From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [userspace PATCH v2 2/2] Check exclude filter cred extension fields available in kernel Date: Mon, 10 Oct 2016 13:47:38 -0400 Message-ID: <2956869.9SxeY5TJWN@x2> References: <1471545200-3742-1-git-send-email-rgb@redhat.com> <1471545200-3742-3-git-send-email-rgb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1471545200-3742-3-git-send-email-rgb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Richard Guy Briggs , Paul Moore Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Thursday, August 18, 2016 2:33:20 PM EDT Richard Guy Briggs wrote: > Signed-off-by: Richard Guy Briggs > --- > trunk/lib/errormsg.h | 2 +- > trunk/lib/libaudit.c | 39 ++++++++++++++++++++++----------------- > trunk/lib/libaudit.h | 3 +++ > 3 files changed, 26 insertions(+), 18 deletions(-) > > diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h > index 84bfdb3..4a897be 100644 > --- a/trunk/lib/errormsg.h > +++ b/trunk/lib/errormsg.h > @@ -47,7 +47,7 @@ static const struct msg_tab err_msgtab[] = { > { -9, 0, "msgtype field can only be used with exclude filter > list" }, { -10, 0, "Failed upgrading rule" }, > { -11, 0, "String value too long" }, > - { -12, 0, "Only msgtype field can be used with exclude filter" }, > + { -12, 0, "Only msgtype, uid, gid, auid*, subj* fields can be > used with exclude filter" }, { -13, 1, "only takes = or != operators" > }, > { -14, 0, "Permission can only contain \'rwxa\'" }, > { -15, 2, "-F unknown errno -"}, > diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c > index 798b3c8..5ffc38c 100644 > --- a/trunk/lib/libaudit.c > +++ b/trunk/lib/libaudit.c 
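Review bot: The new -12 message lists msgtype, uid, gid, auid* and subj*, but the `switch` in the libaudit.c hunk that returns -12 also accepts `AUDIT_PID`, so the text under-reports the set of fields the library actually allows; `{ -12, 0, "Only msgtype, pid, uid, gid, auid*, subj* fields can be used with exclude filter" },` would keep the message and the check in agreement. The libaudit.c hunk also introduces a new `return -30`, yet this table change is the only errormsg.h edit in the diffstat (1 insertion, 1 deletion), so no text for -30 is added here; unless patch 1/2 of the series provides it, error-code-to-message lookups for -30 will have nothing to print, and an operator whose kernel lacks the extension would see a bare failure rather than an explanation that the kernel does not support cred fields on the exclude filter.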
> @@ -1401,23 +1401,28 @@ int audit_rule_fieldpair_data(struct audit_rule_data > **rulep, const char *pair, return -2; > > /* Exclude filter can be used only with MSGTYPE and cred fields */ > - if (flags == AUDIT_FILTER_EXCLUDE) > - switch(field) { > - case AUDIT_PID: > - case AUDIT_UID: > - case AUDIT_GID: > - case AUDIT_LOGINUID: > - case AUDIT_LOGINUID_SET: > - case AUDIT_MSGTYPE: > - case AUDIT_SUBJ_USER: > - case AUDIT_SUBJ_ROLE: > - case AUDIT_SUBJ_TYPE: > - case AUDIT_SUBJ_SEN: > - case AUDIT_SUBJ_CLR: > - break; > - default: > - return -12; > - } > + if (flags == AUDIT_FILTER_EXCLUDE) { > + if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) { One question, why is this being and'ed directly? I was told that we have to go through AUDIT_FEATURE_TO_MASK() to convert the value to a mask which can then be and'ed. Is this macro now deprecated? -Steve > + if (field != AUDIT_MSGTYPE) > + return -30; > + } else > + switch(field) { > + case AUDIT_PID: > + case AUDIT_UID: > + case AUDIT_GID: > + case AUDIT_LOGINUID: > + case AUDIT_LOGINUID_SET: > + case AUDIT_MSGTYPE: > + case AUDIT_SUBJ_USER: > + case AUDIT_SUBJ_ROLE: > + case AUDIT_SUBJ_TYPE: > + case AUDIT_SUBJ_SEN: > + case AUDIT_SUBJ_CLR: > + break; > + default: > + return -12; > + } > + } > > rule->fields[rule->field_count] = field; > rule->fieldflags[rule->field_count] = op; > diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h > index 0852bcc..f77691f 100644 > --- a/trunk/lib/libaudit.h > +++ b/trunk/lib/libaudit.h > @@ -278,6 +278,9 @@ extern "C" { > #ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH > #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > #endif > +#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > +#endif > > /* Defines for interfield comparison update */ > #ifndef AUDIT_OBJ_UID
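Review bot: The comment `/* Exclude filter can be used only with MSGTYPE and cred fields */` above the new block is now only half the story, since the cred fields are accepted solely when `features` carries `AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND`; I would update it to `/* Exclude filter accepts only MSGTYPE unless the kernel reports AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND, in which case the cred fields below are accepted as well */` so the reason for the two-way split is recorded next to the code. As a matter of style, the `else` branch wraps a multi-line `switch` without braces; writing `} else {` and closing with `}` after the switch matches the bracing now used on the `if` side and avoids a dangling-else hazard if a line is later added between them. The enclosing audit_rule_fieldpair_data starts before and ends after this hunk, and wherever `features` is populated is likewise outside it, so I cannot tell from the hunk whether it reflects the running kernel or a stale cached value; if the latter, the -30 check could either reject rules a newer kernel would accept or pass cred-field exclude rules through to a kernel that cannot evaluate them.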