[PATCH ghak114 V1] audit: enforce op for string fields
Richard Guy Briggs
rgb at redhat.com
Tue May 28 22:22:28 UTC 2019
On 2019-05-28 18:00, Paul Moore wrote:
> On Wed, May 22, 2019 at 5:52 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> >
> > The field operator is ignored on several string fields. WATCH, DIR,
> > PERM and FILETYPE field operators are completely ignored and meaningless
> > since the op is not referenced in audit_filter_rules(). Range and
> > bitwise operators are already addressed in ghak73.
> >
> > Honour the operator for WATCH, DIR, PERM, FILETYPE fields as is done in
> > the EXE field.
> >
> > Please see github issue
> > https://github.com/linux-audit/audit-kernel/issues/114
> > ---
> > kernel/auditsc.c | 18 +++++++++++++++---
> > 1 file changed, 15 insertions(+), 3 deletions(-)
>
> While the patch looks fine, it is missing your sign-off. If you reply
> to this thread with it, I'll go ahead and add to the patch when
> merging.
GHAK! Sorry about that!
Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
It passed checkpatch.pl when that code was in the ghak73 patch. :-)
> I'm sure everyone is tired of hearing me complain about people not
> checking their patches, but this is something that would have been
> caught by running ./scripts/checkpatch.pl against your patch (the
> entire patch, not just the code portion). If you aren't running your
> full patch through checkpatch already, it is easy to do (there are
> likely other ways too, these are just the two that I use):
>
> * using git
> # git format-patch --stdout -1 <commit_id> | ./scripts/checkpatch.pl -
>
> * using stgit (my favorite)
> # stg export -s <patch> | ./scripts/checkpatch.pl -
Nice, it even works for a series...
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 30aa07b0115f..087137d341a2 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -601,12 +601,20 @@ static int audit_filter_rules(struct task_struct *tsk,
> > }
> > break;
> > case AUDIT_WATCH:
> > - if (name)
> > - result = audit_watch_compare(rule->watch, name->ino, name->dev);
> > + if (name) {
> > + result = audit_watch_compare(rule->watch,
> > + name->ino,
> > + name->dev);
> > + if (f->op == Audit_not_equal)
> > + result = !result;
> > + }
> > break;
> > case AUDIT_DIR:
> > - if (ctx)
> > + if (ctx) {
> > result = match_tree_refs(ctx, rule->tree);
> > + if (f->op == Audit_not_equal)
> > + result = !result;
> > + }
> > break;
> > case AUDIT_LOGINUID:
> > result = audit_uid_comparator(audit_get_loginuid(tsk),
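Review bot: In the AUDIT_WATCH and AUDIT_DIR cases the negation sits inside the "if (name)" and "if (ctx)" guards, so a not-equal rule evaluated with no name or no context is never inverted and keeps whatever value result held on entry to the case. If a not-equal rule is meant to match when there is nothing to compare against, the inversion needs to move outside the guard. If not matching is the intended behaviour, a one-line comment saying so would help, since the AUDIT_PERM and AUDIT_FILETYPE cases later in this patch invert unconditionally.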
> > @@ -684,9 +692,13 @@ static int audit_filter_rules(struct task_struct *tsk,
> > break;
> > case AUDIT_PERM:
> > result = audit_match_perm(ctx, f->val);
> > + if (f->op == Audit_not_equal)
> > + result = !result;
> > break;
> > case AUDIT_FILETYPE:
> > result = audit_match_filetype(ctx, f->val);
> > + if (f->op == Audit_not_equal)
> > + result = !result;
> > break;
> > case AUDIT_FIELD_COMPARE:
> > result = audit_field_compare(tsk, cred, f, ctx, name);
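Review bot: The check added to the AUDIT_PERM and AUDIT_FILETYPE cases tests only for Audit_not_equal, so any other operator value is treated as equality. The commit message says range and bitwise operators are addressed in ghak73, which makes this hunk depend on that work rejecting them. Stating the dependency in the changelog or in a comment at these cases would make it visible. The same two-line inversion now appears four times in audit_filter_rules(), so a small helper taking f->op and result would keep the cases consistent.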
> > --
> > 1.8.3.1
>
> --
> paul moore
> www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635