;
>>>         }
>>>         return 0;
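Review bot: the listnr check is dropped outright rather than narrowed, so after this hunk audit_field_valid() accepts `-F exe=` on every filter list, including any list whose matching path does not evaluate AUDIT_EXE; such a rule would load without the -EINVAL that previously told the user it was unsupported. Consider replacing the removed lines with an explicit check for the lists that actually compare the field (AUDIT_FILTER_EXIT plus the lists handled in audit_filter()), or at least a short comment at the `case AUDIT_EXE:` label stating which lists evaluate it, so the next list type added here does not silently accept a field it never matches.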
>>> @@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype)
>>>                                                         f->type, f->op, f->lsm_rule, NULL);
>>>                                 }
>>>                                 break;
>>> +                       case AUDIT_EXE:
>>> +                               result = audit_exe_compare(current, e->rule.exe);
>>> +                               if (f->op == Audit_not_equal)
>>> +                                       result = !result;
>>> +                               break;
>>>                         default:
>>>                                 goto unlock_and_return;
>>>                         }
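Review bot: the new case compares against `current`, which is the sender for user messages but, when audit_filter() is reached for the exclude list from the kernel-side logging path, may be a kernel thread or a task with no user-space executable; it is worth confirming that audit_exe_compare() returns a plain no-match in that situation rather than an error value, since `result = !result` for Audit_not_equal would turn any non-zero error into a match. A one-line comment above `result = audit_exe_compare(current, e->rule.exe);` saying the match is against the calling task would make the intended semantics clear to readers of this switch, where the surrounding cases compare rule fields rather than task state.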
>>> --
>>> 2.14.3
>>>
>>
>>
>>
>> --
>> paul moore
>> www.paul-moore.com
>
>
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.



-- 
paul moore
www.paul-moore.com