[PATCH] filterexcl: allow filterkey
Steve Grubb
sgrubb at redhat.com
Tue Jun 13 00:05:46 UTC 2017
On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> The exclude rules did not permit a filterkey to be added. This isn't as
> important for the exclude filter compared to the others since no records are
> generated with that key, but still helps identify rules in the rules list
> configuration.
How long ago did thkernel start allowing this? I'm trying to decide if this is
generally applicable or needs some kind of versioning.
Thanks,
-Steve
> Allow filterkeys to be used with the exclude filter.
>
> See: https://github.com/linux-audit/audit-userspace/issues/14
>
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> lib/libaudit.c | 13 +++++++++++--
> lib/private.h | 1 +
> src/auditctl.c | 5 +++--
> 3 files changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/lib/libaudit.c b/lib/libaudit.c
> index b1f8f9c..028483d 100644
> --- a/lib/libaudit.c
> +++ b/lib/libaudit.c
> @@ -85,6 +85,7 @@ int _audit_permadded = 0;
> int _audit_archadded = 0;
> int _audit_syscalladded = 0;
> int _audit_exeadded = 0;
> +int _audit_filterexcladded = 0;
> unsigned int _audit_elf = 0U;
> static struct libaudit_conf config;
>
> @@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, if (flags == AUDIT_FILTER_EXCLUDE) {
> uint32_t features = audit_get_features();
> if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
> - if (field != AUDIT_MSGTYPE)
> + switch(field) {
> + case AUDIT_MSGTYPE:
> + _audit_filterexcladded = 1;
> + case AUDIT_FILTERKEY:
> + break;
> + default:
> return -EAU_FIELDNOSUPPORT;
> + }
> } else {
> switch(field) {
> case AUDIT_PID:
> @@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, case AUDIT_SUBJ_TYPE:
> case AUDIT_SUBJ_SEN:
> case AUDIT_SUBJ_CLR:
> + _audit_filterexcladded = 1;
> + case AUDIT_FILTERKEY:
> break;
> default:
> return -EAU_MSGTYPECREDEXCLUDE;
> @@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
> if (field == AUDIT_FILTERKEY &&
> !(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded))
> + _audit_exeadded || _audit_filterexcladded))
> return -EAU_KEYDEP;
> vlen = strlen(v);
> if (field == AUDIT_FILTERKEY &&
> diff --git a/lib/private.h b/lib/private.h
> index cde1906..855187b 100644
> --- a/lib/private.h
> +++ b/lib/private.h
> @@ -139,6 +139,7 @@ extern int _audit_permadded;
> extern int _audit_archadded;
> extern int _audit_syscalladded;
> extern int _audit_exeadded;
> +extern int _audit_filterexcladded;
> extern unsigned int _audit_elf;
>
> #ifdef __cplusplus
> diff --git a/src/auditctl.c b/src/auditctl.c
> index 04765f4..c785087 100644
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -74,6 +74,7 @@ static int reset_vars(void)
> _audit_permadded = 0;
> _audit_archadded = 0;
> _audit_exeadded = 0;
> + _audit_filterexcladded = 0;
> _audit_elf = 0;
> add = AUDIT_FILTER_UNSET;
> del = AUDIT_FILTER_UNSET;
> @@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
> break;
> case 'k':
> if (!(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
> - del==AUDIT_FILTER_UNSET)) {
> + _audit_exeadded || _audit_filterexcladded) ||
> + (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> audit_msg(LOG_ERR,
> "key option needs a watch or syscall given prior to it");
> retval = -1;
More information about the Linux-audit
mailing list