Linux-audit Archive on lore.kernel.org
* [PATCH] audit tools: add filterkey support
From: Amy Griffis @ 2006-06-14 22:49 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Hi Steve,

Here is the userspace patch I used to test the kernel filterkey patch.

Hope this helps,
Amy

---

 lib/fieldtab.h |    1 +
 lib/libaudit.c |   13 +++++++------
 lib/libaudit.h |    4 ++++
 src/auditctl.c |    5 +++++
 4 files changed, 17 insertions(+), 6 deletions(-)

acece4c427812119ec1aac24fe5e8b58902985a9
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index a6f3121..a74754f 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -53,3 +53,4 @@ _S(AUDIT_ARG1,     "a1"       )
 _S(AUDIT_ARG2,     "a2"       )
 _S(AUDIT_ARG3,     "a3"       )
 
+_S(AUDIT_FILTERKEY, "filterkey")
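Review bot: the new `_S(AUDIT_FILTERKEY, "filterkey")` entry is separated from the `a1`/`a2`/`a3` entries by the blank line that closes the table, and its column spacing does not follow the padded `_S(AUDIT_ARG3,     "a3"       )` layout of its neighbours; move it above the blank line and pad it to match so the table stays one block.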
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b61df6c..48022df 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -827,6 +827,7 @@ int audit_rule_fieldpair(struct audit_ru
 		case AUDIT_SE_SEN:
 		case AUDIT_SE_CLR:
 		case AUDIT_WATCH:
+		case AUDIT_FILTERKEY:
 			return -10;
 		case AUDIT_DEVMAJOR...AUDIT_SUCCESS:
 			if (flags == AUDIT_FILTER_ENTRY)
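Review bot: `AUDIT_FILTERKEY` now shares the `return -10` path with `AUDIT_WATCH` and the `AUDIT_SE_*` fields, so whatever message the caller prints for -10 must also read correctly when the offending field is `filterkey`; please confirm that string (not visible in this hunk) is generic enough, or add a distinct code.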
@@ -946,17 +947,17 @@ int audit_rule_fieldpair_data(struct aud
 				else
 					return -8;
 			break;
+		case AUDIT_WATCH:
+			/* Watch is invalid on anything but exit */
+			if (flags != AUDIT_FILTER_EXIT)
+				return -7;
+			/* fallthrough */
 		case AUDIT_SE_USER:
 		case AUDIT_SE_ROLE:
 		case AUDIT_SE_TYPE:
 		case AUDIT_SE_SEN:
 		case AUDIT_SE_CLR:
-		case AUDIT_WATCH:
-			/* Watch is invalid on anything but exit */
-			if ((flags != AUDIT_FILTER_EXIT) &&
-					(field == AUDIT_WATCH))
-				return -7;
-
+		case AUDIT_FILTERKEY:
 			rule->values[rule->field_count] = strlen(v);
 			offset = rule->buflen;
 			rule->buflen += strlen(v);
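Review bot: nothing in this hunk bounds the key length before `rule->values[rule->field_count] = strlen(v);` and `rule->buflen += strlen(v);` append it to the rule buffer, so an over-long `filterkey=` value from the command line reaches the kernel unchecked; validate `strlen(v)` against the maximum key length before the copy and return a distinct error code on overflow. The reordering that moves `AUDIT_WATCH` ahead of the `AUDIT_SE_*` cases and replaces the `(field == AUDIT_WATCH)` test with a `/* fallthrough */` is behaviour-preserving and reads better than before.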
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 8aab24e..c9e2ea4 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -214,6 +214,10 @@ extern "C" {
 #define AUDIT_WATCH     105	/* This is a field in syscall rule */
 #endif
 
+#ifndef AUDIT_FILTERKEY
+#define AUDIT_FILTERKEY 210
+#endif
+
 /* This is new list defines from audit.h */
 #ifndef AUDIT_FILTER_USER
 #define AUDIT_FILTER_USER       0x00    /* Apply rule to user-generated messages */
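Review bot: `#define AUDIT_FILTERKEY 210` is guarded by `#ifndef` but carries no comment, unlike the adjacent `#define AUDIT_WATCH     105	/* This is a field in syscall rule */`; add a comment stating that the value must match the kernel's audit.h from the filterkey kernel patch, since a mismatch would silently send the wrong field type.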
diff --git a/src/auditctl.c b/src/auditctl.c
index 045a38d..168253f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -967,6 +967,11 @@ static int audit_print_reply(struct audi
 						  rep->ruledata->values[i],
 						  &rep->ruledata->buf[boffset]);
 						boffset += rep->ruledata->values[i];
+					} else if (field == AUDIT_FILTERKEY) {
+						printf(" filterkey=%.*s",
+						  rep->ruledata->values[i],
+						  &rep->ruledata->buf[boffset]);
+						boffset += rep->ruledata->values[i];
 					} else {
 						printf(" %s%s%d", name, 
 							audit_operator_to_symbol(op),
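Review bot: the new `else if (field == AUDIT_FILTERKEY)` branch duplicates the preceding watch branch line for line (`rep->ruledata->values[i]`, `&rep->ruledata->buf[boffset]`, `boffset += rep->ruledata->values[i];`), differing only in the printed label; fold both into one branch that tests `field == AUDIT_WATCH || field == AUDIT_FILTERKEY` and prints `name`, so future string-valued fields do not need a third copy.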
-- 
1.2.GIT


* Re: [PATCH] audit tools: add filterkey support
From: Steve @ 2006-06-26 12:49 UTC (permalink / raw)
  To: linux-audit

> Here is the userspace patch I used to test the kernel filterkey patch.

I have applied the filterkey patch to audit 1.2.3-1 and am receiving 
some strange dispatch events.  Look at the auid below:

Jun 26 08:42:58 otslab11 user_actions[2559]: type=1300, payload size=283
Jun 26 08:42:58 otslab11 user_actions[2559]: 
data="audit(1151325777.277:54): arch=40000003 syscall=5 success=yes 
exit=3 a0=bfea0c58 a1=8000 a2=0 a3=8000 items=1 ppid=2329 pid=2578 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 
key=(null)"
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1307, payload size=38
Jun 26 08:42:58 otslab11 user_actions[2559]: 
data="audit(1151325777.277:54):  cwd="/root""
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1302, payload size=146
Jun 26 08:42:58 otslab11 user_actions[2559]: 
data="audit(1151325777.277:54): item=0 name="/tmp/test.c" inode=5358299 
dev=03:02 mode=0100666 ouid=500 ogid=500 rdev=00:00 
obj=user_u:object_r:tmp_t:s0"

I haven't determined how to assign a key to a rule yet (maybe that is 
part of the problem).

I am using the 2.6.17-1.2293.2.2_FC6.lspp.38.i686 kernel.

Steve


* Re: [PATCH] audit tools: add filterkey support
From: Steve @ 2006-06-26 12:57 UTC (permalink / raw)
  To: linux-audit

> I haven't determined how to assign a key to a rule yet (maybe that is 
> part of the problem).

I was able to assign a key using filterkey=MY_RULE_0 and the auid is 
still off.

data="audit(1151326486.828:62): arch=40000003 syscall=195 success=yes 
exit=0 a0=9b09080 a1=806a760 a2=8f1ff4 a3=0 items=1 ppid=2329 pid=2696 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts1 comm="nano" exe="/usr/bin/nano" 
subj=user_u:system_r:unconfined_t:s0 key="MY_RULE_0""

Steve
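The two syscall records quoted in this thread show how a `filterkey` surfaces in the audit stream: as a trailing `key=` field that is `(null)` when no key was attached and the quoted key name otherwise. The following parser is an added example, not code from the thread or the audit project. It re-joins the quoted records onto single lines (the archive wrapped them), splits the `name=value` pairs, reports the rule key, and flags an `auid` of 4294967295, which is the unsigned 32-bit form of -1 that the kernel reports when no login uid has been set for the process. The record lines are the thread's own; the function names are mine.

```python
import re

# Constructed sample input: the two records quoted above, unwrapped onto one line each.
SAMPLE_RECORDS = [
    'audit(1151325777.277:54): arch=40000003 syscall=5 success=yes exit=3 '
    'a0=bfea0c58 a1=8000 a2=0 a3=8000 items=1 ppid=2329 pid=2578 auid=4294967295 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="cat" '
    'exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key=(null)',
    'audit(1151326486.828:62): arch=40000003 syscall=195 success=yes exit=0 '
    'a0=9b09080 a1=806a760 a2=8f1ff4 a3=0 items=1 ppid=2329 pid=2696 auid=4294967295 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="nano" '
    'exe="/usr/bin/nano" subj=user_u:system_r:unconfined_t:s0 key="MY_RULE_0"',
]

# (uint32)-1: the kernel reports this auid when no login uid was ever set.
AUID_UNSET = 0xFFFFFFFF

_HEADER = re.compile(r'^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# A name=value pair; the value is either a double-quoted string or a bare token.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one syscall record into a dict of its fields (quotes stripped)."""
    m = _HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = {"timestamp": m["ts"], "serial": int(m["serial"])}
    for name, value in _PAIR.findall(m["body"]):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[name] = value
    return fields


def rule_key(rec):
    """Return the filterkey attached to the record, or None for key=(null)."""
    key = rec.get("key")
    if key is None or key == "(null)":
        return None
    return key


def auid_is_unset(rec):
    """True when the auid field carries the kernel's 'no loginuid' marker."""
    return int(rec["auid"]) == AUID_UNSET


def summarize(line):
    """Compact view of the fields a reviewer of a keyed rule cares about."""
    rec = parse_record(line)
    return {
        "serial": rec["serial"],
        "syscall": int(rec["syscall"]),
        "comm": rec["comm"],
        "exe": rec["exe"],
        "key": rule_key(rec),
        "auid_unset": auid_is_unset(rec),
    }


def serials_for_key(lines, key):
    """Serial numbers of all records in `lines` that were matched by rule `key`."""
    return [parse_record(l)["serial"] for l in lines if rule_key(parse_record(l)) == key]


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(summarize(line))
    print(serials_for_key(SAMPLE_RECORDS, "MY_RULE_0"))
```

Run on the two quoted records, the first summary reports `key=None` (the `(null)` case) and the second `key='MY_RULE_0'`; both report `auid_unset=True`, which is what the `auid=4294967295` value in each record encodes.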
