[PATCH v2] audit: allow not equal op for audit by executable
Paul Moore
paul at paul-moore.com
Tue Apr 24 16:19:14 UTC 2018
On Mon, Apr 9, 2018 at 4:00 AM, Ondrej Mosnacek <omosnace at redhat.com> wrote:
> From: Ondrej Mosnáček <omosnace at redhat.com>
>
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> ---
> kernel/auditfilter.c | 2 +-
> kernel/auditsc.c | 2 ++
> 2 files changed, 3 insertions(+), 1 deletion(-)
Merged into audit/next, thanks.
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
> return -EINVAL;
> break;
> case AUDIT_EXE:
> - if (f->op != Audit_equal)
> + if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op, f->uid);
> --
> 2.14.3
>
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list