[PATCH] audit: add fields to exclude filter by reusing user filter

Paul Moore paul at paul-moore.com
Fri Jun 3 19:32:17 UTC 2016


On Wed, Jun 1, 2016 at 6:50 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> RFE: add additional fields for use in audit filter exclude rules
> https://github.com/linux-audit/audit-kernel/issues/5
>
> Re-factor audit_filter_type() to use audit_filter_user_rules() to enable
> exclude filter to additionally filter on PID, UID, GID, AUID,
> LOGINUID_SET, SUBJ_*.
>
> Add check in audit_filter_user() to quit early if list is empty.
>
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
>  kernel/auditfilter.c |   22 +++++++++-------------
>  1 files changed, 9 insertions(+), 13 deletions(-)

I like the consolidation between audit_filter_type() and
audit_filter_user(), I like it so much I think we should take it
further.  Let's consolidate both functions into a single function (say
audit_filter()?) and update the callers to use the new function.  This
shouldn't be hard as the only callers are audit_receive_msg() and
audit_log_start(); you'll need to be careful as the return values of
the current functions are opposite of each other, but it should be
easy enough to update one of the callers.

Sound reasonable?

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 96c9a1b..515c752 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -1358,6 +1358,9 @@ int audit_filter_user(int type)
>         ret = 1; /* Audit by default */
>
>         rcu_read_lock();
> +       if (list_empty(&audit_filter_list[AUDIT_FILTER_USER]))
> +               goto unlock_and_return;
> +
>         list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
>                 rc = audit_filter_user_rules(&e->rule, type, &state);
>                 if (rc) {
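Review bot: the list_empty() short-circuit added at the top of audit_filter_user() is functionally redundant: list_for_each_entry_rcu() over an empty list never enters its body, and ret is already 1 ("Audit by default"), so the only effect is the new unlock_and_return label. It does mirror the existing check in audit_filter_type() and costs nothing under the RCU read lock, so keeping it is fine, but the commit message's "quit early if list is empty" should not be read as a behaviour change; a one-line comment marking it as a fast path would avoid that confusion.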
> @@ -1366,13 +1369,14 @@ int audit_filter_user(int type)
>                         break;
>                 }
>         }
> +unlock_and_return:
>         rcu_read_unlock();
> -
>         return ret;
>  }
>
>  int audit_filter_type(int type)
>  {
> +       enum audit_state state = AUDIT_DISABLED;
>         struct audit_entry *e;
>         int result = 0;
>
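Review bot: `enum audit_state state = AUDIT_DISABLED;` in audit_filter_type() exists only so that audit_filter_user_rules() has somewhere to write; this function never reads it, unlike audit_filter_user(), which uses state to decide ret. A short comment at the declaration saying the state output is ignored on the exclude path would save the next reader from looking for a use. Separately, dropping the blank line between rcu_read_unlock() and return ret; in audit_filter_user() is an unrelated whitespace change and is better left out of this patch.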
> @@ -1380,19 +1384,11 @@ int audit_filter_type(int type)
>         if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
>                 goto unlock_and_return;
>
> -       list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
> -                               list) {
> -               int i;
> -               for (i = 0; i < e->rule.field_count; i++) {
> -                       struct audit_field *f = &e->rule.fields[i];
> -                       if (f->type == AUDIT_MSGTYPE) {
> -                               result = audit_comparator(type, f->op, f->val);
> -                               if (!result)
> -                                       break;
> -                       }
> +       list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], list) {
> +               if (audit_filter_user_rules(&e->rule, type, &state) == 1) {
> +                       result = 1;
> +                       break;
>                 }
> -               if (result)
> -                       goto unlock_and_return;
>         }
>  unlock_and_return:
>         rcu_read_unlock();
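Review bot: the replaced loop matched only on AUDIT_MSGTYPE fields and required every AUDIT_MSGTYPE field of a rule to compare true (`if (!result) break;`), so an exclude rule with no AUDIT_MSGTYPE field could never exclude anything; with `audit_filter_user_rules(&e->rule, type, &state) == 1`, every field of the rule now takes part and audit_filter_user_rules() alone decides whether a record is dropped. That is the feature being added, but the commit message should spell out the contract being relied on: that audit_filter_user_rules() returns 1 only when all fields of the rule match, and that a field type it does not handle makes the rule fail rather than match, since otherwise an existing or widened exclude rule could start dropping records it did not drop before. Note also that audit_filter_user() in the first hunk acts on any non-zero rc while this loop tests for exactly 1; if the function can return other non-zero values, the two call sites should agree, and a comment here saying why only 1 counts would help.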
> --
> 1.7.1
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
paul moore
www.paul-moore.com
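The consolidation Paul suggests, as an added example that is not kernel code and not part of this patch: a toy model with one audit_filter() serving both the user-message list and the exclude list, and the two callers keeping their opposite return conventions at the call site. Assumptions: a rule matches only when all of its fields match (the contract the patch relies on from audit_filter_user_rules()), user-list rules are modelled as "never" rules so that a match means "do not audit", and the rule values and message-type numbers are constructed placeholders rather than real audit ids.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the audit filter lists (not kernel code). */
enum field_type { F_MSGTYPE, F_PID, F_UID };
enum field_op   { OP_EQ, OP_NE, OP_GT };

struct field { enum field_type type; enum field_op op; unsigned val; };
struct rule  { const struct field *fields; size_t nfields; };

/* what a record carries for matching: its message type plus the caller's ids */
struct rec_ctx { unsigned msgtype, pid, uid; };

static int field_cmp(unsigned lhs, enum field_op op, unsigned rhs)
{
	switch (op) {
	case OP_EQ: return lhs == rhs;
	case OP_NE: return lhs != rhs;
	case OP_GT: return lhs > rhs;
	}
	return 0;
}

/* A rule matches only when every one of its fields matches; a field type the
 * filter does not understand makes the rule fail rather than match.  This is
 * the all-fields contract assumed of audit_filter_user_rules(). */
static int rule_matches(const struct rule *r, const struct rec_ctx *c)
{
	for (size_t i = 0; i < r->nfields; i++) {
		const struct field *f = &r->fields[i];
		unsigned lhs;

		switch (f->type) {
		case F_MSGTYPE: lhs = c->msgtype; break;
		case F_PID:     lhs = c->pid;     break;
		case F_UID:     lhs = c->uid;     break;
		default:        return 0;
		}
		if (!field_cmp(lhs, f->op, f->val))
			return 0;
	}
	return 1; /* model choice: a rule with no fields matches everything */
}

/* The single filter: 1 if any rule on the given list matches the record,
 * 0 otherwise.  The n == 0 check is the list_empty() fast path; the loop
 * would give the same answer without it. */
static int audit_filter(const struct rule *list, size_t n, const struct rec_ctx *c)
{
	if (n == 0)
		return 0;
	for (size_t i = 0; i < n; i++)
		if (rule_matches(&list[i], c))
			return 1;
	return 0;
}

/* The callers keep their opposite conventions.  User-list rules are modelled
 * as "never" rules (assumption), so "audit by default" is the negation of a
 * match; a match on the exclude list means the record is dropped. */
static int user_msg_should_be_audited(const struct rule *list, size_t n,
				      const struct rec_ctx *c)
{
	return !audit_filter(list, n, c);
}

static int record_is_excluded(const struct rule *list, size_t n,
			      const struct rec_ctx *c)
{
	return audit_filter(list, n, c);
}

/* Constructed sample rules; the numbers are placeholders, not real audit ids. */
static const struct field excl_a[] = { { F_MSGTYPE, OP_EQ, 1100 }, { F_UID, OP_EQ, 1000 } };
static const struct field excl_b[] = { { F_MSGTYPE, OP_EQ, 1300 } };
static const struct rule  exclude_list[] = { { excl_a, 2 }, { excl_b, 1 } };
static const struct field user_r[] = { { F_PID, OP_EQ, 42 } };
static const struct rule  user_list[] = { { user_r, 1 } };

int demo_excluded(unsigned msgtype, unsigned pid, unsigned uid)
{
	struct rec_ctx c = { msgtype, pid, uid };
	return record_is_excluded(exclude_list, 2, &c);
}

int demo_user_audited(unsigned msgtype, unsigned pid, unsigned uid)
{
	struct rec_ctx c = { msgtype, pid, uid };
	return user_msg_should_be_audited(user_list, 1, &c);
}

/* With both lists empty nothing is excluded and user messages are audited. */
int demo_empty_lists(void)
{
	struct rec_ctx c = { 1100, 42, 1000 };
	return !record_is_excluded(exclude_list, 0, &c) &&
	       user_msg_should_be_audited(user_list, 0, &c);
}

int main(void)
{
	printf("type 1100 uid 1000 excluded: %d\n", demo_excluded(1100, 1, 1000));
	printf("type 1100 uid 0 excluded:    %d\n", demo_excluded(1100, 1, 0));
	printf("pid 42 user msg audited:     %d\n", demo_user_audited(1100, 42, 0));
	return 0;
}
```

The point of the model is the second exclude rule paired with a UID field: under the old AUDIT_MSGTYPE-only loop the UID would have been ignored, whereas with all-fields matching a type 1100 record from uid 0 is no longer dropped. Whether the real audit_filter_user_rules() behaves this way for the newly allowed fields is exactly what the patch's commit message should state.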
