On Wed, May 30, 2018 at 4:45 AM, Ondrej Mosnacek <[email protected]> wrote: > This patch removes the restriction of the AUDIT_EXE field to only > SYSCALL filter and teaches audit_filter to recognize this field. > > This makes it possible to write rule lists such as: > > auditctl -a exit,always [some general rule] > # Filter out events with executable name /bin/exe1 or /bin/exe2: > auditctl -a exclude,always -F exe=/bin/exe1 > auditctl -a exclude,always -F exe=/bin/exe2 > > See: https://github.com/linux-audit/audit-kernel/issues/54 > > Signed-off-by: Ondrej Mosnacek <[email protected]> > --- > kernel/auditfilter.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-)
Thanks for your patience Ondrej. Having reflected a bit on things from the recent IMA audit discussion, my current thinking is to go ahead and merge this patch into audit/next once the merge window closes. > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index eaa320148d97..6db9847ca031 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, > struct audit_field *f) > case AUDIT_EXE: > if (f->op != Audit_not_equal && f->op != Audit_equal) > return -EINVAL; > - if (entry->rule.listnr != AUDIT_FILTER_EXIT) > - return -EINVAL; > break; > } > return 0; > @@ -1360,6 +1358,11 @@ int audit_filter(int msgtype, unsigned int listtype) > f->type, f->op, > f->lsm_rule, NULL); > } > break; > + case AUDIT_EXE: > + result = audit_exe_compare(current, > e->rule.exe); > + if (f->op == Audit_not_equal) > + result = !result; > + break; > default: > goto unlock_and_return; > } > -- > 2.17.0 -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
