Discussion:
[PATCH] audit: allow not equal op for audit by executable
Ondrej Mosnacek
2018-04-06 08:43:00 UTC
Permalink
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53

Signed-off-by: Ondrej Mosnacek <***@redhat.com>
---

Hi Paul,

this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.

Ondrej

include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040

-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080

#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)

/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
case AUDIT_EXE:
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid);
--
2.14.3
Richard Guy Briggs
2018-04-06 10:37:06 UTC
Permalink
Post by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Do we really need to eat up a feature bit for this? The kernel will
simply return -EINVAL if it isn't supported. That will make userspace
implementation easier.
Post by Ondrej Mosnacek
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
result = audit_uid_comparator(cred->uid, f->op, f->uid);
--
2.14.3
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Ondrej Mosnacek
2018-04-06 11:10:40 UTC
Permalink
Post by Richard Guy Briggs
Post by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Do we really need to eat up a feature bit for this? The kernel will
simply return -EINVAL if it isn't supported. That will make userspace
implementation easier.
The problem then would be that if someone tried to use the not equal
operator on an older kernel, he would get some generic error message
instead of the current "exe only takes = operator".

This is how it would be handled with the feature bit:
https://github.com/WOnder93/audit-userspace/commit/c2260940e0216042efa11f24384d70772e619e8e

If the consensus is that it's not worth it, I will resend it without that part.
Post by Richard Guy Briggs
Post by Ondrej Mosnacek
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
result = audit_uid_comparator(cred->uid, f->op, f->uid);
--
2.14.3
- RGB
--
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
Richard Guy Briggs
2018-04-06 11:53:15 UTC
Permalink
Post by Ondrej Mosnacek
Post by Richard Guy Briggs
Post by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Do we really need to eat up a feature bit for this? The kernel will
simply return -EINVAL if it isn't supported. That will make userspace
implementation easier.
The problem then would be that if someone tried to use the not equal
operator on an older kernel, he would get some generic error message
instead of the current "exe only takes = operator".
You are right. I'm just not sure it is worth spending a feature bit on
it.
Post by Ondrej Mosnacek
https://github.com/WOnder93/audit-userspace/commit/c2260940e0216042efa11f24384d70772e619e8e
If the consensus is that it's not worth it, I will resend it without that part.
I'd be interested to hear Paul and Steve's perspective.
Post by Ondrej Mosnacek
Post by Richard Guy Briggs
Post by Ondrej Mosnacek
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
result = audit_uid_comparator(cred->uid, f->op, f->uid);
--
2.14.3
- RGB
Ondrej Mosnacek <omosnace at redhat dot com>
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Paul Moore
2018-04-06 21:21:32 UTC
Permalink
Post by Richard Guy Briggs
Post by Ondrej Mosnacek
Post by Richard Guy Briggs
Post by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Do we really need to eat up a feature bit for this? The kernel will
simply return -EINVAL if it isn't supported. That will make userspace
implementation easier.
The problem then would be that if someone tried to use the not equal
operator on an older kernel, he would get some generic error message
instead of the current "exe only takes = operator".
You are right. I'm just not sure it is worth spending a feature bit on
it.
We've gotten a bit carried away with our use of the feature bits and
we need to start engaging in a bit more discipline when it comes to
our feature bit "spending".

Ondrej, let's implement this without the feature bit. While I agree
the generic error message isn't extremely useful, it still generates a
"safe" error condition that is transmitted back to the user.

Other than that, I think the patch looked fine to me; resend it and
I'll apply it once the merge window closes.
--
paul moore
www.paul-moore.com
Steve Grubb
2018-04-06 14:32:34 UTC
Permalink
Post by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
What would an audit rule that uses this new capability look like?

-Steve
Post by Ondrej Mosnacek
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
struct audit_field *f) return -EINVAL;
break;
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
result = audit_uid_comparator(cred->uid, f->op, f->uid);
Richard Guy Briggs
2018-04-06 14:45:37 UTC
Permalink
Post by Steve Grubb
Post by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
What would an audit rule that uses this new capability look like?
auditctl -a exit,always ... -F exe!=/path/to/exec
Post by Steve Grubb
-Steve
Post by Ondrej Mosnacek
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
struct audit_field *f) return -EINVAL;
break;
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
result = audit_uid_comparator(cred->uid, f->op, f->uid);
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Steve Grubb
2018-04-06 15:19:21 UTC
Permalink
Post by Richard Guy Briggs
Post by Steve Grubb
Post by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
What would an audit rule that uses this new capability look like?
auditctl -a exit,always ... -F exe!=/path/to/exec
Does this mean, audit the syscall for any application except the one
mentioned? If so, how does this compare to

auditctl -a exit,never ... -F exe=/path/to/exec
auditctl -a exit,always ...

-Steve
Post by Richard Guy Briggs
Post by Steve Grubb
Post by Ondrej Mosnacek
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry
*entry, struct audit_field *f) return -EINVAL;
break;
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
result = audit_uid_comparator(cred->uid, f->op, f->uid);
- RGB
--
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Richard Guy Briggs
2018-04-06 16:40:50 UTC
Permalink
Post by Steve Grubb
Post by Richard Guy Briggs
Post by Steve Grubb
Post by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
What would an audit rule that uses this new capability look like?
auditctl -a exit,always ... -F exe!=/path/to/exec
Does this mean, audit the syscall for any application except the one
mentioned? If so, how does this compare to
auditctl -a exit,never ... -F exe=/path/to/exec
auditctl -a exit,always ...
Two rules instead of one?
Post by Steve Grubb
-Steve
Post by Richard Guy Briggs
Post by Steve Grubb
Post by Ondrej Mosnacek
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry
*entry, struct audit_field *f) return -EINVAL;
break;
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
result = audit_uid_comparator(cred->uid, f->op, f->uid);
- RGB
--
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Ondrej Mosnacek
2018-04-06 15:01:17 UTC
Permalink
Post by Steve Grubb
Post by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
What would an audit rule that uses this new capability look like?
The GitHub issue links to the following original user request:

https://www.redhat.com/archives/linux-audit/2017-June/msg00029.html

The desired rule would then look exactly as the user expected:

-a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F
exe!=/path/to/application -F key=voicemail_watch
Post by Steve Grubb
-Steve
Post by Ondrej Mosnacek
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
struct audit_field *f) return -EINVAL;
break;
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
result = audit_uid_comparator(cred->uid, f->op, f->uid);
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
Loading...