Re: [PATCH] audit: allow not equal op for audit by executable
2018-04-06 16:32 GMT+02:00 Steve Grubb <sgrubb(a)redhat.com>:
On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
What would an audit rule that uses this new capability look like?
The GitHub issue links to the following original user request:
https://www.redhat.com/archives/linux-audit/2017-June/msg00029.html
The desired rule would then look exactly as the user expected:
-a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F
exe!=/path/to/application -F key=voicemail_watch
-Steve
> Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
> ---
>
> Hi Paul,
>
> this turned out to be easier than I anticipated so I'm sending the patch
> already :) I hope I got everything right. Note that the userspace tools
> also need to be updated to check the feature bit and allow/disallow the
> operator based on that.
>
> Ondrej
>
> include/uapi/linux/audit.h | 18 ++++++++++--------
> kernel/auditfilter.c | 2 +-
> kernel/auditsc.c | 2 ++
> 3 files changed, 13 insertions(+), 9 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 4e61a9e05132..03393f7e8932 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -333,13 +333,14 @@ enum {
> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> #define AUDIT_STATUS_LOST 0x0040
>
> -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> -#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> -#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
> +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
>
> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> @@ -347,7 +348,8 @@ enum {
> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> AUDIT_FEATURE_BITMAP_LOST_RESET | \
> - AUDIT_FEATURE_BITMAP_FILTER_FS)
> + AUDIT_FEATURE_BITMAP_FILTER_FS | \
> + AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f) return -EINVAL;
> break;
> case AUDIT_EXE:
> - if (f->op != Audit_equal)
> + if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op,
f->uid);
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.