On 2018-04-09 10:00, Ondrej Mosnacek wrote:
> From: Ondrej Mosnáček <omosn...@redhat.com>
> 
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
> 
> See: https://github.com/linux-audit/audit-kernel/issues/53
> 
> Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>

Looks good to me.  Reveiwed-by: Richard Guy Briggs <r...@redhat.com>

> ---
>  kernel/auditfilter.c | 2 +-
>  kernel/auditsc.c     | 2 ++
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, 
> struct audit_field *f)
>                       return -EINVAL;
>               break;
>       case AUDIT_EXE:
> -             if (f->op != Audit_equal)
> +             if (f->op != Audit_not_equal && f->op != Audit_equal)
>                       return -EINVAL;
>               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
>                       return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
>                       break;
>               case AUDIT_EXE:
>                       result = audit_exe_compare(tsk, rule->exe);
> +                     if (f->op == Audit_not_equal)
> +                             result = !result;
>                       break;
>               case AUDIT_UID:
>                       result = audit_uid_comparator(cred->uid, f->op, f->uid);
> -- 
> 2.14.3
> 

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to