[RFC PATCH 1/2] audit: allow other filter list types for AUDIT_EXE

Ondrej Mosnacek omosnace at redhat.com
Tue Jun 5 11:13:33 UTC 2018


2018-06-04 22:41 GMT+02:00 Paul Moore <paul at paul-moore.com>:
> On Wed, May 30, 2018 at 4:45 AM, Ondrej Mosnacek <omosnace at redhat.com> wrote:
>> This patch removes the restriction of the AUDIT_EXE field to only
>> SYSCALL filter and teaches audit_filter to recognize this field.
>>
>> This makes it possible to write rule lists such as:
>>
>>     auditctl -a exit,always [some general rule]
>>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>>     auditctl -a exclude,always -F exe=/bin/exe1
>>     auditctl -a exclude,always -F exe=/bin/exe2
>>
>> See: https://github.com/linux-audit/audit-kernel/issues/54
>>
>> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
>> ---
>>  kernel/auditfilter.c | 7 +++++--
>>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> Thanks for your patience Ondrej.
>
> Having reflected a bit on things from the recent IMA audit discussion,
> my current thinking is to go ahead and merge this patch into
> audit/next once the merge window closes.

OK, feel free to merge it independently of the DIR patch; I sent them
in series because they need to be applied in order (otherwise there
would be merge conflicts).

>
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index eaa320148d97..6db9847ca031 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
>>         case AUDIT_EXE:
>>                 if (f->op != Audit_not_equal && f->op != Audit_equal)
>>                         return -EINVAL;
>> -               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>> -                       return -EINVAL;
>>                 break;
>>         }
>>         return 0;
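Review bot: dropping the `listnr != AUDIT_FILTER_EXIT` check in audit_field_valid() lets AUDIT_EXE be accepted on every filter list, but the only matcher this patch teaches about the field is audit_filter() in the next hunk, and the commit message only gives the exclude-list example. Suggest either stating in the commit message which list types are now meant to honour AUDIT_EXE, or keeping a narrower check that still returns -EINVAL for lists whose matching code does not evaluate this field, so a rule that can never match is rejected at load time instead of being silently accepted.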
>> @@ -1360,6 +1358,11 @@ int audit_filter(int msgtype, unsigned int listtype)
>>                                                         f->type, f->op, f->lsm_rule, NULL);
>>                                 }
>>                                 break;
>> +                       case AUDIT_EXE:
>> +                               result = audit_exe_compare(current, e->rule.exe);
>> +                               if (f->op == Audit_not_equal)
>> +                                       result = !result;
>> +                               break;
>>                         default:
>>                                 goto unlock_and_return;
>>                         }
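Review bot: the new AUDIT_EXE case negates `result` for Audit_not_equal without saying what audit_exe_compare() reports when `current` has no executable file (a kernel thread, or a task whose exe file is no longer available). If the compare returns 0 there, an `exe!=/path` rule on the exclude list matches such tasks and drops their records while `exe=/path` never matches them; worth a one-line comment documenting that this is the intended semantics, or an explicit `break` without comparison when no exe file exists, whichever is meant. The Audit_equal/Audit_not_equal restriction enforced in audit_field_valid() above makes the two-way negation sufficient here, so the switch itself looks consistent with the earlier hunk.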
>> --
>> 2.17.0
>
> --
> paul moore
> www.paul-moore.com



-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.



