On 2018-04-06 10:43, Ondrej Mosnacek wrote:
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
> 
> See: https://github.com/linux-audit/audit-kernel/issues/53
> 
> Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
> ---
> 
> Hi Paul,
> 
> this turned out to be easier than I anticipated so I'm sending the patch
> already :) I hope I got everything right. Note that the userspace tools
> also need to be updated to check the feature bit and allow/disallow the
> operator based on that.

Do we really need to eat up a feature bit for this?  The kernel will
simply return -EINVAL if it isn't supported.  That will make userspace
implementation easier.

> Ondrej
> 
>  include/uapi/linux/audit.h | 18 ++++++++++--------
>  kernel/auditfilter.c       |  2 +-
>  kernel/auditsc.c           |  2 ++
>  3 files changed, 13 insertions(+), 9 deletions(-)
> 
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 4e61a9e05132..03393f7e8932 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -333,13 +333,14 @@ enum {
>  #define AUDIT_STATUS_BACKLOG_WAIT_TIME       0x0020
>  #define AUDIT_STATUS_LOST            0x0040
>  
> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT   0x00000001
> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME       0x00000002
> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND  0x00000008
> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER        0x00000010
> -#define AUDIT_FEATURE_BITMAP_LOST_RESET              0x00000020
> -#define AUDIT_FEATURE_BITMAP_FILTER_FS               0x00000040
> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT           0x00000001
> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME               0x00000002
> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH         0x00000004
> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND          0x00000008
> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER                0x00000010
> +#define AUDIT_FEATURE_BITMAP_LOST_RESET                      0x00000020
> +#define AUDIT_FEATURE_BITMAP_FILTER_FS                       0x00000040
> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ     0x00000080
>  
>  #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
>                                 AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> @@ -347,7 +348,8 @@ enum {
>                                 AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
>                                 AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
>                                 AUDIT_FEATURE_BITMAP_LOST_RESET | \
> -                               AUDIT_FEATURE_BITMAP_FILTER_FS)
> +                               AUDIT_FEATURE_BITMAP_FILTER_FS | \
> +                               AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
>  
>  /* deprecated: AUDIT_VERSION_* */
>  #define AUDIT_VERSION_LATEST                 AUDIT_FEATURE_BITMAP_ALL
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, 
> struct audit_field *f)
>                       return -EINVAL;
>               break;
>       case AUDIT_EXE:
> -             if (f->op != Audit_equal)
> +             if (f->op != Audit_not_equal && f->op != Audit_equal)
>                       return -EINVAL;
>               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>                       return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
>                       break;
>               case AUDIT_EXE:
>                       result = audit_exe_compare(tsk, rule->exe);
> +                     if (f->op == Audit_not_equal)
> +                             result = !result;
>                       break;
>               case AUDIT_UID:
>                       result = audit_uid_comparator(cred->uid, f->op, f->uid);
> -- 
> 2.14.3
> 

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to