Re: [PATCH] audit: allow not equal op for audit by executable

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] audit: allow not equal op for audit by executable
Date: Fri, 06 Apr 2018 11:19:21 -0400	[thread overview]
Message-ID: <3513512.8tIADAi1Gv@x2> (raw)
In-Reply-To: <20180406144537.n4zbjvj52scw7ulu@madcap2.tricolour.ca>

On Friday, April 6, 2018 10:45:37 AM EDT Richard Guy Briggs wrote:
> On 2018-04-06 10:32, Steve Grubb wrote:
> > On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
> > > Current implementation of auditing by executable name only implements
> > > the 'equal' operator. This patch extends it to also support the 'not
> > > equal' operator.
> > > 
> > > See: https://github.com/linux-audit/audit-kernel/issues/53
> > 
> > What would an audit rule that uses this new capability look like?
> 
> auditctl -a exit,always ... -F exe!=/path/to/exec

Does this mean, audit the syscall for any application except the one 
mentioned? If so, how does this compare to

auditctl -a exit,never ... -F exe=/path/to/exec
auditctl -a exit,always ...

 -Steve

> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > > 
> > > Hi Paul,
> > > 
> > > this turned out to be easier than I anticipated so I'm sending the
> > > patch
> > > already :) I hope I got everything right. Note that the userspace tools
> > > also need to be updated to check the feature bit and allow/disallow the
> > > operator based on that.
> > > 
> > > Ondrej
> > > 
> > >  include/uapi/linux/audit.h | 18 ++++++++++--------
> > >  kernel/auditfilter.c       |  2 +-
> > >  kernel/auditsc.c           |  2 ++
> > >  3 files changed, 13 insertions(+), 9 deletions(-)
> > > 
> > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > index 4e61a9e05132..03393f7e8932 100644
> > > --- a/include/uapi/linux/audit.h
> > > +++ b/include/uapi/linux/audit.h
> > > @@ -333,13 +333,14 @@ enum {
> > > 
> > >  #define AUDIT_STATUS_BACKLOG_WAIT_TIME	0x0020
> > >  #define AUDIT_STATUS_LOST		0x0040
> > > 
> > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT	0x00000001
> > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME	0x00000002
> > > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004
> > > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
> > > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER	0x00000010
> > > -#define AUDIT_FEATURE_BITMAP_LOST_RESET		0x00000020
> > > -#define AUDIT_FEATURE_BITMAP_FILTER_FS		0x00000040
> > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT		0x00000001
> > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME		0x00000002
> > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH		0x00000004
> > > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND		0x00000008
> > > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER		0x00000010
> > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET			0x00000020
> > > +#define AUDIT_FEATURE_BITMAP_FILTER_FS			0x00000040
> > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ	0x00000080
> > > 
> > >  #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
> > >  \
> > >  
> > >  				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > > 
> > > @@ -347,7 +348,8 @@ enum {
> > > 
> > >  				  AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> > >  				  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > >  				  AUDIT_FEATURE_BITMAP_LOST_RESET | \
> > > 
> > > -				  AUDIT_FEATURE_BITMAP_FILTER_FS)
> > > +				  AUDIT_FEATURE_BITMAP_FILTER_FS | \
> > > +				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
> > > 
> > >  /* deprecated: AUDIT_VERSION_* */
> > >  #define AUDIT_VERSION_LATEST 		AUDIT_FEATURE_BITMAP_ALL
> > > 
> > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > > index d7a807e81451..a0c5a3ec6e60 100644
> > > --- a/kernel/auditfilter.c
> > > +++ b/kernel/auditfilter.c
> > > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry
> > > *entry, struct audit_field *f) return -EINVAL;
> > > 
> > >  		break;
> > >  	
> > >  	case AUDIT_EXE:
> > > -		if (f->op != Audit_equal)
> > > +		if (f->op != Audit_not_equal && f->op != Audit_equal)
> > > 
> > >  			return -EINVAL;
> > >  		
> > >  		if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> > >  		
> > >  			return -EINVAL;
> > > 
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 4e0a4ac803db..479c031ec54c 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct
> > > *tsk,
> > > 
> > >  			break;
> > >  		
> > >  		case AUDIT_EXE:
> > >  			result = audit_exe_compare(tsk, rule->exe);
> > > 
> > > +			if (f->op == Audit_not_equal)
> > > +				result = !result;
> > > 
> > >  			break;
> > >  		
> > >  		case AUDIT_UID:
> > >  			result = audit_uid_comparator(cred->uid, f->op, f->uid);
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635

next prev parent reply	other threads:[~2018-04-06 15:19 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-06  8:43 [PATCH] audit: allow not equal op for audit by executable Ondrej Mosnacek
2018-04-06 10:37 ` Richard Guy Briggs
2018-04-06 11:10   ` Ondrej Mosnacek
2018-04-06 11:53     ` Richard Guy Briggs
2018-04-06 21:21       ` Paul Moore
2018-04-06 14:32 ` Steve Grubb
2018-04-06 14:45   ` Richard Guy Briggs
2018-04-06 15:19     ` Steve Grubb [this message]
2018-04-06 16:40       ` Richard Guy Briggs
2018-04-06 15:01   ` Ondrej Mosnacek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3513512.8tIADAi1Gv@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=rgb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.