Re: [PATCH] audit: allow not equal op for audit by executable

Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] audit: allow not equal op for audit by executable
Date: Fri, 06 Apr 2018 11:19:21 -0400	[thread overview]
Message-ID: <3513512.8tIADAi1Gv@x2> (raw)
In-Reply-To: <20180406144537.n4zbjvj52scw7ulu@madcap2.tricolour.ca>

On Friday, April 6, 2018 10:45:37 AM EDT Richard Guy Briggs wrote:
> On 2018-04-06 10:32, Steve Grubb wrote:
> > On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
> > > Current implementation of auditing by executable name only implements
> > > the 'equal' operator. This patch extends it to also support the 'not
> > > equal' operator.
> > > 
> > > See: https://github.com/linux-audit/audit-kernel/issues/53
> > 
> > What would an audit rule that uses this new capability look like?
> 
> auditctl -a exit,always ... -F exe!=/path/to/exec

Does this mean, audit the syscall for any application except the one 
mentioned? If so, how does this compare to

auditctl -a exit,never ... -F exe=/path/to/exec
auditctl -a exit,always ...

 -Steve

> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > > 
> > > Hi Paul,
> > > 
> > > this turned out to be easier than I anticipated so I'm sending the
> > > patch
> > > already :) I hope I got everything right. Note that the userspace tools
> > > also need to be updated to check the feature bit and allow/disallow the
> > > operator based on that.
> > > 
> > > Ondrej
> > > 
> > >  include/uapi/linux/audit.h | 18 ++++++++++--------
> > >  kernel/auditfilter.c       |  2 +-
> > >  kernel/auditsc.c           |  2 ++
> > >  3 files changed, 13 insertions(+), 9 deletions(-)
> > > 
> > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > index 4e61a9e05132..03393f7e8932 100644
> > > --- a/include/uapi/linux/audit.h
> > > +++ b/include/uapi/linux/audit.h
> > > @@ -333,13 +333,14 @@ enum {
> > > 
> > >  #define AUDIT_STATUS_BACKLOG_WAIT_TIME	0x0020
> > >  #define AUDIT_STATUS_LOST		0x0040
> > > 
> > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT	0x00000001
> > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME	0x00000002
> > > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004
> > > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
> > > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER	0x00000010
> > > -#define AUDIT_FEATURE_BITMAP_LOST_RESET		0x00000020
> > > -#define AUDIT_FEATURE_BITMAP_FILTER_FS		0x00000040
> > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT		0x00000001
> > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME		0x00000002
> > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH		0x00000004
> > > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND		0x00000008
> > > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER		0x00000010
> > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET			0x00000020
> > > +#define AUDIT_FEATURE_BITMAP_FILTER_FS			0x00000040
> > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ	0x00000080
> > > 
> > >  #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
> > >  \
> > >  
> > >  				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > > 
> > > @@ -347,7 +348,8 @@ enum {
> > > 
> > >  				  AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> > >  				  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > >  				  AUDIT_FEATURE_BITMAP_LOST_RESET | \
> > > 
> > > -				  AUDIT_FEATURE_BITMAP_FILTER_FS)
> > > +				  AUDIT_FEATURE_BITMAP_FILTER_FS | \
> > > +				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
> > > 
> > >  /* deprecated: AUDIT_VERSION_* */
> > >  #define AUDIT_VERSION_LATEST 		AUDIT_FEATURE_BITMAP_ALL
> > > 
> > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > > index d7a807e81451..a0c5a3ec6e60 100644
> > > --- a/kernel/auditfilter.c
> > > +++ b/kernel/auditfilter.c
> > > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry
> > > *entry, struct audit_field *f) return -EINVAL;
> > > 
> > >  		break;
> > >  	
> > >  	case AUDIT_EXE:
> > > -		if (f->op != Audit_equal)
> > > +		if (f->op != Audit_not_equal && f->op != Audit_equal)
> > > 
> > >  			return -EINVAL;
> > >  		
> > >  		if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> > >  		
> > >  			return -EINVAL;
> > > 
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 4e0a4ac803db..479c031ec54c 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct
> > > *tsk,
> > > 
> > >  			break;
> > >  		
> > >  		case AUDIT_EXE:
> > >  			result = audit_exe_compare(tsk, rule->exe);
> > > 
> > > +			if (f->op == Audit_not_equal)
> > > +				result = !result;
> > > 
> > >  			break;
> > >  		
> > >  		case AUDIT_UID:
> > >  			result = audit_uid_comparator(cred->uid, f->op, f->uid);
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635

next prev parent reply	other threads:[~2018-04-06 15:19 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-06  8:43 [PATCH] audit: allow not equal op for audit by executable Ondrej Mosnacek
2018-04-06 10:37 ` Richard Guy Briggs
2018-04-06 11:10   ` Ondrej Mosnacek
2018-04-06 11:53     ` Richard Guy Briggs
2018-04-06 21:21       ` Paul Moore
2018-04-06 14:32 ` Steve Grubb
2018-04-06 14:45   ` Richard Guy Briggs
2018-04-06 15:19     ` Steve Grubb [this message]
2018-04-06 16:40       ` Richard Guy Briggs
2018-04-06 15:01   ` Ondrej Mosnacek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3513512.8tIADAi1Gv@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=rgb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox