Allow exclude and user filter by executable name (linux-audit#48)
This patch removes the restriction that excludes the AUDIT_EXE field
from the exclude filter list. It also clarifies in the documentation
that this field can also be used with these filter lists ('auditctl -a
user,always -F exe=/something' works even without this patch).

Relevant kernel patch that enables exclude filter for AUDIT_EXE:
https://www.redhat.com/archives/linux-audit/2018-April/msg00114.html

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
WOnder93 authored and stevegrubb committed Jan 23, 2019
1 parent c34481d commit be59adc
Showing 3 changed files with 6 additions and 4 deletions.
1 change: 1 addition & 0 deletions ChangeLog
@@ -59,6 +59,7 @@
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)

2.8.3
- Correct msg function name in LRU debug code
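Review bot: the new ChangeLog entry does not say that excluding by executable name depends on kernel support, even though the commit message points at a separate kernel patch for the exclude side; since the user filter case already worked before this change, consider wording the entry as "Allow exclude and user filter by executable name (exclude needs kernel support)" so packagers and users know the user-space change alone is not sufficient.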
6 changes: 3 additions & 3 deletions docs/auditctl.8
@@ -78,10 +78,10 @@ Add a rule to the per task list. This rule list is used only at the time a task
Add a rule to the syscall exit list. This list is used upon exit from a system call to determine if an audit event should be created.
.TP
.B user
Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, msgtype, and executable name. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
.TP
.B exclude
Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, message type or subject context. The action is ignored and uses its default of "never".
Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, message type, subject context, or executable name. The action is ignored and uses its default of "never".
.RE

The following describes the valid \fIactions\fP for the rule:
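Review bot: both edited paragraphs call the new field "executable name" while the field table further down calls it exe, so a reader scanning the list of valid fields cannot match it to the option they type; use the field name, e.g. "subj_clr, msgtype, and exe (the executable name)" and "subject context, or exe". While touching the exclude paragraph, the unchanged sentence "you would using this list to record that" is ungrammatical and should read "you would use this list to record that".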
@@ -145,7 +145,7 @@ Effective Group ID. May be numeric or the groups name.
Effective User ID. May be numeric or the user account name.
.TP
.B exe
Absolute path to application that while executing this rule will apply to. This can only be used on the exit list. It supports = and != operators. Note that you can only use this once for each rule.
Absolute path to application that while executing this rule will apply to. It supports = and != operators. Note that you can only use this once for each rule.
.TP
.B exit
Exit value from a syscall. If the exit code is an errno, you may use the text representation, too.
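Review bot: dropping "This can only be used on the exit list." leaves the exe entry silent about which lists accept it, and readers will not know whether the task list does; replace the sentence with the new scope instead of removing it, e.g. "It can be used on the exit, user and exclude lists (exclude requires kernel support).", so this entry agrees with the user and exclude paragraphs earlier in the page.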
3 changes: 2 additions & 1 deletion lib/libaudit.c
@@ -1448,7 +1448,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if ((field = audit_name_to_field(f)) < 0)
return -EAU_FIELDUNKNOWN;

/* Exclude filter can be used only with MSGTYPE and cred fields */
/* Exclude filter can be used only with MSGTYPE, cred and EXE fields */
if (flags == AUDIT_FILTER_EXCLUDE) {
uint32_t features = audit_get_features();
if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
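Review bot: the comment now promises EXE on the exclude filter, but the only capability test in this block is the existing AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND check, which the original comment tied to MSGTYPE and the credential fields; nothing here detects a kernel that sets that bit but lacks the separate AUDIT_EXE exclude patch linked in the commit message, so on such a kernel the rule passes this function and is rejected by the kernel instead of by auditctl with a clear message. If the kernel exposes no feature bit for this, state that in the comment so the gap is documented rather than implied to be covered.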
@@ -1466,6 +1466,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
case AUDIT_EXE:
break;
default:
return -EAU_MSGTYPECREDEXCLUDE;
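Review bot: adding case AUDIT_EXE to the accepted set leaves the default branch returning -EAU_MSGTYPECREDEXCLUDE, whose name (and presumably the error string shown to the user) only speaks of msgtype and credential fields; check that the text associated with that error code now also names exe, otherwise a user who hits it with some other field is told a list of allowed fields that is no longer complete.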
