From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: [userspace PATCH v2 2/2] Check exclude filter cred extension fields available in kernel Date: Thu, 18 Aug 2016 14:33:20 -0400 Message-ID: <1471545200-3742-3-git-send-email-rgb@redhat.com> References: <1471545200-3742-1-git-send-email-rgb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1471545200-3742-1-git-send-email-rgb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: Richard Guy Briggs List-Id: linux-audit@redhat.com Signed-off-by: Richard Guy Briggs --- trunk/lib/errormsg.h | 2 +- trunk/lib/libaudit.c | 39 ++++++++++++++++++++++----------------- trunk/lib/libaudit.h | 3 +++ 3 files changed, 26 insertions(+), 18 deletions(-) diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h index 84bfdb3..4a897be 100644 --- a/trunk/lib/errormsg.h +++ b/trunk/lib/errormsg.h @@ -47,7 +47,7 @@ static const struct msg_tab err_msgtab[] = { { -9, 0, "msgtype field can only be used with exclude filter list" }, { -10, 0, "Failed upgrading rule" }, { -11, 0, "String value too long" }, - { -12, 0, "Only msgtype field can be used with exclude filter" }, + { -12, 0, "Only msgtype, uid, gid, auid*, subj* fields can be used with exclude filter" }, { -13, 1, "only takes = or != operators" }, { -14, 0, "Permission can only contain \'rwxa\'" }, { -15, 2, "-F unknown errno -"}, diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c index 798b3c8..5ffc38c 100644 --- a/trunk/lib/libaudit.c +++ b/trunk/lib/libaudit.c @@ -1401,23 +1401,28 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, return -2; /* Exclude filter can be used only with MSGTYPE and cred fields */ - if (flags == AUDIT_FILTER_EXCLUDE) - switch(field) { - case AUDIT_PID: - case AUDIT_UID: - case AUDIT_GID: - case AUDIT_LOGINUID: - case AUDIT_LOGINUID_SET: - case AUDIT_MSGTYPE: - case AUDIT_SUBJ_USER: - case AUDIT_SUBJ_ROLE: - case AUDIT_SUBJ_TYPE: - case AUDIT_SUBJ_SEN: - case AUDIT_SUBJ_CLR: - break; - default: - return -12; - } + if (flags == AUDIT_FILTER_EXCLUDE) { + if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) { + if (field != AUDIT_MSGTYPE) + return -30; + } else + switch(field) { + case AUDIT_PID: + case AUDIT_UID: + case AUDIT_GID: + case AUDIT_LOGINUID: + case AUDIT_LOGINUID_SET: + case AUDIT_MSGTYPE: + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: + break; + default: + return -12; + } + } rule->fields[rule->field_count] = field; rule->fieldflags[rule->field_count] = op; diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h index 0852bcc..f77691f 100644 --- a/trunk/lib/libaudit.h +++ b/trunk/lib/libaudit.h @@ -278,6 +278,9 @@ extern "C" { #ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 #endif +#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 +#endif /* Defines for interfield comparison update */ #ifndef AUDIT_OBJ_UID -- 1.7.1