Re: [PATCH v2] audit: allow not equal op for audit by executable
On Mon, Apr 9, 2018 at 4:00 AM, Ondrej Mosnacek <omosnace(a)redhat.com> wrote:
From: Ondrej Mosnáček <omosnace(a)redhat.com>
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
This looks better, thanks.
I think we should also add a test for this added to the exec_name
tests, could you also do that please?
* https://github.com/linux-audit/audit-testsuite/blob/master/tests/exec_nam...
You can send the audit-testsuite patch either to this mailing list or
as a PR against the GitHub project.
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct
audit_field *f)
return -EINVAL;
break;
case AUDIT_EXE:
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op,
f->uid);
--
2.14.3
--
paul moore
www.paul-moore.com