[PATCH] filterexcl: allow filterkey
Richard Guy Briggs
rgb at redhat.com
Tue Jun 13 02:47:58 UTC 2017
On 2017-06-12 20:05, Steve Grubb wrote:
> On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > The exclude rules did not permit a filterkey to be added. This isn't as
> > important for the exclude filter compared to the others since no records are
> > generated with that key, but still helps identify rules in the rules list
> > configuration.
>
> How long ago did thkernel start allowing this? I'm trying to decide if this is
> generally applicable or needs some kind of versioning.
I wasn't aware it was disallowed previously. I'll try to dig out if
that was previously refused.
> Thanks,
> -Steve
>
> > Allow filterkeys to be used with the exclude filter.
> >
> > See: https://github.com/linux-audit/audit-userspace/issues/14
> >
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> > lib/libaudit.c | 13 +++++++++++--
> > lib/private.h | 1 +
> > src/auditctl.c | 5 +++--
> > 3 files changed, 15 insertions(+), 4 deletions(-)
> >
> > diff --git a/lib/libaudit.c b/lib/libaudit.c
> > index b1f8f9c..028483d 100644
> > --- a/lib/libaudit.c
> > +++ b/lib/libaudit.c
> > @@ -85,6 +85,7 @@ int _audit_permadded = 0;
> > int _audit_archadded = 0;
> > int _audit_syscalladded = 0;
> > int _audit_exeadded = 0;
> > +int _audit_filterexcladded = 0;
> > unsigned int _audit_elf = 0U;
> > static struct libaudit_conf config;
> >
> > @@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, if (flags == AUDIT_FILTER_EXCLUDE) {
> > uint32_t features = audit_get_features();
> > if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
> > - if (field != AUDIT_MSGTYPE)
> > + switch(field) {
> > + case AUDIT_MSGTYPE:
> > + _audit_filterexcladded = 1;
> > + case AUDIT_FILTERKEY:
> > + break;
> > + default:
> > return -EAU_FIELDNOSUPPORT;
> > + }
> > } else {
> > switch(field) {
> > case AUDIT_PID:
> > @@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, case AUDIT_SUBJ_TYPE:
> > case AUDIT_SUBJ_SEN:
> > case AUDIT_SUBJ_CLR:
> > + _audit_filterexcladded = 1;
> > + case AUDIT_FILTERKEY:
> > break;
> > default:
> > return -EAU_MSGTYPECREDEXCLUDE;
> > @@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, }
> > if (field == AUDIT_FILTERKEY &&
> > !(_audit_syscalladded || _audit_permadded ||
> > - _audit_exeadded))
> > + _audit_exeadded || _audit_filterexcladded))
> > return -EAU_KEYDEP;
> > vlen = strlen(v);
> > if (field == AUDIT_FILTERKEY &&
> > diff --git a/lib/private.h b/lib/private.h
> > index cde1906..855187b 100644
> > --- a/lib/private.h
> > +++ b/lib/private.h
> > @@ -139,6 +139,7 @@ extern int _audit_permadded;
> > extern int _audit_archadded;
> > extern int _audit_syscalladded;
> > extern int _audit_exeadded;
> > +extern int _audit_filterexcladded;
> > extern unsigned int _audit_elf;
> >
> > #ifdef __cplusplus
> > diff --git a/src/auditctl.c b/src/auditctl.c
> > index 04765f4..c785087 100644
> > --- a/src/auditctl.c
> > +++ b/src/auditctl.c
> > @@ -74,6 +74,7 @@ static int reset_vars(void)
> > _audit_permadded = 0;
> > _audit_archadded = 0;
> > _audit_exeadded = 0;
> > + _audit_filterexcladded = 0;
> > _audit_elf = 0;
> > add = AUDIT_FILTER_UNSET;
> > del = AUDIT_FILTER_UNSET;
> > @@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
> > break;
> > case 'k':
> > if (!(_audit_syscalladded || _audit_permadded ||
> > - _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
> > - del==AUDIT_FILTER_UNSET)) {
> > + _audit_exeadded || _audit_filterexcladded) ||
> > + (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> > audit_msg(LOG_ERR,
> > "key option needs a watch or syscall given prior to it");
> > retval = -1;
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list