This patch removes the restriction of the AUDIT_EXE field to only SYSCALL filter and teaches audit_filter to recognize this field. This makes it possible to write rule lists such as: auditctl -a exit,always [some general rule] # Filter out events with executable name /bin/exe1 or /bin/exe2: auditctl -a exclude,always -F exe=/bin/exe1 auditctl -a exclude,always -F exe=/bin/exe2 See: https://github.com/linux-audit/audit-kernel/issues/54 Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com&gt; --- kernel/auditfilter.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index a0c5a3ec6e60..8c9abbf20d42 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) case AUDIT_EXE: if (f->op != Audit_not_equal && f->op != Audit_equal) return -EINVAL; - if (entry->rule.listnr != AUDIT_FILTER_EXIT) - return -EINVAL; break; } return 0; @@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype) f->type, f->op, f->lsm_rule, NULL); } break; + case AUDIT_EXE: + result = audit_exe_compare(current, e->rule.exe); + if (f->op == Audit_not_equal) + result = !result; + break; default: goto unlock_and_return; } -- 2.14.3

2018-05-01 22:06 GMT+02:00 Paul Moore <paul(a)paul-moore.com&gt;: > On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek <omosnace(a)redhat.com&gt; wrote: >> This patch removes the restriction of the AUDIT_EXE field to only >> SYSCALL filter and teaches audit_filter to recognize this field. >> >> This makes it possible to write rule lists such as: >> >> auditctl -a exit,always [some general rule] >> # Filter out events with executable name /bin/exe1 or /bin/exe2: >> auditctl -a exclude,always -F exe=/bin/exe1 >> auditctl -a exclude,always -F exe=/bin/exe2 >> >> See: https://github.com/linux-audit/audit-kernel/issues/54 >> >> Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com&gt; >> --- >> kernel/auditfilter.c | 7 +++++-- >> 1 file changed, 5 insertions(+), 2 deletions(-) > > Looks reasonable, do you have a working test for this? Sure, I listed all the related patches (test suite and userspace) in the GHAK issue. Anyway, the testsuite patch can be found here: https://github.com/linux-audit/audit-testsuite/pull/68

>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c >> index a0c5a3ec6e60..8c9abbf20d42 100644 >> --- a/kernel/auditfilter.c >> +++ b/kernel/auditfilter.c >> @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) >> case AUDIT_EXE: >> if (f->op != Audit_not_equal && f->op != Audit_equal) >> return -EINVAL; >> - if (entry->rule.listnr != AUDIT_FILTER_EXIT) >> - return -EINVAL; >> break; >> } >> return 0; >> @@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype) >> f->type, f->op, f->lsm_rule, NULL); >> } >> break; >> + case AUDIT_EXE: >> + result = audit_exe_compare(current, e->rule.exe); >> + if (f->op == Audit_not_equal) >> + result = !result; >> + break; >> default: >> goto unlock_and_return; >> } >> -- >> 2.14.3 >> > > > > -- > paul moore > www.paul-moore.com -- Ondrej Mosnacek <omosnace at redhat dot com> Associate Software Engineer, Security Technologies Red Hat, Inc.