[PATCH 3/4] Add the checking of exclude filter list for the field which is not AUDIT_MSGTYPE
by zhangxiliang
Hello Steve,
When field is not AUDIT_MSGTYPE, it is invalid for exclude filter list.
I think the fields shoud be check before sending to kernel.
I add checking and error message "-18" to realize it.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
lib/deprecated.c | 3 +++
lib/libaudit.c | 3 +++
src/auditctl.c | 5 +++++
3 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/lib/deprecated.c b/lib/deprecated.c
index 695e5d6..e7047df 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -440,6 +440,9 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
if (field == AUDIT_PPID && (flags != AUDIT_FILTER_EXIT
|| flags != AUDIT_FILTER_ENTRY))
return -17;
+
+ if (flags == AUDIT_FILTER_EXCLUDE)
+ return -18;
rule->values[rule->field_count] = strtol(v, NULL, 0);
break;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 5b276f1..4d20261 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1085,6 +1085,9 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (field == AUDIT_PPID && (flags != AUDIT_FILTER_EXIT
|| flags != AUDIT_FILTER_ENTRY))
return -17;
+
+ if (flags == AUDIT_FILTER_EXCLUDE)
+ return -18;
rule->values[rule->field_count] = strtol(v, NULL, 0);
break;
diff --git a/src/auditctl.c b/src/auditctl.c
index 2e64d28..0d38ac1 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -794,6 +794,11 @@ static int setopt(int count, char *vars[])
"Field %s can only be used with exit and entry filter list\n", optarg);
retval = -1;
break;
+ case -18:
+ fprintf(stderr,
+ "Field %s can not be used with exclude filter list\n", optarg);
+ retval = -1;
+ break;
default:
retval = -1;
break;
--
Regards
Zhang Xiliang
16 years, 4 months
[PATCH 2/4] Add the checking for field AUDIT_FILETYPE and AUDIT_PPID
by zhangxiliang
Hello Steve,
When field is AUDIT_FILETYPET and AUDIT_PPID, it can only used for AUDIT_FILTER_EXIT and AUDIT_FILTER_ENTRY.
I think the fields shoud be check before send audit rule to kernel.
I add checking and error message "-17" to realize it.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
lib/deprecated.c | 6 ++++++
lib/libaudit.c | 7 +++++++
src/auditctl.c | 5 +++++
3 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/lib/deprecated.c b/lib/deprecated.c
index 4ad8253..695e5d6 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -403,6 +403,8 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
audit_archadded = 1;
break;
case AUDIT_FILETYPE:
+ if (flags != AUDIT_FILTER_EXIT || flags != AUDIT_FILTER_ENTRY)
+ return -17;
rule->values[rule->field_count] =
audit_name_to_ftype(v);
if (rule->values[rule->field_count] < 0) {
@@ -435,6 +437,10 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
if (!(op == AUDIT_NEGATE || op == 0))
return -13;
}
+ if (field == AUDIT_PPID && (flags != AUDIT_FILTER_EXIT
+ || flags != AUDIT_FILTER_ENTRY))
+ return -17;
+
rule->values[rule->field_count] = strtol(v, NULL, 0);
break;
}
diff --git a/lib/libaudit.c b/lib/libaudit.c
index d439c2f..5b276f1 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1063,6 +1063,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
break;
case AUDIT_FILETYPE:
+ if (flags != AUDIT_FILTER_EXIT || flags != AUDIT_FILTER_ENTRY)
+ return -17;
rule->values[rule->field_count] =
audit_name_to_ftype(v);
if (rule->values[rule->field_count] < 0) {
@@ -1079,6 +1081,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (!(op == AUDIT_NEGATE || op == AUDIT_EQUAL))
return -13;
}
+
+ if (field == AUDIT_PPID && (flags != AUDIT_FILTER_EXIT
+ || flags != AUDIT_FILTER_ENTRY))
+ return -17;
+
rule->values[rule->field_count] = strtol(v, NULL, 0);
break;
}
diff --git a/src/auditctl.c b/src/auditctl.c
index 5b6de26..2e64d28 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -789,6 +789,11 @@ static int setopt(int count, char *vars[])
"-F unknown file type - %s\n", optarg);
retval = -1;
break;
+ case -17:
+ fprintf(stderr,
+ "Field %s can only be used with exit and entry filter list\n", optarg);
+ retval = -1;
+ break;
default:
retval = -1;
break;
--
Regards
Zhang Xiliang
16 years, 4 months
[PATCH 1/4] Fix the bug of the error message for -7 when checking field
by zhangxiliang
Hello Steve,
When field is AUDIT_EXIT, AUDIT_SUCCESS and so on, the entry,user,task,exclude filter list should be invalid on anything.
So I think using "flags != AUDIT_FILTER_EXIT" is better than "flags == AUDIT_FILTER_ENTRY".
The error message for "-7" is not suit in some conditions.
For example,
1, auditctl -a task,always -F perm=r
Error message is "Field perm cannot be checked at syscall entry".
It should be task filter list.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
lib/deprecated.c | 5 ++---
lib/libaudit.c | 4 ++--
src/auditctl.c | 2 +-
3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/lib/deprecated.c b/lib/deprecated.c
index 4f0c14e..4ad8253 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -281,7 +281,7 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
}
break;
case AUDIT_EXIT:
- if (flags == AUDIT_FILTER_ENTRY)
+ if (flags != AUDIT_FILTER_EXIT)
return -7;
vlen = strlen(v);
if (isdigit((char)*(v)))
@@ -427,8 +427,7 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
return -10;
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS...AUDIT_SUCCESS:
-
- if (flags == AUDIT_FILTER_ENTRY)
+ if (flags != AUDIT_FILTER_EXIT)
return -7;
/* fallthrough */
default:
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 563b8ad..d439c2f 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -870,7 +870,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
break;
case AUDIT_EXIT:
- if (flags == AUDIT_FILTER_ENTRY)
+ if (flags != AUDIT_FILTER_EXIT)
return -7;
vlen = strlen(v);
if (isdigit((char)*(v)))
@@ -1071,7 +1071,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
break;
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS...AUDIT_SUCCESS:
- if (flags == AUDIT_FILTER_ENTRY)
+ if (flags != AUDIT_FILTER_EXIT)
return -7;
/* fallthrough */
default:
diff --git a/src/auditctl.c b/src/auditctl.c
index d740509..5b6de26 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -739,7 +739,7 @@ static int setopt(int count, char *vars[])
break;
case -7:
fprintf(stderr,
- "Field %s cannot be checked at syscall entry\n",
+ "Field %s can only be used with exit filter list\n",
optarg);
retval = -1;
break;
--
Regards
Zhang Xiliang
16 years, 4 months
audit-viewer "comm" question
by LC Bruzenak
After reading Steve's info about the "comm" field being clipped at 16
chars, I was surprised to see a longer string inside the audit-viewer
"comm" field.
I have taken a screen shot, but won't post it unless asked (it's 41K).
The "comm" field there is: "/usr/libexec/gnome-settings-daemon", which
of course is longer than 16 chars.
The same event in ausearch shows a NULL "comm" field, but the rest of
the info lines up with the GUI:
[root@hugo ~]# ausearch -ts today -i -a 126492
----
type=USER_AVC msg=audit(08/04/2008 16:04:24.152:126492) : user pid=23501
uid=root auid=unset subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023
msg='avc: denied { receive } for comm=(null) event=X11:PropertyNotify
scontext=user_u:user_r:user_t:s0-s15:c0.c1023
tcontext=user_u:object_r:property_xevent_t:s4:c0,c2,c11,c200.c511
tclass=x_event : exe=/usr/bin/Xorg (sauid=root hostname=?, addr=?,
terminal=?)'
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
16 years, 4 months
possible "comm"
by LC Bruzenak
While looking through some audit events in the audit-viewer I saw what I
thought might be a display error (see below "comm="), however when I
look at the event using ausearch I see the same thing:
# ausearch -ts recent -i -a 50457
----
type=SOCKADDR msg=audit(07/31/2008 15:37:43.602:50457) : saddr=inet
host:127.0.0.1 serv:16001
type=SYSCALL msg=audit(07/31/2008 15:37:43.602:50457) : arch=x86_64
syscall=connect success=no exit=-111(Connection refused) a0=10
a1=2f96d30 a2=10 a3=7fff13ee75dc items=0 ppid=22794 pid=23014 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts3 ses=818 comm=/usr/share/audi exe=/usr/bin/python
subj=root:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(07/31/2008 15:37:43.602:50457) : avc: denied
{ recvfrom } for pid=23014 comm=/usr/share/audi saddr=127.0.0.1
src=16001 daddr=127.0.0.1 dest=58356 netif=lo
scontext=root:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=root:auditadm_r:auditadm_t:s15:c0.c1023 tclass=association
The
exe=/usr/bin/python.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
16 years, 4 months
the format string of printf to print audit status is wrong
by Yu Zhiguo
Hello Steve,
all audit status's type is __u32, so '%u' should be used
in format string of printf rather than '%d', otherwise the
value outputted to user will be wraparound.
For example:
# auditctl -r 4294967295
AUDIT_STATUS: enabled=1 flag=1 pid=8999 rate_limit=-1 backlog_limit=320
lost=2241 backlog=0
but it should be
# auditctl -r 4294967295
AUDIT_STATUS: enabled=1 flag=1 pid=8999 rate_limit=4294967295
backlog_limit=320 lost=2270 backlog=0
This is the patch. Can you apply it?
Signed-off-by: Yu Zhiguo<yuzg(a)cn.fujitsu.com>
---
src/auditctl.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index d740509..5416e9b 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -1349,8 +1349,8 @@ static int audit_print_reply(struct audit_reply *rep)
printed = 1;
return 0;
case AUDIT_GET:
- printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d"
- " rate_limit=%d backlog_limit=%d lost=%d backlog=%d\n",
+ printf("AUDIT_STATUS: enabled=%u flag=%u pid=%u"
+ " rate_limit=%u backlog_limit=%u lost=%u backlog=%u\n",
rep->status->enabled, rep->status->failure,
rep->status->pid, rep->status->rate_limit,
rep->status->backlog_limit, rep->status->lost,
16 years, 4 months
[PATCH] Fix the kernel panic of audit_filter_task when key field is set
by zhangxiliang
When calling audit_filter_task(), it calls audit_filter_rules() with audit_context is NULL.
If the key field is set, the result in audit_filter_rules() will be set to 1 and
ctx->filterkey will be set to key.
But the ctx is NULL in this condition, so kernel will panic.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
kernel/auditsc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4699950..012c94e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -610,7 +610,7 @@ static int audit_filter_rules(struct task_struct *tsk,
if (!result)
return 0;
}
- if (rule->filterkey)
+ if (rule->filterkey && ctx)
ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
switch (rule->action) {
case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
16 years, 4 months
[PATCH] the loginuid field should be output in all AUDIT_CONFIG_CHANGE audit messages
by zhangxiliang
In the audit message which type is "AUDIT_CONFIG_CHANGE", the output format should contain "auid" field.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
kernel/auditfilter.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 98c50cc..8a184f5 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1022,8 +1022,9 @@ static void audit_update_watch(struct audit_parent *parent,
struct audit_buffer *ab;
ab = audit_log_start(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab, "auid=%u", current->loginuid);
audit_log_format(ab,
- "op=updated rules specifying path=");
+ " op=updated rules specifying path=");
audit_log_untrustedstring(ab, owatch->path);
audit_log_format(ab, " with dev=%u ino=%lu\n",
dev, ino);
@@ -1058,7 +1059,8 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
struct audit_buffer *ab;
ab = audit_log_start(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "op=remove rule path=");
+ audit_log_format(ab, "auid=%u", current->loginuid);
+ audit_log_format(ab, " op=remove rule path=");
audit_log_untrustedstring(ab, w->path);
if (r->filterkey) {
audit_log_format(ab, " key=");
--
1.5.4.2
--
Regards
Zhang Xiliang
16 years, 4 months