From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH] audit: allow not equal op for audit by executable
Date: Fri, 06 Apr 2018 10:32:34 -0400
Message-ID: <5047360.9LCk7V2fUA@x2>
References: <20180406084300.31456-1-omosnace@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <20180406084300.31456-1-omosnace@redhat.com>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Ondrej Mosnacek
Cc: Richard Guy Briggs , linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53

What would an audit rule that uses this new capability look like?

-Steve

> Signed-off-by: Ondrej Mosnacek
> ---
>
> Hi Paul,
>
> this turned out to be easier than I anticipated so I'm sending the patch
> already :) I hope I got everything right. Note that the userspace tools
> also need to be updated to check the feature bit and allow/disallow the
> operator based on that.
>
> Ondrej
>
> include/uapi/linux/audit.h | 18 ++++++++++--------
> kernel/auditfilter.c | 2 +-
> kernel/auditsc.c | 2 ++
> 3 files changed, 13 insertions(+), 9 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 4e61a9e05132..03393f7e8932 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -333,13 +333,14 @@ enum { > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > #define AUDIT_STATUS_LOST 0x0040 > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ > @@ -347,7 +348,8 @@ enum { > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > AUDIT_FEATURE_BITMAP_LOST_RESET | \ > - AUDIT_FEATURE_BITMAP_FILTER_FS) > + AUDIT_FEATURE_BITMAP_FILTER_FS | \ > + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) > > /* deprecated: AUDIT_VERSION_* */ > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index d7a807e81451..a0c5a3ec6e60 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, > struct audit_field *f) return -EINVAL; > break; > case AUDIT_EXE: > - if (f->op != Audit_equal) > + if (f->op != Audit_not_equal && f->op != Audit_equal) > return -EINVAL; > if (entry->rule.listnr != AUDIT_FILTER_EXIT) > return -EINVAL; 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 4e0a4ac803db..479c031ec54c 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, > break; > case AUDIT_EXE: > result = audit_exe_compare(tsk, rule->exe); > + if (f->op == Audit_not_equal) > + result = !result; > break; > case AUDIT_UID: > result = audit_uid_comparator(cred->uid, f->op, f->uid);
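Review bot: in the first include/uapi/linux/audit.h hunk, seven of the eight changed lines are whitespace-only realignment of existing AUDIT_FEATURE_BITMAP_* defines; the only functional addition is `+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080`. The realignment inflates the diffstat (18 lines for one new constant) and obscures the real change in blame output; either drop it or call it out in the commit message. A short comment on the new bit saying it advertises that AUDIT_EXE accepts the not-equal operator would also help userspace authors, since the cover note says the tools are expected to gate on this feature bit.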
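Review bot: in the kernel/auditsc.c hunk, the not-equal case is bolted on as `if (f->op == Audit_not_equal) result = !result;` after `result = audit_exe_compare(tsk, rule->exe);`, whereas the neighbouring AUDIT_UID case passes `f->op` into its comparator. That is correct only because audit_field_valid() in the auditfilter.c hunk restricts AUDIT_EXE to Audit_equal and Audit_not_equal; any future operator added there would silently fall through to the equal behaviour here. Consider either passing `f->op` into the comparison or adding a one-line comment stating that only those two operators reach this point, so the two checks are not maintained independently.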