[grsec] Suppress logging for RES_* ?

Zbyniu Krzystolik zbyniu at geocarbon.pl
Mon Aug 20 18:10:19 EDT 2007


Mniej wiecej Tue, Aug 14, 2007 at 10:41:47PM +0200, zainteresowany Matija Nalis rzekl:
> I know it's possible to suppress logs for denied file access using 's'.
> 
> It it possible to accomplish the same things for RES_AS and friends ?
> 
> I want resource overstep logging enabled for whole site, except for few
> subjects that I know will constantly try to overstep resource limit, but I
> don't want to know about them.

By default no, but you can use attached patches.

Zbyniu
-- 
%% Absolutely nothing we trust %%
-------------- next part --------------
diff -upr gradm2/gradm_defs.h gradm2/gradm_defs.h
--- gradm2/gradm_defs.h	2007-08-01 22:30:35.000000000 +0200
+++ gradm2/gradm_defs.h	2007-08-20 22:10:42.554507497 +0200
@@ -133,7 +133,8 @@ enum {
 	GR_INHERITLEARN = 0x00004000,
 	GR_PROCFIND	= 0x00008000,
 	GR_POVERRIDE	= 0x00010000,
-	GR_KERNELAUTH	= 0x00020000
+	GR_KERNELAUTH	= 0x00020000,
+	GR_SUB_SUPPRESS	= 0x00040000
 };
 
 /* internal use only.  not to be modified */
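Review bot: GR_SUB_SUPPRESS is now defined twice, here and in the kernel's include/linux/grdefs.h hunk, and nothing in the patch ties the two values together. A comment on the new enumerator would make the dependency explicit, for example `/* must match GR_SUB_SUPPRESS in the kernel's include/linux/grdefs.h */`. Whether 0x00040000 is actually unused in both trees cannot be confirmed from these hunks, because each enum is only partly visible.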
diff -upr gradm2/gradm_human.c gradm2/gradm_human.c
--- gradm2/gradm_human.c	2005-12-18 01:24:06.000000000 +0100
+++ gradm2/gradm_human.c	2007-08-20 22:14:24.835897269 +0200
@@ -65,7 +65,8 @@ static struct subj_mode_name_table {
 	GR_RELAXPTRACE, 'r'}, {
 	GR_INHERITLEARN, 'i'}, {
 	GR_POVERRIDE, 't'}, {
-	GR_KERNELAUTH, 'a'}
+	GR_KERNELAUTH, 'a'}, {
+	GR_SUB_SUPPRESS, 's'}
 };
 
 void
diff -upr gradm2/gradm_parse.c gradm2/gradm_parse.c
--- gradm2/gradm_parse.c	2006-02-08 01:42:51.000000000 +0100
+++ gradm2/gradm_parse.c	2007-08-20 22:16:24.401013165 +0200
@@ -882,6 +882,9 @@ proc_subject_mode_conv(const char *mode)
 		case 'a':
 			retmode |= GR_KERNELAUTH;
 			break;
+		case 's':
+			retmode |= GR_SUB_SUPPRESS;
+			break;
 		default:
 			fprintf(stderr, "Invalid subject mode "
 				"\'%c\' found on line %lu "
diff -upr gradm2/gradm.l gradm2/gradm.l
--- gradm2/gradm.l	2007-02-09 23:44:40.000000000 +0100
+++ gradm2/gradm.l	2007-08-20 22:38:01.653805000 +0200
@@ -107,7 +107,7 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"
 					  gradmlval.string = gr_strdup(gr_line);
 					  return SUBJ_NAME;
 					}
-<SUBJECT_STATE>[TKCAOtolhpkvdbria]+	{
+<SUBJECT_STATE>[TKCAOtolhpkvdbrias]+	{
 					  gradmlval.num = proc_subject_mode_conv(yytext);
 					  return SUBJ_MODE;
 					}
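Review bot: The subject-mode letter `s` added to this character class (and handled by the new `case 's':` in the proc_subject_mode_conv hunk) reuses the letter that already means log suppression on objects, but its scope is narrower and undocumented. Judging by the kernel hunk, it only silences gr_log_resource() and leaves every other denial for that subject logged. A comment above the new case such as `/* 's': suppress resource-limit (RES_*) overstep logs for this subject only */`, plus a matching line in the policy documentation, would keep policy authors from assuming it hides all alerts for the subject.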
-------------- next part --------------
--- linux-2.6.22/grsecurity/gracl_res.c	2007-08-19 22:18:42.313231500 +0200
+++ linux-2.6.22/grsecurity/gracl_res.c	2007-08-20 12:52:15.109283250 +0200
@@ -33,6 +33,9 @@ gr_log_resource(const struct task_struct
 	if (!gr_acl_is_enabled() && !grsec_resource_logging)
 		return;
 
+	if (gr_acl_is_enabled() && task->acl->mode & GR_SUB_SUPPRESS)
+		return;	
+
 	preempt_disable();
 
 	if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
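Review bot: The added early return dereferences `task->acl` guarded only by `gr_acl_is_enabled()`, and the hunk does not show whether every task is guaranteed a non-NULL acl at that point (for instance while RBAC is being enabled or disabled). Unless that invariant is established elsewhere, the test would be safer and easier to read as `if (gr_acl_is_enabled() && task->acl && (task->acl->mode & GR_SUB_SUPPRESS))`. Because the return comes before the limit comparison, a subject carrying this flag leaves no audit record at all when it hits a resource limit, even with grsec_resource_logging set. A comment such as `/* per-subject opt-out: no RES_* overstep record is emitted for this task */` would make that trade-off visible to whoever reviews the policy later. The `return;` line also carries a trailing tab, and gr_log_resource() begins and ends outside this hunk.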
--- linux-2.6.22/include/linux/grdefs.h	2007-08-20 03:14:12.761315250 +0200
+++ linux-2.6.22/include/linux/grdefs.h	2007-08-20 12:42:27.764576500 +0200
@@ -85,6 +85,7 @@ enum {
 	GR_PROCFIND	= 0x00008000,
 	GR_POVERRIDE	= 0x00010000,
 	GR_KERNELAUTH	= 0x00020000,
+	GR_SUB_SUPPRESS	= 0x00040000,
 };
 
 enum {

