On 2018-05-30 10:45, Ondrej Mosnacek wrote: > This patch removes the restriction of the AUDIT_EXE field to only > SYSCALL filter and teaches audit_filter to recognize this field. > > This makes it possible to write rule lists such as: > > auditctl -a exit,always [some general rule] > # Filter out events with executable name /bin/exe1 or /bin/exe2: > auditctl -a exclude,always -F exe=/bin/exe1 > auditctl -a exclude,always -F exe=/bin/exe2 > > See: https://github.com/linux-audit/audit-kernel/issues/54 > > Signed-off-by: Ondrej Mosnacek <[email protected]>
Reviewed-by: Richard Guy Briggs <[email protected]> > --- > kernel/auditfilter.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index eaa320148d97..6db9847ca031 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, > struct audit_field *f) > case AUDIT_EXE: > if (f->op != Audit_not_equal && f->op != Audit_equal) > return -EINVAL; > - if (entry->rule.listnr != AUDIT_FILTER_EXIT) > - return -EINVAL; > break; > } > return 0; > @@ -1360,6 +1358,11 @@ int audit_filter(int msgtype, unsigned int listtype) > f->type, f->op, > f->lsm_rule, NULL); > } > break; > + case AUDIT_EXE: > + result = audit_exe_compare(current, > e->rule.exe); > + if (f->op == Audit_not_equal) > + result = !result; > + break; > default: > goto unlock_and_return; > } > -- > 2.17.0 > - RGB -- Richard Guy Briggs <[email protected]> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
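Review bot: in the audit_field_valid() hunk, dropping the listnr check makes AUDIT_EXE acceptable on every filter list, not only the exclude list the commit message describes; either each list type that can now carry an exe field has a comparison path that actually evaluates it (the second hunk only wires up audit_filter()), or the check should be narrowed to the lists that are handled rather than removed outright. The commit message and the userspace documentation for `-F exe=` should also state which lists accept the field after this change, since the example only shows `exclude`.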
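Review bot: in the audit_filter() hunk, the new AUDIT_EXE case compares against `current`, and audit_filter() runs for whatever task happens to be emitting the record, including contexts where there is no user-space executable to compare; the code should rely on audit_exe_compare() treating a task without an exe file as "no match" rather than as an error, and a one-line comment saying so would save the next reader the check. Inverting `result` for Audit_not_equal is consistent with audit_field_valid() restricting AUDIT_EXE to Audit_equal/Audit_not_equal, so no other operator can reach this case; note that this case reads `e->rule.exe` rather than the per-field value, unlike the neighbouring cases that pass `f` into the comparator, which is worth a comment as well.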
