[PATCH] audit: add fields to exclude filter by reusing user filter

From: Richard Guy Briggs
Date: Wed Jun 01 2016 - 18:51:09 EST


RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5

Re-factor audit_filter_type() to use audit_filter_user_rules() to enable
exclude filter to additionally filter on PID, UID, GID, AUID,
LOGINUID_SET, SUBJ_*.

Add check in audit_filter_user() to quit early if list is empty.

Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
---
kernel/auditfilter.c | 22 +++++++++-------------
1 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 96c9a1b..515c752 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1358,6 +1358,9 @@ int audit_filter_user(int type)
ret = 1; /* Audit by default */

rcu_read_lock();
+ if (list_empty(&audit_filter_list[AUDIT_FILTER_USER]))
+ goto unlock_and_return;
+
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
rc = audit_filter_user_rules(&e->rule, type, &state);
if (rc) {
@@ -1366,13 +1369,14 @@ int audit_filter_user(int type)
break;
}
}
+unlock_and_return:
rcu_read_unlock();
-
return ret;
}

int audit_filter_type(int type)
{
+ enum audit_state state = AUDIT_DISABLED;
struct audit_entry *e;
int result = 0;

@@ -1380,19 +1384,11 @@ int audit_filter_type(int type)
if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
goto unlock_and_return;

- list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
- list) {
- int i;
- for (i = 0; i < e->rule.field_count; i++) {
- struct audit_field *f = &e->rule.fields[i];
- if (f->type == AUDIT_MSGTYPE) {
- result = audit_comparator(type, f->op, f->val);
- if (!result)
- break;
- }
+ list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], list) {
+ if (audit_filter_user_rules(&e->rule, type, &state) == 1) {
+ result = 1;
+ break;
}
- if (result)
- goto unlock_and_return;
}
unlock_and_return:
rcu_read_unlock();
--
1.7.1