From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: [PATCH ghau93 v1] add support to filter on sockaddr family
Date: Fri, 31 May 2019 16:37:10 -0400
Message-ID: <2066826.q3lDRu4DR0@x2>
In-Reply-To: <1556297985-1229-1-git-send-email-rgb@redhat.com>
On Friday, April 26, 2019 12:59:45 PM EDT Richard Guy Briggs wrote:
> Provide a method to filter on network address family.
>
> This adds support for the kernel filter for sockaddr family,
> AUDIT_SADDR_FAM, adding the command line option "saddr_fam" to auditctl.
>
> See: https://github.com/linux-audit/audit-kernel/issues/64
> See: https://github.com/linux-audit/audit-userspace/issues/93
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Applied.
Thanks,
-Steve
> ---
> lib/errormsg.h | 2 ++
> lib/fieldtab.h | 1 +
> lib/libaudit.c | 6 ++++++
> lib/libaudit.h | 3 +++
> 4 files changed, 12 insertions(+)
>
> diff --git a/lib/errormsg.h b/lib/errormsg.h
> index fd8c4a4b1311..fc03b2475034 100644
> --- a/lib/errormsg.h
> +++ b/lib/errormsg.h
> @@ -70,6 +70,7 @@ struct msg_tab {
> #define EAU_FIELDUNAVAIL 34
> #define EAU_FILTERNOSUPPORT 35
> #define EAU_FSTYPEUNKNOWN 36
> +#define EAU_FIELDVALTOOBIG 37
> static const struct msg_tab err_msgtab[] = {
> { -EAU_OPMISSING, 2, "-F missing operation for" },
> { -EAU_FIELDUNKNOWN, 2, "-F unknown field:" },
> @@ -107,5 +108,6 @@ static const struct msg_tab err_msgtab[] = {
> { -EAU_FIELDUNAVAIL, 1, "field is not valid for the filter" },
> { -EAU_FILTERNOSUPPORT, 1, "filter is not supported by the kernel" },
> { -EAU_FSTYPEUNKNOWN, 2, "file system type is unknown for field:" },
> + { -EAU_FIELDVALTOOBIG, 2, "value is too large for field:" },
> };
> #endif
> diff --git a/lib/fieldtab.h b/lib/fieldtab.h
> index c425d5b86049..b597cafb2df8 100644
> --- a/lib/fieldtab.h
> +++ b/lib/fieldtab.h
> @@ -69,3 +69,4 @@ _S(AUDIT_ARG3, "a3" )
>
> _S(AUDIT_FILTERKEY, "key" )
> _S(AUDIT_EXE, "exe" )
> +_S(AUDIT_SADDR_FAM, "saddr_fam" )
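Review bot: The "saddr_fam" field name added here is user-visible through auditctl, but the diffstat lists only four files under lib/, so nothing in this patch documents it. Suggest adding the field, and the fact that its value is parsed as a number, to the auditctl man page in the same series.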
> diff --git a/lib/libaudit.c b/lib/libaudit.c
> index 2af017a0e520..2e4b148edde9 100644
> --- a/lib/libaudit.c
> +++ b/lib/libaudit.c
> @@ -40,6 +40,7 @@
> #include <limits.h> /* for PATH_MAX */
> #include <sys/stat.h>
> #include <sys/types.h>
> +#include <sys/socket.h> /* AF_MAX */
> #ifdef HAVE_LIBCAP_NG
> #include <cap-ng.h>
> #endif
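Review bot: Taking AF_MAX from <sys/socket.h> ties the accepted range to the headers libaudit was built against, not to the kernel it talks to, so a library built against older headers would reject a family the running kernel knows. A comment next to the include, or in the case that uses it, should say that the bound is a build-time sanity check only.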
> @@ -1742,6 +1743,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, else if (strcmp(v, "unset") == 0)
> rule->values[rule->field_count] = 4294967295;
> break;
> + case AUDIT_SADDR_FAM:
> + rule->values[rule->field_count] = strtoul(v, NULL, 0);
> + if (rule->values[rule->field_count] >= AF_MAX)
> + return -EAU_FIELDVALTOOBIG;
> + break;
> case AUDIT_DEVMAJOR...AUDIT_INODE:
> case AUDIT_SUCCESS:
> if (flags != AUDIT_FILTER_EXIT)
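Review bot: The new AUDIT_SADDR_FAM case calls strtoul(v, NULL, 0) with no end pointer and no errno check, so a non-numeric value parses as 0 and is accepted silently instead of being rejected. The AF_MAX comparison is also made after the result has been stored in rule->values[], so if that array is narrower than unsigned long (the 4294967295 assignment just above suggests 32 bits) an oversized input can truncate to a small value and pass the check. Suggest parsing into a local unsigned long, checking errno and that the end pointer reached the end of the string, comparing the local against AF_MAX, and only then storing it.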
> diff --git a/lib/libaudit.h b/lib/libaudit.h
> index 77e4142beea2..89fe4839a69b 100644
> --- a/lib/libaudit.h
> +++ b/lib/libaudit.h
> @@ -356,6 +356,9 @@ extern "C" {
> #ifndef AUDIT_EXE
> #define AUDIT_EXE 112
> #endif
> +#ifndef AUDIT_SADDR_FAM
> +#define AUDIT_SADDR_FAM 113
> +#endif
>
> #ifndef AUDIT_SESSIONID
> #define AUDIT_SESSIONID 25
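Review bot: The fallback #define AUDIT_SADDR_FAM 113 has to match the value in the kernel's audit header exactly, and nothing here says where 113 comes from. A short comment naming the kernel-side change (the commit message points to audit-kernel issue 64) would help anyone checking the two against each other later.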