Commit 23bcc480 authored by Ondrej Mosnáček's avatar Ondrej Mosnáček Committed by Paul Moore
Browse files

audit: allow not equal op for audit by executable 

Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53



Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent d96f92f4

kernel/auditfilter.c

+1 −1
Original line number Diff line number Diff line
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) 
			return -EINVAL;

		break;

	case AUDIT_EXE:

		if (f->op != Audit_equal)

		if (f->op != Audit_not_equal && f->op != Audit_equal)

			return -EINVAL;

		if (entry->rule.listnr != AUDIT_FILTER_EXIT)

			return -EINVAL;

kernel/auditsc.c

+2 −0
Original line number Diff line number Diff line
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, 
			break;

		case AUDIT_EXE:

			result = audit_exe_compare(tsk, rule->exe);

			if (f->op == Audit_not_equal)

				result = !result;

			break;

		case AUDIT_UID:

			result = audit_uid_comparator(cred->uid, f->op, f->uid);

CRA Git | Maintained and supported by SUSTech CRA and CCSE