[RFC PATCH] audit: make sure we never skip the multicast broadcast
by Paul Moore
From: Paul Moore <paul(a)paul-moore.com>
When the auditd connection is reset, either intentionally or due to
a failure, any records that were in the main backlog queue would not
be sent in a multicast broadcast. This patch fixes this problem by
not flushing the main backlog queue on a connection reset, the main
kauditd_thread() will take care of that normally.
Resolves: https://github.com/linux-audit/audit-kernel/issues/41
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
kernel/audit.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index e1e2b3abfb93..7cad70214b81 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -605,11 +605,10 @@ static void auditd_reset(const struct auditd_connection *ac)
if (ac_old)
call_rcu(&ac_old->rcu, auditd_conn_free);
- /* flush all of the main and retry queues to the hold queue */
+ /* flush the retry queue to the hold queue, but don't touch the main
+ * queue since we need to process that normally for multicast */
while ((skb = skb_dequeue(&audit_retry_queue)))
kauditd_hold_skb(skb);
- while ((skb = skb_dequeue(&audit_queue)))
- kauditd_hold_skb(skb);
}
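Review bot: The new comment above the retry-queue loop says what is skipped but not who picks it up: a reader of auditd_reset() cannot tell from the code which path drains audit_queue once the connection is gone, and the commit message names it. Suggest `/* flush the retry queue to the hold queue; audit_queue is left alone because kauditd_thread() drains it and still needs to multicast its records */`. auditd_reset() starts before the hunk, so the skb declaration and the connection swap are not visible here.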
/**
[PATCH] audit-testsuite: look for both open(2) and openat(2)
by Paul Moore
From: root <root(a)rawhide-1.lan>
More and more tools and libraries are using openat(2) whenever
possible so we need to make sure we check for both syscalls.
This fixes the test suite on current versions of Fedora Rawhide.
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
tests/file_create/test | 4 +++-
tests/filter_sessionid/test | 2 +-
tests/syscalls_file/test | 8 ++++----
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/tests/file_create/test b/tests/file_create/test
index 08dc3ce..26a226d 100755
--- a/tests/file_create/test
+++ b/tests/file_create/test
@@ -78,7 +78,9 @@ while ( $line = <$fh_out> ) {
# test if we generate a SYSCALL record
if ( $line =~ /^type=SYSCALL / ) {
- if ( $line =~ / syscall=open / and $line =~ / success=yes / ) {
+ if ( ( $line =~ / syscall=open / or $line =~ / syscall=openat / )
+ and $line =~ / success=yes / )
+ {
$found_syscall = 1;
}
}
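Review bot: The widened `if` at the top of the hunk tests two separate regexes for `syscall=open` and `syscall=openat`; a single pattern `$line =~ / syscall=openat? /` expresses the same match and keeps the condition on one line, and the same two-regex form is repeated in the tests/syscalls_file hunk further down this patch. Both patterns rely on the trailing space to avoid matching longer syscall names, which is correct as written. The enclosing while loop over `$fh_out` starts before the hunk.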
diff --git a/tests/filter_sessionid/test b/tests/filter_sessionid/test
index de1eb72..6873bed 100755
--- a/tests/filter_sessionid/test
+++ b/tests/filter_sessionid/test
@@ -65,7 +65,7 @@ chomp($pid);
# test for the SYSCALL message
$result = system(
-"ausearch -i -m SYSCALL -sc open -p $pid --session $sessionid -k $key > $stdout 2> $stderr"
+"ausearch -i -m SYSCALL -sc open -sc openat -p $pid --session $sessionid -k $key > $stdout 2> $stderr"
);
ok( $result, 0 );
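Review bot: The ausearch invocation now passes `-sc open -sc openat`; whether ausearch ORs repeated `-sc` options or keeps only the last one depends on the ausearch version, and in the latter case this test would silently stop finding open(2) on systems that still use it. If repeated `-sc` is not guaranteed by the versions the suite targets, run one search per syscall and accept either, or grep the SYSCALL record text with the same `openat?` pattern the other tests use. The surrounding test body is outside the hunk.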
diff --git a/tests/syscalls_file/test b/tests/syscalls_file/test
index 53d28ba..316f823 100755
--- a/tests/syscalls_file/test
+++ b/tests/syscalls_file/test
@@ -62,10 +62,10 @@ my $found_create = 0;
while ( $line = <$fh_out> ) {
# test if we generate a SYSCALL record
- if ( $line =~ /^type=SYSCALL / ) {
- if ( $line =~ / syscall=open / ) {
- $found_syscall = 1;
- }
+ if ( $line =~ /^type=SYSCALL /
+ and ( $line =~ / syscall=open / or $line =~ / syscall=openat / ) )
+ {
+ $found_syscall = 1;
}
}
ok($found_syscall);
[PATCH] filter: add path filter with fstype
by Richard Guy Briggs
Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Add the new "path" filter list anchored in __audit_inode_child() to
filter out PATH records from uninteresting filesystem types, "fstype",
keying on their kernel hexadecimal 4-octet magic identifier.
An example rule would look like:
-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
-a never,path -F fstype=0x64626720 -F key=ignore_debugfs
Note: "always,path" will log the PATH record anyway and add latency.
See: https://github.com/linux-audit/audit-userspace/issues/15
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
docs/audit_add_rule_data.3 | 3 +++
lib/errormsg.h | 5 +++++
lib/fieldtab.h | 2 ++
lib/flagtab.h | 2 ++
lib/libaudit.c | 26 ++++++++++++++++++++++++--
lib/libaudit.h | 10 ++++++++++
lib/private.h | 1 +
src/auditctl-listing.c | 6 ++++--
src/auditctl.c | 14 +++++++++++++-
9 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
index 2321f39..4867e8c 100644
--- a/docs/audit_add_rule_data.3
+++ b/docs/audit_add_rule_data.3
@@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
.TP
\(bu
AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
+.TP
+\(bu
+AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
.LP
.PP
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 50c7d50..2a6e4d6 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -20,6 +20,7 @@
* Authors:
* Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
struct msg_tab {
@@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
{ -32, 0, "field data is missing" },
{ -33, 2, "-C field incompatible" },
{ -34, 2, "-C value incompatible" },
+ { -35, 1, "field is not valid for the filter" },
+ { -36, 1, "filter is not supported ty kernel" },
};
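Review bot: The new message for code -36 reads `"filter is not supported ty kernel"`; `ty` is a typo for `by`, and this string is what auditctl prints to the user when the feature bitmap lacks the path filter. Change it to `{ -36, 1, "filter is not supported by kernel" },`. The second column (1) follows the convention of the neighbouring entries, which looks right.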
#define EAU_OPMISSING 1
#define EAU_FIELDUNKNOWN 2
@@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_DATAMISSING 32
#define EAU_COMPFIELDINCOMPAT 33
#define EAU_COMPVALINCOMPAT 34
+#define EAU_FIELDUNAVAIL 35
+#define EAU_FILTERNOSUPPORT 36
#endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index 0c5e39d..c425d5b 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -18,6 +18,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_PID, "pid" )
@@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" )
_S(AUDIT_PERM, "perm" )
_S(AUDIT_DIR, "dir" )
_S(AUDIT_FILETYPE, "filetype" )
+_S(AUDIT_FSTYPE, "fstype" )
_S(AUDIT_OBJ_UID, "obj_uid" )
_S(AUDIT_OBJ_GID, "obj_gid" )
_S(AUDIT_FIELD_COMPARE, "field_compare" )
diff --git a/lib/flagtab.h b/lib/flagtab.h
index 4b04692..ed3e729 100644
--- a/lib/flagtab.h
+++ b/lib/flagtab.h
@@ -18,8 +18,10 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_FILTER_TASK, "task" )
_S(AUDIT_FILTER_EXIT, "exit" )
_S(AUDIT_FILTER_USER, "user" )
_S(AUDIT_FILTER_EXCLUDE, "exclude" )
+_S(AUDIT_FILTER_PATH, "path" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 028483d..f28238a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -86,6 +87,7 @@ int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
int _audit_filterexcladded = 0;
+int _audit_filterpathadded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
}
+ /* PATH filter can be used only with FSTYPE field */
+ if (flags == AUDIT_FILTER_PATH) {
+ uint32_t features = audit_get_features();
+ if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
+ return -EAU_FILTERNOSUPPORT;
+ } else {
+ switch(field) {
+ case AUDIT_FSTYPE:
+ _audit_filterpathadded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
+ return -EAU_FIELDUNAVAIL;
+ }
+ }
+ }
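Review bot: In the new `switch(field)` for AUDIT_FILTER_PATH, `case AUDIT_FSTYPE:` sets `_audit_filterpathadded = 1;` and then falls into `case AUDIT_FILTERKEY:`; the fall-through is intended but unmarked, while this same file annotates intended fall-through with `/* fallthrough */` (visible later in this patch). Add `/* fallthrough */` after the assignment so -Wimplicit-fallthrough and future readers do not take it for a missing break. The preceding feature-bitmap test returns -EAU_FILTERNOSUPPORT when AUDIT_FEATURE_BITMAP_FILTER_PATH is clear, which is the right place to reject the rule before any field is stored. audit_rule_fieldpair_data() starts and ends outside the hunk.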
+
rule->fields[rule->field_count] = field;
rule->fieldflags[rule->field_count] = op;
switch (field)
@@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded))
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
@@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_EXITONLY;
/* fallthrough */
default:
- if (field == AUDIT_INODE) {
+ if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
if (!(op == AUDIT_NOT_EQUAL ||
op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
@@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (!isdigit((char)*(v)))
return -EAU_FIELDVALNUM;
+ if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
+ return -EAU_FIELDUNAVAIL;
if (field == AUDIT_INODE)
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
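Review bot: AUDIT_FSTYPE values are filesystem magic numbers written in hex (the commit message's examples are 0x74726163 and 0x64626720), but only `field == AUDIT_INODE` is routed to `strtoul(v, NULL, 0)` on the last lines of the hunk; AUDIT_FSTYPE gets whatever conversion follows the hunk, which I cannot see. Since the operator check earlier in this patch already pairs the two fields, mirror it here: `if (field == AUDIT_INODE || field == AUDIT_FSTYPE)`, so a magic number with the top bit set is parsed as unsigned rather than possibly saturating in a signed conversion. The `isdigit((char)*(v))` guard above accepts hex input only because it inspects the leading `0`, which is fine but worth a one-line comment.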
diff --git a/lib/libaudit.h b/lib/libaudit.h
index e5c7a4d..e9c4973 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -277,6 +277,9 @@ extern "C" {
#define AUDIT_KEY_SEPARATOR 0x01
/* These are used in filter control */
+#ifndef AUDIT_FILTER_PATH
+#define AUDIT_FILTER_PATH 0x06 /* PATH record filter in __audit_inode_child */
+#endif
#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
#define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
#define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
@@ -305,6 +308,9 @@ extern "C" {
#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
#endif
+#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
+#define AUDIT_FEATURE_BITMAP_FILTER_PATH 0x00000040
+#endif
/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
@@ -324,6 +330,10 @@ extern "C" {
#define AUDIT_SESSIONID 25
#endif
+#ifndef AUDIT_FSTYPE
+#define AUDIT_FSTYPE 26
+#endif
+
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#endif
diff --git a/lib/private.h b/lib/private.h
index 855187b..117d6e3 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -140,6 +140,7 @@ extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
extern int _audit_filterexcladded;
+extern int _audit_filterpathadded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index 3bc8e71..e8640dd 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
- ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
if (r->mask[i] != (uint32_t)~0) {
all = 0;
@@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data *r, unsigned int *sc)
/* Rules on the following filters do not take a syscall */
if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
- ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
return 0;
/* See if its all or specific syscalls */
diff --git a/src/auditctl.c b/src/auditctl.c
index c785087..c7e8f0f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -75,6 +76,7 @@ static int reset_vars(void)
_audit_archadded = 0;
_audit_exeadded = 0;
_audit_filterexcladded = 0;
+ _audit_filterpathadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
*filter = AUDIT_FILTER_EXIT;
else if (strcmp(str, "user") == 0)
*filter = AUDIT_FILTER_USER;
+ else if (strcmp(str, "path") == 0)
+ *filter = AUDIT_FILTER_PATH;
else if (strcmp(str, "exclude") == 0) {
*filter = AUDIT_FILTER_EXCLUDE;
exclude = 1;
@@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
audit_msg(LOG_ERR,
"Error: syscall auditing being added to user list");
return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH)) {
+ audit_msg(LOG_ERR,
+ "Error: syscall auditing being added to path list");
+ return -1;
} else if (exclude) {
audit_msg(LOG_ERR,
"Error: syscall auditing cannot be put on exclude list");
@@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded) ||
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded) ||
(add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
--
1.7.1
[PATCH] auditctl: add sessionid to manpage
by Richard Guy Briggs
SessionID support was added in audit-userspace 2.7, commit:
5d89887 2016-10-19 ("In libaudit, add support for rules using sessionid")
The auditctl(8) manpage update was missed at that time. Add it.
See: https://github.com/linux-audit/audit-userspace/issues/24
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
docs/auditctl.8 | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/docs/auditctl.8 b/docs/auditctl.8
index d3388f2..05e389e 100644
--- a/docs/auditctl.8
+++ b/docs/auditctl.8
@@ -207,6 +207,9 @@ Process ID
.B ppid
Parent's Process ID
.TP
+.B sessionid
+User's login session ID
+.TP
.B subj_user
Program's SE Linux User
.TP
--
1.7.1
[PATCH] gitignore: ignore normalizer generated files
by Richard Guy Briggs
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
.gitignore | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/.gitignore b/.gitignore
index ba296d3..dc566b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,8 @@ audisp/audispd
audisp/plugins/remote/audisp-remote
audisp/plugins/zos-remote/audispd-zos-remote
auparse/*tabs.h
+auparse/normalize_*_maps.h
+auparse/gen_normalize_*_map
auparse/epoll_ctls.h
auparse/strsplit.c
bindings/swig/python/audit.py
--
1.7.1
[PATCH] errormsg: convert all raw error codes in table to macro values
by Richard Guy Briggs
Use the newly created error code macros in the error code text translation table.
See: https://github.com/linux-audit/audit-userspace/issues/11
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/errormsg.h | 70 ++++++++++++++++++++++++++++----------------------------
1 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 159d8f6..91d8252 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -35,41 +35,6 @@ struct msg_tab {
};
#ifndef NO_TABLES
-static const struct msg_tab err_msgtab[] = {
- { -1, 2, "-F missing operation for" },
- { -2, 2, "-F unknown field:" },
- { -3, 1, "must be before -S" },
- { -4, 1, "machine type not found" },
- { -5, 1, "elf mapping not found" },
- { -6, 1, "requested bit level not supported by machine" },
- { -7, 1, "can only be used with exit filter list" },
- { -8, 2, "-F unknown message type -" },
- { -9, 0, "msgtype field can only be used with exclude or user filter list" },
- { -10, 0, "Failed upgrading rule" },
- { -11, 0, "String value too long" },
- { -12, 0, "Only msgtype, *uid, *gid, pid, and subj* fields can be used with exclude filter" },
- { -13, 1, "only takes = or != operators" },
- { -14, 0, "Permission can only contain \'rwxa\'" },
- { -15, 2, "-F unknown errno -"},
- { -16, 2, "-F unknown file type - " },
- { -17, 1, "can only be used with exit and entry filter list" },
- { -18, 1, "" }, // Deprecated don't reuse
- { -19, 0, "Key field needs a watch, syscall or exe path given prior to it" },
- { -20, 2, "-F missing value after operation for" },
- { -21, 2, "-F value should be number for" },
- { -22, 2, "-F missing field name before operator for" },
- { -23, 2, "" }, // Deprecated don't reuse
- { -24, 2, "-C missing field name before operator for" },
- { -25, 2, "-C missing value after operation for "},
- { -26, 2, "-C unknown field:" },
- { -27, 2, "-C unknown right hand value for comparison with:" },
- { -28, 2, "Too many fields in rule:" },
- { -29, 1, "only takes = operator" },
- { -30, 2, "Field option not supported by kernel:" },
- { -31, 1, "must be used with exclude, user, or exit filter" },
- { -32, 0, "filter is missing from rule" },
- { -33, 2, "-C incompatible comparison" },
-};
#define EAU_OPMISSING 1
#define EAU_FIELDUNKNOWN 2
#define EAU_ARCHMISPLACED 3
@@ -101,4 +66,39 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_FIELDNOFILTER 31
#define EAU_FILTERMISSING 32
#define EAU_COMPINCOMPAT 33
+static const struct msg_tab err_msgtab[] = {
+ { -EAU_OPMISSING, 2, "-F missing operation for" },
+ { -EAU_FIELDUNKNOWN, 2, "-F unknown field:" },
+ { -EAU_ARCHMISPLACED, 1, "must be before -S" },
+ { -EAU_ARCHUNKNOWN, 1, "machine type not found" },
+ { -EAU_ELFUNKNOWN, 1, "elf mapping not found" },
+ { -EAU_ARCHNOBIT, 1, "requested bit level not supported by machine" },
+ { -EAU_EXITONLY, 1, "can only be used with exit filter list" },
+ { -EAU_MSGTYPEUNKNOWN, 2, "-F unknown message type -" },
+ { -EAU_MSGTYPEEXCLUDEUSER, 0, "msgtype field can only be used with exclude or user filter list" },
+ { -EAU_UPGRADEFAIL, 0, "Failed upgrading rule" },
+ { -EAU_STRTOOLONG, 0, "String value too long" },
+ { -EAU_MSGTYPECREDEXCLUDE, 0, "Only msgtype, *uid, *gid, pid, and subj* fields can be used with exclude filter" },
+ { -EAU_OPEQNOTEQ, 1, "only takes = or != operators" },
+ { -EAU_PERMRWXA, 0, "Permission can only contain \'rwxa\'" },
+ { -EAU_ERRUNKNOWN, 2, "-F unknown errno -"},
+ { -EAU_FILETYPEUNKNOWN, 2, "-F unknown file type - " },
+ { -EAU_EXITENTRYONLY, 1, "can only be used with exit and entry filter list" },
+ { -18, 1, "" }, // Deprecated don't reuse
+ { -EAU_KEYDEP, 0, "Key field needs a watch, syscall or exe path given prior to it" },
+ { -EAU_FIELDVALMISSING, 2, "-F missing value after operation for" },
+ { -EAU_FIELDVALNUM, 2, "-F value should be number for" },
+ { -EAU_FIELDNAME, 2, "-F missing field name before operator for" },
+ { -23, 2, "" }, // Deprecated don't reuse
+ { -EAU_COMPFIELDNAME, 2, "-C missing field name before operator for" },
+ { -EAU_COMPVAL, 2, "-C missing value after operation for "},
+ { -EAU_COMPFIELDUNKNOWN, 2, "-C unknown field:" },
+ { -EAU_COMPVALUNKNOWN, 2, "-C unknown right hand value for comparison with:" },
+ { -EAU_FIELDTOOMANY, 2, "Too many fields in rule:" },
+ { -EAU_OPEQ, 1, "only takes = operator" },
+ { -EAU_FIELDNOSUPPORT, 2, "Field option not supported by kernel:" },
+ { -EAU_FIELDNOFILTER, 1, "must be used with exclude, user, or exit filter" },
+ { -EAU_FILTERMISSING, 0, "filter is missing from rule" },
+ { -EAU_COMPINCOMPAT, 2, "-C incompatible comparison" },
+};
#endif
--
1.7.1
[PATCH] filterexcl: allow filterkey
by Richard Guy Briggs
The exclude rules did not permit a filterkey to be added. This isn't as
important for the exclude filter compared to the others since no records are
generated with that key, but still helps identify rules in the rules list
configuration.
Allow filterkeys to be used with the exclude filter.
See: https://github.com/linux-audit/audit-userspace/issues/14
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/libaudit.c | 13 +++++++++++--
lib/private.h | 1 +
src/auditctl.c | 5 +++--
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b1f8f9c..028483d 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -85,6 +85,7 @@ int _audit_permadded = 0;
int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
+int _audit_filterexcladded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (flags == AUDIT_FILTER_EXCLUDE) {
uint32_t features = audit_get_features();
if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
- if (field != AUDIT_MSGTYPE)
+ switch(field) {
+ case AUDIT_MSGTYPE:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
return -EAU_FIELDNOSUPPORT;
+ }
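Review bot: `case AUDIT_MSGTYPE:` sets `_audit_filterexcladded = 1;` and then falls through into `case AUDIT_FILTERKEY:` with no marker; the intent is clear from the commit message but not from the code, and the same unmarked fall-through is repeated in the next hunk of this file (`case AUDIT_SUBJ_CLR:` into `case AUDIT_FILTERKEY:`). Add `/* fallthrough */` after each assignment. One consequence worth a comment: the flag is only set when a non-key field is processed, and the key-dependency check later in this patch reads it, so `-F key=` given before the msgtype or subj field appears to still fail with -EAU_KEYDEP; field order in the rule matters. audit_rule_fieldpair_data() starts and ends outside the hunk.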
} else {
switch(field) {
case AUDIT_PID:
@@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
break;
default:
return -EAU_MSGTYPECREDEXCLUDE;
@@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded))
+ _audit_exeadded || _audit_filterexcladded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
diff --git a/lib/private.h b/lib/private.h
index cde1906..855187b 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -139,6 +139,7 @@ extern int _audit_permadded;
extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
+extern int _audit_filterexcladded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl.c b/src/auditctl.c
index 04765f4..c785087 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -74,6 +74,7 @@ static int reset_vars(void)
_audit_permadded = 0;
_audit_archadded = 0;
_audit_exeadded = 0;
+ _audit_filterexcladded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
- del==AUDIT_FILTER_UNSET)) {
+ _audit_exeadded || _audit_filterexcladded) ||
+ (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
retval = -1;
--
1.7.1
[PATCH] auparse: do not interpret fE as a capability field
by Richard Guy Briggs
The file effective capability is a boolean. It is being interpreted as the
capability "chown" by auparse. Just print its raw value.
An example from an execve syscall:
type=BPRM_FCAPS msg=audit(03/07/2017 17:29:56.494:969) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none new_pp=sys_admin new_pi=none new_pe=sys_admin
Fixed:
type=BPRM_FCAPS msg=audit(03/07/2017 17:29:56.494:969) : fver=2 fp=sys_admin fi=none fe=1 old_pp=none old_pi=none old_pe=none new_pp=sys_admin new_pi=none new_pe=sys_admin
See: https://github.com/linux-audit/audit-userspace/issues/18
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
auparse/typetab.h | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/auparse/typetab.h b/auparse/typetab.h
index be82796..32283c6 100644
--- a/auparse/typetab.h
+++ b/auparse/typetab.h
@@ -93,7 +93,6 @@ _S(AUPARSE_TYPE_CAP_BITMAP, "cap_fi" )
_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fp" )
_S(AUPARSE_TYPE_CAP_BITMAP, "fp" )
_S(AUPARSE_TYPE_CAP_BITMAP, "fi" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "fe" )
_S(AUPARSE_TYPE_CAP_BITMAP, "old_pp" )
_S(AUPARSE_TYPE_CAP_BITMAP, "old_pi" )
_S(AUPARSE_TYPE_CAP_BITMAP, "old_pe" )
--
1.7.1
[PATCH] filterkey: add errormsg reporting
by Richard Guy Briggs
Call errormsg after processing filterkey to speed up debugging.
See: https://github.com/linux-audit/audit-userspace/issues/13
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
src/auditctl.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index e112b16..04765f4 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -1091,8 +1091,10 @@ process_keys:
} else {
/* Add this to the rule */
int ret = audit_rule_fieldpair_data(&rule_new, cmd, flags);
- if (ret < 0)
+ if (ret != 0) {
+ audit_number_to_errmsg(ret, cmd);
retval = -1;
+ }
free(cmd);
}
}
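Review bot: The condition changed from `ret < 0` to `ret != 0`, so any positive return from audit_rule_fieldpair_data() is now treated as a failure and passed to audit_number_to_errmsg(); if the library's contract is 0 on success and a negative code on error, `ret < 0` already covered every case and the widening is a no-op, otherwise it turns a non-error result into a reported failure — worth confirming against libaudit before merging. Keeping `if (ret < 0) {` with the new error report inside the braces is the minimal change. The block under the `process_keys:` label starts before the hunk.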
--
1.7.1
[PATCH] audit: style fix
by Derek Robson
Fixed checkpatch.pl warnings of "function definition argument FOO
should also have an identifier name"
Signed-off-by: Derek Robson <robsonde(a)gmail.com>
---
kernel/audit.h | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index ddfce2ea4891..90b891eea204 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -247,13 +247,13 @@ struct audit_netlink_list {
struct sk_buff_head q;
};
-int audit_send_list(void *);
+int audit_send_list(void *_dest);
extern int selinux_audit_rule_update(void);
extern struct mutex audit_filter_mutex;
-extern int audit_del_rule(struct audit_entry *);
-extern void audit_free_rule_rcu(struct rcu_head *);
+extern int audit_del_rule(struct audit_entry *entry);
+extern void audit_free_rule_rcu(struct rcu_head *head);
extern struct list_head audit_filter_list[];
extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);
@@ -301,17 +301,17 @@ extern int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark
#endif /* CONFIG_AUDIT_WATCH */
#ifdef CONFIG_AUDIT_TREE
-extern struct audit_chunk *audit_tree_lookup(const struct inode *);
-extern void audit_put_chunk(struct audit_chunk *);
-extern bool audit_tree_match(struct audit_chunk *, struct audit_tree *);
-extern int audit_make_tree(struct audit_krule *, char *, u32);
-extern int audit_add_tree_rule(struct audit_krule *);
-extern int audit_remove_tree_rule(struct audit_krule *);
+extern struct audit_chunk *audit_tree_lookup(const struct inode *inode);
+extern void audit_put_chunk(struct audit_chunk *chunk);
+extern bool audit_tree_match(struct audit_chunk *chunk, struct audit_tree *tree);
+extern int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op);
+extern int audit_add_tree_rule(struct audit_krule *rule);
+extern int audit_remove_tree_rule(struct audit_krule *rule);
extern void audit_trim_trees(void);
extern int audit_tag_tree(char *old, char *new);
-extern const char *audit_tree_path(struct audit_tree *);
-extern void audit_put_tree(struct audit_tree *);
-extern void audit_kill_trees(struct list_head *);
+extern const char *audit_tree_path(struct audit_tree *tree);
+extern void audit_put_tree(struct audit_tree *tree);
+extern void audit_kill_trees(struct list_head *list);
#else
#define audit_remove_tree_rule(rule) BUG()
#define audit_add_tree_rule(rule) -EINVAL
@@ -323,7 +323,7 @@ extern void audit_kill_trees(struct list_head *);
#define audit_kill_trees(list) BUG()
#endif
-extern char *audit_unpack_string(void **, size_t *, size_t);
+extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
extern pid_t audit_sig_pid;
extern kuid_t audit_sig_uid;
@@ -333,7 +333,7 @@ extern int audit_filter(int msgtype, unsigned int listtype);
#ifdef CONFIG_AUDITSYSCALL
extern int audit_signal_info(int sig, struct task_struct *t);
-extern void audit_filter_inodes(struct task_struct *, struct audit_context *);
+extern void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx);
extern struct list_head *audit_killed_trees(void);
#else
#define audit_signal_info(s,t) AUDIT_DISABLED
--
2.13.0