From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>, Paul Moore <pmoore@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [userspace PATCH v2 2/2] Check exclude filter cred extension fields available in kernel
Date: Mon, 10 Oct 2016 13:47:38 -0400
Message-ID: <2956869.9SxeY5TJWN@x2>
In-Reply-To: <1471545200-3742-3-git-send-email-rgb@redhat.com>

On Thursday, August 18, 2016 2:33:20 PM EDT Richard Guy Briggs wrote:
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  trunk/lib/errormsg.h |    2 +-
>  trunk/lib/libaudit.c |   39 ++++++++++++++++++++++-----------------
>  trunk/lib/libaudit.h |    3 +++
>  3 files changed, 26 insertions(+), 18 deletions(-)
> 
> diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
> index 84bfdb3..4a897be 100644
> --- a/trunk/lib/errormsg.h
> +++ b/trunk/lib/errormsg.h
> @@ -47,7 +47,7 @@ static const struct msg_tab err_msgtab[] = {
>      { -9,    0,    "msgtype field can only be used with exclude filter
> list" }, { -10,    0,    "Failed upgrading rule" },
>      { -11,    0,    "String value too long" },
> -    { -12,    0,    "Only msgtype field can be used with exclude filter" },
> +    { -12,    0,    "Only msgtype, uid, gid, auid*, subj* fields can be
> used with exclude filter" }, { -13,    1,    "only takes = or != operators"
> },
>      { -14,    0,    "Permission can only contain  \'rwxa\'" },
>      { -15,    2,    "-F unknown errno -"},
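
Review bot: the new -12 text lists msgtype, uid, gid, auid* and subj*, but the switch in the libaudit.c hunk of this same patch also accepts AUDIT_PID on the exclude filter, so the message under-reports what is allowed. Add pid to the list, or drop the AUDIT_PID case, so the error a user sees matches what the library enforces.
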
> diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
> index 798b3c8..5ffc38c 100644
> --- a/trunk/lib/libaudit.c
> +++ b/trunk/lib/libaudit.c
> @@ -1401,23 +1401,28 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, return -2;
> 
>  	/* Exclude filter can be used only with MSGTYPE and cred fields */
> -	if (flags == AUDIT_FILTER_EXCLUDE)
> -		switch(field) {
> -			case AUDIT_PID:
> -			case AUDIT_UID:
> -			case AUDIT_GID:
> -			case AUDIT_LOGINUID:
> -			case AUDIT_LOGINUID_SET:
> -			case AUDIT_MSGTYPE:
> -			case AUDIT_SUBJ_USER:
> -			case AUDIT_SUBJ_ROLE:
> -			case AUDIT_SUBJ_TYPE:
> -			case AUDIT_SUBJ_SEN:
> -			case AUDIT_SUBJ_CLR:
> -				break;
> -			default:
> -				return -12;
> -		}
> +	if (flags == AUDIT_FILTER_EXCLUDE) {
> +		if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {

One question, why is this being and'ed directly? I was told that we have to go 
through AUDIT_FEATURE_TO_MASK() to convert the value to a mask which can then 
be and'ed. Is this macro now deprecated?

-Steve

> +			if (field != AUDIT_MSGTYPE)
> +				return -30;
> +		} else
> +			switch(field) {
> +				case AUDIT_PID:
> +				case AUDIT_UID:
> +				case AUDIT_GID:
> +				case AUDIT_LOGINUID:
> +				case AUDIT_LOGINUID_SET:
> +				case AUDIT_MSGTYPE:
> +				case AUDIT_SUBJ_USER:
> +				case AUDIT_SUBJ_ROLE:
> +				case AUDIT_SUBJ_TYPE:
> +				case AUDIT_SUBJ_SEN:
> +				case AUDIT_SUBJ_CLR:
> +					break;
> +				default:
> +					return -12;
> +			}
> +	}
> 
>  	rule->fields[rule->field_count] = field;
>  	rule->fieldflags[rule->field_count] = op;
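
Review bot: the new "return -30" on the "field != AUDIT_MSGTYPE" path has no matching err_msgtab entry in this patch; the diffstat shows errormsg.h changing only the -12 line. If no -30 entry exists elsewhere, add one here saying that the running kernel lacks the extended exclude filter fields, so the caller gets text with the code. Separately, "features" is tested against AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND but its declaration and the place it is populated are not in this hunk; a short comment stating where it comes from and what it holds when the kernel query fails would make the msgtype-only fallback explicit. The "} else" followed by an unbraced switch would also read better with braces on both arms.
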
> diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
> index 0852bcc..f77691f 100644
> --- a/trunk/lib/libaudit.h
> +++ b/trunk/lib/libaudit.h
> @@ -278,6 +278,9 @@ extern "C" {
>  #ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
>  #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH    0x00000004
>  #endif
> +#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
> +#endif
> 
>  /* Defines for interfield comparison update */
>  #ifndef AUDIT_OBJ_UID
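
Review bot: the fallback define of AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND as 0x00000008 carries no comment saying which kernel capability the bit signals, and because it sits behind #ifndef it takes effect silently whenever the installed headers lack the symbol. A one-line comment naming the feature (extended exclude filter fields) would document that. The new define also separates name and value with a tab while the AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH define just above it uses spaces; match the existing whitespace.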
