From: Ondrej Mosnáček <omosn...@redhat.com>

Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53

Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
---
 kernel/auditfilter.c | 2 +-
 kernel/auditsc.c     | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, 
struct audit_field *f)
                        return -EINVAL;
                break;
        case AUDIT_EXE:
-               if (f->op != Audit_equal)
+               if (f->op != Audit_not_equal && f->op != Audit_equal)
                        return -EINVAL;
                if (entry->rule.listnr != AUDIT_FILTER_EXIT)
                        return -EINVAL;
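Review bot: The operator check under `case AUDIT_EXE:` lists the new operator before the original one and has no comment saying why only these two are accepted. Writing it as `if (f->op != Audit_equal && f->op != Audit_not_equal)` keeps the established operator first, and a one-line comment such as `/* exe comparison yields match/no-match only, so ordering operators are rejected */` would record the reason. The `entry->rule.listnr` check that follows still confines these rules to the exit filter, so, as far as this patch shows, the negated form is only evaluated at the site changed in kernel/auditsc.c. audit_field_valid starts and ends outside the hunk.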
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_EXE:
                        result = audit_exe_compare(tsk, rule->exe);
+                       if (f->op == Audit_not_equal)
+                               result = !result;
                        break;
                case AUDIT_UID:
                        result = audit_uid_comparator(cred->uid, f->op, f->uid);
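Review bot: The negation added under `case AUDIT_EXE:` treats every zero return from audit_exe_compare() as "different executable", and that helper's body is not part of this patch. If it also returns 0 when the task's executable cannot be determined, a not-equal rule would match such tasks. If it can return a negative error, `!result` would silently turn that into a non-match. I would state the intended behaviour in a comment above the `if`, e.g. `/* != matches whenever the exe does not compare equal, including when it cannot be resolved */`, or handle the failure return separately once the helper's contract is confirmed. audit_filter_rules begins and ends outside the hunk.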
-- 
2.14.3
