From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: [PATCH ghau93 v1] add support to filter on sockaddr family Date: Fri, 26 Apr 2019 12:59:45 -0400 Message-ID: <1556297985-1229-1-git-send-email-rgb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Linux-Audit Mailing List Cc: Richard Guy Briggs List-Id: linux-audit@redhat.com Provide a method to filter on network address family. This adds support for the kernel filter for sockaddr family, AUDIT_SADDR_FAM, adding the command line option "saddr_fam" to auditctl. See: https://github.com/linux-audit/audit-kernel/issues/64 See: https://github.com/linux-audit/audit-userspace/issues/93 Signed-off-by: Richard Guy Briggs
---
 lib/errormsg.h | 2 ++
 lib/fieldtab.h | 1 +
 lib/libaudit.c | 6 ++++++
 lib/libaudit.h | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/lib/errormsg.h b/lib/errormsg.h
index fd8c4a4b1311..fc03b2475034 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -70,6 +70,7 @@ struct msg_tab {
 #define EAU_FIELDUNAVAIL 34
 #define EAU_FILTERNOSUPPORT 35
 #define EAU_FSTYPEUNKNOWN 36
+#define EAU_FIELDVALTOOBIG 37
 static const struct msg_tab err_msgtab[] = {
 { -EAU_OPMISSING, 2, "-F missing operation for" },
 { -EAU_FIELDUNKNOWN, 2, "-F unknown field:" },
@@ -107,5 +108,6 @@ static const struct msg_tab err_msgtab[] = {
 { -EAU_FIELDUNAVAIL, 1, "field is not valid for the filter" },
 { -EAU_FILTERNOSUPPORT, 1, "filter is not supported by the kernel" },
 { -EAU_FSTYPEUNKNOWN, 2, "file system type is unknown for field:" },
+ { -EAU_FIELDVALTOOBIG, 2, "value is too large for field:" },
 };
 #endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index c425d5b86049..b597cafb2df8 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -69,3 +69,4 @@
 _S(AUDIT_ARG3, "a3" )
 _S(AUDIT_FILTERKEY, "key" )
 _S(AUDIT_EXE, "exe" )
+_S(AUDIT_SADDR_FAM, "saddr_fam" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 2af017a0e520..2e4b148edde9 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -40,6 +40,7 @@
 #include /* for PATH_MAX */
 #include
 #include
+#include /* AF_MAX */
 #ifdef HAVE_LIBCAP_NG
 #include
 #endif
@@ -1742,6 +1743,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 else if (strcmp(v, "unset") == 0)
 rule->values[rule->field_count] = 4294967295;
 break;
+ case AUDIT_SADDR_FAM:
+ rule->values[rule->field_count] = strtoul(v, NULL, 0);
+ if (rule->values[rule->field_count] >= AF_MAX)
+ return -EAU_FIELDVALTOOBIG;
+ break;
 case AUDIT_DEVMAJOR...AUDIT_INODE:
 case AUDIT_SUCCESS:
 if (flags != AUDIT_FILTER_EXIT)
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 77e4142beea2..89fe4839a69b 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -356,6 +356,9 @@ extern "C" {
 #ifndef AUDIT_EXE
 #define AUDIT_EXE 112
 #endif
+#ifndef AUDIT_SADDR_FAM
+#define AUDIT_SADDR_FAM 113
+#endif
 #ifndef AUDIT_SESSIONID
 #define AUDIT_SESSIONID 25
--
1.8.3.1
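Review bot: The new AUDIT_SADDR_FAM case in audit_rule_fieldpair_data() passes a NULL endptr to strtoul(), so a non-numeric or partially numeric value (for example `saddr_fam=inet` or `saddr_fam=2x`) is silently parsed as 0 or as its numeric prefix and accepted as a valid family instead of being reported as a bad field value. The AF_MAX range check also runs only after the unsigned long result has been stored into the 32-bit `values[]` slot, so a value of 2^32 or more is truncated before it is compared and can slip through. Parse into an `unsigned long` first, reject input where no digits were consumed or trailing characters remain, and compare against AF_MAX before narrowing and storing. audit_rule_fieldpair_data() starts and ends outside this hunk, and the error code for the non-numeric case below is a placeholder — use whichever code the file already defines for that condition.
```c
	case AUDIT_SADDR_FAM: {
		char *end = NULL;
		unsigned long fam = strtoul(v, &end, 0);

		/* reject empty, non-numeric or trailing-garbage input */
		if (end == v || *end != '\0')
			return -EAU_FIELDVAL_NOT_NUMERIC_PLACEHOLDER;
		/* compare before narrowing to the 32-bit values[] slot */
		if (fam >= AF_MAX)
			return -EAU_FIELDVALTOOBIG;
		rule->values[rule->field_count] = fam;
		break;
	}
```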
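Review bot: The fallback `#define AUDIT_SADDR_FAM 113` in lib/libaudit.h gives no indication of where the number comes from, and a value that drifts from the kernel's uapi definition would make every saddr_fam rule silently carry the wrong field id to the kernel rather than fail loudly. A one-line comment next to the define, such as `/* must match AUDIT_SADDR_FAM in the kernel's uapi linux/audit.h (audit-kernel issue 64) */`, lets a reader verify the constant against its source the way the neighbouring fallbacks can be checked. The trailing context of this hunk appears to be cut short in the message, so the surrounding `#ifndef` blocks could not be fully checked here.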