[grsec] Suppress logging for RES_* ?
Zbyniu Krzystolik
zbyniu at geocarbon.pl
Mon Aug 20 18:10:19 EDT 2007
Mniej wiecej Tue, Aug 14, 2007 at 10:41:47PM +0200, zainteresowany Matija Nalis rzekl:
> I know it's possible to suppress logs for denied file access using 's'.
>
> Is it possible to accomplish the same thing for RES_AS and friends ?
>
> I want resource overstep logging enabled for whole site, except for few
> subjects that I know will constantly try to overstep resource limit, but I
> don't want to know about them.
By default no, but you can use the attached patches.
Zbyniu
--
%% Absolutely nothing we trust %%
-------------- next part --------------
diff -upr gradm2/gradm_defs.h gradm2/gradm_defs.h
--- gradm2/gradm_defs.h 2007-08-01 22:30:35.000000000 +0200
+++ gradm2/gradm_defs.h 2007-08-20 22:10:42.554507497 +0200
@@ -133,7 +133,8 @@ enum {
GR_INHERITLEARN = 0x00004000,
GR_PROCFIND = 0x00008000,
GR_POVERRIDE = 0x00010000,
- GR_KERNELAUTH = 0x00020000
+ GR_KERNELAUTH = 0x00020000,
+ GR_SUB_SUPPRESS = 0x00040000
};
/* internal use only. not to be modified */
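Review bot: The value 0x00040000 given to GR_SUB_SUPPRESS on the added line must stay identical to the kernel-side enum in include/linux/grdefs.h (the second attachment adds the same value there), because the userland mode word is what the kernel later tests; a comment such as `/* must match GR_SUB_SUPPRESS in include/linux/grdefs.h */` beside the new entry would make that coupling visible to the next person extending either enum. Whether 0x00040000 collides with any flag defined outside the visible lines of either enum cannot be checked from this hunk.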
diff -upr gradm2/gradm_human.c gradm2/gradm_human.c
--- gradm2/gradm_human.c 2005-12-18 01:24:06.000000000 +0100
+++ gradm2/gradm_human.c 2007-08-20 22:14:24.835897269 +0200
@@ -65,7 +65,8 @@ static struct subj_mode_name_table {
GR_RELAXPTRACE, 'r'}, {
GR_INHERITLEARN, 'i'}, {
GR_POVERRIDE, 't'}, {
- GR_KERNELAUTH, 'a'}
+ GR_KERNELAUTH, 'a'}, {
+ GR_SUB_SUPPRESS, 's'}
};
void
diff -upr gradm2/gradm_parse.c gradm2/gradm_parse.c
--- gradm2/gradm_parse.c 2006-02-08 01:42:51.000000000 +0100
+++ gradm2/gradm_parse.c 2007-08-20 22:16:24.401013165 +0200
@@ -882,6 +882,9 @@ proc_subject_mode_conv(const char *mode)
case 'a':
retmode |= GR_KERNELAUTH;
break;
+ case 's':
+ retmode |= GR_SUB_SUPPRESS;
+ break;
default:
fprintf(stderr, "Invalid subject mode "
"\'%c\' found on line %lu "
diff -upr gradm2/gradm.l gradm2/gradm.l
--- gradm2/gradm.l 2007-02-09 23:44:40.000000000 +0100
+++ gradm2/gradm.l 2007-08-20 22:38:01.653805000 +0200
@@ -107,7 +107,7 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"
gradmlval.string = gr_strdup(gr_line);
return SUBJ_NAME;
}
-<SUBJECT_STATE>[TKCAOtolhpkvdbria]+ {
+<SUBJECT_STATE>[TKCAOtolhpkvdbrias]+ {
gradmlval.num = proc_subject_mode_conv(yytext);
return SUBJ_MODE;
}
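Review bot: The subject-mode alphabet on the changed pattern line now has to be kept in step with the `case 's'` added to proc_subject_mode_conv in the gradm_parse.c hunk and with the table entry added in the gradm_human.c hunk; the three agree here, but nothing enforces it. A comment on the rule such as `/* keep in sync with proc_subject_mode_conv() and subj_mode_name_table */` would help. As the mail itself notes, 's' already means log suppression on objects, so the letter now has two meanings separated only by lexer state, which is worth spelling out in the gradm documentation for the new subject mode.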
-------------- next part --------------
--- linux-2.6.22/grsecurity/gracl_res.c 2007-08-19 22:18:42.313231500 +0200
+++ linux-2.6.22/grsecurity/gracl_res.c 2007-08-20 12:52:15.109283250 +0200
@@ -33,6 +33,9 @@ gr_log_resource(const struct task_struct
if (!gr_acl_is_enabled() && !grsec_resource_logging)
return;
+ if (gr_acl_is_enabled() && task->acl->mode & GR_SUB_SUPPRESS)
+ return;
+
preempt_disable();
if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
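Review bot: The suppression test on the added line mixes `&&` and `&` without parentheses; `&` binds tighter, so it is correct, but `if (gr_acl_is_enabled() && (task->acl->mode & GR_SUB_SUPPRESS))` reads unambiguously and matches the surrounding kernel style. Whether `task->acl` is guaranteed non-NULL whenever gr_acl_is_enabled() returns true is not visible in this hunk and should be confirmed against how the rest of gracl_res.c dereferences it. Since this bit silences resource-limit violations for the subject even when grsec_resource_logging is on system-wide, a one-line comment such as `/* subject opted out of resource-limit logging (gradm subject mode 's') */` would tell a later reader why an audit event is dropped here. gr_log_resource's body continues outside the hunk.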
--- linux-2.6.22/include/linux/grdefs.h 2007-08-20 03:14:12.761315250 +0200
+++ linux-2.6.22/include/linux/grdefs.h 2007-08-20 12:42:27.764576500 +0200
@@ -85,6 +85,7 @@ enum {
GR_PROCFIND = 0x00008000,
GR_POVERRIDE = 0x00010000,
GR_KERNELAUTH = 0x00020000,
+ GR_SUB_SUPPRESS = 0x00040000,
};
enum {