Re: [PATCH] filterexcl: allow filterkey

[Richard Guy Briggs]

On 2017-06-12 22:47, Richard Guy Briggs wrote:
> On 2017-06-12 20:05, Steve Grubb wrote:
> > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > > The exclude rules did not permit a filterkey to be added.  This isn't as
> > > important for the exclude filter compared to the others since no records 
> > > are
> > > generated with that key, but still helps identify rules in the rules list
> > > configuration.
> > 
> > How long ago did thkernel start allowing this? I'm trying to decide if this 
> > is 
> > generally applicable or needs some kind of versioning.
> 
> I wasn't aware it was disallowed previously.  I'll try to dig out if
> that was previously refused.

I see nothing obvious going back to its introduction:
        5adc8a6adc91 <amy.grif...@hp.com> 2006-06-14 ("add rule filterkey")

> > Thanks,
> > -Steve
> > 
> > > Allow filterkeys to be used with the exclude filter.
> > > 
> > > See: https://github.com/linux-audit/audit-userspace/issues/14
> > > 
> > > Signed-off-by: Richard Guy Briggs <r...@redhat.com>
> > > ---
> > >  lib/libaudit.c |   13 +++++++++++--
> > >  lib/private.h  |    1 +
> > >  src/auditctl.c |    5 +++--
> > >  3 files changed, 15 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/lib/libaudit.c b/lib/libaudit.c
> > > index b1f8f9c..028483d 100644
> > > --- a/lib/libaudit.c
> > > +++ b/lib/libaudit.c
> > > @@ -85,6 +85,7 @@ int _audit_permadded = 0;
> > >  int _audit_archadded = 0;
> > >  int _audit_syscalladded = 0;
> > >  int _audit_exeadded = 0;
> > > +int _audit_filterexcladded = 0;
> > >  unsigned int _audit_elf = 0U;
> > >  static struct libaudit_conf config;
> > > 
> > > @@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct 
> > > audit_rule_data
> > > **rulep, const char *pair, if (flags == AUDIT_FILTER_EXCLUDE) {
> > >           uint32_t features = audit_get_features();
> > >           if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
> > > -                 if (field != AUDIT_MSGTYPE)
> > > +                 switch(field) {
> > > +                 case AUDIT_MSGTYPE:
> > > +                         _audit_filterexcladded = 1;
> > > +                 case AUDIT_FILTERKEY:
> > > +                         break;
> > > +                 default:
> > >                           return -EAU_FIELDNOSUPPORT;
> > > +                 }
> > >           } else {
> > >                   switch(field) {
> > >                           case AUDIT_PID:
> > > @@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > > **rulep, const char *pair, case AUDIT_SUBJ_TYPE:
> > >                           case AUDIT_SUBJ_SEN:
> > >                           case AUDIT_SUBJ_CLR:
> > > +                                 _audit_filterexcladded = 1;
> > > +                         case AUDIT_FILTERKEY:
> > >                                   break;
> > >                           default:
> > >                                   return -EAU_MSGTYPECREDEXCLUDE;
> > > @@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > > **rulep, const char *pair, }
> > >                   if (field == AUDIT_FILTERKEY &&
> > >                           !(_audit_syscalladded || _audit_permadded ||
> > > -                         _audit_exeadded))
> > > +                         _audit_exeadded || _audit_filterexcladded))
> > >                                  return -EAU_KEYDEP;
> > >                   vlen = strlen(v);
> > >                   if (field == AUDIT_FILTERKEY &&
> > > diff --git a/lib/private.h b/lib/private.h
> > > index cde1906..855187b 100644
> > > --- a/lib/private.h
> > > +++ b/lib/private.h
> > > @@ -139,6 +139,7 @@ extern int _audit_permadded;
> > >  extern int _audit_archadded;
> > >  extern int _audit_syscalladded;
> > >  extern int _audit_exeadded;
> > > +extern int _audit_filterexcladded;
> > >  extern unsigned int _audit_elf;
> > > 
> > >  #ifdef __cplusplus
> > > diff --git a/src/auditctl.c b/src/auditctl.c
> > > index 04765f4..c785087 100644
> > > --- a/src/auditctl.c
> > > +++ b/src/auditctl.c
> > > @@ -74,6 +74,7 @@ static int reset_vars(void)
> > >   _audit_permadded = 0;
> > >   _audit_archadded = 0;
> > >   _audit_exeadded = 0;
> > > + _audit_filterexcladded = 0;
> > >   _audit_elf = 0;
> > >   add = AUDIT_FILTER_UNSET;
> > >   del = AUDIT_FILTER_UNSET;
> > > @@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
> > >           break;
> > >   case 'k':
> > >           if (!(_audit_syscalladded || _audit_permadded ||
> > > -                      _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
> > > -                                 del==AUDIT_FILTER_UNSET)) {
> > > +               _audit_exeadded || _audit_filterexcladded) ||
> > > +             (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> > >                   audit_msg(LOG_ERR,
> > >               "key option needs a watch or syscall given prior to it");
> > >                   retval = -1;
> 
> - RGB

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit