On Fri, Apr 6, 2018 at 7:53 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 2018-04-06 13:10, Ondrej Mosnacek wrote:
> 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <rgb(a)redhat.com>:
> > On 2018-04-06 10:43, Ondrej Mosnacek wrote:
> >> Current implementation of auditing by executable name only implements
> >> the 'equal' operator. This patch extends it to also support the 'not
> >> equal' operator.
> >>
> >> See: https://github.com/linux-audit/audit-kernel/issues/53
> >>
> >> Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
> >> ---
> >>
> >> Hi Paul,
> >>
> >> this turned out to be easier than I anticipated so I'm sending the patch
> >> already :) I hope I got everything right. Note that the userspace tools
> >> also need to be updated to check the feature bit and allow/disallow the
> >> operator based on that.
> >
> > Do we really need to eat up a feature bit for this? The kernel will
> > simply return -EINVAL if it isn't supported. That will make userspace
> > implementation easier.
>
> The problem then would be that if someone tried to use the not equal
> operator on an older kernel, he would get some generic error message
> instead of the current "exe only takes = operator".
You are right. I'm just not sure it is worth spending a feature bit on it.
We've gotten a bit carried away with our use of the feature bits and
we need to start engaging in a bit more discipline when it comes to
our feature bit "spending".
Ondrej, let's implement this without the feature bit. While I agree
the generic error message isn't extremely useful, it still generates a
"safe" error condition that is transmitted back to the user.
Other than that, I think the patch looked fine to me; resend it and
I'll apply it once the merge window closes.
--
paul moore
www.paul-moore.com