From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Chu Li" Subject: RE: [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported. Date: Wed, 6 Aug 2008 16:51:52 +0800 Message-ID: <004301c8f7a1$abf5d7f0$958da70a@truly> References: <000901c8f2ae$209adb30$958da70a@truly><200808042018.41069.sgrubb@redhat.com> <003901c8f795$d0df9300$958da70a@truly> Return-path: In-Reply-To: <003901c8f795$d0df9300$958da70a@truly> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: 'Steve Grubb' Cc: 'linux-audit' List-Id: linux-audit@redhat.com Hi Steve, > > > When I use "-a user,always -S open", errors will be reported. But when I > > > use "-S open -a user,always", no errors will report. There is no > > > corresponding codes to deal with the later format. > > > > I'm still thinking about this patch. I'll look at it again tomorrow. > > > I modified the original patch. (I moved the judgment codes for list and > syscall > in handle_request() before the line "if (add != AUDIT_FILTER_UNSET)".) > Then when using "-S open -a user,always" or "-S open -d user,always" will > report > error to users. > There is another method, that is the format of "-S xx -a list,action" and "-S xx -a list,action " are not allowed. Only "-a list,action -S xx" and "-d list,action -S xx" can be allowed. The users have to add "list" before "syscall". Here is the patch for such method. Hope your opinion. Signed-off-by: Chu Li --- diff --git a/src/auditctl.c b/src/auditctl.c index 48f1369..0906369 100755 --- a/src/auditctl.c +++ b/src/auditctl.c @@ -575,53 +575,42 @@ static int setopt(int count, char *vars[]) retval = -2; break; case 'a': - if (strstr(optarg, "task") && audit_syscalladded) { + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); + retval = -1; + } else if (rc == 2) { fprintf(stderr, - "Syscall auditing requested for task list\n"); + "Append rule - bad keyword %s\n", + optarg); retval = -1; - } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Append rule - bad keyword %s\n", - optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* deprecated - eat it */ - } else - retval = 1; /* success - please send */ + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ + } else + retval = 1; /* success - please send */ } break; case 'A': - if (strstr(optarg, "task") && audit_syscalladded) { - fprintf(stderr, - "Error: syscall auditing requested for task list\n"); + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); + retval = -1; + } else if (rc == 2) { + fprintf(stderr, + "Add rule - bad keyword %s\n", optarg); retval = -1; + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Add rule - bad keyword %s\n", optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* deprecated - eat it */ - } else { - add |= AUDIT_FILTER_PREPEND; - retval = 1; /* success - please send */ - } - } + add |= AUDIT_FILTER_PREPEND; + retval = 1; /* success - please send */ + } break; case 'd': rc = audit_rule_setup(optarg, &del, &action); @@ -643,7 +632,12 @@ static int setopt(int count, char *vars[]) case 'S': /* Do some checking to make sure that we are not adding a * syscall rule to a list that does not make sense. */ - if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + if ((add == AUDIT_FILTER_UNSET || del == AUDIT_FILTER_UNSET ) + && !exclude){ + fprintf(stderr, + "Error: list should be first added to rule\n"); + return -1; + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == AUDIT_FILTER_TASK || (del & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == AUDIT_FILTER_TASK)) { @@ -1206,10 +1200,6 @@ int main(int argc, char *argv[]) static int handle_request(int status) { if (status == 0) { - if (audit_syscalladded) { - fprintf(stderr, "Error - no list specified\n"); - return -1; - } get_reply(); } else if (status == -2) status = 0; // report success > -----Original Message----- > From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On > Behalf Of Chu Li > Sent: Wednesday, August 06, 2008 3:27 PM > To: 'Steve Grubb' > Cc: 'linux-audit' > Subject: RE: [Patch]Fix the bug of using "-S syscall -a list, action",no errors > will be reported. > > Hi Steve, > > > When I use "-a user,always -S open", errors will be reported. But when I > > > use "-S open -a user,always", no errors will report. There is no > > > corresponding codes to deal with the later format. > > > > I'm still thinking about this patch. I'll look at it again tomorrow. > > > I modified the original patch. (I moved the judgment codes for list and > syscall > in handle_request() before the line "if (add != AUDIT_FILTER_UNSET)".) > Then when using "-S open -a user,always" or "-S open -d user,always" will > report > error to users. > > And I found another problem, when using "-a 'list','action' -w /mnt", it will > always > add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa". I found "-w" > will > use the "exit" list automatically. I think it's better to add something about it > in > manual. > > How about your opinion? > > Signed-off-by: Chu Li > --- > diff --git a/src/auditctl.c b/src/auditctl.c > index 48f1369..f4f9553 100755 > --- a/src/auditctl.c > +++ b/src/auditctl.c > @@ -575,52 +575,41 @@ static int setopt(int count, char *vars[]) > retval = -2; > break; > case 'a': > - if (strstr(optarg, "task") && audit_syscalladded) { > + rc = audit_rule_setup(optarg, &add, &action); > + if (rc == 3) { > + fprintf(stderr, > + "Multiple rule insert/delete operations are not allowed\n"); > + retval = -1; > + } else if (rc == 2) { > fprintf(stderr, > - "Syscall auditing requested for task list\n"); > + "Append rule - bad keyword %s\n", > + optarg); > retval = -1; > - } else { > - rc = audit_rule_setup(optarg, &add, &action); > - if (rc == 3) { > - fprintf(stderr, > - "Multiple rule insert/delete operations are not allowed\n"); > - retval = -1; > - } else if (rc == 2) { > - fprintf(stderr, > - "Append rule - bad keyword %s\n", > - optarg); > - retval = -1; > - } else if (rc == 1) { > - fprintf(stderr, > - "Append rule - possible is deprecated\n"); > - return -3; /* deprecated - eat it */ > - } else > - retval = 1; /* success - please send */ > + } else if (rc == 1) { > + fprintf(stderr, > + "Append rule - possible is deprecated\n"); > + return -3; /* deprecated - eat it */ > + } else > + retval = 1; /* success - please send */ > } > break; > case 'A': > - if (strstr(optarg, "task") && audit_syscalladded) { > - fprintf(stderr, > - "Error: syscall auditing requested for task list\n"); > + rc = audit_rule_setup(optarg, &add, &action); > + if (rc == 3) { > + fprintf(stderr, > + "Multiple rule insert/delete operations are not allowed\n"); > retval = -1; > + } else if (rc == 2) { > + fprintf(stderr, > + "Add rule - bad keyword %s\n", optarg); > + retval = -1; > + } else if (rc == 1) { > + fprintf(stderr, > + "Append rule - possible is deprecated\n"); > + return -3; /* deprecated - eat it */ > } else { > - rc = audit_rule_setup(optarg, &add, &action); > - if (rc == 3) { > - fprintf(stderr, > - "Multiple rule insert/delete operations are not allowed\n"); > - retval = -1; > - } else if (rc == 2) { > - fprintf(stderr, > - "Add rule - bad keyword %s\n", optarg); > - retval = -1; > - } else if (rc == 1) { > - fprintf(stderr, > - "Append rule - possible is deprecated\n"); > - return -3; /* deprecated - eat it */ > - } else { > - add |= AUDIT_FILTER_PREPEND; > - retval = 1; /* success - please send */ > - } > + add |= AUDIT_FILTER_PREPEND; > + retval = 1; /* success - please send */ > } > break; > case 'd': > @@ -1215,6 +1204,27 @@ static int handle_request(int status) > status = 0; // report success > else if (status > 0) { > int rc; > + if(audit_syscalladded == 1){ > + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_TASK || (del & > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_TASK)) { > + fprintf(stderr, > + "Error: syscall auditing being added to task list\n"); > + return -1; > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_USER || (del & > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_USER)) { > + fprintf(stderr, > + "Error: syscall auditing being added to user list\n"); > + return -1; > + } else if (exclude) { > + fprintf(stderr, > + "Error: syscall auditing cannot be put on exclude list\n"); > + return -1; > + } > + } > if (add != AUDIT_FILTER_UNSET) { > // if !task add syscall any if not specified > if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK && > > > -----Original Message----- > > From: Steve Grubb [mailto:sgrubb@redhat.com] > > Sent: Tuesday, August 05, 2008 8:19 AM > > To: chuli > > Cc: 'linux-audit' > > Subject: Re: [Patch]Fix the bug of using "-S syscall -a list,action", no > > errors > > will be reported. > > > > Hi, > > > > On Wednesday 30 July 2008 21:38:26 chuli wrote: > > > When I use "-a user,always -S open", errors will be reported. But when I > > > use "-S open -a user,always", no errors will report. There is no > > > corresponding codes to deal with the later format. > > > > I'm still thinking about this patch. I'll look at it again tomorrow. > > > > Thanks, > > -Steve > > > > > > > Here is my patch. Hope for your opinion about such modification. > > > (I move the code for checking "task" list to the handle_request().) > > > > > > Signed-off-by: Chu Li > > > --- > > > diff --git a/src/auditctl.c b/src/auditctl.c > > > index d740509..9cc3df0 100755 > > > --- a/src/auditctl.c > > > +++ b/src/auditctl.c > > > @@ -532,52 +532,40 @@ static int setopt(int count, char *vars[]) > > > retval = -2; > > > break; > > > case 'a': > > > - if (strstr(optarg, "task") && audit_syscalladded) { > > > + rc = audit_rule_setup(optarg, &add, &action); > > > + if (rc == 3) { > > > + fprintf(stderr, > > > + "Multiple rule insert/delete operations are not allowed\n"); > > > + retval = -1; > > > + } else if (rc == 2) { > > > fprintf(stderr, > > > - "Syscall auditing requested for task list\n"); > > > + "Append rule - bad keyword %s\n", > > > + optarg); > > > retval = -1; > > > - } else { > > > - rc = audit_rule_setup(optarg, &add, &action); > > > - if (rc == 3) { > > > - fprintf(stderr, > > > - "Multiple rule insert/delete operations are not allowed\n"); > > > - retval = -1; > > > - } else if (rc == 2) { > > > - fprintf(stderr, > > > - "Append rule - bad keyword %s\n", > > > - optarg); > > > - retval = -1; > > > - } else if (rc == 1) { > > > - fprintf(stderr, > > > - "Append rule - possible is deprecated\n"); > > > - return -3; /* deprecated - eat it */ > > > - } else > > > - retval = 1; /* success - please send */ > > > - } > > > + } else if (rc == 1) { > > > + fprintf(stderr, > > > + "Append rule - possible is deprecated\n"); > > > + return -3; /* deprecated - eat it */ > > > + } else > > > + retval = 1; /* success - please send */ > > > break; > > > case 'A': > > > - if (strstr(optarg, "task") && audit_syscalladded) { > > > - fprintf(stderr, > > > - "Error: syscall auditing requested for task list\n"); > > > + rc = audit_rule_setup(optarg, &add, &action); > > > + if (rc == 3) { > > > + fprintf(stderr, > > > + "Multiple rule insert/delete operations are not allowed\n"); > > > retval = -1; > > > + } else if (rc == 2) { > > > + fprintf(stderr, > > > + "Add rule - bad keyword %s\n", optarg); > > > + retval = -1; > > > + } else if (rc == 1) { > > > + fprintf(stderr, > > > + "Append rule - possible is deprecated\n"); > > > + return -3; /* deprecated - eat it */ > > > } else { > > > - rc = audit_rule_setup(optarg, &add, &action); > > > - if (rc == 3) { > > > - fprintf(stderr, > > > - "Multiple rule insert/delete operations are not allowed\n"); > > > - retval = -1; > > > - } else if (rc == 2) { > > > - fprintf(stderr, > > > - "Add rule - bad keyword %s\n", optarg); > > > - retval = -1; > > > - } else if (rc == 1) { > > > - fprintf(stderr, > > > - "Append rule - possible is deprecated\n"); > > > - return -3; /* deprecated - eat it */ > > > - } else { > > > - add |= AUDIT_FILTER_PREPEND; > > > - retval = 1; /* success - please send */ > > > - } > > > + add |= AUDIT_FILTER_PREPEND; > > > + retval = 1; /* success - please send */ > > > } > > > break; > > > case 'd': > > > @@ -1167,6 +1155,27 @@ static int handle_request(int status) > > > audit_rule_syscallbyname_data( > > > rule_new, "all"); > > > } > > > + if(audit_syscalladded == 1){ > > > + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > > + AUDIT_FILTER_TASK || (del & > > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > > + AUDIT_FILTER_TASK)) { > > > + fprintf(stderr, > > > + "Error: syscall auditing being added to task > list\n"); > > > + return -1; > > > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) > == > > > + AUDIT_FILTER_USER || (del & > > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > > + AUDIT_FILTER_USER)) { > > > + fprintf(stderr, > > > + "Error: syscall auditing being added to user > list\n"); > > > + return -1; > > > + } else if (exclude) { > > > + fprintf(stderr, > > > + "Error: syscall auditing cannot be put on exclude > > list\n"); > > > + return -1; > > > + } > > > + } > > > if (which == OLD) { > > > rc = audit_add_rule(fd, &rule, add, action); > > > } else { > > > > > > Regards > > > Chu Li > > > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit