[PATCH 2/2] exclude filter: add support for user filter fields

[Richard Guy Briggs]

RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5

Enable the exclude filter to additionally filter on PID, UID, GID, AUID,
LOGINUID_SET, SUBJ_*.

Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---
 docs/auditctl.8 |    2 +-
 lib/libaudit.c  |   21 ++++++++++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/docs/auditctl.8 b/docs/auditctl.8
index ceb6c40..540ff70 100644
--- a/docs/auditctl.8
+++ b/docs/auditctl.8
@@ -76,7 +76,7 @@ Add a rule to the syscall exit list. This list is used upon exit from a system c
 Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
 .TP
 .B exclude
-Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. The message type that you do not wish to see is given with the msgtype field. 
+Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that.  Events can be excluded by process ID, user ID, group ID, login user ID, login user ID set, message type or subject context.
 .RE
 
 The following describes the valid \fIactions\fP for the rule:
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 184bc65..cff2cd8 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1393,9 +1393,24 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 	if ((field = audit_name_to_field(f)) < 0) 
 		return -2;
 
-	/* Exclude filter can be used only with MSGTYPE field */
-	if (flags == AUDIT_FILTER_EXCLUDE && field != AUDIT_MSGTYPE)
-		return -12; 
+	/* Exclude filter can be used only with MSGTYPE and cred fields */
+	if (flags == AUDIT_FILTER_EXCLUDE)
+		switch(field) {
+ 			case AUDIT_PID:
+ 			case AUDIT_UID:
+ 			case AUDIT_GID:
+ 			case AUDIT_LOGINUID:
+ 			case AUDIT_LOGINUID_SET:
+ 			case AUDIT_MSGTYPE:
+ 			case AUDIT_SUBJ_USER:
+ 			case AUDIT_SUBJ_ROLE:
+ 			case AUDIT_SUBJ_TYPE:
+ 			case AUDIT_SUBJ_SEN:
+ 			case AUDIT_SUBJ_CLR:
+				break;
+			default:
+				return -12; 
+		}
 
 	rule->fields[rule->field_count] = field;
 	rule->fieldflags[rule->field_count] = op;
-- 
1.7.1