From: Eric Paris <eparis@redhat.com>
Subject: [RHEL5 PATCH] BZ 232967 allow audit filtering on bit & operations
Date: Mon, 04 Jun 2007 17:00:14 -0400
Bugzilla: 232967
Message-Id: <1180990814.3950.49.camel@localhost.localdomain>
Changelog: [audit] allow audit filtering on bit & operations BZ 232967

Right now the audit filter can match on = != > < >= blah blah blah. This allow the filter to also look at bitwise AND operations, & http://www.redhat.com/archives/linux-audit/2007-March/msg00032.html This patch has been in the LSPP kernel and working fine. It has been submitted upstream and should show up in the audit tree to get passed along to Linus shortly.

-Eric
--- linux-2.6.18.i686/kernel/auditfilter.c.pre.audit.bit.ops 2007-03-19 12:59:07.000000000 -0400
+++ linux-2.6.18.i686/kernel/auditfilter.c 2007-03-19 14:09:28.000000000 -0400
@@ -419,6 +419,13 @@ static struct audit_entry *audit_rule_to
 case AUDIT_DEVMINOR:
 case AUDIT_EXIT:
 case AUDIT_SUCCESS:
+ /* bit ops are only useful on syscall args */
+ if (f->op == AUDIT_BIT_MASK ||
+ f->op == AUDIT_BIT_TEST) {
+ err = -EINVAL;
+ goto exit_free;
+ }
+ break;
 case AUDIT_ARG0:
 case AUDIT_ARG1:
 case AUDIT_ARG2:
@@ -1535,6 +1542,10 @@ int audit_comparator(const u32 left, con
 return (left > right);
 case AUDIT_GREATER_THAN_OR_EQUAL:
 return (left >= right);
+ case AUDIT_BIT_MASK:
+ return (left & right);
+ case AUDIT_BIT_TEST:
+ return ((left & right) == right);
 }
 BUG();
 return 0;
--- linux-2.6.18.i686/include/linux/audit.h.pre.audit.bit.ops 2007-03-19 12:59:07.000000000 -0400
+++ linux-2.6.18.i686/include/linux/audit.h 2007-03-19 14:09:28.000000000 -0400
@@ -153,7 +153,7 @@
 * are currently used in an audit field constant understood by the kernel.
 * If you are adding a new #define AUDIT_<whatever>, please ensure that
 * AUDIT_UNUSED_BITS is updated if need be. */
-#define AUDIT_UNUSED_BITS 0x0FFFFC00
+#define AUDIT_UNUSED_BITS 0x07FFFC00
 /* Rule fields */
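Review bot: The two equality tests on f->op reject only the exact values AUDIT_BIT_MASK and AUDIT_BIT_TEST, yet the audit.h hunk folds AUDIT_BIT_MASK into AUDIT_OPERATORS, so an op that combines the new flag with AUDIT_LESS_THAN, AUDIT_GREATER_THAN or AUDIT_NOT_EQUAL is masked into f->op, passes this field switch, and at evaluation time matches no case in audit_comparator and reaches the BUG() after its switch. Unless the operator sanity check earlier in audit_rule_to_entry (outside this hunk) already rejects such combinations, the flag should be validated once before the field switch, e.g. `if ((f->op & AUDIT_BIT_MASK) && (f->op & ~AUDIT_BIT_TEST)) { err = -EINVAL; goto exit_free; }`, so that a malformed rule fails at insertion rather than crashing the kernel on the next audited syscall. The same reasoning applies to the audit_comparator hunk, where a `default:` arm would at least keep the reachable set explicit. audit_rule_to_entry begins and ends outside this hunk, and the rejection for AUDIT_EXIT/AUDIT_SUCCESS/AUDIT_DEVMINOR relies on fall-through from the case labels above it.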
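Review bot: `return (left & right);` hands back the raw masked value, whereas every neighbouring case in audit_comparator yields 0 or 1; `return (left & right) != 0;` keeps the result uniformly boolean. The difference only matters if a caller compares the return against 1 rather than testing it for zero, which cannot be confirmed from this hunk, but the normalised form costs nothing and avoids the question. The body of audit_comparator begins outside the hunk.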
@@ -205,25 +205,29 @@
 #define AUDIT_NEGATE 0x80000000
 /* These are the supported operators.
- * 4 2 1
- * = > <
- * -------
- * 0 0 0 0 nonsense
- * 0 0 1 1 <
- * 0 1 0 2 >
- * 0 1 1 3 !=
- * 1 0 0 4 =
- * 1 0 1 5 <=
- * 1 1 0 6 >=
- * 1 1 1 7 all operators
+ * 4 2 1 8
+ * = > < ?
+ * ----------
+ * 0 0 0 0 00 nonsense
+ * 0 0 0 1 08 & bit mask
+ * 0 0 1 0 10 <
+ * 0 1 0 0 20 >
+ * 0 1 1 0 30 !=
+ * 1 0 0 0 40 =
+ * 1 0 0 1 48 &= bit test
+ * 1 0 1 0 50 <=
+ * 1 1 0 0 60 >=
+ * 1 1 1 1 78 all operators
 */
+#define AUDIT_BIT_MASK 0x08000000
 #define AUDIT_LESS_THAN 0x10000000
 #define AUDIT_GREATER_THAN 0x20000000
 #define AUDIT_NOT_EQUAL 0x30000000
 #define AUDIT_EQUAL 0x40000000
+#define AUDIT_BIT_TEST (AUDIT_BIT_MASK|AUDIT_EQUAL)
 #define AUDIT_LESS_THAN_OR_EQUAL (AUDIT_LESS_THAN|AUDIT_EQUAL)
 #define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN|AUDIT_EQUAL)
-#define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL)
+#define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK)
 /* Status symbols */
 /* Mask values */
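Review bot: The rewritten operator table no longer states which of the sixteen possible values of the four operator bits are invalid: 18, 28, 38, 58, 68 (the new flag combined with < or >) and 70 (all three comparison bits without the flag, the value that the old table called "all operators" and treated as nonsense) are simply absent, and the new AUDIT_OPERATORS mask is 0x78000000, so any check elsewhere that rejects an op by comparing it to AUDIT_OPERATORS would now let 0x70000000 through (that check is not visible in this patch). A line such as ` * Any other combination of these bits is invalid and must be rejected at rule insertion.` under the table, and a note that AUDIT_BIT_MASK only combines meaningfully with AUDIT_EQUAL, would document the intended contract for both kernel and auditctl authors. Placing the 0x08 column rightmost of "4 2 1" is also easy to misread as a higher bit; ordering it as the lowest column would match the hex values shown.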