From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [PATCH ghau93 v1] add support to filter on sockaddr family Date: Fri, 31 May 2019 16:37:10 -0400 Message-ID: <2066826.q3lDRu4DR0@x2> References: <1556297985-1229-1-git-send-email-rgb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1556297985-1229-1-git-send-email-rgb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Richard Guy Briggs Cc: Linux-Audit Mailing List List-Id: linux-audit@redhat.com On Friday, April 26, 2019 12:59:45 PM EDT Richard Guy Briggs wrote: > Provide a method to filter on network address family. > > This adds support for the kernel filter for sockaddr family, > AUDIT_SADDR_FAM, adding the command line option "saddr_fam" to auditctl. > > See: https://github.com/linux-audit/audit-kernel/issues/64 > See: https://github.com/linux-audit/audit-userspace/issues/93 > > Signed-off-by: Richard Guy Briggs Applied. Thanks, -Steve > --- > lib/errormsg.h | 2 ++ > lib/fieldtab.h | 1 + > lib/libaudit.c | 6 ++++++ > lib/libaudit.h | 3 +++ > 4 files changed, 12 insertions(+) > > diff --git a/lib/errormsg.h b/lib/errormsg.h > index fd8c4a4b1311..fc03b2475034 100644 > --- a/lib/errormsg.h > +++ b/lib/errormsg.h > @@ -70,6 +70,7 @@ struct msg_tab { > #define EAU_FIELDUNAVAIL 34 > #define EAU_FILTERNOSUPPORT 35 > #define EAU_FSTYPEUNKNOWN 36 > +#define EAU_FIELDVALTOOBIG 37 > static const struct msg_tab err_msgtab[] = { > { -EAU_OPMISSING, 2, "-F missing operation for" }, > { -EAU_FIELDUNKNOWN, 2, "-F unknown field:" }, 
> @@ -107,5 +108,6 @@ static const struct msg_tab err_msgtab[] = { > { -EAU_FIELDUNAVAIL, 1, "field is not valid for the filter" }, > { -EAU_FILTERNOSUPPORT, 1, "filter is not supported by the kernel" }, > { -EAU_FSTYPEUNKNOWN, 2, "file system type is unknown for field:" }, > + { -EAU_FIELDVALTOOBIG, 2, "value is too large for field:" }, > }; > #endif > diff --git a/lib/fieldtab.h b/lib/fieldtab.h > index c425d5b86049..b597cafb2df8 100644 > --- a/lib/fieldtab.h > +++ b/lib/fieldtab.h > @@ -69,3 +69,4 @@ _S(AUDIT_ARG3, "a3" ) > > _S(AUDIT_FILTERKEY, "key" ) > _S(AUDIT_EXE, "exe" ) > +_S(AUDIT_SADDR_FAM, "saddr_fam" ) > diff --git a/lib/libaudit.c b/lib/libaudit.c > index 2af017a0e520..2e4b148edde9 100644 > --- a/lib/libaudit.c > +++ b/lib/libaudit.c > @@ -40,6 +40,7 @@ > #include /* for PATH_MAX */ > #include > #include > +#include /* AF_MAX */ > #ifdef HAVE_LIBCAP_NG > #include > #endif > @@ -1742,6 +1743,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data > **rulep, const char *pair, else if (strcmp(v, "unset") == 0) > rule->values[rule->field_count] = 4294967295; > break; > + case AUDIT_SADDR_FAM: > + rule->values[rule->field_count] = strtoul(v, NULL, 0); > + if (rule->values[rule->field_count] >= AF_MAX) > + return -EAU_FIELDVALTOOBIG; > + break; > case AUDIT_DEVMAJOR...AUDIT_INODE: > case AUDIT_SUCCESS: > if (flags != AUDIT_FILTER_EXIT) > diff --git a/lib/libaudit.h b/lib/libaudit.h > index 77e4142beea2..89fe4839a69b 100644 > --- a/lib/libaudit.h > +++ b/lib/libaudit.h > @@ -356,6 +356,9 @@ extern "C" { > #ifndef AUDIT_EXE > #define AUDIT_EXE 112 > #endif > +#ifndef AUDIT_SADDR_FAM > +#define AUDIT_SADDR_FAM 113 > +#endif > > #ifndef AUDIT_SESSIONID > #define AUDIT_SESSIONID 25
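Review bot: In the AUDIT_SADDR_FAM case added to audit_rule_fieldpair_data() in lib/libaudit.c, the result of strtoul(v, NULL, 0) is never validated, so a non-numeric value parses as 0 and passes the `>= AF_MAX` test instead of being rejected. Pass an end pointer, require that it advanced and points at the terminating NUL, and check errno for ERANGE. The range test is also applied to rule->values[rule->field_count] after the assignment; if that slot is narrower than unsigned long, an oversized input is truncated before it is compared. Keep the strtoul result in a local unsigned long, compare that against AF_MAX, and store it only once it has passed. Unlike the AUDIT_SUCCESS case just below, which tests flags against AUDIT_FILTER_EXIT, this case accepts the field on any filter list; please confirm that is intended.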
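Review bot: The new "saddr_fam" entry in lib/fieldtab.h exposes a user-visible auditctl field, but the diffstat lists only four files under lib/, so nothing documents it. Add the field to the auditctl man page, stating that it takes a numeric address family and that values at or above AF_MAX are rejected with the new "value is too large for field:" error.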