authorOndrej Mosnáček <omosnace@redhat.com>2018-04-09 10:00:06 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-08-06 16:24:38 +0200
commit2dde48178ba5e66a2ac7235eaebad5655ae6db3e (patch)
treec1c882fbd2812034c83fc94798cdd18134da9652 /kernel
parent7315e0d38a29792cbb32b84e17e413412171e1e1 (diff)
audit: allow not equal op for audit by executable
[ Upstream commit 23bcc480dac204c7dbdf49d96b2c918ed98223c2 ] Current implementation of auditing by executable name only implements the 'equal' operator. This patch extends it to also support the 'not equal' operator. See: https://github.com/linux-audit/audit-kernel/issues/53 Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/auditfilter.c2
-rw-r--r--kernel/auditsc.c2
2 files changed, 3 insertions, 1 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b8ff9e193753..b57f929f1b46 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -406,7 +406,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
case AUDIT_EXE:
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
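Review bot: The operator check for `AUDIT_EXE` here and the evaluation in `audit_filter_rules()` (kernel/auditsc.c, second hunk) are kept in step only by convention: the matcher negates on `Audit_not_equal` and treats every other operator as equality. If a later change admits a further operator at this check, the rule would load and be silently evaluated as "equal", so events would be recorded or dropped contrary to what the administrator wrote. I would add a comment above the check, for example `/* exe matching is identity-only; audit_filter_rules() handles exactly Audit_equal and Audit_not_equal */`. The body of `audit_field_valid()` starts and ends outside this hunk.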
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 7444f95f3ee9..0fe8b337291a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -470,6 +470,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid);
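Review bot: `result = !result;` turns every zero return from `audit_exe_compare()` into a match, so the inverted rule is only correct if that helper returns 0 for a genuine mismatch and nothing else. The helper is not visible in this hunk; if it also returns 0 when the task's executable cannot be resolved, such tasks would match every "not equal" rule, and if it can return a negative error, that error would be counted as "equal". A comment stating the assumed contract would help, such as `/* audit_exe_compare() returns 0 or 1; a task with no resolvable exe counts as not equal */`, adjusted to what the helper really does. `audit_filter_rules()` continues outside the hunk.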