Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering
From: Paul Moore <paul@paul-moore.com>
Date: 2019-05-29 22:16:36
Also in:
linux-api, linux-fsdevel, lkml, netfilter-devel
On Mon, Apr 8, 2019 at 11:41 PM Richard Guy Briggs [off-list ref] wrote:
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32.

Sending it as two u32 was considered, but gathering and comparing two fields was more complex.

The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID.

Please see the github audit kernel issue for the contid filter feature:
https://github.com/linux-audit/audit-kernel/issues/91
Please see the github audit userspace issue for filter additions:
https://github.com/linux-audit/audit-userspace/issues/40
Please see the github audit testsuite issue for the test case:
https://github.com/linux-audit/audit-testsuite/issues/64
Please see the github audit wiki for the feature overview:
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs <redacted>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 include/linux/audit.h | 1 +
 include/uapi/linux/audit.h | 5 ++++-
 kernel/audit.h | 1 +
 kernel/auditfilter.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++
 kernel/auditsc.c | 4 ++++
 5 files changed, 57 insertions(+), 1 deletion(-)
...
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 63f8b3f26fab..407b5bb3b4c6 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c@@ -1206,6 +1224,31 @@ int audit_comparator(u32 left, u32 op, u32 right) } } +int audit_comparator64(u64 left, u32 op, u64 right) +{ + switch (op) { + case Audit_equal: + return (left == right); + case Audit_not_equal: + return (left != right); + case Audit_lt: + return (left < right); + case Audit_le: + return (left <= right); + case Audit_gt: + return (left > right); + case Audit_ge: + return (left >= right); + case Audit_bitmask: + return (left & right); + case Audit_bittest: + return ((left & right) == right); + default: + BUG();
A little birdy mentioned the BUG() here as a potential issue and while I had ignored it in earlier patches because this is likely a cut-n-paste from another audit comparator function, I took a closer look this time. It appears as though we will never have an invalid op value as audit_data_to_entry()/audit_to_op() ensure that the op value is a known good value. Removing the BUG() from all the audit comparators is a separate issue, but I think it would be good to remove it from this newly added comparator; keeping it so that we return "0" in the default case seems reasonable.
+ return 0; + } +}
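Review bot: In the Audit_bitmask case of audit_comparator64(), "return (left & right);" passes a u64 result back through the function's int return type, so when the only bits common to left and right sit in the upper 32 bits the value is truncated to 0 and the filter reports no match. Returning "!!(left & right)" or "(left & right) != 0" keeps the result a proper boolean for the full 64-bit range. The other cases are comparisons that already yield 0 or 1, so only this case needs the change.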
-- paul moore www.paul-moore.com