Re: [PATCH] filterexcl: allow filterkey

[Steve Grubb <sgrubb@redhat.com>]

On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> The exclude rules did not permit a filterkey to be added.  This isn't as
> important for the exclude filter compared to the others since no records are
> generated with that key, but still helps identify rules in the rules list
> configuration.

How long ago did thkernel start allowing this? I'm trying to decide if this is 
generally applicable or needs some kind of versioning.

Thanks,
-Steve

> Allow filterkeys to be used with the exclude filter.
> 
> See: https://github.com/linux-audit/audit-userspace/issues/14
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  lib/libaudit.c |   13 +++++++++++--
>  lib/private.h  |    1 +
>  src/auditctl.c |    5 +++--
>  3 files changed, 15 insertions(+), 4 deletions(-)
> 
> diff --git a/lib/libaudit.c b/lib/libaudit.c
> index b1f8f9c..028483d 100644
> --- a/lib/libaudit.c
> +++ b/lib/libaudit.c
> @@ -85,6 +85,7 @@ int _audit_permadded = 0;
>  int _audit_archadded = 0;
>  int _audit_syscalladded = 0;
>  int _audit_exeadded = 0;
> +int _audit_filterexcladded = 0;
>  unsigned int _audit_elf = 0U;
>  static struct libaudit_conf config;
> 
> @@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, if (flags == AUDIT_FILTER_EXCLUDE) {
>  		uint32_t features = audit_get_features();
>  		if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
> -			if (field != AUDIT_MSGTYPE)
> +			switch(field) {
> +			case AUDIT_MSGTYPE:
> +				_audit_filterexcladded = 1;
> +			case AUDIT_FILTERKEY:
> +				break;
> +			default:
>  				return -EAU_FIELDNOSUPPORT;
> +			}
>  		} else {
>  			switch(field) {
>  				case AUDIT_PID:
> @@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, case AUDIT_SUBJ_TYPE:
>  				case AUDIT_SUBJ_SEN:
>  				case AUDIT_SUBJ_CLR:
> +					_audit_filterexcladded = 1;
> +				case AUDIT_FILTERKEY:
>  					break;
>  				default:
>  					return -EAU_MSGTYPECREDEXCLUDE;
> @@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
>  			if (field == AUDIT_FILTERKEY &&
>  				!(_audit_syscalladded || _audit_permadded ||
> -				_audit_exeadded))
> +				_audit_exeadded || _audit_filterexcladded))
>                                  return -EAU_KEYDEP;
>  			vlen = strlen(v);
>  			if (field == AUDIT_FILTERKEY &&
> diff --git a/lib/private.h b/lib/private.h
> index cde1906..855187b 100644
> --- a/lib/private.h
> +++ b/lib/private.h
> @@ -139,6 +139,7 @@ extern int _audit_permadded;
>  extern int _audit_archadded;
>  extern int _audit_syscalladded;
>  extern int _audit_exeadded;
> +extern int _audit_filterexcladded;
>  extern unsigned int _audit_elf;
> 
>  #ifdef __cplusplus
> diff --git a/src/auditctl.c b/src/auditctl.c
> index 04765f4..c785087 100644
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -74,6 +74,7 @@ static int reset_vars(void)
>  	_audit_permadded = 0;
>  	_audit_archadded = 0;
>  	_audit_exeadded = 0;
> +	_audit_filterexcladded = 0;
>  	_audit_elf = 0;
>  	add = AUDIT_FILTER_UNSET;
>  	del = AUDIT_FILTER_UNSET;
> @@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
>  		break;
>  	case 'k':
>  		if (!(_audit_syscalladded || _audit_permadded ||
> -			     _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
> -					del==AUDIT_FILTER_UNSET)) {
> +		      _audit_exeadded || _audit_filterexcladded) ||
> +		    (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
>  			audit_msg(LOG_ERR,
>  		    "key option needs a watch or syscall given prior to it");
>  			retval = -1;