On 2019-05-28 18:00, Paul Moore wrote:
On Wed, May 22, 2019 at 5:52 PM Richard Guy Briggs
<rgb(a)redhat.com> wrote:
>
> The field operator is ignored on several string fields. WATCH, DIR,
> PERM and FILETYPE field operators are completely ignored and meaningless
> since the op is not referenced in audit_filter_rules(). Range and
> bitwise operators are already addressed in ghak73.
>
> Honour the operator for WATCH, DIR, PERM, FILETYPE fields as is done in
> the EXE field.
>
> Please see github issue
> https://github.com/linux-audit/audit-kernel/issues/114
> ---
> kernel/auditsc.c | 18 +++++++++++++++---
> 1 file changed, 15 insertions(+), 3 deletions(-)
While the patch looks fine, it is missing your sign-off. If you reply
to this thread with it, I'll go ahead and add to the patch when
merging.
GHAK! Sorry about that!
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
It passed checkpatch.pl when that code was in the ghak73 patch. :-)
I'm sure everyone is tired of hearing me complain about people not
checking their patches, but this is something that would have been
caught by running ./scripts/checkpatch.pl against your patch (the
entire patch, not just the code portion). If you aren't running your
full patch through checkpatch already, it is easy to do (there are
likely other ways too, these are just the two that I use):
* using git
# git format-patch --stdout -1 <commit_id> | ./scripts/checkpatch.pl -
* using stgit (my favorite)
# stg export -s <patch> | ./scripts/checkpatch.pl -
Nice, it even works for a series...
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 30aa07b0115f..087137d341a2 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -601,12 +601,20 @@ static int audit_filter_rules(struct task_struct *tsk,
> }
> break;
> case AUDIT_WATCH:
> - if (name)
> - result = audit_watch_compare(rule->watch,
name->ino, name->dev);
> + if (name) {
> + result = audit_watch_compare(rule->watch,
> + name->ino,
> + name->dev);
> + if (f->op == Audit_not_equal)
> + result = !result;
> + }
> break;
> case AUDIT_DIR:
> - if (ctx)
> + if (ctx) {
> result = match_tree_refs(ctx, rule->tree);
> + if (f->op == Audit_not_equal)
> + result = !result;
> + }
> break;
> case AUDIT_LOGINUID:
> result = audit_uid_comparator(audit_get_loginuid(tsk),
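Review bot: In the AUDIT_WATCH and AUDIT_DIR cases the `Audit_not_equal` inversion sits inside the `if (name)` / `if (ctx)` guard, so when `name` or `ctx` is NULL a `!=` rule leaves `result` at whatever value it held on entry to the case, which this hunk does not show. If that is the intended meaning of `!=` when there is no name or context, a one-line comment above each guard would document it; otherwise the NULL path needs an explicit result. Only `Audit_not_equal` is tested, so any other operator supplied for these fields is still evaluated as equality.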
> @@ -684,9 +692,13 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_PERM:
> result = audit_match_perm(ctx, f->val);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_FILETYPE:
> result = audit_match_filetype(ctx, f->val);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_FIELD_COMPARE:
> result = audit_field_compare(tsk, cred, f, ctx, name);
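Review bot: In the AUDIT_PERM and AUDIT_FILETYPE cases the inversion is applied unconditionally to the return value of `audit_match_perm()` / `audit_match_filetype()`, unlike the guarded WATCH and DIR cases in the previous hunk, so a `!=` rule matches whenever those helpers return 0 for any reason, not only on a genuine mismatch. It is worth confirming that this is the wanted result when `ctx` carries nothing to compare against, and saying so in the commit message. As a style point, the pair `if (f->op == Audit_not_equal)` / `result = !result;` now appears four times in audit_filter_rules(); a small helper would keep the cases consistent.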
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635