[PATCH] audit: allow not equal op for audit by executable

Ondrej Mosnacek omosnace at redhat.com
Fri Apr 6 11:10:40 UTC 2018


2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <rgb at redhat.com>:
> On 2018-04-06 10:43, Ondrej Mosnacek wrote:
>> Current implementation of auditing by executable name only implements
>> the 'equal' operator. This patch extends it to also support the 'not
>> equal' operator.
>>
>> See: https://github.com/linux-audit/audit-kernel/issues/53
>>
>> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
>> ---
>>
>> Hi Paul,
>>
>> this turned out to be easier than I anticipated so I'm sending the patch
>> already :) I hope I got everything right. Note that the userspace tools
>> also need to be updated to check the feature bit and allow/disallow the
>> operator based on that.
>
> Do we really need to eat up a feature bit for this?  The kernel will
> simply return -EINVAL if it isn't supported.  That will make userspace
> implementation easier.

The problem then would be that if someone tried to use the not equal
operator on an older kernel, he would get some generic error message
instead of the current "exe only takes = operator".

This is how it would be handled with the feature bit:
https://github.com/WOnder93/audit-userspace/commit/c2260940e0216042efa11f24384d70772e619e8e

If the consensus is that it's not worth it, I will resend it without that part.

>> Ondrej
>>
>>  include/uapi/linux/audit.h | 18 ++++++++++--------
>>  kernel/auditfilter.c       |  2 +-
>>  kernel/auditsc.c           |  2 ++
>>  3 files changed, 13 insertions(+), 9 deletions(-)
>>
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 4e61a9e05132..03393f7e8932 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -333,13 +333,14 @@ enum {
>>  #define AUDIT_STATUS_BACKLOG_WAIT_TIME       0x0020
>>  #define AUDIT_STATUS_LOST            0x0040
>>
>> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT   0x00000001
>> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME       0x00000002
>> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
>> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND  0x00000008
>> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER        0x00000010
>> -#define AUDIT_FEATURE_BITMAP_LOST_RESET              0x00000020
>> -#define AUDIT_FEATURE_BITMAP_FILTER_FS               0x00000040
>> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT           0x00000001
>> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME               0x00000002
>> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH         0x00000004
>> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND          0x00000008
>> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER                0x00000010
>> +#define AUDIT_FEATURE_BITMAP_LOST_RESET                      0x00000020
>> +#define AUDIT_FEATURE_BITMAP_FILTER_FS                       0x00000040
>> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ     0x00000080
>>
>>  #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
>>                                 AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
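Review bot: re-aligning the seven existing AUDIT_FEATURE_BITMAP_* defines turns a one-line addition into a seven-line delete/re-add, which buries the functional change and makes backports and `git blame` noisier; unless the maintainer wants the realignment, add only the new `+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ     0x00000080` line here, or split the whitespace cleanup into its own patch.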
>> @@ -347,7 +348,8 @@ enum {
>>                                 AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
>>                                 AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
>>                                 AUDIT_FEATURE_BITMAP_LOST_RESET | \
>> -                               AUDIT_FEATURE_BITMAP_FILTER_FS)
>> +                               AUDIT_FEATURE_BITMAP_FILTER_FS | \
>> +                               AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
>>
>>  /* deprecated: AUDIT_VERSION_* */
>>  #define AUDIT_VERSION_LATEST                 AUDIT_FEATURE_BITMAP_ALL
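Review bot: the commit message describes only the new operator, but this hunk also allocates a new UAPI feature bit and folds it into `AUDIT_FEATURE_BITMAP_ALL` (and therefore into the deprecated `AUDIT_VERSION_LATEST` alias), which is an ABI commitment userspace will key on; state that in the commit message together with the reason given in the thread (letting userspace keep its precise "exe only takes = operator" message on older kernels instead of a generic -EINVAL), so the bit's purpose is recorded for anyone reading the header later.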
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index d7a807e81451..a0c5a3ec6e60 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
>>                       return -EINVAL;
>>               break;
>>       case AUDIT_EXE:
>> -             if (f->op != Audit_equal)
>> +             if (f->op != Audit_not_equal && f->op != Audit_equal)
>>                       return -EINVAL;
>>               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>>                       return -EINVAL;
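Review bot: the two-operator test reads more naturally with the existing operator first, `if (f->op != Audit_equal && f->op != Audit_not_equal)`, mirroring the order in the commit message; a one-line comment above `case AUDIT_EXE:` saying that only = and != are accepted would also help, since this is the check that produces the -EINVAL any other operator (and, on older kernels, !=) gets back.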
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 4e0a4ac803db..479c031ec54c 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
>>                       break;
>>               case AUDIT_EXE:
>>                       result = audit_exe_compare(tsk, rule->exe);
>> +                     if (f->op == Audit_not_equal)
>> +                             result = !result;
>>                       break;
>>               case AUDIT_UID:
>>                       result = audit_uid_comparator(cred->uid, f->op, f->uid);
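Review bot: `result = !result;` inverts whatever audit_exe_compare() returns, so every task for which the comparison reports no match, including one that has no executable to compare against at all, will now match a `!=` rule; please confirm that is the intended meaning of not-equal here (the other comparators resolve this inside the comparator via their `f->op` argument) and spell it out in the commit message. It is also worth checking that nothing else that consumes `rule->exe` still assumes the rule means "equal".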
>> --
>> 2.14.3
>>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.



