subject:"\[PATCH v2\] audit\: allow not equal op for audit by executable"

Re: [PATCH v2] audit: allow not equal op for audit by executable

2018-04-24 Thread Paul Moore

On Mon, Apr 9, 2018 at 4:00 AM, Ondrej Mosnacek  wrote:
> From: Ondrej Mosnáček 
>
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> Signed-off-by: Ondrej Mosnacek 
> ---
>  kernel/auditfilter.c | 2 +-
>  kernel/auditsc.c | 2 ++
>  2 files changed, 3 insertions(+), 1 deletion(-)

Merged into audit/next, thanks.

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, 
> struct audit_field *f)
> return -EINVAL;
> break;
> case AUDIT_EXE:
> -   if (f->op != Audit_equal)
> +   if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> +   if (f->op == Audit_not_equal)
> +   result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op, 
> f->uid);
> --
> 2.14.3
>



-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH v2] audit: allow not equal op for audit by executable

2018-04-09 Thread Richard Guy Briggs

On 2018-04-09 10:00, Ondrej Mosnacek wrote:
> From: Ondrej Mosnáček 
> 
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
> 
> See: https://github.com/linux-audit/audit-kernel/issues/53
> 
> Signed-off-by: Ondrej Mosnacek 

Looks good to me.  Reveiwed-by: Richard Guy Briggs 

> ---
>  kernel/auditfilter.c | 2 +-
>  kernel/auditsc.c | 2 ++
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, 
> struct audit_field *f)
>   return -EINVAL;
>   break;
>   case AUDIT_EXE:
> - if (f->op != Audit_equal)
> + if (f->op != Audit_not_equal && f->op != Audit_equal)
>   return -EINVAL;
>   if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>   return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
>   break;
>   case AUDIT_EXE:
>   result = audit_exe_compare(tsk, rule->exe);
> + if (f->op == Audit_not_equal)
> + result = !result;
>   break;
>   case AUDIT_UID:
>   result = audit_uid_comparator(cred->uid, f->op, f->uid);
> -- 
> 2.14.3
> 

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH v2] audit: allow not equal op for audit by executable

2018-04-09 Thread Paul Moore

On Mon, Apr 9, 2018 at 4:00 AM, Ondrej Mosnacek  wrote:
> From: Ondrej Mosnáček 
>
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> Signed-off-by: Ondrej Mosnacek 
> ---
>  kernel/auditfilter.c | 2 +-
>  kernel/auditsc.c | 2 ++
>  2 files changed, 3 insertions(+), 1 deletion(-)

This looks better, thanks.

I think we should also add a test for this added to the exec_name
tests, could you also do that please?

* 
https://github.com/linux-audit/audit-testsuite/blob/master/tests/exec_name/test

You can send the audit-testsuite patch either to this mailing list or
as a PR against the GitHub project.

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, 
> struct audit_field *f)
> return -EINVAL;
> break;
> case AUDIT_EXE:
> -   if (f->op != Audit_equal)
> +   if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> +   if (f->op == Audit_not_equal)
> +   result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op, 
> f->uid);
> --
> 2.14.3
>

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

[PATCH v2] audit: allow not equal op for audit by executable

2018-04-09 Thread Ondrej Mosnacek

From: Ondrej Mosnáček 

Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53

Signed-off-by: Ondrej Mosnacek 
---
 kernel/auditfilter.c | 2 +-
 kernel/auditsc.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, 
struct audit_field *f)
return -EINVAL;
break;
case AUDIT_EXE:
-   if (f->op != Audit_equal)
+   if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe);
+   if (f->op == Audit_not_equal)
+   result = !result;
break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid);
-- 
2.14.3

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH v2] audit: allow not equal op for audit by executable

Re: [PATCH v2] audit: allow not equal op for audit by executable

Re: [PATCH v2] audit: allow not equal op for audit by executable

[PATCH v2] audit: allow not equal op for audit by executable

4 matches

Site Navigation

Mail list logo

Footer information