Re: [RFC PATCH 1/2] audit: allow other filter list types for AUDIT_EXE

On Wed, May 30, 2018 at 4:45 AM, Ondrej Mosnacek <omosnace(a)redhat.com&gt; wrote: > This patch removes the restriction of the AUDIT_EXE field to only > SYSCALL filter and teaches audit_filter to recognize this field. > > This makes it possible to write rule lists such as: > > auditctl -a exit,always [some general rule] > # Filter out events with executable name /bin/exe1 or /bin/exe2: > auditctl -a exclude,always -F exe=/bin/exe1 > auditctl -a exclude,always -F exe=/bin/exe2 > > See: https://github.com/linux-audit/audit-kernel/issues/54 > > Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com&gt; > --- > kernel/auditfilter.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) Thanks for your patience Ondrej. Having reflected a bit on things from the recent IMA audit discussion, my current thinking is to go ahead and merge this patch into audit/next once the merge window closes.

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index eaa320148d97..6db9847ca031 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) > case AUDIT_EXE: > if (f->op != Audit_not_equal && f->op != Audit_equal) > return -EINVAL; > - if (entry->rule.listnr != AUDIT_FILTER_EXIT) > - return -EINVAL; > break; > } > return 0; > @@ -1360,6 +1358,11 @@ int audit_filter(int msgtype, unsigned int listtype) > f->type, f->op, f->lsm_rule, NULL); > } > break; > + case AUDIT_EXE: > + result = audit_exe_compare(current, e->rule.exe); > + if (f->op == Audit_not_equal) > + result = !result; > + break; > default: > goto unlock_and_return; > } > -- > 2.17.0 -- paul moore www.paul-moore.com