On 2018-04-06 13:10, Ondrej Mosnacek wrote:
> 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <r...@redhat.com>:
> > On 2018-04-06 10:43, Ondrej Mosnacek wrote:
> >> Current implementation of auditing by executable name only implements
> >> the 'equal' operator. This patch extends it to also support the 'not
> >> equal' operator.
> >>
> >> See: https://github.com/linux-audit/audit-kernel/issues/53
> >>
> >> Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
> >> ---
> >>
> >> Hi Paul,
> >>
> >> this turned out to be easier than I anticipated so I'm sending the patch
> >> already :) I hope I got everything right. Note that the userspace tools
> >> also need to be updated to check the feature bit and allow/disallow the
> >> operator based on that.
> >
> > Do we really need to eat up a feature bit for this? The kernel will
> > simply return -EINVAL if it isn't supported. That will make userspace
> > implementation easier.
>
> The problem then would be that if someone tried to use the not equal
> operator on an older kernel, he would get some generic error message
> instead of the current "exe only takes = operator".
You are right. I'm just not sure it is worth spending a feature bit on it.

> This is how it would be handled with the feature bit:
> https://github.com/WOnder93/audit-userspace/commit/c2260940e0216042efa11f24384d70772e619e8e
>
> If the consensus is that it's not worth it, I will resend it without that
> part. I'd be interested to hear Paul and Steve's perspective.
>
> >> Ondrej
> >>
> >> include/uapi/linux/audit.h | 18 ++++++++++--------
> >> kernel/auditfilter.c | 2 +-
> >> kernel/auditsc.c | 2 ++
> >> 3 files changed, 13 insertions(+), 9 deletions(-)
> >>
> >> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > >> index 4e61a9e05132..03393f7e8932 100644 > >> --- a/include/uapi/linux/audit.h > >> +++ b/include/uapi/linux/audit.h > >> @@ -333,13 +333,14 @@ enum { > >> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > >> #define AUDIT_STATUS_LOST 0x0040 > >> > >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > >> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > >> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > >> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > >> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > >> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > >> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > >> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > >> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > >> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 > >> > >> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ > >> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ 
> >> @@ -347,7 +348,8 @@ enum { > >> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ > >> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > >> AUDIT_FEATURE_BITMAP_LOST_RESET | \ > >> - AUDIT_FEATURE_BITMAP_FILTER_FS) > >> + AUDIT_FEATURE_BITMAP_FILTER_FS | \ > >> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) > >> > >> /* deprecated: AUDIT_VERSION_* */ > >> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > >> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > >> index d7a807e81451..a0c5a3ec6e60 100644 > >> --- a/kernel/auditfilter.c > >> +++ b/kernel/auditfilter.c > >> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry > >> *entry, struct audit_field *f) > >> return -EINVAL; > >> break; > >> case AUDIT_EXE: > >> - if (f->op != Audit_equal) > >> + if (f->op != Audit_not_equal && f->op != Audit_equal) > >> return -EINVAL; > >> if (entry->rule.listnr != AUDIT_FILTER_EXIT) > >> return -EINVAL; > >> diff --git a/kernel/auditsc.c b/kernel/auditsc.c > >> index 4e0a4ac803db..479c031ec54c 100644 > >> --- a/kernel/auditsc.c > >> +++ b/kernel/auditsc.c > >> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, > >> break; > >> case AUDIT_EXE: > >> result = audit_exe_compare(tsk, rule->exe); > >> + if (f->op == Audit_not_equal) > >> + result = !result; > >> break; > >> case AUDIT_UID: > >> result = audit_uid_comparator(cred->uid, f->op, > >> f->uid); > >> -- > >> 2.14.3 > >> > > > > - RGB > > Ondrej Mosnacek <omosnace at redhat dot com> - RGB -- Richard Guy Briggs <r...@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
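Review bot: In the first include/uapi/linux/audit.h hunk, realigning the seven existing AUDIT_FEATURE_BITMAP_* defines turns a one-line addition into fourteen changed lines and buries the only functional change, the new AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080; keep the existing alignment, or move the whitespace cleanup into a separate patch. Whether the bit should exist at all is the open question in the thread above: without it an older kernel rejects the rule with -EINVAL and the user sees a generic error, with it userspace can check the bit and keep reporting the specific "exe only takes = operator" message on kernels that lack it.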
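Review bot: In the AUDIT_FEATURE_BITMAP_ALL hunk, note that the deprecated AUDIT_VERSION_LATEST two lines below is defined as AUDIT_FEATURE_BITMAP_ALL, so adding the bit here also changes the value that macro reports; that matches how the earlier bits were added, so the only request is that this hunk be dropped together with the define if the discussion settles on not spending a feature bit.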
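Review bot: In the kernel/auditfilter.c hunk, the extended check in audit_field_valid() is correct, but `if (f->op != Audit_not_equal && f->op != Audit_equal)` lists the new operator first; writing it as `if (f->op != Audit_equal && f->op != Audit_not_equal)` keeps the existing operator in place and makes the change a pure append. A one-line comment saying that AUDIT_EXE accepts only = and != would also document the -EINVAL that the thread relies on for older kernels.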
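Review bot: In the kernel/auditsc.c hunk, negating `result` after audit_exe_compare() means that any case in which the helper returns 0 for a reason other than a path mismatch, for example a task that has no executable file at all if the helper handles that by returning 0, is now reported as a match for the != operator; confirm that this is the intended semantics for an exe != rule and state it in the commit message. The other fields in this switch hand f->op to a comparator (see `audit_uid_comparator(cred->uid, f->op, f->uid)` in the trailing context), so passing the op into audit_exe_compare() or a small wrapper would keep the pattern consistent, though that is a style preference.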