Re: [PATCH] filterexcl: allow filterkey

On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote: > The exclude rules did not permit a filterkey to be added. This isn't as > important for the exclude filter compared to the others since no records are > generated with that key, but still helps identify rules in the rules list > configuration. How long ago did thkernel start allowing this? I'm trying to decide if this is generally applicable or needs some kind of versioning.

Thanks, -Steve > Allow filterkeys to be used with the exclude filter. > > See: https://github.com/linux-audit/audit-userspace/issues/14 > > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; > --- > lib/libaudit.c | 13 +++++++++++-- > lib/private.h | 1 + > src/auditctl.c | 5 +++-- > 3 files changed, 15 insertions(+), 4 deletions(-) > > diff --git a/lib/libaudit.c b/lib/libaudit.c > index b1f8f9c..028483d 100644 > --- a/lib/libaudit.c > +++ b/lib/libaudit.c > @@ -85,6 +85,7 @@ int _audit_permadded = 0; > int _audit_archadded = 0; > int _audit_syscalladded = 0; > int _audit_exeadded = 0; > +int _audit_filterexcladded = 0; > unsigned int _audit_elf = 0U; > static struct libaudit_conf config; > > @@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data > **rulep, const char *pair, if (flags == AUDIT_FILTER_EXCLUDE) { > uint32_t features = audit_get_features(); > if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) { > - if (field != AUDIT_MSGTYPE) > + switch(field) { > + case AUDIT_MSGTYPE: > + _audit_filterexcladded = 1; > + case AUDIT_FILTERKEY: > + break; > + default: > return -EAU_FIELDNOSUPPORT; > + } > } else { > switch(field) { > case AUDIT_PID: > @@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data > **rulep, const char *pair, case AUDIT_SUBJ_TYPE: > case AUDIT_SUBJ_SEN: > case AUDIT_SUBJ_CLR: > + _audit_filterexcladded = 1; > + case AUDIT_FILTERKEY: > break; > default: > return -EAU_MSGTYPECREDEXCLUDE; > @@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data > **rulep, const char *pair, } > if (field == AUDIT_FILTERKEY && > !(_audit_syscalladded || _audit_permadded || > - _audit_exeadded)) > + _audit_exeadded || _audit_filterexcladded)) > return -EAU_KEYDEP; > vlen = strlen(v); > if (field == AUDIT_FILTERKEY && > diff --git a/lib/private.h b/lib/private.h > index cde1906..855187b 100644 > --- a/lib/private.h > +++ b/lib/private.h > @@ -139,6 +139,7 @@ extern int _audit_permadded; > extern int _audit_archadded; > extern int _audit_syscalladded; > extern int _audit_exeadded; > +extern int _audit_filterexcladded; > extern unsigned int _audit_elf; > > #ifdef __cplusplus > diff --git a/src/auditctl.c b/src/auditctl.c > index 04765f4..c785087 100644 > --- a/src/auditctl.c > +++ b/src/auditctl.c > @@ -74,6 +74,7 @@ static int reset_vars(void) > _audit_permadded = 0; > _audit_archadded = 0; > _audit_exeadded = 0; > + _audit_filterexcladded = 0; > _audit_elf = 0; > add = AUDIT_FILTER_UNSET; > del = AUDIT_FILTER_UNSET; > @@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[]) > break; > case 'k': > if (!(_audit_syscalladded || _audit_permadded || > - _audit_exeadded) || (add==AUDIT_FILTER_UNSET && > - del==AUDIT_FILTER_UNSET)) { > + _audit_exeadded || _audit_filterexcladded) || > + (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) { > audit_msg(LOG_ERR, > "key option needs a watch or syscall given prior to it"); > retval = -1; -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit