RFE: add additional fields for use in audit filter exclude rules https://github.com/linux-audit/audit-kernel/issues/5 Enable the exclude filter to additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; --- trunk/docs/auditctl.8 | 2 +- trunk/lib/errormsg.h | 2 +- trunk/lib/libaudit.c | 24 ++++++++++++++++++++---- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8 index ceb6c40..540ff70 100644 --- a/trunk/docs/auditctl.8 +++ b/trunk/docs/auditctl.8 @@ -76,7 +76,7 @@ Add a rule to the syscall exit list. This list is used upon exit from a system c Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded. .TP .B exclude -Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. The message type that you do not wish to see is given with the msgtype field. +Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, login user ID set, message type or subject context. .RE The following describes the valid \fIactions\fP for the rule: diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h index c678315..84bfdb3 100644 --- a/trunk/lib/errormsg.h +++ b/trunk/lib/errormsg.h @@ -66,7 +66,7 @@ static const struct msg_tab err_msgtab[] = { { -28, 2, "Too many fields in rule:" }, { -29, 1, "only takes = operator" }, { -30, 2, "Field option not supported by kernel:" }, - { -31, 1, "can only be used with exit and user filter lists" }, + { -31, 1, "can only be used with exit, user and exclude filter lists" }, { -32, 2, "-F value should be boolean 0 or 1 for" }, }; #endif diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c index 236f8bc..798b3c8 100644 --- a/trunk/lib/libaudit.c +++ b/trunk/lib/libaudit.c @@ -1400,9 +1400,24 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, if ((field = audit_name_to_field(f)) < 0) return -2; - /* Exclude filter can be used only with MSGTYPE field */ - if (flags == AUDIT_FILTER_EXCLUDE && field != AUDIT_MSGTYPE) - return -12; + /* Exclude filter can be used only with MSGTYPE and cred fields */ + if (flags == AUDIT_FILTER_EXCLUDE) + switch(field) { + case AUDIT_PID: + case AUDIT_UID: + case AUDIT_GID: + case AUDIT_LOGINUID: + case AUDIT_LOGINUID_SET: + case AUDIT_MSGTYPE: + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: + break; + default: + return -12; + } rule->fields[rule->field_count] = field; rule->fieldflags[rule->field_count] = op; @@ -1630,7 +1645,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, case AUDIT_LOGINUID_SET: if(!features) return -30; - if (flags != AUDIT_FILTER_USER && + if (flags != AUDIT_FILTER_EXCLUDE && + flags != AUDIT_FILTER_USER && flags != AUDIT_FILTER_EXIT) return -31; if (isdigit((char)*(v))) { -- 1.7.1

On Thursday, August 18, 2016 2:33:20 PM EDT Richard Guy Briggs wrote: One question, why is this being and'ed directly? I was told that we have to go through AUDIT_FEATURE_TO_MASK() to convert the value to a mask which can then be and'ed. Is this macro now deprecated? -Steve