* [PATCH] audit: allow not equal op for audit by executable @ 2018-04-06 8:43 Ondrej Mosnacek 2018-04-06 10:37 ` Richard Guy Briggs 2018-04-06 14:32 ` Steve Grubb 0 siblings, 2 replies; 10+ messages in thread From: Ondrej Mosnacek @ 2018-04-06 8:43 UTC (permalink / raw) To: Paul Moore; +Cc: Richard Guy Briggs, linux-audit Current implementation of auditing by executable name only implements the 'equal' operator. This patch extends it to also support the 'not equal' operator. See: https://github.com/linux-audit/audit-kernel/issues/53 Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- Hi Paul, this turned out to be easier than I anticipated so I'm sending the patch already :) I hope I got everything right. Note that the userspace tools also need to be updated to check the feature bit and allow/disallow the operator based on that. Ondrej include/uapi/linux/audit.h | 18 ++++++++++-------- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 2 ++ 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 4e61a9e05132..03393f7e8932 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h 
@@ -333,13 +333,14 @@ enum { #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 #define AUDIT_STATUS_LOST 0x0040 -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ @@ -347,7 +348,8 @@ enum { AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ AUDIT_FEATURE_BITMAP_LOST_RESET | \ - AUDIT_FEATURE_BITMAP_FILTER_FS) + AUDIT_FEATURE_BITMAP_FILTER_FS | \ + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) /* deprecated: AUDIT_VERSION_* */ #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index d7a807e81451..a0c5a3ec6e60 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) return -EINVAL; break; case AUDIT_EXE: - if (f->op != Audit_equal) + if (f->op != Audit_not_equal && f->op != Audit_equal) return -EINVAL; if (entry->rule.listnr != AUDIT_FILTER_EXIT) return -EINVAL; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4e0a4ac803db..479c031ec54c 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, break; case AUDIT_EXE: result = audit_exe_compare(tsk, rule->exe); + if (f->op == Audit_not_equal) + result = !result; break; case AUDIT_UID: result = audit_uid_comparator(cred->uid, f->op, f->uid); -- 2.14.3 ^ permalink raw reply related [flat|nested] 10+ messages in thread
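Review bot: the include/uapi/linux/audit.h hunk spends a uapi feature bit (AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ, 0x00000080) on what is only a relaxation of an operator check that older kernels already reject with -EINVAL from audit_field_valid(); feature bits are a finite, permanent part of the uapi, so consider dropping the bit and letting userspace detect support from the error return. Separately, the hunk rewrites all seven existing AUDIT_FEATURE_BITMAP_* lines purely to realign their columns, which is why a one-macro addition shows up as "18 ++++++++++--------" in the diffstat; keep the existing alignment, or move the realignment into a separate whitespace-only patch, so the functional change can be reviewed on its own.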
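Review bot: the kernel/auditfilter.c hunk correctly widens the accepted operators with `if (f->op != Audit_not_equal && f->op != Audit_equal)`, but the unchanged `if (entry->rule.listnr != AUDIT_FILTER_EXIT)` check right below it means `exe!=` stays limited to the exit list, and the commit message should say so. It is also worth a sentence in the commit message (and later the auditctl man page) that an exit rule whose only field is `exe!=` matches every syscall exit of every other process on the system, so the operator will usually want a `-S` restriction alongside it to keep the backlog manageable.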
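Review bot: in the kernel/auditsc.c hunk, `result = !result;` assumes audit_exe_compare() returns a strict 0/1 boolean; if it could ever return a negative errno, the negation would turn an error into a match and every unrelated process would start being audited, so either confirm that contract in the commit message or test `result == 0` explicitly. The neighbouring comparators take the operator themselves (`result = audit_uid_comparator(cred->uid, f->op, f->uid);`), so passing `f->op` into audit_exe_compare() would keep operator handling in one place instead of inverting the result after the fact.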
* Re: [PATCH] audit: allow not equal op for audit by executable 2018-04-06 8:43 [PATCH] audit: allow not equal op for audit by executable Ondrej Mosnacek @ 2018-04-06 10:37 ` Richard Guy Briggs 2018-04-06 11:10 ` Ondrej Mosnacek 2018-04-06 14:32 ` Steve Grubb 1 sibling, 1 reply; 10+ messages in thread From: Richard Guy Briggs @ 2018-04-06 10:37 UTC (permalink / raw) To: Ondrej Mosnacek; +Cc: linux-audit On 2018-04-06 10:43, Ondrej Mosnacek wrote: > Current implementation of auditing by executable name only implements > the 'equal' operator. This patch extends it to also support the 'not > equal' operator. > > See: https://github.com/linux-audit/audit-kernel/issues/53 > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > > Hi Paul, > > this turned out to be easier than I anticipated so I'm sending the patch > already :) I hope I got everything right. Note that the userspace tools > also need to be updated to check the feature bit and allow/disallow the > operator based on that. Do we really need to eat up a feature bit for this? The kernel will simply return -EINVAL if it isn't supported. That will make userspace implementation easier. > Ondrej > > include/uapi/linux/audit.h | 18 ++++++++++-------- > kernel/auditfilter.c | 2 +- > kernel/auditsc.c | 2 ++ > 3 files changed, 13 insertions(+), 9 deletions(-) > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 4e61a9e05132..03393f7e8932 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h 
> @@ -333,13 +333,14 @@ enum { > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > #define AUDIT_STATUS_LOST 0x0040 > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ > @@ -347,7 +348,8 @@ enum { > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > AUDIT_FEATURE_BITMAP_LOST_RESET | \ > - AUDIT_FEATURE_BITMAP_FILTER_FS) > + AUDIT_FEATURE_BITMAP_FILTER_FS | \ > + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) > > /* deprecated: AUDIT_VERSION_* */ > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index d7a807e81451..a0c5a3ec6e60 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) > return -EINVAL; > break; > case AUDIT_EXE: > - if (f->op != Audit_equal) > + if (f->op != Audit_not_equal && f->op != Audit_equal) > return -EINVAL; > if (entry->rule.listnr != AUDIT_FILTER_EXIT) > return -EINVAL; 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 4e0a4ac803db..479c031ec54c 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, > break; > case AUDIT_EXE: > result = audit_exe_compare(tsk, rule->exe); > + if (f->op == Audit_not_equal) > + result = !result; > break; > case AUDIT_UID: > result = audit_uid_comparator(cred->uid, f->op, f->uid); > -- > 2.14.3 > - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] audit: allow not equal op for audit by executable 2018-04-06 10:37 ` Richard Guy Briggs @ 2018-04-06 11:10 ` Ondrej Mosnacek 2018-04-06 11:53 ` Richard Guy Briggs 0 siblings, 1 reply; 10+ messages in thread From: Ondrej Mosnacek @ 2018-04-06 11:10 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: linux-audit 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <rgb@redhat.com>: > On 2018-04-06 10:43, Ondrej Mosnacek wrote: >> Current implementation of auditing by executable name only implements >> the 'equal' operator. This patch extends it to also support the 'not >> equal' operator. >> >> See: https://github.com/linux-audit/audit-kernel/issues/53 >> >> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> >> --- >> >> Hi Paul, >> >> this turned out to be easier than I anticipated so I'm sending the patch >> already :) I hope I got everything right. Note that the userspace tools >> also need to be updated to check the feature bit and allow/disallow the >> operator based on that. > > Do we really need to eat up a feature bit for this? The kernel will > simply return -EINVAL if it isn't supported. That will make userspace > implementation easier. The problem then would be that if someone tried to use the not equal operator on an older kernel, he would get some generic error message instead of the current "exe only takes = operator". This is how it would be handled with the feature bit: https://github.com/WOnder93/audit-userspace/commit/c2260940e0216042efa11f24384d70772e619e8e If the consensus is that it's not worth it, I will resend it without that part. >> Ondrej >> >> include/uapi/linux/audit.h | 18 ++++++++++-------- >> kernel/auditfilter.c | 2 +- >> kernel/auditsc.c | 2 ++ >> 3 files changed, 13 insertions(+), 9 deletions(-) >> >> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h >> index 4e61a9e05132..03393f7e8932 100644 >> --- a/include/uapi/linux/audit.h >> +++ b/include/uapi/linux/audit.h 
>> @@ -333,13 +333,14 @@ enum { >> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 >> #define AUDIT_STATUS_LOST 0x0040 >> >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 >> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 >> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 >> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 >> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 >> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 >> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 >> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 >> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 >> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 >> >> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ >> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ >> @@ -347,7 +348,8 @@ enum { >> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ >> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ >> AUDIT_FEATURE_BITMAP_LOST_RESET | \ >> - AUDIT_FEATURE_BITMAP_FILTER_FS) >> + AUDIT_FEATURE_BITMAP_FILTER_FS | \ >> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) >> >> /* deprecated: AUDIT_VERSION_* */ >> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL >> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c >> index d7a807e81451..a0c5a3ec6e60 100644 >> --- a/kernel/auditfilter.c >> +++ b/kernel/auditfilter.c >> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) >> return -EINVAL; >> break; >> case AUDIT_EXE: >> - if (f->op != Audit_equal) >> + if (f->op != Audit_not_equal && f->op != Audit_equal) >> return -EINVAL; >> if (entry->rule.listnr != AUDIT_FILTER_EXIT) >> return -EINVAL; 
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c >> index 4e0a4ac803db..479c031ec54c 100644 >> --- a/kernel/auditsc.c >> +++ b/kernel/auditsc.c >> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, >> break; >> case AUDIT_EXE: >> result = audit_exe_compare(tsk, rule->exe); >> + if (f->op == Audit_not_equal) >> + result = !result; >> break; >> case AUDIT_UID: >> result = audit_uid_comparator(cred->uid, f->op, f->uid); >> -- >> 2.14.3 >> > > - RGB > > -- > Richard Guy Briggs <rgb@redhat.com> > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635 -- Ondrej Mosnacek <omosnace at redhat dot com> Associate Software Engineer, Security Technologies Red Hat, Inc. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] audit: allow not equal op for audit by executable
From: Richard Guy Briggs @ 2018-04-06 11:53 UTC
To: Ondrej Mosnacek; +Cc: linux-audit

On 2018-04-06 13:10, Ondrej Mosnacek wrote:
> 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <rgb@redhat.com>:
> > On 2018-04-06 10:43, Ondrej Mosnacek wrote:
> >> Current implementation of auditing by executable name only implements
> >> the 'equal' operator. This patch extends it to also support the 'not
> >> equal' operator.
> >>
> >> See: https://github.com/linux-audit/audit-kernel/issues/53
> >> > >> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > >> --- > >> > >> Hi Paul, > >> > >> this turned out to be easier than I anticipated so I'm sending the patch > >> already :) I hope I got everything right. Note that the userspace tools > >> also need to be updated to check the feature bit and allow/disallow the > >> operator based on that. > > > > Do we really need to eat up a feature bit for this? The kernel will > > simply return -EINVAL if it isn't supported. That will make userspace > > implementation easier. > > The problem then would be that if someone tried to use the not equal > operator on an older kernel, he would get some generic error message > instead of the current "exe only takes = operator". You are right. I'm just not sure it is worth spending a feature bit on it. > This is how it would be handled with the feature bit: > https://github.com/WOnder93/audit-userspace/commit/c2260940e0216042efa11f24384d70772e619e8e > > If the consensus is that it's not worth it, I will resend it without that part. I'd be interested to hear Paul and Steve's perspective. > >> Ondrej > >> > >> include/uapi/linux/audit.h | 18 ++++++++++-------- > >> kernel/auditfilter.c | 2 +- > >> kernel/auditsc.c | 2 ++ > >> 3 files changed, 13 insertions(+), 9 deletions(-) > >> > >> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > >> index 4e61a9e05132..03393f7e8932 100644 > >> --- a/include/uapi/linux/audit.h > >> +++ b/include/uapi/linux/audit.h 
> >> @@ -333,13 +333,14 @@ enum { > >> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > >> #define AUDIT_STATUS_LOST 0x0040 > >> > >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > >> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > >> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > >> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > >> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > >> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > >> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > >> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > >> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > >> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 > >> > >> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ > >> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ > >> @@ -347,7 +348,8 @@ enum { > >> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ > >> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > >> AUDIT_FEATURE_BITMAP_LOST_RESET | \ > >> - AUDIT_FEATURE_BITMAP_FILTER_FS) > >> + AUDIT_FEATURE_BITMAP_FILTER_FS | \ > >> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) > >> > >> /* deprecated: AUDIT_VERSION_* */ > >> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > >> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > >> index d7a807e81451..a0c5a3ec6e60 100644 > >> --- a/kernel/auditfilter.c > >> +++ b/kernel/auditfilter.c 
> >> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) > >> return -EINVAL; > >> break; > >> case AUDIT_EXE: > >> - if (f->op != Audit_equal) > >> + if (f->op != Audit_not_equal && f->op != Audit_equal) > >> return -EINVAL; > >> if (entry->rule.listnr != AUDIT_FILTER_EXIT) > >> return -EINVAL; > >> diff --git a/kernel/auditsc.c b/kernel/auditsc.c > >> index 4e0a4ac803db..479c031ec54c 100644 > >> --- a/kernel/auditsc.c > >> +++ b/kernel/auditsc.c > >> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, > >> break; > >> case AUDIT_EXE: > >> result = audit_exe_compare(tsk, rule->exe); > >> + if (f->op == Audit_not_equal) > >> + result = !result; > >> break; > >> case AUDIT_UID: > >> result = audit_uid_comparator(cred->uid, f->op, f->uid); > >> -- > >> 2.14.3 > >> > > > > - RGB > > Ondrej Mosnacek <omosnace at redhat dot com> - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] audit: allow not equal op for audit by executable
From: Paul Moore @ 2018-04-06 21:21 UTC
To: Richard Guy Briggs; +Cc: linux-audit

On Fri, Apr 6, 2018 at 7:53 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2018-04-06 13:10, Ondrej Mosnacek wrote:
>> 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <rgb@redhat.com>:
>> > On 2018-04-06 10:43, Ondrej Mosnacek wrote:
>> >> Current implementation of auditing by executable name only implements
>> >> the 'equal' operator. This patch extends it to also support the 'not
>> >> equal' operator.
>> >>
>> >> See: https://github.com/linux-audit/audit-kernel/issues/53
>> >>
>> >> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>> >> ---
>> >>
>> >> Hi Paul,
>> >>
>> >> this turned out to be easier than I anticipated so I'm sending the patch
>> >> already :) I hope I got everything right. Note that the userspace tools
>> >> also need to be updated to check the feature bit and allow/disallow the
>> >> operator based on that.
>> >
>> > Do we really need to eat up a feature bit for this? The kernel will
>> > simply return -EINVAL if it isn't supported. That will make userspace
>> > implementation easier.
>>
>> The problem then would be that if someone tried to use the not equal
>> operator on an older kernel, he would get some generic error message
>> instead of the current "exe only takes = operator".
>
> You are right. I'm just not sure it is worth spending a feature bit on
> it.

We've gotten a bit carried away with our use of the feature bits and we
need to start engaging in a bit more discipline when it comes to our
feature bit "spending".

Ondrej, let's implement this without the feature bit. While I agree the
generic error message isn't extremely useful, it still generates a "safe"
error condition that is transmitted back to the user.
Other than that, I think the patch looked fine to me; resend it and I'll
apply it once the merge window closes.

--
paul moore
www.paul-moore.com
* Re: [PATCH] audit: allow not equal op for audit by executable 2018-04-06 8:43 [PATCH] audit: allow not equal op for audit by executable Ondrej Mosnacek 2018-04-06 10:37 ` Richard Guy Briggs @ 2018-04-06 14:32 ` Steve Grubb 2018-04-06 14:45 ` Richard Guy Briggs 2018-04-06 15:01 ` Ondrej Mosnacek 1 sibling, 2 replies; 10+ messages in thread From: Steve Grubb @ 2018-04-06 14:32 UTC (permalink / raw) To: Ondrej Mosnacek; +Cc: Richard Guy Briggs, linux-audit On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote: > Current implementation of auditing by executable name only implements > the 'equal' operator. This patch extends it to also support the 'not > equal' operator. > > See: https://github.com/linux-audit/audit-kernel/issues/53 What would an audit rule that uses this new capability look like? -Steve > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > > Hi Paul, > > this turned out to be easier than I anticipated so I'm sending the patch > already :) I hope I got everything right. Note that the userspace tools > also need to be updated to check the feature bit and allow/disallow the > operator based on that. > > Ondrej > > include/uapi/linux/audit.h | 18 ++++++++++-------- > kernel/auditfilter.c | 2 +- > kernel/auditsc.c | 2 ++ > 3 files changed, 13 insertions(+), 9 deletions(-) > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 4e61a9e05132..03393f7e8932 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h 
> @@ -333,13 +333,14 @@ enum { > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > #define AUDIT_STATUS_LOST 0x0040 > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ > @@ -347,7 +348,8 @@ enum { > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > AUDIT_FEATURE_BITMAP_LOST_RESET | \ > - AUDIT_FEATURE_BITMAP_FILTER_FS) > + AUDIT_FEATURE_BITMAP_FILTER_FS | \ > + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) > > /* deprecated: AUDIT_VERSION_* */ > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index d7a807e81451..a0c5a3ec6e60 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, > struct audit_field *f) return -EINVAL; > break; > case AUDIT_EXE: > - if (f->op != Audit_equal) > + if (f->op != Audit_not_equal && f->op != Audit_equal) > return -EINVAL; > if (entry->rule.listnr != AUDIT_FILTER_EXIT) > return -EINVAL; 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 4e0a4ac803db..479c031ec54c 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, > break; > case AUDIT_EXE: > result = audit_exe_compare(tsk, rule->exe); > + if (f->op == Audit_not_equal) > + result = !result; > break; > case AUDIT_UID: > result = audit_uid_comparator(cred->uid, f->op, f->uid); ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] audit: allow not equal op for audit by executable 2018-04-06 14:32 ` Steve Grubb @ 2018-04-06 14:45 ` Richard Guy Briggs 2018-04-06 15:19 ` Steve Grubb 2018-04-06 15:01 ` Ondrej Mosnacek 1 sibling, 1 reply; 10+ messages in thread From: Richard Guy Briggs @ 2018-04-06 14:45 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit On 2018-04-06 10:32, Steve Grubb wrote: > On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote: > > Current implementation of auditing by executable name only implements > > the 'equal' operator. This patch extends it to also support the 'not > > equal' operator. > > > > See: https://github.com/linux-audit/audit-kernel/issues/53 > > What would an audit rule that uses this new capability look like? auditctl -a exit,always ... -F exe!=/path/to/exec > -Steve > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > --- > > > > Hi Paul, > > > > this turned out to be easier than I anticipated so I'm sending the patch > > already :) I hope I got everything right. Note that the userspace tools > > also need to be updated to check the feature bit and allow/disallow the > > operator based on that. > > > > Ondrej > > > > include/uapi/linux/audit.h | 18 ++++++++++-------- > > kernel/auditfilter.c | 2 +- > > kernel/auditsc.c | 2 ++ > > 3 files changed, 13 insertions(+), 9 deletions(-) > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index 4e61a9e05132..03393f7e8932 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h 
> > @@ -333,13 +333,14 @@ enum { > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > > #define AUDIT_STATUS_LOST 0x0040 > > > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > > -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > > -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > > +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 > > > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ > > @@ -347,7 +348,8 @@ enum { > > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ > > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > > AUDIT_FEATURE_BITMAP_LOST_RESET | \ > > - AUDIT_FEATURE_BITMAP_FILTER_FS) > > + AUDIT_FEATURE_BITMAP_FILTER_FS | \ > > + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) > > > > /* deprecated: AUDIT_VERSION_* */ > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > > index d7a807e81451..a0c5a3ec6e60 100644 > > --- a/kernel/auditfilter.c > > +++ b/kernel/auditfilter.c 
> > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, > > struct audit_field *f) return -EINVAL; > > break; > > case AUDIT_EXE: > > - if (f->op != Audit_equal) > > + if (f->op != Audit_not_equal && f->op != Audit_equal) > > return -EINVAL; > > if (entry->rule.listnr != AUDIT_FILTER_EXIT) > > return -EINVAL; > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index 4e0a4ac803db..479c031ec54c 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, > > break; > > case AUDIT_EXE: > > result = audit_exe_compare(tsk, rule->exe); > > + if (f->op == Audit_not_equal) > > + result = !result; > > break; > > case AUDIT_UID: > > result = audit_uid_comparator(cred->uid, f->op, f->uid); > > > > - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] audit: allow not equal op for audit by executable 2018-04-06 14:45 ` Richard Guy Briggs @ 2018-04-06 15:19 ` Steve Grubb 2018-04-06 16:40 ` Richard Guy Briggs 0 siblings, 1 reply; 10+ messages in thread From: Steve Grubb @ 2018-04-06 15:19 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: linux-audit On Friday, April 6, 2018 10:45:37 AM EDT Richard Guy Briggs wrote: > On 2018-04-06 10:32, Steve Grubb wrote: > > On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote: > > > Current implementation of auditing by executable name only implements > > > the 'equal' operator. This patch extends it to also support the 'not > > > equal' operator. > > > > > > See: https://github.com/linux-audit/audit-kernel/issues/53 > > > > What would an audit rule that uses this new capability look like? > > auditctl -a exit,always ... -F exe!=/path/to/exec Does this mean, audit the syscall for any application except the one mentioned? If so, how does this compare to auditctl -a exit,never ... -F exe=/path/to/exec auditctl -a exit,always ... -Steve > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > > --- > > > > > > Hi Paul, > > > > > > this turned out to be easier than I anticipated so I'm sending the > > > patch > > > already :) I hope I got everything right. Note that the userspace tools > > > also need to be updated to check the feature bit and allow/disallow the > > > operator based on that. > > > > > > Ondrej > > > > > > include/uapi/linux/audit.h | 18 ++++++++++-------- > > > kernel/auditfilter.c | 2 +- > > > kernel/auditsc.c | 2 ++ > > > 3 files changed, 13 insertions(+), 9 deletions(-) > > > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > > index 4e61a9e05132..03393f7e8932 100644 > > > --- a/include/uapi/linux/audit.h > > > +++ b/include/uapi/linux/audit.h 
> > > @@ -333,13 +333,14 @@ enum { > > > > > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > > > #define AUDIT_STATUS_LOST 0x0040 > > > > > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > > > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > > > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > > > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > > > -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > > > -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > > > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > > > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > > > +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 > > > > > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | > > > \ > > > > > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ > > > > > > @@ -347,7 +348,8 @@ enum { > > > > > > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ > > > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > > > AUDIT_FEATURE_BITMAP_LOST_RESET | \ > > > > > > - AUDIT_FEATURE_BITMAP_FILTER_FS) > > > + AUDIT_FEATURE_BITMAP_FILTER_FS | \ > > > + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) > > > > > > /* deprecated: AUDIT_VERSION_* */ > > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > > > > > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > > > index d7a807e81451..a0c5a3ec6e60 100644 > > > --- a/kernel/auditfilter.c > > > +++ b/kernel/auditfilter.c 
> > > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry > > > *entry, struct audit_field *f) return -EINVAL; > > > > > > break; > > > > > > case AUDIT_EXE: > > > - if (f->op != Audit_equal) > > > + if (f->op != Audit_not_equal && f->op != Audit_equal) > > > > > > return -EINVAL; > > > > > > if (entry->rule.listnr != AUDIT_FILTER_EXIT) > > > > > > return -EINVAL; > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > index 4e0a4ac803db..479c031ec54c 100644 > > > --- a/kernel/auditsc.c > > > +++ b/kernel/auditsc.c > > > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct > > > *tsk, > > > > > > break; > > > > > > case AUDIT_EXE: > > > result = audit_exe_compare(tsk, rule->exe); > > > > > > + if (f->op == Audit_not_equal) > > > + result = !result; > > > > > > break; > > > > > > case AUDIT_UID: > > > result = audit_uid_comparator(cred->uid, f->op, f->uid); > > - RGB > > -- > Richard Guy Briggs <rgb@redhat.com> > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 10+ messages in thread
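Richard's answer to Steve (`auditctl -a exit,always ... -F exe!=/path/to/exec`) and Steve's follow-up comparing it with an `exit,never ... -F exe=/path/to/exec` rule followed by a bare `exit,always` rule both come down to how the exit filter list is walked. The C program below is an added illustration, not kernel code and not anything posted in this thread. It models two things from kernel/auditsc.c as I read them: the AUDIT_EXE compare as the patch shapes it (equal, then inverted for Audit_not_equal) and first-match evaluation, where the first rule whose fields match decides and later rules are not consulted. The path /usr/bin/trusted and the sample executables are constructed. The model shows that the single `!=` rule and the never-then-always pair record the same set of executables, that the pair only behaves that way with the `never` rule first (an unconditional `always` placed first shadows it), and that the two forms still differ for the excluded executable itself: the `!=` rule simply fails to match, while the `never` rule matches and explicitly sets the disabled state.

```c
/*
 * Added illustration (not kernel code, not from the thread): a model of how
 * the audit exit filter list is walked. Two pieces are mirrored from
 * kernel/auditsc.c as I understand it: the AUDIT_EXE compare from the patch
 * (equal, then inverted for Audit_not_equal) and first-match evaluation, in
 * which the first rule whose fields match decides and later rules are skipped.
 * The path /usr/bin/trusted and the sample executables are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum exe_op { OP_NONE, OP_EQUAL, OP_NOT_EQUAL }; /* stand-ins for Audit_equal / Audit_not_equal */
enum action { ACT_NEVER, ACT_ALWAYS };           /* stand-ins for AUDIT_NEVER / AUDIT_ALWAYS */

/* Outcome of walking the exit list for one syscall. */
enum verdict {
    V_NO_RULE,  /* no rule matched: the list neither records nor suppresses */
    V_DISABLED, /* a "never" rule matched: the record is suppressed */
    V_RECORD    /* an "always" rule matched: the syscall is recorded */
};

struct rule {
    enum action action;
    enum exe_op op;  /* OP_NONE: the rule carries no -F exe field */
    const char *exe; /* path the task's executable is compared against */
};

/* Per-field compare shaped like the AUDIT_EXE case in the patch. */
static bool exe_field_matches(const struct rule *r, const char *task_exe)
{
    bool result;

    if (r->op == OP_NONE)
        return true;                            /* no exe constraint */
    result = strcmp(r->exe, task_exe) == 0;     /* stands in for audit_exe_compare() */
    if (r->op == OP_NOT_EQUAL)
        result = !result;                       /* the inversion the patch adds */
    return result;
}

/* First matching rule wins; the rules after it are not consulted. */
enum verdict filter_exit(const struct rule *rules, size_t n, const char *task_exe)
{
    for (size_t i = 0; i < n; i++)
        if (exe_field_matches(&rules[i], task_exe))
            return rules[i].action == ACT_ALWAYS ? V_RECORD : V_DISABLED;
    return V_NO_RULE;
}

#define TRUSTED "/usr/bin/trusted" /* constructed path */

/* auditctl -a exit,always ... -F exe!=/usr/bin/trusted */
static const struct rule set_neq[] = {
    { ACT_ALWAYS, OP_NOT_EQUAL, TRUSTED },
};

/* auditctl -a exit,never ... -F exe=/usr/bin/trusted, then auditctl -a exit,always ... */
static const struct rule set_never_first[] = {
    { ACT_NEVER,  OP_EQUAL, TRUSTED },
    { ACT_ALWAYS, OP_NONE,  NULL },
};

/* The same pair in the wrong order: the unconditional rule shadows the exclusion. */
static const struct rule set_always_first[] = {
    { ACT_ALWAYS, OP_NONE,  NULL },
    { ACT_NEVER,  OP_EQUAL, TRUSTED },
};

enum verdict verdict_neq(const char *exe) { return filter_exit(set_neq, 1, exe); }
enum verdict verdict_never_first(const char *exe) { return filter_exit(set_never_first, 2, exe); }
enum verdict verdict_always_first(const char *exe) { return filter_exit(set_always_first, 2, exe); }

/* True when both rule sets record exactly the same sample executables. */
static bool records_same(enum verdict (*a)(const char *), enum verdict (*b)(const char *))
{
    static const char *const samples[] = { TRUSTED, "/usr/bin/other", "/usr/sbin/sshd" }; /* constructed */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if ((a(samples[i]) == V_RECORD) != (b(samples[i]) == V_RECORD))
            return false;
    return true;
}

bool neq_records_same_as_never_first(void) { return records_same(verdict_neq, verdict_never_first); }
bool neq_records_same_as_always_first(void) { return records_same(verdict_neq, verdict_always_first); }

int main(void)
{
    static const char *const name[] = { "no rule", "disabled", "record" };
    const char *exes[] = { TRUSTED, "/usr/bin/other" };

    for (size_t i = 0; i < 2; i++)
        printf("%-17s exe!=: %-8s never-first: %-8s always-first: %s\n", exes[i],
               name[verdict_neq(exes[i])], name[verdict_never_first(exes[i])],
               name[verdict_always_first(exes[i])]);
    return 0;
}
```

The practical point for anyone writing rules today is the ordering one: because the first matching exit rule decides, the two-rule form only excludes the trusted executable if the `never` rule is loaded before the unconditional `always` rule, whereas the single `exe!=` rule the patch enables carries the exclusion inside the rule and cannot be reordered out of effect.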
* Re: [PATCH] audit: allow not equal op for audit by executable 2018-04-06 15:19 ` Steve Grubb @ 2018-04-06 16:40 ` Richard Guy Briggs 0 siblings, 0 replies; 10+ messages in thread From: Richard Guy Briggs @ 2018-04-06 16:40 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit On 2018-04-06 11:19, Steve Grubb wrote: > On Friday, April 6, 2018 10:45:37 AM EDT Richard Guy Briggs wrote: > > On 2018-04-06 10:32, Steve Grubb wrote: > > > On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote: > > > > Current implementation of auditing by executable name only implements > > > > the 'equal' operator. This patch extends it to also support the 'not > > > > equal' operator. > > > > > > > > See: https://github.com/linux-audit/audit-kernel/issues/53 > > > > > > What would an audit rule that uses this new capability look like? > > > > auditctl -a exit,always ... -F exe!=/path/to/exec > > Does this mean, audit the syscall for any application except the one > mentioned? If so, how does this compare to > > auditctl -a exit,never ... -F exe=/path/to/exec > auditctl -a exit,always ... Two rules instead of one? > -Steve > > > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > > > --- > > > > > > > > Hi Paul, > > > > > > > > this turned out to be easier than I anticipated so I'm sending the > > > > patch > > > > already :) I hope I got everything right. Note that the userspace tools > > > > also need to be updated to check the feature bit and allow/disallow the > > > > operator based on that. > > > > > > > > Ondrej > > > > > > > > include/uapi/linux/audit.h | 18 ++++++++++-------- > > > > kernel/auditfilter.c | 2 +- > > > > kernel/auditsc.c | 2 ++ > > > > 3 files changed, 13 insertions(+), 9 deletions(-) > > > > > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > > > index 4e61a9e05132..03393f7e8932 100644 > > > > --- a/include/uapi/linux/audit.h > > > > +++ b/include/uapi/linux/audit.h 
> > > > @@ -333,13 +333,14 @@ enum { > > > > > > > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > > > > #define AUDIT_STATUS_LOST 0x0040 > > > > > > > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > > > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > > > > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > > > > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > > > > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > > > > -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > > > > -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > > > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > > > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > > > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > > > > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 > > > > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > > > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > > > > +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > > > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 > > > > > > > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | > > > > \ > > > > > > > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ > > > > > > > > @@ -347,7 +348,8 @@ enum { > > > > > > > > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ > > > > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > > > > AUDIT_FEATURE_BITMAP_LOST_RESET | \ > > > > > > > > - AUDIT_FEATURE_BITMAP_FILTER_FS) > > > > + AUDIT_FEATURE_BITMAP_FILTER_FS | \ > > > > + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) > > > > > > > > /* deprecated: AUDIT_VERSION_* */ > > > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > > > > > > > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > > > > index d7a807e81451..a0c5a3ec6e60 100644 > > > > --- a/kernel/auditfilter.c > > > > +++ b/kernel/auditfilter.c 
> > > > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry > > > > *entry, struct audit_field *f) return -EINVAL; > > > > > > > > break; > > > > > > > > case AUDIT_EXE: > > > > - if (f->op != Audit_equal) > > > > + if (f->op != Audit_not_equal && f->op != Audit_equal) > > > > > > > > return -EINVAL; > > > > > > > > if (entry->rule.listnr != AUDIT_FILTER_EXIT) > > > > > > > > return -EINVAL; > > > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > index 4e0a4ac803db..479c031ec54c 100644 > > > > --- a/kernel/auditsc.c > > > > +++ b/kernel/auditsc.c > > > > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct > > > > *tsk, > > > > > > > > break; > > > > > > > > case AUDIT_EXE: > > > > result = audit_exe_compare(tsk, rule->exe); > > > > > > > > + if (f->op == Audit_not_equal) > > > > + result = !result; > > > > > > > > break; > > > > > > > > case AUDIT_UID: > > > > result = audit_uid_comparator(cred->uid, f->op, f->uid); > > > > - RGB > > > > -- > > Richard Guy Briggs <rgb@redhat.com> > > Sr. S/W Engineer, Kernel Security, Base Operating Systems > > Remote, Ottawa, Red Hat Canada > > IRC: rgb, SunRaycer > > Voice: +1.647.777.2635, Internal: (81) 32635 > > > > - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] audit: allow not equal op for audit by executable 2018-04-06 14:32 ` Steve Grubb 2018-04-06 14:45 ` Richard Guy Briggs @ 2018-04-06 15:01 ` Ondrej Mosnacek 1 sibling, 0 replies; 10+ messages in thread From: Ondrej Mosnacek @ 2018-04-06 15:01 UTC (permalink / raw) To: Steve Grubb; +Cc: Richard Guy Briggs, linux-audit 2018-04-06 16:32 GMT+02:00 Steve Grubb <sgrubb@redhat.com>: > On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote: >> Current implementation of auditing by executable name only implements >> the 'equal' operator. This patch extends it to also support the 'not >> equal' operator. >> >> See: https://github.com/linux-audit/audit-kernel/issues/53 > > What would an audit rule that uses this new capability look like? The GitHub issue links to the following original user request: https://www.redhat.com/archives/linux-audit/2017-June/msg00029.html The desired rule would then look exactly as the user expected: -a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F exe!=/path/to/application -F key=voicemail_watch > -Steve > >> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> >> --- >> >> Hi Paul, >> >> this turned out to be easier than I anticipated so I'm sending the patch >> already :) I hope I got everything right. Note that the userspace tools >> also need to be updated to check the feature bit and allow/disallow the >> operator based on that. >> >> Ondrej >> >> include/uapi/linux/audit.h | 18 ++++++++++-------- >> kernel/auditfilter.c | 2 +- >> kernel/auditsc.c | 2 ++ >> 3 files changed, 13 insertions(+), 9 deletions(-) >> >> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h >> index 4e61a9e05132..03393f7e8932 100644 >> --- a/include/uapi/linux/audit.h >> +++ b/include/uapi/linux/audit.h 
>> @@ -333,13 +333,14 @@ enum { >> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 >> #define AUDIT_STATUS_LOST 0x0040 >> >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 >> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 >> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 >> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 >> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 >> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 >> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 >> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 >> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 >> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080 >> >> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ >> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ >> @@ -347,7 +348,8 @@ enum { >> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ >> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ >> AUDIT_FEATURE_BITMAP_LOST_RESET | \ >> - AUDIT_FEATURE_BITMAP_FILTER_FS) >> + AUDIT_FEATURE_BITMAP_FILTER_FS | \ >> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) >> >> /* deprecated: AUDIT_VERSION_* */ >> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL >> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c >> index d7a807e81451..a0c5a3ec6e60 100644 >> --- a/kernel/auditfilter.c >> +++ b/kernel/auditfilter.c >> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, >> struct audit_field *f) return -EINVAL; >> break; >> case AUDIT_EXE: >> - if (f->op != Audit_equal) >> + if (f->op != Audit_not_equal && f->op != Audit_equal) >> return -EINVAL; >> if (entry->rule.listnr != AUDIT_FILTER_EXIT) >> return -EINVAL; 
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c >> index 4e0a4ac803db..479c031ec54c 100644 >> --- a/kernel/auditsc.c >> +++ b/kernel/auditsc.c >> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, >> break; >> case AUDIT_EXE: >> result = audit_exe_compare(tsk, rule->exe); >> + if (f->op == Audit_not_equal) >> + result = !result; >> break; >> case AUDIT_UID: >> result = audit_uid_comparator(cred->uid, f->op, f->uid); > > > > -- Ondrej Mosnacek <omosnace at redhat dot com> Associate Software Engineer, Security Technologies Red Hat, Inc. ^ permalink raw reply [flat|nested] 10+ messages in thread
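An added illustration (not code from the patch or the audit project) of the two points discussed in this thread: the feature-bit gate a userspace tool needs before it may send `exe!=`, and why the single `exe!=` rule audits the same tasks as Steve's never/always rule pair. The operator values and which feature bit gates which operator are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Feature bits exactly as defined in the patch's audit.h hunk. */
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH     0x00000004
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080

/* Operator names from the patch; the numeric values are assumed here. */
enum exe_op { Audit_equal = 0, Audit_not_equal = 1 };

/* Gate a userspace tool should apply before sending "-F exe=" or "-F exe!="
 * to the kernel, given the feature bitmap the kernel reports. Which bit each
 * op needs is an assumption drawn from the patch's cover letter. */
bool exe_op_supported(uint32_t feature_bitmap, enum exe_op op)
{
    if (!(feature_bitmap & AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH))
        return false;               /* kernel cannot filter on exe at all */
    if (op == Audit_not_equal)
        return (feature_bitmap & AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) != 0;
    return op == Audit_equal;       /* any other op gets -EINVAL from the kernel */
}

/* Mirrors the auditsc.c hunk: compare first, then invert for not-equal. */
bool exe_field_matches(const char *task_exe, const char *rule_exe, enum exe_op op)
{
    bool result = strcmp(task_exe, rule_exe) == 0;
    if (op == Audit_not_equal)
        result = !result;
    return result;
}

/* Steve's two-rule alternative: "-a exit,never -F exe=X" appended before an
 * unconditional "-a exit,always". The exit list stops at the first matching
 * rule, so X is shielded by "never" and everything else reaches "always". */
bool audited_by_two_rules(const char *task_exe, const char *excluded_exe)
{
    if (exe_field_matches(task_exe, excluded_exe, Audit_equal))
        return false;               /* first match wins: action "never" */
    return true;                    /* unconditional rule: action "always" */
}

/* The single rule the patch enables: "-a exit,always -F exe!=X". */
bool audited_by_single_rule(const char *task_exe, const char *excluded_exe)
{
    return exe_field_matches(task_exe, excluded_exe, Audit_not_equal);
}
```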