From 21f104089cf3a8ee8eb295bafa47dff6ab1000ac Mon Sep 17 00:00:00 2001
From: David Balme <david.balme@windriver.com>
Date: Sun, 29 Jan 2017 18:14:25 -0500
Subject: [PATCH 1/1] tamper proof bash log

---
 misc/chattr.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/misc/chattr.c b/misc/chattr.c
index f130108..44db04b 100644
--- a/misc/chattr.c
+++ b/misc/chattr.c
@@ -188,6 +188,49 @@ static int decode_arg (int * i, int argc, char ** argv)
 	return 1;
 }
 
+//
+//  returns true (1) if name looks like
+//    bash.log
+//    bash.log*
+//    */bash.log
+//    */bash.log*
+//
+static int is_bash_log_file(const char * name) {
+	if (name == NULL) {
+		return 0;
+	}
+	char * srchresult = strstr(name, "bash.log");
+	if (srchresult != NULL) {
+		if (srchresult == name) {
+			// starts with scenario
+			return 1;
+		}
+        // contained scenario
+		// let's ensure preceding char is a /
+		srchresult --;
+		if (*srchresult == '/') {
+			return 1;
+		}
+		return 0;
+	}
+	return 0;
+}
+
+// returns true (1) if user is trying to remove append-only flag
+//         from bash.log file.
+static int is_remove_append_only_on_bash_log(const char * name, unsigned long flags, int rem) {
+	if (!rem) {
+		return 0; // no attribute remove operation specified
+	}
+	if (!(flags & EXT2_APPEND_FL)) { //
+		return 0;
+	}
+	// at this point we are trying to remove append only attribute!
+	// now check if its a bash.log file
+	return is_bash_log_file(name);
+}
+
+
 static int chattr_dir_proc(const char *, struct dirent *, void *);
 
 static int change_attributes(const char * name)
@@ -208,6 +251,11 @@ static int change_attributes(const char * name)
 					_("while reading flags on %s"), name);
 		return -1;
 	}
+
+	if (is_remove_append_only_on_bash_log(name, flags, rem)) {
+		return 0;
+	}
+
 	if (set) {
 		if (verbose) {
 			printf (_("Flags of %s set as "), name);
-- 
1.9.1