2018-04-06 16:32 GMT+02:00 Steve Grubb <sgr...@redhat.com>:
> On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
>> Current implementation of auditing by executable name only implements
>> the 'equal' operator. This patch extends it to also support the 'not
>> equal' operator.
>>
>> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> What would an audit rule that uses this new capability look like?

The GitHub issue links to the following original user request:

https://www.redhat.com/archives/linux-audit/2017-June/msg00029.html

The desired rule would then look exactly as the user expected:

-a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F
exe!=/path/to/application -F key=voicemail_watch

> -Steve
>
>> Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
>> ---
>>
>> Hi Paul,
>>
>> this turned out to be easier than I anticipated so I'm sending the patch
>> already :) I hope I got everything right. Note that the userspace tools
>> also need to be updated to check the feature bit and allow/disallow the
>> operator based on that.
>>
>> Ondrej
>>
>>  include/uapi/linux/audit.h | 18 ++++++++++--------
>>  kernel/auditfilter.c       |  2 +-
>>  kernel/auditsc.c           |  2 ++
>>  3 files changed, 13 insertions(+), 9 deletions(-)
>>
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 4e61a9e05132..03393f7e8932 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -333,13 +333,14 @@ enum {
>>  #define AUDIT_STATUS_BACKLOG_WAIT_TIME       0x0020
>>  #define AUDIT_STATUS_LOST            0x0040
>>
>> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT   0x00000001
>> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME       0x00000002
>> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
>> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND  0x00000008
>> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER        0x00000010
>> -#define AUDIT_FEATURE_BITMAP_LOST_RESET              0x00000020
>> -#define AUDIT_FEATURE_BITMAP_FILTER_FS               0x00000040
>> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT           0x00000001
>> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME               0x00000002
>> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH         0x00000004
>> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND          0x00000008
>> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER                0x00000010
>> +#define AUDIT_FEATURE_BITMAP_LOST_RESET                      0x00000020
>> +#define AUDIT_FEATURE_BITMAP_FILTER_FS                       0x00000040
>> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ     0x00000080
>>
>>  #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
>>                                 AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
>> @@ -347,7 +348,8 @@ enum {
>>                                 AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
>>                                 AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
>>                                 AUDIT_FEATURE_BITMAP_LOST_RESET | \
>> -                               AUDIT_FEATURE_BITMAP_FILTER_FS)
>> +                               AUDIT_FEATURE_BITMAP_FILTER_FS | \
>> +                               AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
>>
>>  /* deprecated: AUDIT_VERSION_* */
>>  #define AUDIT_VERSION_LATEST                 AUDIT_FEATURE_BITMAP_ALL
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index d7a807e81451..a0c5a3ec6e60 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
>> struct audit_field *f) return -EINVAL;
>>               break;
>>       case AUDIT_EXE:
>> -             if (f->op != Audit_equal)
>> +             if (f->op != Audit_not_equal && f->op != Audit_equal)
>>                       return -EINVAL;
>>               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>>                       return -EINVAL;
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 4e0a4ac803db..479c031ec54c 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
>>                       break;
>>               case AUDIT_EXE:
>>                       result = audit_exe_compare(tsk, rule->exe);
>> +                     if (f->op == Audit_not_equal)
>> +                             result = !result;
>>                       break;
>>               case AUDIT_UID:
>>                       result = audit_uid_comparator(cred->uid, f->op, 
>> f->uid);
>
>
>
>

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to