On 2017-06-12 20:05, Steve Grubb wrote: > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote: > > The exclude rules did not permit a filterkey to be added. This isn't as > > important for the exclude filter compared to the others since no records are > > generated with that key, but still helps identify rules in the rules list > > configuration. > > How long ago did the kernel start allowing this? I'm trying to decide if this > is > generally applicable or needs some kind of versioning.
I wasn't aware it was disallowed previously. I'll try to dig out if that was previously refused. > Thanks, > -Steve > > > Allow filterkeys to be used with the exclude filter. > > > > See: https://github.com/linux-audit/audit-userspace/issues/14 > > > > Signed-off-by: Richard Guy Briggs <[email protected]> > > --- > > lib/libaudit.c | 13 +++++++++++-- > > lib/private.h | 1 + > > src/auditctl.c | 5 +++-- > > 3 files changed, 15 insertions(+), 4 deletions(-) > > 
> > diff --git a/lib/libaudit.c b/lib/libaudit.c
> > index b1f8f9c..028483d 100644
> > --- a/lib/libaudit.c
> > +++ b/lib/libaudit.c
> > @@ -85,6 +85,7 @@ int _audit_permadded = 0;
> > int _audit_archadded = 0;
> > int _audit_syscalladded = 0;
> > int _audit_exeadded = 0;
> > +int _audit_filterexcladded = 0;
> > unsigned int _audit_elf = 0U;
> > static struct libaudit_conf config;
> > 
> > @@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data > > **rulep, const char *pair,
if (flags == AUDIT_FILTER_EXCLUDE) {
> > uint32_t features = audit_get_features();
> > if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
> > - if (field != AUDIT_MSGTYPE)
> > + switch(field) {
> > + case AUDIT_MSGTYPE:
> > + _audit_filterexcladded = 1;
> > + case AUDIT_FILTERKEY:
> > + break;
> > + default:
> > return -EAU_FIELDNOSUPPORT;
> > + }
> > } else {
> > switch(field) {
> > case AUDIT_PID:
> > @@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data > > **rulep, const char *pair,
case AUDIT_SUBJ_TYPE:
> > case AUDIT_SUBJ_SEN:
> > case AUDIT_SUBJ_CLR:
> > + _audit_filterexcladded = 1;
> > + case AUDIT_FILTERKEY:
> > break;
> > default:
> > return -EAU_MSGTYPECREDEXCLUDE;
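Review bot: The new `case AUDIT_MSGTYPE:` arm in the @@ -1445 hunk sets `_audit_filterexcladded = 1;` and then drops straight into `case AUDIT_FILTERKEY:` with no comment, so the fall-through reads like a forgotten `break;` and will trip `-Wimplicit-fallthrough`; the `case AUDIT_SUBJ_CLR:` arm in the @@ -1459 hunk has the same shape. A `/* fallthrough */` line after each assignment makes the intent explicit, or each arm can do `_audit_filterexcladded = 1; break;` itself and leave `case AUDIT_FILTERKEY: break;` standing alone. audit_rule_fieldpair_data begins and ends outside both hunks.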
> > @@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data > > **rulep, const char *pair,
}
> > if (field == AUDIT_FILTERKEY &&
> > !(_audit_syscalladded || _audit_permadded ||
> > - _audit_exeadded))
> > + _audit_exeadded || _audit_filterexcladded))
> > return -EAU_KEYDEP;
> > vlen = strlen(v);
> > if (field == AUDIT_FILTERKEY &&
> > diff --git a/lib/private.h b/lib/private.h
> > index cde1906..855187b 100644
> > --- a/lib/private.h
> > +++ b/lib/private.h
> > @@ -139,6 +139,7 @@ extern int _audit_permadded;
> > extern int _audit_archadded;
> > extern int _audit_syscalladded;
> > extern int _audit_exeadded;
> > +extern int _audit_filterexcladded;
> > extern unsigned int _audit_elf;
> > 
> > #ifdef __cplusplus
> > diff --git a/src/auditctl.c b/src/auditctl.c
> > index 04765f4..c785087 100644
> > --- a/src/auditctl.c
> > +++ b/src/auditctl.c
> > @@ -74,6 +74,7 @@ static int reset_vars(void)
> > _audit_permadded = 0;
> > _audit_archadded = 0;
> > _audit_exeadded = 0;
> > + _audit_filterexcladded = 0;
> > _audit_elf = 0;
> > add = AUDIT_FILTER_UNSET;
> > del = AUDIT_FILTER_UNSET;
> > @@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
> > break;
> > case 'k':
> > if (!(_audit_syscalladded || _audit_permadded ||
> > - _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
> > - del==AUDIT_FILTER_UNSET)) {
> > + _audit_exeadded || _audit_filterexcladded) ||
> > + (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> > audit_msg(LOG_ERR,
> > "key option needs a watch or syscall given prior to it");
> > retval = -1;
> > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs <[email protected]> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
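Review bot: The diagnostic `"key option needs a watch or syscall given prior to it"` in the setopt hunk is now out of step with the condition above it, which also accepts `-k` once an exclude-filter field has set `_audit_filterexcladded`; a user who places `-k` before the field on an exclude rule is still told that only a watch or syscall would satisfy it. Updating the message to `"key option needs a watch, syscall, or exclude filter field given prior to it"` keeps the error consistent with the new check. setopt begins and ends outside the hunk.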
