From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Chu Li" Subject: RE: [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported. Date: Wed, 6 Aug 2008 15:27:00 +0800 Message-ID: <003901c8f795$d0df9300$958da70a@truly> References: <000901c8f2ae$209adb30$958da70a@truly> <200808042018.41069.sgrubb@redhat.com> Return-path: In-Reply-To: <200808042018.41069.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: 'Steve Grubb' Cc: 'linux-audit' List-Id: linux-audit@redhat.com Hi Steve, > > When I use "-a user,always -S open", errors will be reported. But when I > > use "-S open -a user,always", no errors will report. There is no > > corresponding codes to deal with the later format. > > I'm still thinking about this patch. I'll look at it again tomorrow. > I modified the original patch. (I moved the judgment codes for list and syscall in handle_request() before the line "if (add != AUDIT_FILTER_UNSET)".) Then when using "-S open -a user,always" or "-S open -d user,always" will report error to users. And I found another problem, when using "-a 'list','action' -w /mnt", it will always add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa". I found "-w" will use the "exit" list automatically. I think it's better to add something about it in manual. How about your opinion? Signed-off-by: Chu Li --- diff --git a/src/auditctl.c b/src/auditctl.c index 48f1369..f4f9553 100755 --- a/src/auditctl.c +++ b/src/auditctl.c @@ -575,52 +575,41 @@ static int setopt(int count, char *vars[]) retval = -2; break; case 'a': - if (strstr(optarg, "task") && audit_syscalladded) { + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); + retval = -1; + } else if (rc == 2) { fprintf(stderr, - "Syscall auditing requested for task list\n"); + "Append rule - bad keyword %s\n", + optarg); retval = -1; - } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Append rule - bad keyword %s\n", - optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* deprecated - eat it */ - } else - retval = 1; /* success - please send */ + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ + } else + retval = 1; /* success - please send */ } break; case 'A': - if (strstr(optarg, "task") && audit_syscalladded) { - fprintf(stderr, - "Error: syscall auditing requested for task list\n"); + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); retval = -1; + } else if (rc == 2) { + fprintf(stderr, + "Add rule - bad keyword %s\n", optarg); + retval = -1; + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Add rule - bad keyword %s\n", optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* deprecated - eat it */ - } else { - add |= AUDIT_FILTER_PREPEND; - retval = 1; /* success - please send */ - } + add |= AUDIT_FILTER_PREPEND; + retval = 1; /* success - please send */ } break; case 'd': @@ -1215,6 +1204,27 @@ static int handle_request(int status) status = 0; // report success else if (status > 0) { int rc; + if(audit_syscalladded == 1){ + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_TASK || (del & + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_TASK)) { + fprintf(stderr, + "Error: syscall auditing being added to task list\n"); + return -1; + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_USER || (del & + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_USER)) { + fprintf(stderr, + "Error: syscall auditing being added to user list\n"); + return -1; + } else if (exclude) { + fprintf(stderr, + "Error: syscall auditing cannot be put on exclude list\n"); + return -1; + } + } if (add != AUDIT_FILTER_UNSET) { // if !task add syscall any if not specified if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK && > -----Original Message----- > From: Steve Grubb [mailto:sgrubb@redhat.com] > Sent: Tuesday, August 05, 2008 8:19 AM > To: chuli > Cc: 'linux-audit' > Subject: Re: [Patch]Fix the bug of using "-S syscall -a list,action", no errors > will be reported. > > Hi, > > On Wednesday 30 July 2008 21:38:26 chuli wrote: > > When I use "-a user,always -S open", errors will be reported. But when I > > use "-S open -a user,always", no errors will report. There is no > > corresponding codes to deal with the later format. > > I'm still thinking about this patch. I'll look at it again tomorrow. > > Thanks, > -Steve > > > > Here is my patch. Hope for your opinion about such modification. > > (I move the code for checking "task" list to the handle_request().) > > > > Signed-off-by: Chu Li > > --- > > diff --git a/src/auditctl.c b/src/auditctl.c > > index d740509..9cc3df0 100755 > > --- a/src/auditctl.c > > +++ b/src/auditctl.c > > @@ -532,52 +532,40 @@ static int setopt(int count, char *vars[]) > > retval = -2; > > break; > > case 'a': > > - if (strstr(optarg, "task") && audit_syscalladded) { > > + rc = audit_rule_setup(optarg, &add, &action); > > + if (rc == 3) { > > + fprintf(stderr, > > + "Multiple rule insert/delete operations are not allowed\n"); > > + retval = -1; > > + } else if (rc == 2) { > > fprintf(stderr, > > - "Syscall auditing requested for task list\n"); > > + "Append rule - bad keyword %s\n", > > + optarg); > > retval = -1; > > - } else { > > - rc = audit_rule_setup(optarg, &add, &action); > > - if (rc == 3) { > > - fprintf(stderr, > > - "Multiple rule insert/delete operations are not allowed\n"); > > - retval = -1; > > - } else if (rc == 2) { > > - fprintf(stderr, > > - "Append rule - bad keyword %s\n", > > - optarg); > > - retval = -1; > > - } else if (rc == 1) { > > - fprintf(stderr, > > - "Append rule - possible is deprecated\n"); > > - return -3; /* deprecated - eat it */ > > - } else > > - retval = 1; /* success - please send */ > > - } > > + } else if (rc == 1) { > > + fprintf(stderr, > > + "Append rule - possible is deprecated\n"); > > + return -3; /* deprecated - eat it */ > > + } else > > + retval = 1; /* success - please send */ > > break; > > case 'A': > > - if (strstr(optarg, "task") && audit_syscalladded) { > > - fprintf(stderr, > > - "Error: syscall auditing requested for task list\n"); > > + rc = audit_rule_setup(optarg, &add, &action); > > + if (rc == 3) { > > + fprintf(stderr, > > + "Multiple rule insert/delete operations are not allowed\n"); > > retval = -1; > > + } else if (rc == 2) { > > + fprintf(stderr, > > + "Add rule - bad keyword %s\n", optarg); > > + retval = -1; > > + } else if (rc == 1) { > > + fprintf(stderr, > > + "Append rule - possible is deprecated\n"); > > + return -3; /* deprecated - eat it */ > > } else { > > - rc = audit_rule_setup(optarg, &add, &action); > > - if (rc == 3) { > > - fprintf(stderr, > > - "Multiple rule insert/delete operations are not allowed\n"); > > - retval = -1; > > - } else if (rc == 2) { > > - fprintf(stderr, > > - "Add rule - bad keyword %s\n", optarg); > > - retval = -1; > > - } else if (rc == 1) { > > - fprintf(stderr, > > - "Append rule - possible is deprecated\n"); > > - return -3; /* deprecated - eat it */ > > - } else { > > - add |= AUDIT_FILTER_PREPEND; > > - retval = 1; /* success - please send */ > > - } > > + add |= AUDIT_FILTER_PREPEND; > > + retval = 1; /* success - please send */ > > } > > break; > > case 'd': > > @@ -1167,6 +1155,27 @@ static int handle_request(int status) > > audit_rule_syscallbyname_data( > > rule_new, "all"); > > } > > + if(audit_syscalladded == 1){ > > + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_TASK || (del & > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_TASK)) { > > + fprintf(stderr, > > + "Error: syscall auditing being added to task list\n"); > > + return -1; > > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_USER || (del & > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_USER)) { > > + fprintf(stderr, > > + "Error: syscall auditing being added to user list\n"); > > + return -1; > > + } else if (exclude) { > > + fprintf(stderr, > > + "Error: syscall auditing cannot be put on exclude > list\n"); > > + return -1; > > + } > > + } > > if (which == OLD) { > > rc = audit_add_rule(fd, &rule, add, action); > > } else { > > > > Regards > > Chu Li