[PATCH] filterexcl: allow filterkey

Richard Guy Briggs rgb at redhat.com
Tue Jun 13 18:46:19 UTC 2017


On 2017-06-12 22:47, Richard Guy Briggs wrote:
> On 2017-06-12 20:05, Steve Grubb wrote:
> > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > > The exclude rules did not permit a filterkey to be added.  This isn't as
> > > important for the exclude filter compared to the others since no records are
> > > generated with that key, but still helps identify rules in the rules list
> > > configuration.
> > 
> > How long ago did the kernel start allowing this? I'm trying to decide if this is
> > generally applicable or needs some kind of versioning.
> 
> I wasn't aware it was disallowed previously.  I'll try to dig out if
> that was previously refused.

I see nothing obvious going back to its introduction:
	5adc8a6adc91 <amy.griffis at hp.com> 2006-06-14 ("add rule filterkey")

> > Thanks,
> > -Steve
> > 
> > > Allow filterkeys to be used with the exclude filter.
> > > 
> > > See: https://github.com/linux-audit/audit-userspace/issues/14
> > > 
> > > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > > ---
> > >  lib/libaudit.c |   13 +++++++++++--
> > >  lib/private.h  |    1 +
> > >  src/auditctl.c |    5 +++--
> > >  3 files changed, 15 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/lib/libaudit.c b/lib/libaudit.c
> > > index b1f8f9c..028483d 100644
> > > --- a/lib/libaudit.c
> > > +++ b/lib/libaudit.c
> > > @@ -85,6 +85,7 @@ int _audit_permadded = 0;
> > >  int _audit_archadded = 0;
> > >  int _audit_syscalladded = 0;
> > >  int _audit_exeadded = 0;
> > > +int _audit_filterexcladded = 0;
> > >  unsigned int _audit_elf = 0U;
> > >  static struct libaudit_conf config;
> > > 
> > > @@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > > **rulep, const char *pair, if (flags == AUDIT_FILTER_EXCLUDE) {
> > >  		uint32_t features = audit_get_features();
> > >  		if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
> > > -			if (field != AUDIT_MSGTYPE)
> > > +			switch(field) {
> > > +			case AUDIT_MSGTYPE:
> > > +				_audit_filterexcladded = 1;
> > > +			case AUDIT_FILTERKEY:
> > > +				break;
> > > +			default:
> > >  				return -EAU_FIELDNOSUPPORT;
> > > +			}
> > >  		} else {
> > >  			switch(field) {
> > >  				case AUDIT_PID:
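Review bot: the fall-through from `case AUDIT_MSGTYPE:` into `case AUDIT_FILTERKEY:` is intentional (set the flag, then break) but unmarked; a `/* fall through */` comment after `_audit_filterexcladded = 1;` would make the intent explicit and keep implicit-fallthrough warnings quiet. This is also the branch taken when the kernel does not report AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND, so on such kernels libaudit no longer rejects a key on an exclude rule itself and the kernel's reply to the rule becomes the only check, which is the versioning question Steve raised earlier in the thread.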
> > > @@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > > **rulep, const char *pair, case AUDIT_SUBJ_TYPE:
> > >  				case AUDIT_SUBJ_SEN:
> > >  				case AUDIT_SUBJ_CLR:
> > > +					_audit_filterexcladded = 1;
> > > +				case AUDIT_FILTERKEY:
> > >  					break;
> > >  				default:
> > >  					return -EAU_MSGTYPECREDEXCLUDE;
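Review bot: `_audit_filterexcladded` is set only by the msgtype and subject-credential cases, never by `AUDIT_FILTERKEY` itself, so a key is accepted only when one of those fields was parsed before it on the command line. That ordering requirement mirrors the existing watch/syscall behaviour, but it is worth stating in the commit message and the auditctl documentation. As in the previous hunk, the fall-through into `case AUDIT_FILTERKEY:` should carry a `/* fall through */` comment.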
> > > @@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > > **rulep, const char *pair, }
> > >  			if (field == AUDIT_FILTERKEY &&
> > >  				!(_audit_syscalladded || _audit_permadded ||
> > > -				_audit_exeadded))
> > > +				_audit_exeadded || _audit_filterexcladded))
> > >                                  return -EAU_KEYDEP;
> > >  			vlen = strlen(v);
> > >  			if (field == AUDIT_FILTERKEY &&
> > > diff --git a/lib/private.h b/lib/private.h
> > > index cde1906..855187b 100644
> > > --- a/lib/private.h
> > > +++ b/lib/private.h
> > > @@ -139,6 +139,7 @@ extern int _audit_permadded;
> > >  extern int _audit_archadded;
> > >  extern int _audit_syscalladded;
> > >  extern int _audit_exeadded;
> > > +extern int _audit_filterexcladded;
> > >  extern unsigned int _audit_elf;
> > > 
> > >  #ifdef __cplusplus
> > > diff --git a/src/auditctl.c b/src/auditctl.c
> > > index 04765f4..c785087 100644
> > > --- a/src/auditctl.c
> > > +++ b/src/auditctl.c
> > > @@ -74,6 +74,7 @@ static int reset_vars(void)
> > >  	_audit_permadded = 0;
> > >  	_audit_archadded = 0;
> > >  	_audit_exeadded = 0;
> > > +	_audit_filterexcladded = 0;
> > >  	_audit_elf = 0;
> > >  	add = AUDIT_FILTER_UNSET;
> > >  	del = AUDIT_FILTER_UNSET;
> > > @@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
> > >  		break;
> > >  	case 'k':
> > >  		if (!(_audit_syscalladded || _audit_permadded ||
> > > -			     _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
> > > -					del==AUDIT_FILTER_UNSET)) {
> > > +		      _audit_exeadded || _audit_filterexcladded) ||
> > > +		    (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> > >  			audit_msg(LOG_ERR,
> > >  		    "key option needs a watch or syscall given prior to it");
> > >  			retval = -1;
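Review bot: the error text `"key option needs a watch or syscall given prior to it"` is now incomplete, because an exclude filter field (msgtype or a subject credential) also satisfies the condition checked just above it; reword it so that a user who places `-k` before `-F msgtype=` gets an accurate hint, for example "key option needs a watch, syscall or exclude field given prior to it".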
> 
> - RGB

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635