Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53

Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
---

Hi Paul,

this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.

Ondrej

 include/uapi/linux/audit.h | 18 ++++++++++--------
 kernel/auditfilter.c       |  2 +-
 kernel/auditsc.c           |  2 ++
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
 #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
 #define AUDIT_STATUS_LOST              0x0040
 
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT     0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH   0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND    0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER  0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET                0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS         0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT             0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME         0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH           0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND            0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER          0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET                        0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS                 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ       0x00000080
 
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
                                  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
                                  AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
                                  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
                                  AUDIT_FEATURE_BITMAP_LOST_RESET | \
-                                 AUDIT_FEATURE_BITMAP_FILTER_FS)
+                                 AUDIT_FEATURE_BITMAP_FILTER_FS | \
+                                 AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
 
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST           AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, 
struct audit_field *f)
                        return -EINVAL;
                break;
        case AUDIT_EXE:
-               if (f->op != Audit_equal)
+               if (f->op != Audit_not_equal && f->op != Audit_equal)
                        return -EINVAL;
                if (entry->rule.listnr != AUDIT_FILTER_EXIT)
                        return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_EXE:
                        result = audit_exe_compare(tsk, rule->exe);
+                       if (f->op == Audit_not_equal)
+                               result = !result;
                        break;
                case AUDIT_UID:
                        result = audit_uid_comparator(cred->uid, f->op, f->uid);
-- 
2.14.3

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to