* test patch for new inode filter types
@ 2011-11-17 22:23 Eric Paris
From: Eric Paris @ 2011-11-17 22:23 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1: Type: text/plain, Size: 1638 bytes --]
This is NOT full support for the new inode filter constructs I added to
the policy, but is just enough to test some of it. I'm hoping someone
else will write real userspace patches. One will need to apply the
kernel patches and then install the new kernel headers (or
update /usr/include/linux/audit.h by hand). Then apply this patch to
audit and build a new audit (I found the audit build sucks because it will
build against the system libaudit rather than the one in tree, but you
can fix this using make DESTDIR=[dir] install and using the auditctl
from [dir]/usr/local/sbin/).

This patch supports two types of rules:

auditctl -a exit,always -F arch=b64 -S open -F obj_uid=500

which audits all opens of a uid=500 file. (The kernel supports gid,
but this patch doesn't; you can just copy the uid code to make gid work.)

This patch also supports:

auditctl -a exit,always -C

which will audit all cases where a process accesses a file in which the
process uid != file uid.

The kernel is a bit more flexible: it supports process_gid != file_gid.
The kernel also supports ==, >, <, etc. This portion of the patch needs
to support a better construct for parsing the intent and passing that
down. But it seemed like a lot of work on a codebase I'm not familiar
with, and I hoped someone familiar could write a text parser for this
construct.

We should be able to support something like:

auditctl -a exit,always -F interfield!=uid

I dunno what it should look like. But like I said, I just slapped -C in as
a way to test process_uid != file_uid, so it should be pretty easy to
look at that and see how other interactions should work.

-Eric
[-- Attachment #2: tmp.patch --]
[-- Type: text/x-patch, Size: 2526 bytes --]
Index: trunk/src/auditctl.c
===================================================================
--- trunk/src/auditctl.c (revision 606)
+++ trunk/src/auditctl.c (working copy)
@@ -481,7 +481,7 @@
keylen = AUDIT_MAX_KEY_LEN;
while ((retval >= 0) && (c = getopt(count, vars,
- "hislDvte:f:r:b:a:A:d:S:F:m:R:w:W:k:p:q:")) != EOF) {
+ "hislDvtCe:f:r:b:a:A:d:S:F:m:R:w:W:k:p:q:")) != EOF) {
int flags = AUDIT_FILTER_UNSET;
rc = 10; // Init to something impossible to see if unused.
switch (c) {
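Review bot: adding 'C' to the getopt string is correct for an option that takes no argument, but nothing else in this patch adds -C to auditctl's usage text or man page, so the option is undiscoverable from --help; add the usage line together with the getopt change, even for a test-only option, so reviewers can see the intended syntax.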
@@ -742,6 +742,12 @@
}
break;
+ case 'C':
+ rule_new->fields[rule_new->field_count] = AUDIT_FIELD_COMPARE;
+ rule_new->fieldflags[rule_new->field_count] = AUDIT_NOT_EQUAL;
+ rule_new->values[rule_new->field_count] = AUDIT_COMPARE_UID_TO_OBJ_UID;
+ rule_new->field_count++;
+ break;
case 'm':
if (count > 3) {
fprintf(stderr,
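Review bot: the case 'C' block stores into fields[field_count], fieldflags[field_count] and values[field_count] and then increments field_count without checking that field_count is still below AUDIT_MAX_FIELDS, unlike the -F path which validates before appending; add a bounds check (e.g. `if (rule_new->field_count >= AUDIT_MAX_FIELDS) { fprintf(stderr, "Too many fields\n"); retval = -1; break; }`) before the writes. The hard-coded AUDIT_NOT_EQUAL and AUDIT_COMPARE_UID_TO_OBJ_UID are acknowledged in the cover text as a test shortcut; once a real syntax exists, both the operator and the field pair should come from the parsed argument rather than this case.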
Index: trunk/src/ausearch-report.c
===================================================================
--- trunk/src/ausearch-report.c (revision 606)
+++ trunk/src/ausearch-report.c (working copy)
@@ -333,6 +333,7 @@
{T_UID, "id"},
{T_UID, "inode_uid"},
{T_UID, "sauid"},
+ {T_UID, "obj_uid"},
{T_GID, "gid"},
{T_GID, "egid"},
{T_GID, "sgid"},
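Review bot: only the uid side gets an interpretation entry here; the cover text says the kernel supports a gid object comparison as well, so a matching T_GID entry (obj_gid, following the naming used in this hunk) should be added next to the gid entries below, otherwise ausearch -i will print that value as a bare number.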
Index: trunk/auparse/typetab.h
===================================================================
--- trunk/auparse/typetab.h (revision 606)
+++ trunk/auparse/typetab.h (working copy)
@@ -32,6 +32,7 @@
_S(AUPARSE_TYPE_UID, "id" )
_S(AUPARSE_TYPE_UID, "inode_uid" )
_S(AUPARSE_TYPE_UID, "sauid" )
+_S(AUPARSE_TYPE_UID, "obj_uid" )
_S(AUPARSE_TYPE_GID, "gid" )
_S(AUPARSE_TYPE_GID, "egid" )
_S(AUPARSE_TYPE_GID, "sgid" )
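Review bot: this auparse type table must stay in sync with the ausearch-report.c table above; add the AUPARSE_TYPE_GID counterpart for the object gid (obj_gid, following the naming used here) alongside the AUPARSE_TYPE_UID entry so auparse_interpret_field() resolves both fields consistently.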
Index: trunk/lib/fieldtab.h
===================================================================
--- trunk/lib/fieldtab.h (revision 606)
+++ trunk/lib/fieldtab.h (working copy)
@@ -55,6 +55,7 @@
_S(AUDIT_PERM, "perm" )
_S(AUDIT_DIR, "dir" )
_S(AUDIT_FILETYPE, "filetype" )
+_S(AUDIT_OBJ_UID, "obj_uid" )
_S(AUDIT_ARG0, "a0" )
_S(AUDIT_ARG1, "a1" )
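Review bot: fieldtab.h gains AUDIT_OBJ_UID only, while the libaudit.c hunk below handles AUDIT_OBJ_GID as well; with no field name mapped to AUDIT_OBJ_GID that branch is unreachable from auditctl -F. Either add the gid entry here (the cover text says copying the uid code is all that is needed) or drop the AUDIT_OBJ_GID case from libaudit.c until it does.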
Index: trunk/lib/libaudit.c
===================================================================
--- trunk/lib/libaudit.c (revision 606)
+++ trunk/lib/libaudit.c (working copy)
@@ -857,6 +857,8 @@
case AUDIT_SUID:
case AUDIT_FSUID:
case AUDIT_LOGINUID:
+ case AUDIT_OBJ_UID:
+ case AUDIT_OBJ_GID:
// Do positive & negative separate for 32 bit systems
vlen = strlen(v);
if (isdigit((char)*(v)))
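Review bot: AUDIT_OBJ_GID is added to the uid case group (AUDIT_SUID, AUDIT_FSUID, AUDIT_LOGINUID, ...) rather than to the gid cases; if the non-numeric branch below this context resolves names through the password database, a group name given for the gid field would be looked up as a user name. Move AUDIT_OBJ_GID to the gid case group so it shares the gid name resolution, and keep only AUDIT_OBJ_UID here.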
[-- Attachment #3: Type: text/plain, Size: 0 bytes --]
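As an added example (not from Eric's patch or the audit project), the process-uid versus file-owner check that the -C rule performs in the kernel, done in post-processing over constructed auditd-style records: SYSCALL records carry the process uid=, PATH records carry the owner as ouid= (the standard PATH field). It goes beyond -C by accepting the other comparisons the kernel supports (=, >, <) and also shows the plain -F obj_uid=N filter; the sample records and serial numbers are constructed.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (not from the page). Records of one event share
# the serial in msg=audit(time:serial); SYSCALL carries uid=, PATH carries ouid=.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1321568580.101:201): arch=c000003e syscall=2 success=yes exit=3 uid=500 euid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1321568580.101:201): item=0 name="/home/eric/notes" inode=1234 mode=0100644 ouid=500 ogid=500
type=SYSCALL msg=audit(1321568581.202:202): arch=c000003e syscall=2 success=yes exit=3 uid=500 euid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1321568581.202:202): item=0 name="/etc/shadow" inode=5678 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1321568582.303:203): arch=c000003e syscall=2 success=yes exit=3 uid=0 euid=0 comm="vi" exe="/usr/bin/vi" key=(null)
type=PATH msg=audit(1321568582.303:203): item=0 name="/home/eric/notes" inode=1234 mode=0100644 ouid=500 ogid=500
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
# Comparisons the kernel filter supports; auditctl -C hard-codes "!=".
OPS = {"=": int.__eq__, "!=": int.__ne__, ">": int.__gt__, "<": int.__lt__}

def parse_events(text):
    """Group SYSCALL/PATH records by serial: [(serial, {"syscall": dict|None, "paths": [dict]})]."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[m.group(1)]
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields)
    return sorted(events.items(), key=lambda kv: int(kv[0]))

def uid_vs_owner(text, op="!="):
    """Events where <process uid> <op> <file owner uid>; op="!=" is what -C does."""
    cmp, hits = OPS[op], []
    for serial, ev in parse_events(text):
        sc = ev["syscall"]
        if sc is None:
            continue
        for p in ev["paths"]:
            if "ouid" in p and cmp(int(sc["uid"]), int(p["ouid"])):
                hits.append((serial, int(sc["uid"]), p["name"], int(p["ouid"])))
    return hits

def owned_by(text, obj_uid):
    """Events touching a file owned by obj_uid, the -F obj_uid=N condition."""
    return [(serial, p["name"]) for serial, ev in parse_events(text)
            for p in ev["paths"] if "ouid" in p and int(p["ouid"]) == obj_uid]
```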
* Re: test patch for new inode filter types
From: Peter Moody @ 2011-11-17 22:31 UTC (permalink / raw)
To: Eric Paris; +Cc: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1929 bytes --]
Excellent, thank you!
Cheers,
peter
On Thu, Nov 17, 2011 at 2:23 PM, Eric Paris <eparis@redhat.com> wrote:
> This is NOT full support for the new inode filter constructs I added to
> the policy, but is just enough to test some of it. I'm hoping someone
> else will write real userspace patches. One will need to apply the
> kernel patches and then install the new kernel headers (or
> update /usr/include/linux/audit.h by hand). Then apply this patch to
> audit and build a new audit (I found the audit build sucks because it will
> build against the system libaudit rather than the one in tree, but you
> can fix this using make DESTDIR=[dir] install and using the auditctl
> from [dir]/usr/local/sbin/).
>
> This patch supports two types of rules:
>
> auditctl -a exit,always -F arch=b64 -S open -F obj_uid=500
>
> which audits all opens of a uid=500 file. (The kernel supports gid,
> but this patch doesn't; you can just copy the uid code to make gid work.)
>
> This patch also supports
>
> auditctl -a exit,always -C
>
> Which will audit all cases where a process accesses a file in which the
> process uid != file uid.
>
> The kernel is a bit more flexible, it supports process_gid != file_gid.
> The kernel also supports ==, >, <, etc. This portion of the patch needs
> to support a better construct for parsing the intent and passing that
> down. But it seemed like a lot of work on a codebase I'm not familiar
> with, and I hoped someone familiar could write a text parser for this
> construct.
>
> We should be able to support something like:
> auditctl -a exit,always -F interfield!=uid
>
> I dunno what it should look like. But like I said, I just slapped -C as
> a way to test process_uid != file_uid, so it should be pretty easy to
> look at that and see how other interactions should work.
>
> -Eric
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>