* [PATCH] audit: allow not equal op for audit by executable
@ 2018-04-06 8:43 Ondrej Mosnacek
2018-04-06 10:37 ` Richard Guy Briggs
2018-04-06 14:32 ` Steve Grubb
0 siblings, 2 replies; 10+ messages in thread
From: Ondrej Mosnacek @ 2018-04-06 8:43 UTC (permalink / raw)
To: Paul Moore; +Cc: Richard Guy Briggs, linux-audit
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
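Review bot: seven of the eight `+` lines in this hunk are whitespace churn: every existing AUDIT_FEATURE_BITMAP_* define is deleted and re-added with an identical value only to realign the column for the longer new name, which buries the one real change (`+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080`) and makes `git blame` on the untouched bits point at this commit. Either leave the existing lines alone and let the new define stick out, or move the realignment into a separate no-op patch. This is also a UAPI header, so bit 0x00000080 becomes permanent ABI the moment it is merged; since the thread questions whether a feature bit is warranted at all, that decision should be settled before the bit is burned.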
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
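Review bot: AUDIT_VERSION_LATEST is defined as AUDIT_FEATURE_BITMAP_ALL (the two context lines closing this hunk), so adding the bit here also changes the value returned for the deprecated version query; that is the intended effect, but the commit message describes only the operator and never mentions the feature bit. Add a sentence to the commit message naming AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ and stating that userspace is expected to test it before sending Audit_not_equal for an AUDIT_EXE field, so the kernel and the audit-userspace change stay in lockstep.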
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
case AUDIT_EXE:
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
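Review bot: the new condition reads backwards for a check about what is permitted; `if (f->op != Audit_equal && f->op != Audit_not_equal)` keeps the existing operator first and reads as "equal or not-equal only". More importantly, the failure path still returns a bare -EINVAL, indistinguishable from the AUDIT_FILTER_EXIT check two lines below or from any other malformed rule, which is exactly why userspace cannot tell an old kernel from a bad rule without the feature bit; if the bit is dropped as the thread suggests, the cover letter's goal of a specific error for exe!= on older kernels cannot be met from this return value alone. Note also that the listnr restriction is unchanged, so exe!= remains exit-list only.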
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid);
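Review bot: `result = !result;` is only correct if audit_exe_compare() returns strictly 0 or 1; if it can ever return a negative error, the negation turns that error into a positive match and a not-equal rule would then fire for every process. Please confirm the return contract in the commit message or test it explicitly, e.g. `result = (result == 0);`, so an unexpected value cannot be inverted into a match. Unlike the neighbouring comparators in this switch (audit_uid_comparator below takes f->op directly), this case handles the operator by post-hoc inversion; a one-line comment noting that AUDIT_EXE supports only equal/not-equal would explain why.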
--
2.14.3
* Re: [PATCH] audit: allow not equal op for audit by executable
2018-04-06 8:43 [PATCH] audit: allow not equal op for audit by executable Ondrej Mosnacek
@ 2018-04-06 10:37 ` Richard Guy Briggs
2018-04-06 11:10 ` Ondrej Mosnacek
2018-04-06 14:32 ` Steve Grubb
1 sibling, 1 reply; 10+ messages in thread
From: Richard Guy Briggs @ 2018-04-06 10:37 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: linux-audit
On 2018-04-06 10:43, Ondrej Mosnacek wrote:
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>
> Hi Paul,
>
> this turned out to be easier than I anticipated so I'm sending the patch
> already :) I hope I got everything right. Note that the userspace tools
> also need to be updated to check the feature bit and allow/disallow the
> operator based on that.
Do we really need to eat up a feature bit for this? The kernel will
simply return -EINVAL if it isn't supported. That will make userspace
implementation easier.
> Ondrej
>
> include/uapi/linux/audit.h | 18 ++++++++++--------
> kernel/auditfilter.c | 2 +-
> kernel/auditsc.c | 2 ++
> 3 files changed, 13 insertions(+), 9 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 4e61a9e05132..03393f7e8932 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -333,13 +333,14 @@ enum {
> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> #define AUDIT_STATUS_LOST 0x0040
>
> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
>
> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> @@ -347,7 +348,8 @@ enum {
> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> AUDIT_FEATURE_BITMAP_LOST_RESET | \
> - AUDIT_FEATURE_BITMAP_FILTER_FS)
> + AUDIT_FEATURE_BITMAP_FILTER_FS | \
> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
> return -EINVAL;
> break;
> case AUDIT_EXE:
> - if (f->op != Audit_equal)
> + if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op, f->uid);
> --
> 2.14.3
>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: [PATCH] audit: allow not equal op for audit by executable
2018-04-06 10:37 ` Richard Guy Briggs
@ 2018-04-06 11:10 ` Ondrej Mosnacek
2018-04-06 11:53 ` Richard Guy Briggs
0 siblings, 1 reply; 10+ messages in thread
From: Ondrej Mosnacek @ 2018-04-06 11:10 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <rgb@redhat.com>:
> On 2018-04-06 10:43, Ondrej Mosnacek wrote:
>> Current implementation of auditing by executable name only implements
>> the 'equal' operator. This patch extends it to also support the 'not
>> equal' operator.
>>
>> See: https://github.com/linux-audit/audit-kernel/issues/53
>>
>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>> ---
>>
>> Hi Paul,
>>
>> this turned out to be easier than I anticipated so I'm sending the patch
>> already :) I hope I got everything right. Note that the userspace tools
>> also need to be updated to check the feature bit and allow/disallow the
>> operator based on that.
>
> Do we really need to eat up a feature bit for this? The kernel will
> simply return -EINVAL if it isn't supported. That will make userspace
> implementation easier.
The problem then would be that if someone tried to use the not equal
operator on an older kernel, he would get some generic error message
instead of the current "exe only takes = operator".
This is how it would be handled with the feature bit:
https://github.com/WOnder93/audit-userspace/commit/c2260940e0216042efa11f24384d70772e619e8e
If the consensus is that it's not worth it, I will resend it without that part.
>> Ondrej
>>
>> include/uapi/linux/audit.h | 18 ++++++++++--------
>> kernel/auditfilter.c | 2 +-
>> kernel/auditsc.c | 2 ++
>> 3 files changed, 13 insertions(+), 9 deletions(-)
>>
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 4e61a9e05132..03393f7e8932 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -333,13 +333,14 @@ enum {
>> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
>> #define AUDIT_STATUS_LOST 0x0040
>>
>> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
>> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
>> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
>> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
>> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
>> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
>> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
>> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
>> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
>> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
>> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
>> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
>> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
>> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
>> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
>>
>> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
>> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
>> @@ -347,7 +348,8 @@ enum {
>> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
>> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
>> AUDIT_FEATURE_BITMAP_LOST_RESET | \
>> - AUDIT_FEATURE_BITMAP_FILTER_FS)
>> + AUDIT_FEATURE_BITMAP_FILTER_FS | \
>> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
>>
>> /* deprecated: AUDIT_VERSION_* */
>> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index d7a807e81451..a0c5a3ec6e60 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
>> return -EINVAL;
>> break;
>> case AUDIT_EXE:
>> - if (f->op != Audit_equal)
>> + if (f->op != Audit_not_equal && f->op != Audit_equal)
>> return -EINVAL;
>> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>> return -EINVAL;
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 4e0a4ac803db..479c031ec54c 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
>> break;
>> case AUDIT_EXE:
>> result = audit_exe_compare(tsk, rule->exe);
>> + if (f->op == Audit_not_equal)
>> + result = !result;
>> break;
>> case AUDIT_UID:
>> result = audit_uid_comparator(cred->uid, f->op, f->uid);
>> --
>> 2.14.3
>>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
* Re: [PATCH] audit: allow not equal op for audit by executable
2018-04-06 11:10 ` Ondrej Mosnacek
@ 2018-04-06 11:53 ` Richard Guy Briggs
2018-04-06 21:21 ` Paul Moore
0 siblings, 1 reply; 10+ messages in thread
From: Richard Guy Briggs @ 2018-04-06 11:53 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: linux-audit
On 2018-04-06 13:10, Ondrej Mosnacek wrote:
> 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <rgb@redhat.com>:
> > On 2018-04-06 10:43, Ondrej Mosnacek wrote:
> >> Current implementation of auditing by executable name only implements
> >> the 'equal' operator. This patch extends it to also support the 'not
> >> equal' operator.
> >>
> >> See: https://github.com/linux-audit/audit-kernel/issues/53
> >>
> >> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> >> ---
> >>
> >> Hi Paul,
> >>
> >> this turned out to be easier than I anticipated so I'm sending the patch
> >> already :) I hope I got everything right. Note that the userspace tools
> >> also need to be updated to check the feature bit and allow/disallow the
> >> operator based on that.
> >
> > Do we really need to eat up a feature bit for this? The kernel will
> > simply return -EINVAL if it isn't supported. That will make userspace
> > implementation easier.
>
> The problem then would be that if someone tried to use the not equal
> operator on an older kernel, he would get some generic error message
> instead of the current "exe only takes = operator".
You are right. I'm just not sure it is worth spending a feature bit on
it.
> This is how it would be handled with the feature bit:
> https://github.com/WOnder93/audit-userspace/commit/c2260940e0216042efa11f24384d70772e619e8e
>
> If the consensus is that it's not worth it, I will resend it without that part.
I'd be interested to hear Paul and Steve's perspective.
> >> Ondrej
> >>
> >> include/uapi/linux/audit.h | 18 ++++++++++--------
> >> kernel/auditfilter.c | 2 +-
> >> kernel/auditsc.c | 2 ++
> >> 3 files changed, 13 insertions(+), 9 deletions(-)
> >>
> >> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> >> index 4e61a9e05132..03393f7e8932 100644
> >> --- a/include/uapi/linux/audit.h
> >> +++ b/include/uapi/linux/audit.h
> >> @@ -333,13 +333,14 @@ enum {
> >> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> >> #define AUDIT_STATUS_LOST 0x0040
> >>
> >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> >> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> >> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> >> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> >> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> >> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> >> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> >> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> >> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> >> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> >> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> >> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> >> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
> >>
> >> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> >> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> >> @@ -347,7 +348,8 @@ enum {
> >> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> >> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> >> AUDIT_FEATURE_BITMAP_LOST_RESET | \
> >> - AUDIT_FEATURE_BITMAP_FILTER_FS)
> >> + AUDIT_FEATURE_BITMAP_FILTER_FS | \
> >> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
> >>
> >> /* deprecated: AUDIT_VERSION_* */
> >> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> >> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> >> index d7a807e81451..a0c5a3ec6e60 100644
> >> --- a/kernel/auditfilter.c
> >> +++ b/kernel/auditfilter.c
> >> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
> >> return -EINVAL;
> >> break;
> >> case AUDIT_EXE:
> >> - if (f->op != Audit_equal)
> >> + if (f->op != Audit_not_equal && f->op != Audit_equal)
> >> return -EINVAL;
> >> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> >> return -EINVAL;
> >> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> >> index 4e0a4ac803db..479c031ec54c 100644
> >> --- a/kernel/auditsc.c
> >> +++ b/kernel/auditsc.c
> >> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> >> break;
> >> case AUDIT_EXE:
> >> result = audit_exe_compare(tsk, rule->exe);
> >> + if (f->op == Audit_not_equal)
> >> + result = !result;
> >> break;
> >> case AUDIT_UID:
> >> result = audit_uid_comparator(cred->uid, f->op, f->uid);
> >> --
> >> 2.14.3
> >>
> >
> > - RGB
>
> Ondrej Mosnacek <omosnace at redhat dot com>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: [PATCH] audit: allow not equal op for audit by executable
2018-04-06 8:43 [PATCH] audit: allow not equal op for audit by executable Ondrej Mosnacek
2018-04-06 10:37 ` Richard Guy Briggs
@ 2018-04-06 14:32 ` Steve Grubb
2018-04-06 14:45 ` Richard Guy Briggs
2018-04-06 15:01 ` Ondrej Mosnacek
1 sibling, 2 replies; 10+ messages in thread
From: Steve Grubb @ 2018-04-06 14:32 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: Richard Guy Briggs, linux-audit
On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
What would an audit rule that uses this new capability look like?
-Steve
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>
> Hi Paul,
>
> this turned out to be easier than I anticipated so I'm sending the patch
> already :) I hope I got everything right. Note that the userspace tools
> also need to be updated to check the feature bit and allow/disallow the
> operator based on that.
>
> Ondrej
>
> include/uapi/linux/audit.h | 18 ++++++++++--------
> kernel/auditfilter.c | 2 +-
> kernel/auditsc.c | 2 ++
> 3 files changed, 13 insertions(+), 9 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 4e61a9e05132..03393f7e8932 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -333,13 +333,14 @@ enum {
> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> #define AUDIT_STATUS_LOST 0x0040
>
> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
>
> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> @@ -347,7 +348,8 @@ enum {
> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> AUDIT_FEATURE_BITMAP_LOST_RESET | \
> - AUDIT_FEATURE_BITMAP_FILTER_FS)
> + AUDIT_FEATURE_BITMAP_FILTER_FS | \
> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f) return -EINVAL;
> break;
> case AUDIT_EXE:
> - if (f->op != Audit_equal)
> + if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op, f->uid);
* Re: [PATCH] audit: allow not equal op for audit by executable
2018-04-06 14:32 ` Steve Grubb
@ 2018-04-06 14:45 ` Richard Guy Briggs
2018-04-06 15:19 ` Steve Grubb
2018-04-06 15:01 ` Ondrej Mosnacek
1 sibling, 1 reply; 10+ messages in thread
From: Richard Guy Briggs @ 2018-04-06 14:45 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On 2018-04-06 10:32, Steve Grubb wrote:
> On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
> > Current implementation of auditing by executable name only implements
> > the 'equal' operator. This patch extends it to also support the 'not
> > equal' operator.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/53
>
> What would an audit rule that uses this new capability look like?
auditctl -a exit,always ... -F exe!=/path/to/exec
> -Steve
>
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >
> > Hi Paul,
> >
> > this turned out to be easier than I anticipated so I'm sending the patch
> > already :) I hope I got everything right. Note that the userspace tools
> > also need to be updated to check the feature bit and allow/disallow the
> > operator based on that.
> >
> > Ondrej
> >
> > include/uapi/linux/audit.h | 18 ++++++++++--------
> > kernel/auditfilter.c | 2 +-
> > kernel/auditsc.c | 2 ++
> > 3 files changed, 13 insertions(+), 9 deletions(-)
> >
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 4e61a9e05132..03393f7e8932 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -333,13 +333,14 @@ enum {
> > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > #define AUDIT_STATUS_LOST 0x0040
> >
> > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
> >
> > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > @@ -347,7 +348,8 @@ enum {
> > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > AUDIT_FEATURE_BITMAP_LOST_RESET | \
> > - AUDIT_FEATURE_BITMAP_FILTER_FS)
> > + AUDIT_FEATURE_BITMAP_FILTER_FS | \
> > + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
> >
> > /* deprecated: AUDIT_VERSION_* */
> > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index d7a807e81451..a0c5a3ec6e60 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
> > struct audit_field *f) return -EINVAL;
> > break;
> > case AUDIT_EXE:
> > - if (f->op != Audit_equal)
> > + if (f->op != Audit_not_equal && f->op != Audit_equal)
> > return -EINVAL;
> > if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> > return -EINVAL;
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 4e0a4ac803db..479c031ec54c 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> > break;
> > case AUDIT_EXE:
> > result = audit_exe_compare(tsk, rule->exe);
> > + if (f->op == Audit_not_equal)
> > + result = !result;
> > break;
> > case AUDIT_UID:
> > result = audit_uid_comparator(cred->uid, f->op, f->uid);
>
>
>
>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: [PATCH] audit: allow not equal op for audit by executable
2018-04-06 14:32 ` Steve Grubb
2018-04-06 14:45 ` Richard Guy Briggs
@ 2018-04-06 15:01 ` Ondrej Mosnacek
1 sibling, 0 replies; 10+ messages in thread
From: Ondrej Mosnacek @ 2018-04-06 15:01 UTC (permalink / raw)
To: Steve Grubb; +Cc: Richard Guy Briggs, linux-audit
2018-04-06 16:32 GMT+02:00 Steve Grubb <sgrubb@redhat.com>:
> On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
>> Current implementation of auditing by executable name only implements
>> the 'equal' operator. This patch extends it to also support the 'not
>> equal' operator.
>>
>> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> What would an audit rule that uses this new capability look like?
The GitHub issue links to the following original user request:
https://www.redhat.com/archives/linux-audit/2017-June/msg00029.html
The desired rule would then look exactly as the user expected:
-a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F exe!=/path/to/application -F key=voicemail_watch
> -Steve
>
>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>> ---
>>
>> Hi Paul,
>>
>> this turned out to be easier than I anticipated so I'm sending the patch
>> already :) I hope I got everything right. Note that the userspace tools
>> also need to be updated to check the feature bit and allow/disallow the
>> operator based on that.
>>
>> Ondrej
>>
>> include/uapi/linux/audit.h | 18 ++++++++++--------
>> kernel/auditfilter.c | 2 +-
>> kernel/auditsc.c | 2 ++
>> 3 files changed, 13 insertions(+), 9 deletions(-)
>>
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 4e61a9e05132..03393f7e8932 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -333,13 +333,14 @@ enum {
>> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
>> #define AUDIT_STATUS_LOST 0x0040
>>
>> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
>> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
>> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
>> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
>> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
>> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
>> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
>> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
>> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
>> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
>> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
>> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
>> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
>> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
>> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
>>
>> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
>> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
>> @@ -347,7 +348,8 @@ enum {
>> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
>> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
>> AUDIT_FEATURE_BITMAP_LOST_RESET | \
>> - AUDIT_FEATURE_BITMAP_FILTER_FS)
>> + AUDIT_FEATURE_BITMAP_FILTER_FS | \
>> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
>>
>> /* deprecated: AUDIT_VERSION_* */
>> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index d7a807e81451..a0c5a3ec6e60 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
>> struct audit_field *f) return -EINVAL;
>> break;
>> case AUDIT_EXE:
>> - if (f->op != Audit_equal)
>> + if (f->op != Audit_not_equal && f->op != Audit_equal)
>> return -EINVAL;
>> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>> return -EINVAL;
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 4e0a4ac803db..479c031ec54c 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
>> break;
>> case AUDIT_EXE:
>> result = audit_exe_compare(tsk, rule->exe);
>> + if (f->op == Audit_not_equal)
>> + result = !result;
>> break;
>> case AUDIT_UID:
>> result = audit_uid_comparator(cred->uid, f->op, f->uid);
>
>
>
>
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
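The rule Ondrej gives above, together with the userspace feature-bit check his cover letter says auditctl needs, as an added example that is not code from the patch, from auditctl or from the linked audit-userspace commit: it builds the netlink AUDIT_ADD_RULE payload that userspace would send for `-F exe!=/path`, refusing the operator unless the kernel advertises the new feature bit. The struct layout and constants are copied from include/uapi/linux/audit.h so the file compiles without kernel headers; `exe_op_allowed()` and `build_exe_rule()` are hypothetical helpers, and the feature bitmap values passed in are constructed rather than read from a running kernel.

```c
/* Added example: build the netlink rule payload auditctl would send for
 *   -a always,exit -S all -F exe!=/path/to/application
 * and gate the operator on the kernel feature bitmap, as the cover letter
 * says userspace must.  Not code from the patch or from audit-userspace.
 * The struct and constants are copied from include/uapi/linux/audit.h so
 * this compiles without kernel headers. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_BITMASK_SIZE 64
#define AUDIT_MAX_FIELDS   64
#define AUDIT_FILTER_EXIT  0x04        /* rule list: syscall exit */
#define AUDIT_ALWAYS       2           /* rule action */
#define AUDIT_EXE          112         /* field type: executable path */
#define AUDIT_NOT_EQUAL    0x30000000  /* fieldflags operators */
#define AUDIT_EQUAL        0x40000000

/* Feature bits: EXECUTABLE_PATH already existed, _NEQ is what the
 * patch adds (0x00000080). */
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH     0x00000004
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080

struct audit_rule_data {
	uint32_t flags;                        /* list number, e.g. AUDIT_FILTER_EXIT */
	uint32_t action;                       /* AUDIT_NEVER / AUDIT_ALWAYS */
	uint32_t field_count;
	uint32_t mask[AUDIT_BITMASK_SIZE];     /* syscall bitmap (-S) */
	uint32_t fields[AUDIT_MAX_FIELDS];     /* field type per entry */
	uint32_t values[AUDIT_MAX_FIELDS];     /* for string fields: length in buf */
	uint32_t fieldflags[AUDIT_MAX_FIELDS]; /* operator per entry */
	uint32_t buflen;                       /* total length of string fields */
	char     buf[];                        /* string fields, back to back */
};

/* Hypothetical userspace check mirroring the cover letter: allow '=' when
 * the kernel advertises exe filtering at all, and '!=' only when it also
 * advertises the new _NEQ bit.  Returns 1 if allowed, 0 otherwise. */
int exe_op_allowed(uint32_t features, uint32_t op)
{
	if (!(features & AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH))
		return 0;
	if (op == AUDIT_EQUAL)
		return 1;
	if (op == AUDIT_NOT_EQUAL)
		return (features & AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ) != 0;
	return 0; /* exe takes no other operator */
}

/* Hypothetical helper: build the AUDIT_ADD_RULE payload for one
 * "-F exe<op>path" rule on the exit list with every syscall selected.
 * On success returns a malloc'd buffer and stores its size in *len; on a
 * disallowed operator returns NULL with *err = EINVAL, the same errno an
 * unpatched kernel hands back from audit_field_valid(). */
struct audit_rule_data *build_exe_rule(const char *path, uint32_t op,
				       uint32_t features, size_t *len, int *err)
{
	size_t plen = strlen(path);
	struct audit_rule_data *r;

	if (!exe_op_allowed(features, op)) {
		*err = EINVAL;
		return NULL;
	}
	r = calloc(1, sizeof(*r) + plen);
	if (!r) {
		*err = ENOMEM;
		return NULL;
	}
	r->flags = AUDIT_FILTER_EXIT;
	r->action = AUDIT_ALWAYS;
	memset(r->mask, 0xff, sizeof(r->mask)); /* -S all */
	r->field_count = 1;
	r->fields[0] = AUDIT_EXE;
	r->values[0] = (uint32_t)plen;          /* kernel reads plen bytes of buf */
	r->fieldflags[0] = op;
	r->buflen = (uint32_t)plen;
	memcpy(r->buf, path, plen);             /* not NUL-terminated, by design */
	*len = sizeof(*r) + plen;
	*err = 0;
	return r;
}
```

To load the rule for real the buffer would go out as an AUDIT_ADD_RULE message on a NETLINK_AUDIT socket, which needs CAP_AUDIT_CONTROL. The point of checking the bitmap first is the one Ondrej makes in the thread: without it, a kernel that predates the patch rejects the rule with a bare EINVAL from audit_field_valid(), and the tool can only print a generic error instead of "exe only takes = operator".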
* Re: [PATCH] audit: allow not equal op for audit by executable
2018-04-06 14:45 ` Richard Guy Briggs
@ 2018-04-06 15:19 ` Steve Grubb
2018-04-06 16:40 ` Richard Guy Briggs
0 siblings, 1 reply; 10+ messages in thread
From: Steve Grubb @ 2018-04-06 15:19 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
On Friday, April 6, 2018 10:45:37 AM EDT Richard Guy Briggs wrote:
> On 2018-04-06 10:32, Steve Grubb wrote:
> > On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
> > > Current implementation of auditing by executable name only implements
> > > the 'equal' operator. This patch extends it to also support the 'not
> > > equal' operator.
> > >
> > > See: https://github.com/linux-audit/audit-kernel/issues/53
> >
> > What would an audit rule that uses this new capability look like?
>
> auditctl -a exit,always ... -F exe!=/path/to/exec
Does this mean, audit the syscall for any application except the one
mentioned? If so, how does this compare to
auditctl -a exit,never ... -F exe=/path/to/exec
auditctl -a exit,always ...
-Steve
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > >
> > > Hi Paul,
> > >
> > > this turned out to be easier than I anticipated so I'm sending the
> > > patch
> > > already :) I hope I got everything right. Note that the userspace tools
> > > also need to be updated to check the feature bit and allow/disallow the
> > > operator based on that.
> > >
> > > Ondrej
> > >
> > > include/uapi/linux/audit.h | 18 ++++++++++--------
> > > kernel/auditfilter.c | 2 +-
> > > kernel/auditsc.c | 2 ++
> > > 3 files changed, 13 insertions(+), 9 deletions(-)
> > >
> > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > index 4e61a9e05132..03393f7e8932 100644
> > > --- a/include/uapi/linux/audit.h
> > > +++ b/include/uapi/linux/audit.h
> > > @@ -333,13 +333,14 @@ enum {
> > >
> > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > > #define AUDIT_STATUS_LOST 0x0040
> > >
> > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> > > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > > -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > > -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> > > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > > +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
> > >
> > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
> > > \
> > >
> > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > >
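Review bot: only `+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080` is a real change in this hunk; the seven `-`/`+` pairs above it re-align existing defines and differ in whitespace only, which hides a one-line addition inside a fourteen-line diff and makes backports noisier. Either drop the re-alignment or carry it in a separate whitespace-only patch. A bit in this uapi bitmap is also permanent once it ships, so it is worth asking (as the thread does below) whether the -EINVAL the validator already returns for an unsupported operator is enough for userspace to detect an older kernel.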
> > > @@ -347,7 +348,8 @@ enum {
> > >
> > > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> > > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > > AUDIT_FEATURE_BITMAP_LOST_RESET | \
> > >
> > > - AUDIT_FEATURE_BITMAP_FILTER_FS)
> > > + AUDIT_FEATURE_BITMAP_FILTER_FS | \
> > > + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
> > >
> > > /* deprecated: AUDIT_VERSION_* */
> > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> > >
> > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > > index d7a807e81451..a0c5a3ec6e60 100644
> > > --- a/kernel/auditfilter.c
> > > +++ b/kernel/auditfilter.c
> > > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry
> > > *entry, struct audit_field *f) return -EINVAL;
> > >
> > > break;
> > >
> > > case AUDIT_EXE:
> > > - if (f->op != Audit_equal)
> > > + if (f->op != Audit_not_equal && f->op != Audit_equal)
> > >
> > > return -EINVAL;
> > >
> > > if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> > >
> > > return -EINVAL;
> > >
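Review bot: the validator now accepts `Audit_not_equal` for AUDIT_EXE but rejects every other operator with the bare `return -EINVAL;` that follows, so a user who passes `exe!=` to a kernel without this change gets the same generic error as any malformed rule; if the feature bit is dropped, the user-visible contract ("exe takes = or !=") should at least be stated in the uapi header comment or the auditctl help so it can be discovered. Style nit: `if (f->op != Audit_equal && f->op != Audit_not_equal)` reads more naturally with the pre-existing operator first.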
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 4e0a4ac803db..479c031ec54c 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct
> > > *tsk,
> > >
> > > break;
> > >
> > > case AUDIT_EXE:
> > > result = audit_exe_compare(tsk, rule->exe);
> > >
> > > + if (f->op == Audit_not_equal)
> > > + result = !result;
> > >
> > > break;
> > >
> > > case AUDIT_UID:
> > > result = audit_uid_comparator(cred->uid, f->op, f->uid);
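Review bot: `result = !result;` negates whatever `audit_exe_compare(tsk, rule->exe)` returns, so it relies on that function yielding a strict 0/1 and never an error code or a "could not resolve" value; if it returns 0 for a task with no resolvable executable, an `exe!=` rule will match every such task, which deserves either a comment on the line or an explicit check. The `AUDIT_UID` case directly below passes `f->op` into `audit_uid_comparator(cred->uid, f->op, f->uid)`; passing the operator into the exe comparator the same way would keep all operator handling in one place instead of special-casing the negation here.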
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
* Re: [PATCH] audit: allow not equal op for audit by executable
From: Richard Guy Briggs @ 2018-04-06 16:40 UTC
To: Steve Grubb; +Cc: linux-audit
On 2018-04-06 11:19, Steve Grubb wrote:
> On Friday, April 6, 2018 10:45:37 AM EDT Richard Guy Briggs wrote:
> > On 2018-04-06 10:32, Steve Grubb wrote:
> > > On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
> > > > Current implementation of auditing by executable name only implements
> > > > the 'equal' operator. This patch extends it to also support the 'not
> > > > equal' operator.
> > > >
> > > > See: https://github.com/linux-audit/audit-kernel/issues/53
> > >
> > > What would an audit rule that uses this new capability look like?
> >
> > auditctl -a exit,always ... -F exe!=/path/to/exec
>
> Does this mean, audit the syscall for any application except the one
> mentioned? If so, how does this compare to
>
> auditctl -a exit,never ... -F exe=/path/to/exec
> auditctl -a exit,always ...
Two rules instead of one?
> -Steve
>
> > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > > ---
> > > >
> > > > Hi Paul,
> > > >
> > > > this turned out to be easier than I anticipated so I'm sending the
> > > > patch
> > > > already :) I hope I got everything right. Note that the userspace tools
> > > > also need to be updated to check the feature bit and allow/disallow the
> > > > operator based on that.
> > > >
> > > > Ondrej
> > > >
> > > > include/uapi/linux/audit.h | 18 ++++++++++--------
> > > > kernel/auditfilter.c | 2 +-
> > > > kernel/auditsc.c | 2 ++
> > > > 3 files changed, 13 insertions(+), 9 deletions(-)
> > > >
> > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > > index 4e61a9e05132..03393f7e8932 100644
> > > > --- a/include/uapi/linux/audit.h
> > > > +++ b/include/uapi/linux/audit.h
> > > > @@ -333,13 +333,14 @@ enum {
> > > >
> > > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > > > #define AUDIT_STATUS_LOST 0x0040
> > > >
> > > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > > > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > > > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> > > > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > > > -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > > > -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> > > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > > > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> > > > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > > > +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> > > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
> > > >
> > > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
> > > > \
> > > >
> > > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > > >
> > > > @@ -347,7 +348,8 @@ enum {
> > > >
> > > > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> > > > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > > > AUDIT_FEATURE_BITMAP_LOST_RESET | \
> > > >
> > > > - AUDIT_FEATURE_BITMAP_FILTER_FS)
> > > > + AUDIT_FEATURE_BITMAP_FILTER_FS | \
> > > > + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
> > > >
> > > > /* deprecated: AUDIT_VERSION_* */
> > > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> > > >
> > > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > > > index d7a807e81451..a0c5a3ec6e60 100644
> > > > --- a/kernel/auditfilter.c
> > > > +++ b/kernel/auditfilter.c
> > > > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry
> > > > *entry, struct audit_field *f) return -EINVAL;
> > > >
> > > > break;
> > > >
> > > > case AUDIT_EXE:
> > > > - if (f->op != Audit_equal)
> > > > + if (f->op != Audit_not_equal && f->op != Audit_equal)
> > > >
> > > > return -EINVAL;
> > > >
> > > > if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> > > >
> > > > return -EINVAL;
> > > >
> > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > > index 4e0a4ac803db..479c031ec54c 100644
> > > > --- a/kernel/auditsc.c
> > > > +++ b/kernel/auditsc.c
> > > > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct
> > > > *tsk,
> > > >
> > > > break;
> > > >
> > > > case AUDIT_EXE:
> > > > result = audit_exe_compare(tsk, rule->exe);
> > > >
> > > > + if (f->op == Audit_not_equal)
> > > > + result = !result;
> > > >
> > > > break;
> > > >
> > > > case AUDIT_UID:
> > > > result = audit_uid_comparator(cred->uid, f->op, f->uid);
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
>
>
>
>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
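A stand-alone C model of the comparison Steve asks about above and the "two rules instead of one" answer, added here and not code from the patch or the kernel: it reproduces the patch's negation in the AUDIT_EXE case and a simplified first-match walk of the exit list (the enum values, struct layout, strcmp stand-in for audit_exe_compare() and sample paths are all constructed), and checks that `exe!=` in one rule decides like `never` followed by `always` in two, but only in that order.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Stand-alone model; the kernel's real enum values are not reproduced. */
enum audit_op { Audit_equal, Audit_not_equal };
enum audit_action { AUDIT_NEVER, AUDIT_ALWAYS };

struct exe_rule {
	enum audit_action action;
	enum audit_op op;
	const char *exe;	/* NULL: rule carries no -F exe field */
};

/* AUDIT_EXE case of audit_filter_rules() after the patch: compare, then flip for
 * Audit_not_equal. strcmp stands in for audit_exe_compare(); a task with no
 * resolvable exe is modelled as task_exe == NULL, for which the compare is 0. */
static bool exe_rule_matches(const struct exe_rule *r, const char *task_exe)
{
	if (!r->exe)
		return true;
	bool result = task_exe && strcmp(task_exe, r->exe) == 0;
	if (r->op == Audit_not_equal)
		result = !result;
	return result;
}

/* Exit-list walk: first matching rule decides; recorded only if it is AUDIT_ALWAYS. */
bool records(const struct exe_rule *rules, size_t n, const char *task_exe)
{
	for (size_t i = 0; i < n; i++)
		if (exe_rule_matches(&rules[i], task_exe))
			return rules[i].action == AUDIT_ALWAYS;
	return false;
}
/* Constructed rule sets from the question in the thread. */
const struct exe_rule one_rule[] = {{ AUDIT_ALWAYS, Audit_not_equal, "/usr/bin/trusted" }};
const struct exe_rule never_then_always[] = {
	{ AUDIT_NEVER, Audit_equal, "/usr/bin/trusted" }, { AUDIT_ALWAYS, Audit_equal, NULL }};
const struct exe_rule always_then_never[] = {	/* same two rules, wrong order */
	{ AUDIT_ALWAYS, Audit_equal, NULL }, { AUDIT_NEVER, Audit_equal, "/usr/bin/trusted" }};
/* True when set decides like the single exe!= rule for every sample task. */
bool agrees_with_one_rule(const struct exe_rule *set, size_t n)
{
	const char *samples[] = { "/usr/bin/trusted", "/usr/bin/other", NULL };
	for (size_t i = 0; i < 3; i++)
		if (records(set, n, samples[i]) != records(one_rule, 1, samples[i]))
			return false;
	return true;
}
```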
* Re: [PATCH] audit: allow not equal op for audit by executable
From: Paul Moore @ 2018-04-06 21:21 UTC
To: Richard Guy Briggs; +Cc: linux-audit
On Fri, Apr 6, 2018 at 7:53 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2018-04-06 13:10, Ondrej Mosnacek wrote:
>> 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <rgb@redhat.com>:
>> > On 2018-04-06 10:43, Ondrej Mosnacek wrote:
>> >> Current implementation of auditing by executable name only implements
>> >> the 'equal' operator. This patch extends it to also support the 'not
>> >> equal' operator.
>> >>
>> >> See: https://github.com/linux-audit/audit-kernel/issues/53
>> >>
>> >> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>> >> ---
>> >>
>> >> Hi Paul,
>> >>
>> >> this turned out to be easier than I anticipated so I'm sending the patch
>> >> already :) I hope I got everything right. Note that the userspace tools
>> >> also need to be updated to check the feature bit and allow/disallow the
>> >> operator based on that.
>> >
>> > Do we really need to eat up a feature bit for this? The kernel will
>> > simply return -EINVAL if it isn't supported. That will make userspace
>> > implementation easier.
>>
>> The problem then would be that if someone tried to use the not equal
>> operator on an older kernel, he would get some generic error message
>> instead of the current "exe only takes = operator".
>
> You are right. I'm just not sure it is worth spending a feature bit on
> it.
We've gotten a bit carried away with our use of the feature bits and
we need to start engaging in a bit more discipline when it comes to
our feature bit "spending".
Ondrej, let's implement this without the feature bit. While I agree
the generic error message isn't extremely useful, it still generates a
"safe" error condition that is transmitted back to the user.
Other than that, I think the patch looked fine to me; resend it and
I'll apply it once the merge window closes.
--
paul moore
www.paul-moore.com