This patch set extends the previous AUDIT_EXE patch by also doing a similar thing with the AUDIT_DIR field.

I am sending it as RFC since this change requires passing audit_context to audit_filter and I'm not sure if I should also pass it when doing the AUDIT_FILTER_USER filtering. The call site does not have the ctx variable, although I suppose it could be extracted from the current task somehow, but I'm not sure if it even makes sense to use it in that place. I am not enabling AUDIT_DIR for AUDIT_FILTER_USER in this patch, but if it makes sense I will do that in the final patch.

Paul/Richard, please advise. See the FIXME in the second patch for the problematic location.

Ondrej Mosnacek (2):
  audit: allow other filter list types for AUDIT_EXE
  [WIP] audit: allow other filter list types for AUDIT_DIR

 kernel/audit.c       |  5 +++--
 kernel/audit.h       | 32 +++++++++++++++++++++++++++++++-
 kernel/audit_tree.c  |  4 +++-
 kernel/auditfilter.c | 13 ++++++++++---
 kernel/auditsc.c     | 28 ----------------------------
 5 files changed, 47 insertions(+), 35 deletions(-)

--
2.17.0
