On Wed, May 30, 2018 at 4:45 AM Ondrej Mosnacek <[email protected]> wrote:
>
> This patch removes the restriction of the AUDIT_EXE field to only
> SYSCALL filter and teaches audit_filter to recognize this field.
>
> This makes it possible to write rule lists such as:
>
>     auditctl -a exit,always [some general rule]
>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>     auditctl -a exclude,always -F exe=/bin/exe1
>     auditctl -a exclude,always -F exe=/bin/exe2
>
> See: https://github.com/linux-audit/audit-kernel/issues/54
>
> Signed-off-by: Ondrej Mosnacek <[email protected]>
> ---
>  kernel/auditfilter.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)

Merged, thanks.

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
