2018-05-01 22:06 GMT+02:00 Paul Moore <paul(a)paul-moore.com>:
 On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek
<omosnace(a)redhat.com> wrote:
> This patch removes the restriction of the AUDIT_EXE field to only
> SYSCALL filter and teaches audit_filter to recognize this field.
>
> This makes it possible to write rule lists such as:
>
>     auditctl -a exit,always [some general rule]
>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>     auditctl -a exclude,always -F exe=/bin/exe1
>     auditctl -a exclude,always -F exe=/bin/exe2
>
> See: https://github.com/linux-audit/audit-kernel/issues/54
>
> Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
> ---
>  kernel/auditfilter.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
Looks reasonable, do you have a working test for this?
Sure, I listed all the related patches (test suite and userspace) in
the GHAK issue. Anyway, the testsuite patch can be found here:
https://github.com/linux-audit/audit-testsuite/pull/68
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index a0c5a3ec6e60..8c9abbf20d42 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct
audit_field *f)
>         case AUDIT_EXE:
>                 if (f->op != Audit_not_equal && f->op != Audit_equal)
>                         return -EINVAL;
> -               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> -                       return -EINVAL;
>                 break;
>         }
>         return 0;
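Review bot: dropping the `listnr != AUDIT_FILTER_EXIT` check in audit_field_valid() admits AUDIT_EXE on every filter list, not only the exclude/user lists that the audit_filter() hunk below teaches to compare it; unless every list type that can carry this field actually evaluates it, consider replacing the removed check with an explicit allow-list of the supported list types, or at least state in the commit message which lists are now covered.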
> @@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype)
>                                                         f->type, f->op,
f->lsm_rule, NULL);
>                                 }
>                                 break;
> +                       case AUDIT_EXE:
> +                               result = audit_exe_compare(current, e->rule.exe);
> +                               if (f->op == Audit_not_equal)
> +                                       result = !result;
> +                               break;
>                         default:
>                                 goto unlock_and_return;
>                         }
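Review bot: the `result = !result` inversion in the new `case AUDIT_EXE:` is correct only because audit_field_valid() (first hunk) still restricts this field to Audit_equal and Audit_not_equal; a one-line comment at the new case pointing at that invariant, and noting that audit_exe_compare() is evaluated against `current`, would make the coupling visible to future readers of audit_filter().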
> --
> 2.14.3
>
 --
 paul moore
www.paul-moore.com
-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.