5:21 p.m.
On 2018-05-31 17:29, Steve Grubb wrote:
On Thursday, May 31, 2018 4:23:09 PM EDT Richard Guy Briggs wrote:
> The AUDIT_FILTER_TYPE name is vague and misleading due to not describing
> where or when the filter is applied and obsolete due to its available
> filter fields having been expanded.
>
> Userspace has already renamed it from AUDIT_FILTER_TYPE to
> AUDIT_FILTER_EXCLUDE without checking if it already exists.
Historically speaking, this is not why it is the way it is. But I think it
doesn't mean that you cannot do something like this:
#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
I was originally hoping to do that, but that then causes a build error
on any previous version of audit userspace.
It's easy then to add a #ifndef to the userspace code so that
there is an
easy migration. I also do not see any compiler warnings with the above in
both /usr/include/linux/audit.h and /usr/include/libaudit.h.
I know it would be easy to fix and going forward userspace could adopt
the kernel one with
#ifndef AUDIT_FILTER_EXCL
#define AUDIT_FILTER_EXCL AUDIT_FILTER_TYPE
#endif
I do have a minor preference for the shorter AUDIT_FILTER_EXCL.
The only place in userspace that AUDIT_FILTER_TYPE is used is grabbing
the value from the kernel to set AUDIT_FILTER_EXCLUDE, and in two bits
of documentation (since that is the published API for libaudit).
Might it make sense to still make AUDIT_FILTER_TYPE available for
libaudit users, but change over the documentation to use one of the
newer forms?
-Steve
> In order to
> not cause userspace compile problems from duplicate definitions and to
> more accurately and inclusively rename it in the kernel, while providing
> a migration path for userspace, rename it to AUDIT_FILTER_EXCL.
>
> See: https://github.com/linux-audit/audit-kernel/issues/89
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> include/uapi/linux/audit.h | 3 ++-
> kernel/audit.c | 2 +-
> kernel/auditfilter.c | 10 +++++-----
> 3 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 04f9bd2..45dd7ef 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -156,8 +156,9 @@
> #define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */
> #define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */
> #define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */
> -#define AUDIT_FILTER_TYPE 0x05 /* Apply rule at audit_log_start */
> +#define AUDIT_FILTER_EXCL 0x05 /* Apply rule at audit_log_start */
> #define AUDIT_FILTER_FS 0x06 /* Apply rule at __audit_inode_child */
> +#define AUDIT_FILTER_TYPE AUDIT_FILTER_EXCL /* obsolete misleading naming
> */
>
> #define AUDIT_NR_FILTERS 7
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 3a18e59..089cede 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1754,7 +1754,7 @@ struct audit_buffer *audit_log_start(struct
> audit_context *ctx, gfp_t gfp_mask, if (audit_initialized !=
> AUDIT_INITIALIZED)
> return NULL;
>
> - if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
> + if (unlikely(!audit_filter(type, AUDIT_FILTER_EXCL)))
> return NULL;
>
> /* NOTE: don't ever fail/sleep on these two conditions:
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index eaa3201..f17a42f5 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -264,7 +264,7 @@ static inline struct audit_entry
> *audit_to_entry_common(struct audit_rule_data * case AUDIT_FILTER_TASK:
> #endif
> case AUDIT_FILTER_USER:
> - case AUDIT_FILTER_TYPE:
> + case AUDIT_FILTER_EXCL:
> case AUDIT_FILTER_FS:
> ;
> }
> @@ -337,7 +337,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f) {
> switch(f->type) {
> case AUDIT_MSGTYPE:
> - if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
> + if (entry->rule.listnr != AUDIT_FILTER_EXCL &&
> entry->rule.listnr != AUDIT_FILTER_USER)
> return -EINVAL;
> break;
> @@ -931,7 +931,7 @@ static inline int audit_add_rule(struct audit_entry
> *entry) /* If any of these, don't count towards total */
> switch(entry->rule.listnr) {
> case AUDIT_FILTER_USER:
> - case AUDIT_FILTER_TYPE:
> + case AUDIT_FILTER_EXCL:
> case AUDIT_FILTER_FS:
> dont_count = 1;
> }
> @@ -1013,7 +1013,7 @@ int audit_del_rule(struct audit_entry *entry)
> /* If any of these, don't count towards total */
> switch(entry->rule.listnr) {
> case AUDIT_FILTER_USER:
> - case AUDIT_FILTER_TYPE:
> + case AUDIT_FILTER_EXCL:
> case AUDIT_FILTER_FS:
> dont_count = 1;
> }
> @@ -1369,7 +1369,7 @@ int audit_filter(int msgtype, unsigned int listtype)
> break;
> }
> if (result > 0) {
> - if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
> + if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_EXCL)
> ret = 0;
> break;
> }
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635