[PATCH v2] audit: allow not equal op for audit by executable
Richard Guy Briggs
rgb at redhat.com
Mon Apr 9 19:22:48 UTC 2018
On 2018-04-09 10:00, Ondrej Mosnacek wrote:
> From: Ondrej Mosnáček <omosnace at redhat.com>
>
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
Looks good to me. Reveiwed-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> kernel/auditfilter.c | 2 +-
> kernel/auditsc.c | 2 ++
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
> return -EINVAL;
> break;
> case AUDIT_EXE:
> - if (f->op != Audit_equal)
> + if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op, f->uid);
> --
> 2.14.3
>
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list