5:40 a.m.
Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Add the new "path" filter list anchored in __audit_inode_child() to
filter out PATH records from uninteresting filesystem types, "fstype",
keying on their kernel hexadecimal 4-octet magic identifier.
An example rule would look like:
-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
-a never,path -F fstype=0x64626720 -F key=ignore_debugfs
Note: "always,path" will log the PATH record anyways and add latency.
See: https://github.com/linux-audit/audit-userspace/issues/15
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
docs/audit_add_rule_data.3 | 3 +++
lib/errormsg.h | 5 +++++
lib/fieldtab.h | 2 ++
lib/flagtab.h | 2 ++
lib/libaudit.c | 26 ++++++++++++++++++++++++--
lib/libaudit.h | 10 ++++++++++
lib/private.h | 1 +
src/auditctl-listing.c | 6 ++++--
src/auditctl.c | 14 +++++++++++++-
9 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
index 2321f39..4867e8c 100644
--- a/docs/audit_add_rule_data.3
+++ b/docs/audit_add_rule_data.3
@@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
.TP
\(bu
AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
+.TP
+\(bu
+AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
.LP
.PP
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 50c7d50..2a6e4d6 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -20,6 +20,7 @@
* Authors:
* Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
struct msg_tab {
@@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
{ -32, 0, "field data is missing" },
{ -33, 2, "-C field incompatible" },
{ -34, 2, "-C value incompatible" },
+ { -35, 1, "field is not valid for the filter" },
+ { -36, 1, "filter is not supported ty kernel" },
};
#define EAU_OPMISSING 1
#define EAU_FIELDUNKNOWN 2
@@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_DATAMISSING 32
#define EAU_COMPFIELDINCOMPAT 33
#define EAU_COMPVALINCOMPAT 34
+#define EAU_FIELDUNAVAIL 35
+#define EAU_FILTERNOSUPPORT 36
#endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index 0c5e39d..c425d5b 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -18,6 +18,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_PID, "pid" )
@@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" )
_S(AUDIT_PERM, "perm" )
_S(AUDIT_DIR, "dir" )
_S(AUDIT_FILETYPE, "filetype" )
+_S(AUDIT_FSTYPE, "fstype" )
_S(AUDIT_OBJ_UID, "obj_uid" )
_S(AUDIT_OBJ_GID, "obj_gid" )
_S(AUDIT_FIELD_COMPARE, "field_compare" )
diff --git a/lib/flagtab.h b/lib/flagtab.h
index 4b04692..ed3e729 100644
--- a/lib/flagtab.h
+++ b/lib/flagtab.h
@@ -18,8 +18,10 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_FILTER_TASK, "task" )
_S(AUDIT_FILTER_EXIT, "exit" )
_S(AUDIT_FILTER_USER, "user" )
_S(AUDIT_FILTER_EXCLUDE, "exclude" )
+_S(AUDIT_FILTER_PATH, "path" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 028483d..f28238a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -86,6 +87,7 @@ int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
int _audit_filterexcladded = 0;
+int _audit_filterpathadded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const
char *pair,
}
}
+ /* PATH filter can be used only with FSTYPE field */
+ if (flags == AUDIT_FILTER_PATH) {
+ uint32_t features = audit_get_features();
+ if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
+ return -EAU_FILTERNOSUPPORT;
+ } else {
+ switch(field) {
+ case AUDIT_FSTYPE:
+ _audit_filterpathadded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
+ return -EAU_FIELDUNAVAIL;
+ }
+ }
+ }
+
rule->fields[rule->field_count] = field;
rule->fieldflags[rule->field_count] = op;
switch (field)
@@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const
char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded))
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
@@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const
char *pair,
return -EAU_EXITONLY;
/* fallthrough */
default:
- if (field == AUDIT_INODE) {
+ if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
if (!(op == AUDIT_NOT_EQUAL ||
op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
@@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const
char *pair,
if (!isdigit((char)*(v)))
return -EAU_FIELDVALNUM;
+ if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
+ return -EAU_FIELDUNAVAIL;
if (field == AUDIT_INODE)
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
diff --git a/lib/libaudit.h b/lib/libaudit.h
index e5c7a4d..e9c4973 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -277,6 +277,9 @@ extern "C" {
#define AUDIT_KEY_SEPARATOR 0x01
/* These are used in filter control */
+#ifndef AUDIT_FILTER_PATH
+#define AUDIT_FILTER_PATH 0x06 /* PATH record filter in __audit_inode_child */
+#endif
#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
#define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
#define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
@@ -305,6 +308,9 @@ extern "C" {
#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
#endif
+#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
+#define AUDIT_FEATURE_BITMAP_FILTER_PATH 0x00000040
+#endif
/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
@@ -324,6 +330,10 @@ extern "C" {
#define AUDIT_SESSIONID 25
#endif
+#ifndef AUDIT_FSTYPE
+#define AUDIT_FSTYPE 26
+#endif
+
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#endif
diff --git a/lib/private.h b/lib/private.h
index 855187b..117d6e3 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -140,6 +140,7 @@ extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
extern int _audit_filterexcladded;
+extern int _audit_filterpathadded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index 3bc8e71..e8640dd 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
- ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
if (r->mask[i] != (uint32_t)~0) {
all = 0;
@@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data *r, unsigned int
*sc)
/* Rules on the following filters do not take a syscall */
if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
- ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
return 0;
/* See if its all or specific syscalls */
diff --git a/src/auditctl.c b/src/auditctl.c
index c785087..c7e8f0f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -75,6 +76,7 @@ static int reset_vars(void)
_audit_archadded = 0;
_audit_exeadded = 0;
_audit_filterexcladded = 0;
+ _audit_filterpathadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
*filter = AUDIT_FILTER_EXIT;
else if (strcmp(str, "user") == 0)
*filter = AUDIT_FILTER_USER;
+ else if (strcmp(str, "path") == 0)
+ *filter = AUDIT_FILTER_PATH;
else if (strcmp(str, "exclude") == 0) {
*filter = AUDIT_FILTER_EXCLUDE;
exclude = 1;
@@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
audit_msg(LOG_ERR,
"Error: syscall auditing being added to user list");
return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH)) {
+ audit_msg(LOG_ERR,
+ "Error: syscall auditing being added to path list");
+ return -1;
} else if (exclude) {
audit_msg(LOG_ERR,
"Error: syscall auditing cannot be put on exclude list");
@@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded) ||
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded) ||
(add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
--
1.7.1
7:28 p.m.
Hello,
This patch needs to be refactored to match the current count of error messages
in err_msgtab.
What error message is emitted when run on a kernel that does not support the
new filter?
On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote:
Tracefs or debugfs were causing hundreds to thousands of PATH records
to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Add the new "path" filter list anchored in __audit_inode_child() to
filter out PATH records from uninteresting filesystem types, "fstype",
keying on their kernel hexadecimal 4-octet magic identifier.
An example rule would look like:
-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
-a never,path -F fstype=0x64626720 -F key=ignore_debugfs
Are we sure path is the best name for this filter? Is there something more
precise like filesystem?
Note: "always,path" will log the PATH record anyways and
add latency.
See: https://github.com/linux-audit/audit-userspace/issues/15
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
docs/audit_add_rule_data.3 | 3 +++
lib/errormsg.h | 5 +++++
lib/fieldtab.h | 2 ++
lib/flagtab.h | 2 ++
lib/libaudit.c | 26 ++++++++++++++++++++++++--
lib/libaudit.h | 10 ++++++++++
lib/private.h | 1 +
src/auditctl-listing.c | 6 ++++--
src/auditctl.c | 14 +++++++++++++-
9 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
index 2321f39..4867e8c 100644
--- a/docs/audit_add_rule_data.3
+++ b/docs/audit_add_rule_data.3
@@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
.TP
\(bu
AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
+.TP
+\(bu
+AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
I don't think this is real clear. Maybe some others need touching up here as
well. But we should say something someone with a casual knowledge of audit
would understand.
.LP
.PP
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 50c7d50..2a6e4d6 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -20,6 +20,7 @@
* Authors:
* Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
struct msg_tab {
@@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
{ -32, 0, "field data is missing" },
{ -33, 2, "-C field incompatible" },
{ -34, 2, "-C value incompatible" },
+ { -35, 1, "field is not valid for the filter" },
+ { -36, 1, "filter is not supported ty kernel" },
};
Numbers need re-aligning.
-Steve
#define EAU_OPMISSING 1
#define EAU_FIELDUNKNOWN 2
@@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_DATAMISSING 32
#define EAU_COMPFIELDINCOMPAT 33
#define EAU_COMPVALINCOMPAT 34
+#define EAU_FIELDUNAVAIL 35
+#define EAU_FILTERNOSUPPORT 36
#endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index 0c5e39d..c425d5b 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -18,6 +18,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_PID, "pid" )
@@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" )
_S(AUDIT_PERM, "perm" )
_S(AUDIT_DIR, "dir" )
_S(AUDIT_FILETYPE, "filetype" )
+_S(AUDIT_FSTYPE, "fstype" )
_S(AUDIT_OBJ_UID, "obj_uid" )
_S(AUDIT_OBJ_GID, "obj_gid" )
_S(AUDIT_FIELD_COMPARE, "field_compare" )
diff --git a/lib/flagtab.h b/lib/flagtab.h
index 4b04692..ed3e729 100644
--- a/lib/flagtab.h
+++ b/lib/flagtab.h
@@ -18,8 +18,10 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_FILTER_TASK, "task" )
_S(AUDIT_FILTER_EXIT, "exit" )
_S(AUDIT_FILTER_USER, "user" )
_S(AUDIT_FILTER_EXCLUDE, "exclude" )
+_S(AUDIT_FILTER_PATH, "path" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 028483d..f28238a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -86,6 +87,7 @@ int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
int _audit_filterexcladded = 0;
+int _audit_filterpathadded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data
**rulep, const char *pair, }
}
+ /* PATH filter can be used only with FSTYPE field */
+ if (flags == AUDIT_FILTER_PATH) {
+ uint32_t features = audit_get_features();
+ if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
+ return -EAU_FILTERNOSUPPORT;
+ } else {
+ switch(field) {
+ case AUDIT_FSTYPE:
+ _audit_filterpathadded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
+ return -EAU_FIELDUNAVAIL;
+ }
+ }
+ }
+
rule->fields[rule->field_count] = field;
rule->fieldflags[rule->field_count] = op;
switch (field)
@@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
**rulep, const char *pair, }
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded))
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
@@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
**rulep, const char *pair, return -EAU_EXITONLY;
/* fallthrough */
default:
- if (field == AUDIT_INODE) {
+ if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
if (!(op == AUDIT_NOT_EQUAL ||
op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
@@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
**rulep, const char *pair, if (!isdigit((char)*(v)))
return -EAU_FIELDVALNUM;
+ if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
+ return -EAU_FIELDUNAVAIL;
if (field == AUDIT_INODE)
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
diff --git a/lib/libaudit.h b/lib/libaudit.h
index e5c7a4d..e9c4973 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -277,6 +277,9 @@ extern "C" {
#define AUDIT_KEY_SEPARATOR 0x01
/* These are used in filter control */
+#ifndef AUDIT_FILTER_PATH
+#define AUDIT_FILTER_PATH 0x06 /* PATH record filter in
__audit_inode_child
*/ +#endif
#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
#define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
#define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
@@ -305,6 +308,9 @@ extern "C" {
#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
#endif
+#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
+#define AUDIT_FEATURE_BITMAP_FILTER_PATH 0x00000040
+#endif
/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
@@ -324,6 +330,10 @@ extern "C" {
#define AUDIT_SESSIONID 25
#endif
+#ifndef AUDIT_FSTYPE
+#define AUDIT_FSTYPE 26
+#endif
+
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#endif
diff --git a/lib/private.h b/lib/private.h
index 855187b..117d6e3 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -140,6 +140,7 @@ extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
extern int _audit_filterexcladded;
+extern int _audit_filterpathadded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index 3bc8e71..e8640dd 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
- ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
if (r->mask[i] != (uint32_t)~0) {
all = 0;
@@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data
*r, unsigned int *sc) /* Rules on the following filters do not take a
syscall */
if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
- ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
return 0;
/* See if its all or specific syscalls */
diff --git a/src/auditctl.c b/src/auditctl.c
index c785087..c7e8f0f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -75,6 +76,7 @@ static int reset_vars(void)
_audit_archadded = 0;
_audit_exeadded = 0;
_audit_filterexcladded = 0;
+ _audit_filterpathadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
*filter = AUDIT_FILTER_EXIT;
else if (strcmp(str, "user") == 0)
*filter = AUDIT_FILTER_USER;
+ else if (strcmp(str, "path") == 0)
+ *filter = AUDIT_FILTER_PATH;
else if (strcmp(str, "exclude") == 0) {
*filter = AUDIT_FILTER_EXCLUDE;
exclude = 1;
@@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
audit_msg(LOG_ERR,
"Error: syscall auditing being added to user list");
return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH)) {
+ audit_msg(LOG_ERR,
+ "Error: syscall auditing being added to path list");
+ return -1;
} else if (exclude) {
audit_msg(LOG_ERR,
"Error: syscall auditing cannot be put on exclude list");
@@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded) ||
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded) ||
(add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
9:45 p.m.
On 2017-06-12 20:28, Steve Grubb wrote:
Hello,
Hi (swapping in this task after > 2 months...)
This patch needs to be refactored to match the current count of error
messages
in err_msgtab.
What error message is emitted when run on a kernel that does not support the
new filter?
-36 (which needs re-checking now that ghau12/ghau21pr has been reworked.)
On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote:
> Tracefs or debugfs were causing hundreds to thousands of PATH records to
> be associated with the init_module and finit_module SYSCALL records on a
> few modules when the following rule was in place for startup:
> -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
>
> Add the new "path" filter list anchored in __audit_inode_child() to
> filter out PATH records from uninteresting filesystem types, "fstype",
> keying on their kernel hexadecimal 4-octet magic identifier.
>
> An example rule would look like:
> -a never,path -F fstype=0x74726163 -F key=ignore_tracefs
> -a never,path -F fstype=0x64626720 -F key=ignore_debugfs
Are we sure path is the best name for this filter? Is there something more
precise like filesystem?
It is filesystem type that we are filtering, but there may be a use case
to filter on another factor later, so like the "type" filter that really
is the "exclude" filter, let's not make that mistake again.
I wrestled with that for a while and kept coming back to "path" filter
due to the fact that it was a path record that was affected. At the
moment it is only active on audit_inode_child, but I could potentially
see it being active on audit_inode as well.
> Note: "always,path" will log the PATH record anyways
and add latency.
>
> See: https://github.com/linux-audit/audit-userspace/issues/15
> See: https://github.com/linux-audit/audit-kernel/issues/8
> Test case: https://github.com/linux-audit/audit-testsuite/issues/42
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> docs/audit_add_rule_data.3 | 3 +++
> lib/errormsg.h | 5 +++++
> lib/fieldtab.h | 2 ++
> lib/flagtab.h | 2 ++
> lib/libaudit.c | 26 ++++++++++++++++++++++++--
> lib/libaudit.h | 10 ++++++++++
> lib/private.h | 1 +
> src/auditctl-listing.c | 6 ++++--
> src/auditctl.c | 14 +++++++++++++-
> 9 files changed, 64 insertions(+), 5 deletions(-)
>
> diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
> index 2321f39..4867e8c 100644
> --- a/docs/audit_add_rule_data.3
> +++ b/docs/audit_add_rule_data.3
> @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
> .TP
> \(bu
> AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
> +.TP
> +\(bu
> +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
I don't think this is real clear. Maybe some others need touching up here as
well. But we should say something someone with a casual knowledge of audit
would understand.
Agreed. How about "Apply rule when adding PATH auxiliary records to SYSCALL
events."
> .LP
>
> .PP
> diff --git a/lib/errormsg.h b/lib/errormsg.h
> index 50c7d50..2a6e4d6 100644
> --- a/lib/errormsg.h
> +++ b/lib/errormsg.h
> @@ -20,6 +20,7 @@
> * Authors:
> * Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
> * Steve Grubb <sgrubb(a)redhat.com>
> + * Richard Guy Briggs <rgb(a)redhat.com>
> */
>
> struct msg_tab {
> @@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
> { -32, 0, "field data is missing" },
> { -33, 2, "-C field incompatible" },
> { -34, 2, "-C value incompatible" },
> + { -35, 1, "field is not valid for the filter" },
> + { -36, 1, "filter is not supported ty kernel" },
> };
Numbers need re-aligning.
Probably...
-Steve
> #define EAU_OPMISSING 1
> #define EAU_FIELDUNKNOWN 2
> @@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
> #define EAU_DATAMISSING 32
> #define EAU_COMPFIELDINCOMPAT 33
> #define EAU_COMPVALINCOMPAT 34
> +#define EAU_FIELDUNAVAIL 35
> +#define EAU_FILTERNOSUPPORT 36
> #endif
> diff --git a/lib/fieldtab.h b/lib/fieldtab.h
> index 0c5e39d..c425d5b 100644
> --- a/lib/fieldtab.h
> +++ b/lib/fieldtab.h
> @@ -18,6 +18,7 @@
> *
> * Authors:
> * Steve Grubb <sgrubb(a)redhat.com>
> + * Richard Guy Briggs <rgb(a)redhat.com>
> */
>
> _S(AUDIT_PID, "pid" )
> @@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" )
> _S(AUDIT_PERM, "perm" )
> _S(AUDIT_DIR, "dir" )
> _S(AUDIT_FILETYPE, "filetype" )
> +_S(AUDIT_FSTYPE, "fstype" )
> _S(AUDIT_OBJ_UID, "obj_uid" )
> _S(AUDIT_OBJ_GID, "obj_gid" )
> _S(AUDIT_FIELD_COMPARE, "field_compare" )
> diff --git a/lib/flagtab.h b/lib/flagtab.h
> index 4b04692..ed3e729 100644
> --- a/lib/flagtab.h
> +++ b/lib/flagtab.h
> @@ -18,8 +18,10 @@
> *
> * Authors:
> * Steve Grubb <sgrubb(a)redhat.com>
> + * Richard Guy Briggs <rgb(a)redhat.com>
> */
> _S(AUDIT_FILTER_TASK, "task" )
> _S(AUDIT_FILTER_EXIT, "exit" )
> _S(AUDIT_FILTER_USER, "user" )
> _S(AUDIT_FILTER_EXCLUDE, "exclude" )
> +_S(AUDIT_FILTER_PATH, "path" )
> diff --git a/lib/libaudit.c b/lib/libaudit.c
> index 028483d..f28238a 100644
> --- a/lib/libaudit.c
> +++ b/lib/libaudit.c
> @@ -19,6 +19,7 @@
> * Authors:
> * Steve Grubb <sgrubb(a)redhat.com>
> * Rickard E. (Rik) Faith <faith(a)redhat.com>
> + * Richard Guy Briggs <rgb(a)redhat.com>
> */
>
> #include "config.h"
> @@ -86,6 +87,7 @@ int _audit_archadded = 0;
> int _audit_syscalladded = 0;
> int _audit_exeadded = 0;
> int _audit_filterexcladded = 0;
> +int _audit_filterpathadded = 0;
> unsigned int _audit_elf = 0U;
> static struct libaudit_conf config;
>
> @@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
> }
>
> + /* PATH filter can be used only with FSTYPE field */
> + if (flags == AUDIT_FILTER_PATH) {
> + uint32_t features = audit_get_features();
> + if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
> + return -EAU_FILTERNOSUPPORT;
> + } else {
> + switch(field) {
> + case AUDIT_FSTYPE:
> + _audit_filterpathadded = 1;
> + case AUDIT_FILTERKEY:
> + break;
> + default:
> + return -EAU_FIELDUNAVAIL;
> + }
> + }
> + }
> +
> rule->fields[rule->field_count] = field;
> rule->fieldflags[rule->field_count] = op;
> switch (field)
> @@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
> if (field == AUDIT_FILTERKEY &&
> !(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded || _audit_filterexcladded))
> + _audit_exeadded || _audit_filterexcladded ||
> + _audit_filterpathadded))
> return -EAU_KEYDEP;
> vlen = strlen(v);
> if (field == AUDIT_FILTERKEY &&
> @@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, return -EAU_EXITONLY;
> /* fallthrough */
> default:
> - if (field == AUDIT_INODE) {
> + if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
> if (!(op == AUDIT_NOT_EQUAL ||
> op == AUDIT_EQUAL))
> return -EAU_OPEQNOTEQ;
> @@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, if (!isdigit((char)*(v)))
> return -EAU_FIELDVALNUM;
>
> + if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
> + return -EAU_FIELDUNAVAIL;
> if (field == AUDIT_INODE)
> rule->values[rule->field_count] =
> strtoul(v, NULL, 0);
> diff --git a/lib/libaudit.h b/lib/libaudit.h
> index e5c7a4d..e9c4973 100644
> --- a/lib/libaudit.h
> +++ b/lib/libaudit.h
> @@ -277,6 +277,9 @@ extern "C" {
> #define AUDIT_KEY_SEPARATOR 0x01
>
> /* These are used in filter control */
> +#ifndef AUDIT_FILTER_PATH
> +#define AUDIT_FILTER_PATH 0x06 /* PATH record filter in
__audit_inode_child
> */ +#endif
> #define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
> #define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
> #define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
> @@ -305,6 +308,9 @@ extern "C" {
> #ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
> #define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> #endif
> +#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
> +#define AUDIT_FEATURE_BITMAP_FILTER_PATH 0x00000040
> +#endif
>
> /* Defines for interfield comparison update */
> #ifndef AUDIT_OBJ_UID
> @@ -324,6 +330,10 @@ extern "C" {
> #define AUDIT_SESSIONID 25
> #endif
>
> +#ifndef AUDIT_FSTYPE
> +#define AUDIT_FSTYPE 26
> +#endif
> +
> #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
> #define AUDIT_COMPARE_UID_TO_OBJ_UID 1
> #endif
> diff --git a/lib/private.h b/lib/private.h
> index 855187b..117d6e3 100644
> --- a/lib/private.h
> +++ b/lib/private.h
> @@ -140,6 +140,7 @@ extern int _audit_archadded;
> extern int _audit_syscalladded;
> extern int _audit_exeadded;
> extern int _audit_filterexcladded;
> +extern int _audit_filterpathadded;
> extern unsigned int _audit_elf;
>
> #ifdef __cplusplus
> diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
> index 3bc8e71..e8640dd 100644
> --- a/src/auditctl-listing.c
> +++ b/src/auditctl-listing.c
> @@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
>
> if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
> ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
> - ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
> + ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
> + ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
> for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
> if (r->mask[i] != (uint32_t)~0) {
> all = 0;
> @@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data
> *r, unsigned int *sc) /* Rules on the following filters do not take a
> syscall */
> if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
> ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
> - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
> + ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
> + ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
> return 0;
>
> /* See if its all or specific syscalls */
> diff --git a/src/auditctl.c b/src/auditctl.c
> index c785087..c7e8f0f 100644
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -19,6 +19,7 @@
> * Authors:
> * Steve Grubb <sgrubb(a)redhat.com>
> * Rickard E. (Rik) Faith <faith(a)redhat.com>
> + * Richard Guy Briggs <rgb(a)redhat.com>
> */
>
> #include "config.h"
> @@ -75,6 +76,7 @@ static int reset_vars(void)
> _audit_archadded = 0;
> _audit_exeadded = 0;
> _audit_filterexcladded = 0;
> + _audit_filterpathadded = 0;
> _audit_elf = 0;
> add = AUDIT_FILTER_UNSET;
> del = AUDIT_FILTER_UNSET;
> @@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
> *filter = AUDIT_FILTER_EXIT;
> else if (strcmp(str, "user") == 0)
> *filter = AUDIT_FILTER_USER;
> + else if (strcmp(str, "path") == 0)
> + *filter = AUDIT_FILTER_PATH;
> else if (strcmp(str, "exclude") == 0) {
> *filter = AUDIT_FILTER_EXCLUDE;
> exclude = 1;
> @@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
> audit_msg(LOG_ERR,
> "Error: syscall auditing being added to user list");
> return -1;
> + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_PATH || (del &
> + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_PATH)) {
> + audit_msg(LOG_ERR,
> + "Error: syscall auditing being added to path list");
> + return -1;
> } else if (exclude) {
> audit_msg(LOG_ERR,
> "Error: syscall auditing cannot be put on exclude list");
> @@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
> break;
> case 'k':
> if (!(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded || _audit_filterexcladded) ||
> + _audit_exeadded || _audit_filterexcladded ||
> + _audit_filterpathadded) ||
> (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> audit_msg(LOG_ERR,
> "key option needs a watch or syscall given prior to it");
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
9:49 a.m.
On Mon, Jun 12, 2017 at 10:45 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 2017-06-12 20:28, Steve Grubb wrote:
> Hello,
Hi (swapping in this task after > 2 months...)
> This patch needs to be refactored to match the current count of error messages
> in err_msgtab.
>
> What error message is emitted when run on a kernel that does not support the
> new filter?
-36 (which needs re-checking now that ghau12/ghau21pr has been reworked.)
> On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote:
> > Tracefs or debugfs were causing hundreds to thousands of PATH records to
> > be associated with the init_module and finit_module SYSCALL records on a
> > few modules when the following rule was in place for startup:
> > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
> >
> > Add the new "path" filter list anchored in __audit_inode_child() to
> > filter out PATH records from uninteresting filesystem types,
"fstype",
> > keying on their kernel hexadecimal 4-octet magic identifier.
> >
> > An example rule would look like:
> > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs
> > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs
>
> Are we sure path is the best name for this filter? Is there something more
> precise like filesystem?
It is filesystem type that we are filtering, but there may be a use case
to filter on another factor later, so like the "type" filter that really
is the "exclude" filter, let's not make that mistake again.
I wrestled with that for a while and kept coming back to "path" filter
due to the fact that it was a path record that was affected. At the
moment it is only active on audit_inode_child, but I could potentially
see it being active on audit_inode as well.
FWIW, I too struggled a bit with that name when looking at the kernel
code. I'm not a fan of "path" in this case, but I can't think of
anything substantially better.
--
paul moore
www.paul-moore.com
4:25 p.m.
Hello,
On Monday, June 12, 2017 10:45:50 PM EDT Richard Guy Briggs wrote:
On 2017-06-12 20:28, Steve Grubb wrote:
> This patch needs to be refactored to match the current count of error
> messages in err_msgtab.
>
> What error message is emitted when run on a kernel that does not support
> the new filter?
-36 (which needs re-checking now that ghau12/ghau21pr has been reworked.)
And now that the other error message macros have been applied...
> On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs
wrote:
> > Tracefs or debugfs were causing hundreds to thousands of PATH records to
> > be associated with the init_module and finit_module SYSCALL records on a
> >
> > few modules when the following rule was in place for startup:
> > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
> >
> > Add the new "path" filter list anchored in __audit_inode_child() to
> > filter out PATH records from uninteresting filesystem types,
"fstype",
> > keying on their kernel hexadecimal 4-octet magic identifier.
> >
> > An example rule would look like:
> > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs
> > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs
>
> Are we sure path is the best name for this filter? Is there something more
> precise like filesystem?
It is filesystem type that we are filtering, but there may be a use case
to filter on another factor later, so like the "type" filter that really
is the "exclude" filter, let's not make that mistake again.
What else could this filter have its hands on? Could it audit mounting/
unmounting of certain file systems?
I wrestled with that for a while and kept coming back to
"path" filter
due to the fact that it was a path record that was affected.
I don't like having path as a filter and path as a field option. Path is
getting too overloaded.
At the moment it is only active on audit_inode_child, but I could
potentially see it being active on audit_inode as well.
I'd lean towards filesystem for the filter name.
-Steve
> > Note: "always,path" will log the PATH record
anyways and add latency.
> >
> > See: https://github.com/linux-audit/audit-userspace/issues/15
> > See: https://github.com/linux-audit/audit-kernel/issues/8
> > Test case: https://github.com/linux-audit/audit-testsuite/issues/42
> >
> > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> > ---
> >
> > docs/audit_add_rule_data.3 | 3 +++
> > lib/errormsg.h | 5 +++++
> > lib/fieldtab.h | 2 ++
> > lib/flagtab.h | 2 ++
> > lib/libaudit.c | 26 ++++++++++++++++++++++++--
> > lib/libaudit.h | 10 ++++++++++
> > lib/private.h | 1 +
> > src/auditctl-listing.c | 6 ++++--
> > src/auditctl.c | 14 +++++++++++++-
> > 9 files changed, 64 insertions(+), 5 deletions(-)
> >
> > diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
> > index 2321f39..4867e8c 100644
> > --- a/docs/audit_add_rule_data.3
> > +++ b/docs/audit_add_rule_data.3
> > @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
> >
> > .TP
> > \(bu
> > AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
> >
> > +.TP
> > +\(bu
> > +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
>
> I don't think this is real clear. Maybe some others need touching up here
> as well. But we should say something someone with a casual knowledge of
> audit would understand.
Agreed. How about "Apply rule when adding PATH auxiliary records to SYSCALL
events."
I updated this man page. It needs to say when its applicable, whether events
are normally accepted or blocked with no rule applied, and what the typical
use case is.
-Steve
10:15 p.m.
On 2017-06-13 17:25, Steve Grubb wrote:
Hello,
On Monday, June 12, 2017 10:45:50 PM EDT Richard Guy Briggs wrote:
> On 2017-06-12 20:28, Steve Grubb wrote:
> > This patch needs to be refactored to match the current count of error
> > messages in err_msgtab.
> >
> > What error message is emitted when run on a kernel that does not support
> > the new filter?
>
> -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.)
And now that the other error message macros have been applied...
Re-spinning...
> > On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs
wrote:
> > > Tracefs or debugfs were causing hundreds to thousands of PATH records to
> > > be associated with the init_module and finit_module SYSCALL records on a
> > >
> > > few modules when the following rule was in place for startup:
> > > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
> > >
> > > Add the new "path" filter list anchored in __audit_inode_child()
to
> > > filter out PATH records from uninteresting filesystem types,
"fstype",
> > > keying on their kernel hexadecimal 4-octet magic identifier.
> > >
> > > An example rule would look like:
> > > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs
> > > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs
> >
> > Are we sure path is the best name for this filter? Is there something more
> > precise like filesystem?
>
> It is filesystem type that we are filtering, but there may be a use case
> to filter on another factor later, so like the "type" filter that really
> is the "exclude" filter, let's not make that mistake again.
What else could this filter have its hands on? Could it audit mounting/
unmounting of certain file systems?
I wasn't thinking so much of the filter point, but other filter fields
(like auid=-1? or a mount sub-tree? or ...?).
> I wrestled with that for a while and kept coming back to
"path" filter
> due to the fact that it was a path record that was affected.
I don't like having path as a filter and path as a field option. Path is
getting too overloaded.
Granted.
> At the moment it is only active on audit_inode_child, but I
could
> potentially see it being active on audit_inode as well.
I'd lean towards filesystem for the filter name.
I think I'm alright with that name. I'll re-spin the patch and see if
anything jumps out at me in the process.
Another place this might be used is for the CWD record.
-Steve
> > > Note: "always,path" will log the PATH record anyways and add
latency.
> > >
> > > See: https://github.com/linux-audit/audit-userspace/issues/15
> > > See: https://github.com/linux-audit/audit-kernel/issues/8
> > > Test case: https://github.com/linux-audit/audit-testsuite/issues/42
> > >
> > > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> > > ---
> > >
> > > docs/audit_add_rule_data.3 | 3 +++
> > > lib/errormsg.h | 5 +++++
> > > lib/fieldtab.h | 2 ++
> > > lib/flagtab.h | 2 ++
> > > lib/libaudit.c | 26 ++++++++++++++++++++++++--
> > > lib/libaudit.h | 10 ++++++++++
> > > lib/private.h | 1 +
> > > src/auditctl-listing.c | 6 ++++--
> > > src/auditctl.c | 14 +++++++++++++-
> > > 9 files changed, 64 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
> > > index 2321f39..4867e8c 100644
> > > --- a/docs/audit_add_rule_data.3
> > > +++ b/docs/audit_add_rule_data.3
> > > @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
> > >
> > > .TP
> > > \(bu
> > > AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
> > >
> > > +.TP
> > > +\(bu
> > > +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
> >
> > I don't think this is real clear. Maybe some others need touching up here
> > as well. But we should say something someone with a casual knowledge of
> > audit would understand.
>
> Agreed. How about "Apply rule when adding PATH auxiliary records to SYSCALL
> events."
I updated this man page. It needs to say when its applicable, whether events
are normally accepted or blocked with no rule applied, and what the typical
use case is.
Ok, I see the other examples.
-Steve
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
2746
days inactive
2818
days old
linux-audit@lists.linux-audit.osci.io
5 comments
3 participants
participants (3)
-
Paul Moore -
Richard Guy Briggs -
Steve Grubb