From: "Chu Li" <chul@cn.fujitsu.com>
To: 'Steve Grubb' <sgrubb@redhat.com>
Cc: 'linux-audit' <linux-audit@redhat.com>
Subject: RE: [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported.
Date: Wed, 6 Aug 2008 15:27:00 +0800 [thread overview]
Message-ID: <003901c8f795$d0df9300$958da70a@truly> (raw)
In-Reply-To: <200808042018.41069.sgrubb@redhat.com>
Hi Steve,
> > When I use "-a user,always -S open", errors will be reported. But when I
> > use "-S open -a user,always", no errors will report. There is no
> > corresponding codes to deal with the later format.
>
> I'm still thinking about this patch. I'll look at it again tomorrow.
>
I modified the original patch. (I moved the judgment codes for list and syscall
in handle_request() before the line "if (add != AUDIT_FILTER_UNSET)".)
Then when using "-S open -a user,always" or "-S open -d user,always" will report
error to users.
And I found another problem, when using "-a 'list','action' -w /mnt", it will
always
add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa". I found "-w" will
use the "exit" list automatically. I think it's better to add something about it
in
manual.
How about your opinion?
Signed-off-by: Chu Li <chul@cn.fujitsu.com>
---
diff --git a/src/auditctl.c b/src/auditctl.c
index 48f1369..f4f9553 100755
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -575,52 +575,41 @@ static int setopt(int count, char *vars[])
retval = -2;
break;
case 'a':
- if (strstr(optarg, "task") && audit_syscalladded) {
+ rc = audit_rule_setup(optarg, &add, &action);
+ if (rc == 3) {
+ fprintf(stderr,
+ "Multiple rule insert/delete operations are not allowed\n");
+ retval = -1;
+ } else if (rc == 2) {
fprintf(stderr,
- "Syscall auditing requested for task list\n");
+ "Append rule - bad keyword %s\n",
+ optarg);
retval = -1;
- } else {
- rc = audit_rule_setup(optarg, &add, &action);
- if (rc == 3) {
- fprintf(stderr,
- "Multiple rule insert/delete operations are not allowed\n");
- retval = -1;
- } else if (rc == 2) {
- fprintf(stderr,
- "Append rule - bad keyword %s\n",
- optarg);
- retval = -1;
- } else if (rc == 1) {
- fprintf(stderr,
- "Append rule - possible is deprecated\n");
- return -3; /* deprecated - eat it */
- } else
- retval = 1; /* success - please send */
+ } else if (rc == 1) {
+ fprintf(stderr,
+ "Append rule - possible is deprecated\n");
+ return -3; /* deprecated - eat it */
+ } else
+ retval = 1; /* success - please send */
}
break;
case 'A':
- if (strstr(optarg, "task") && audit_syscalladded) {
- fprintf(stderr,
- "Error: syscall auditing requested for task list\n");
+ rc = audit_rule_setup(optarg, &add, &action);
+ if (rc == 3) {
+ fprintf(stderr,
+ "Multiple rule insert/delete operations are not allowed\n");
retval = -1;
+ } else if (rc == 2) {
+ fprintf(stderr,
+ "Add rule - bad keyword %s\n", optarg);
+ retval = -1;
+ } else if (rc == 1) {
+ fprintf(stderr,
+ "Append rule - possible is deprecated\n");
+ return -3; /* deprecated - eat it */
} else {
- rc = audit_rule_setup(optarg, &add, &action);
- if (rc == 3) {
- fprintf(stderr,
- "Multiple rule insert/delete operations are not allowed\n");
- retval = -1;
- } else if (rc == 2) {
- fprintf(stderr,
- "Add rule - bad keyword %s\n", optarg);
- retval = -1;
- } else if (rc == 1) {
- fprintf(stderr,
- "Append rule - possible is deprecated\n");
- return -3; /* deprecated - eat it */
- } else {
- add |= AUDIT_FILTER_PREPEND;
- retval = 1; /* success - please send */
- }
+ add |= AUDIT_FILTER_PREPEND;
+ retval = 1; /* success - please send */
}
break;
case 'd':
@@ -1215,6 +1204,27 @@ static int handle_request(int status)
status = 0; // report success
else if (status > 0) {
int rc;
+ if(audit_syscalladded == 1){
+ if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_TASK || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_TASK)) {
+ fprintf(stderr,
+ "Error: syscall auditing being added to task list\n");
+ return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_USER || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_USER)) {
+ fprintf(stderr,
+ "Error: syscall auditing being added to user list\n");
+ return -1;
+ } else if (exclude) {
+ fprintf(stderr,
+ "Error: syscall auditing cannot be put on exclude list\n");
+ return -1;
+ }
+ }
if (add != AUDIT_FILTER_UNSET) {
// if !task add syscall any if not specified
if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK &&
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Tuesday, August 05, 2008 8:19 AM
> To: chuli
> Cc: 'linux-audit'
> Subject: Re: [Patch]Fix the bug of using "-S syscall -a list,action", no errors
> will be reported.
>
> Hi,
>
> On Wednesday 30 July 2008 21:38:26 chuli wrote:
> > When I use "-a user,always -S open", errors will be reported. But when I
> > use "-S open -a user,always", no errors will report. There is no
> > corresponding codes to deal with the later format.
>
> I'm still thinking about this patch. I'll look at it again tomorrow.
>
> Thanks,
> -Steve
>
>
> > Here is my patch. Hope for your opinion about such modification.
> > (I move the code for checking "task" list to the handle_request().)
> >
> > Signed-off-by: Chu Li <chul@cn.fujitsu.com>
> > ---
> > diff --git a/src/auditctl.c b/src/auditctl.c
> > index d740509..9cc3df0 100755
> > --- a/src/auditctl.c
> > +++ b/src/auditctl.c
> > @@ -532,52 +532,40 @@ static int setopt(int count, char *vars[])
> > retval = -2;
> > break;
> > case 'a':
> > - if (strstr(optarg, "task") && audit_syscalladded) {
> > + rc = audit_rule_setup(optarg, &add, &action);
> > + if (rc == 3) {
> > + fprintf(stderr,
> > + "Multiple rule insert/delete operations are not allowed\n");
> > + retval = -1;
> > + } else if (rc == 2) {
> > fprintf(stderr,
> > - "Syscall auditing requested for task list\n");
> > + "Append rule - bad keyword %s\n",
> > + optarg);
> > retval = -1;
> > - } else {
> > - rc = audit_rule_setup(optarg, &add, &action);
> > - if (rc == 3) {
> > - fprintf(stderr,
> > - "Multiple rule insert/delete operations are not allowed\n");
> > - retval = -1;
> > - } else if (rc == 2) {
> > - fprintf(stderr,
> > - "Append rule - bad keyword %s\n",
> > - optarg);
> > - retval = -1;
> > - } else if (rc == 1) {
> > - fprintf(stderr,
> > - "Append rule - possible is deprecated\n");
> > - return -3; /* deprecated - eat it */
> > - } else
> > - retval = 1; /* success - please send */
> > - }
> > + } else if (rc == 1) {
> > + fprintf(stderr,
> > + "Append rule - possible is deprecated\n");
> > + return -3; /* deprecated - eat it */
> > + } else
> > + retval = 1; /* success - please send */
> > break;
> > case 'A':
> > - if (strstr(optarg, "task") && audit_syscalladded) {
> > - fprintf(stderr,
> > - "Error: syscall auditing requested for task list\n");
> > + rc = audit_rule_setup(optarg, &add, &action);
> > + if (rc == 3) {
> > + fprintf(stderr,
> > + "Multiple rule insert/delete operations are not allowed\n");
> > retval = -1;
> > + } else if (rc == 2) {
> > + fprintf(stderr,
> > + "Add rule - bad keyword %s\n", optarg);
> > + retval = -1;
> > + } else if (rc == 1) {
> > + fprintf(stderr,
> > + "Append rule - possible is deprecated\n");
> > + return -3; /* deprecated - eat it */
> > } else {
> > - rc = audit_rule_setup(optarg, &add, &action);
> > - if (rc == 3) {
> > - fprintf(stderr,
> > - "Multiple rule insert/delete operations are not allowed\n");
> > - retval = -1;
> > - } else if (rc == 2) {
> > - fprintf(stderr,
> > - "Add rule - bad keyword %s\n", optarg);
> > - retval = -1;
> > - } else if (rc == 1) {
> > - fprintf(stderr,
> > - "Append rule - possible is deprecated\n");
> > - return -3; /* deprecated - eat it */
> > - } else {
> > - add |= AUDIT_FILTER_PREPEND;
> > - retval = 1; /* success - please send */
> > - }
> > + add |= AUDIT_FILTER_PREPEND;
> > + retval = 1; /* success - please send */
> > }
> > break;
> > case 'd':
> > @@ -1167,6 +1155,27 @@ static int handle_request(int status)
> > audit_rule_syscallbyname_data(
> > rule_new, "all");
> > }
> > + if(audit_syscalladded == 1){
> > + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > + AUDIT_FILTER_TASK || (del &
> > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > + AUDIT_FILTER_TASK)) {
> > + fprintf(stderr,
> > + "Error: syscall auditing being added to task list\n");
> > + return -1;
> > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > + AUDIT_FILTER_USER || (del &
> > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > + AUDIT_FILTER_USER)) {
> > + fprintf(stderr,
> > + "Error: syscall auditing being added to user list\n");
> > + return -1;
> > + } else if (exclude) {
> > + fprintf(stderr,
> > + "Error: syscall auditing cannot be put on exclude
> list\n");
> > + return -1;
> > + }
> > + }
> > if (which == OLD) {
> > rc = audit_add_rule(fd, &rule, add, action);
> > } else {
> >
> > Regards
> > Chu Li
next prev parent reply other threads:[~2008-08-06 7:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-07-31 1:38 [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported chuli
2008-08-05 0:18 ` Steve Grubb
2008-08-06 7:27 ` Chu Li [this message]
2008-08-06 8:51 ` Chu Li
2008-08-06 16:57 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='003901c8f795$d0df9300$958da70a@truly' \
--to=chul@cn.fujitsu.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.