Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering
From: Richard Guy Briggs <hidden>
Date: 2019-05-30 20:37:38
Also in:
linux-api, linux-fsdevel, lkml, netfilter-devel
On 2019-05-30 10:34, Paul Moore wrote:
On Thu, May 30, 2019 at 10:20 AM Richard Guy Briggs [off-list ref] wrote:
On 2019-05-29 18:16, Paul Moore wrote:
On Mon, Apr 8, 2019 at 11:41 PM Richard Guy Briggs [off-list ref] wrote:
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32.

Sending it as two u32 was considered, but gathering and comparing two fields was more complex.

The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID.

Please see the github audit kernel issue for the contid filter feature: https://github.com/linux-audit/audit-kernel/issues/91
Please see the github audit userspace issue for filter additions: https://github.com/linux-audit/audit-userspace/issues/40
Please see the github audit testsuite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64
Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs <redacted>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
--- include/linux/audit.h | 1 + include/uapi/linux/audit.h | 5 ++++- kernel/audit.h | 1 + kernel/auditfilter.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++ kernel/auditsc.c | 4 ++++ 5 files changed, 57 insertions(+), 1 deletion(-)...
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 63f8b3f26fab..407b5bb3b4c6 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c@@ -1206,6 +1224,31 @@ int audit_comparator(u32 left, u32 op, u32 right) } } +int audit_comparator64(u64 left, u32 op, u64 right) +{ + switch (op) { + case Audit_equal: + return (left == right); + case Audit_not_equal: + return (left != right); + case Audit_lt: + return (left < right); + case Audit_le: + return (left <= right); + case Audit_gt: + return (left > right); + case Audit_ge: + return (left >= right); + case Audit_bitmask: + return (left & right); + case Audit_bittest: + return ((left & right) == right); + default: + BUG();

A little birdy mentioned the BUG() here as a potential issue and while I had ignored it in earlier patches because this is likely a cut-n-paste from another audit comparator function, I took a closer look this time. It appears as though we will never have an invalid op value as audit_data_to_entry()/audit_to_op() ensure that the op value is a known good value. Removing the BUG() from all the audit comparators is a separate issue, but I think it would be good to remove it from this newly added comparator; keeping it so that we return "0" in the default case seems reasonable.

Fair enough. That BUG(); can be removed.

Please send a fixup patch for this.
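
Review bot: in the Audit_bitmask case of audit_comparator64(), "return (left & right);" narrows a u64 result to the function's int return type, so a mask whose matching bits all lie in bits 32-63 can come back as 0 and be treated as no match. Normalising the result, for example "return !!(left & right);" or "return (left & right) != 0;", keeps the comparison correct over the full 64-bit width; the other cases already yield 0 or 1. In the same switch, the default arm calls BUG() where returning 0 would do, which matters for a comparator fed from a userspace-supplied filter rule.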
The fixup patch is trivial. The rebase to v5.2-rc1 audit/next had merge conflicts with four recent patchsets. It may be simpler to submit a new patchset and look at a diff of the two sets. I'm testing the rebase now.
paul moore www.paul-moore.com
- RGB

--
Richard Guy Briggs [off-list ref]
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635