Re: [PATCH v2] audit: allow not equal op for audit by executable
On Mon, Apr 9, 2018 at 4:00 AM, Ondrej Mosnacek wrote:
> From: Ondrej Mosnáček
>
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> Signed-off-by: Ondrej Mosnacek
> ---
> kernel/auditfilter.c | 2 +-
> kernel/auditsc.c | 2 ++
> 2 files changed, 3 insertions(+), 1 deletion(-)

Merged into audit/next, thanks.

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f)
> return -EINVAL;
> break;
> case AUDIT_EXE:
> - if (f->op != Audit_equal)
> + if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op,
> f->uid);
> --
> 2.14.3
>

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
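Review bot: the widened check in the audit_field_valid() hunk admits exactly Audit_equal and Audit_not_equal, but the commit message only says the 'not equal' operator is now supported and does not say that the AUDIT_FILTER_EXIT check on the two lines that follow still applies to both operators. State in the commit message (and in the auditctl documentation of the exe field) that `-F exe!=PATH` is accepted only on the exit list, and add a regression test for the rejected cases, since nothing in this series exercises the -EINVAL path for any other operator or list.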
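Review bot: in the audit_filter_rules() hunk, `result = !result` makes a `!=` rule match every task for which audit_exe_compare() reports no match, so if audit_exe_compare() returns 0 for tasks whose executable cannot be resolved at all (kernel threads, for instance), a rule written to exclude one binary will also match those tasks; confirm that this is the intended semantics and document it, because an inverted "no match" is not the same as "the executable is a different file". A style point: the AUDIT_UID case two lines below passes f->op into its comparator, and handling the operator inside audit_exe_compare() the same way would keep the operator logic in one place instead of special-casing it here.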
Re: [PATCH v2] audit: allow not equal op for audit by executable
On 2018-04-09 10:00, Ondrej Mosnacek wrote:
> From: Ondrej Mosnáček
>
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> Signed-off-by: Ondrej Mosnacek

Looks good to me.

Reviewed-by: Richard Guy Briggs

> ---
> kernel/auditfilter.c | 2 +-
> kernel/auditsc.c | 2 ++
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f)
> return -EINVAL;
> break;
> case AUDIT_EXE:
> - if (f->op != Audit_equal)
> + if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op, f->uid);
> --
> 2.14.3
>

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH v2] audit: allow not equal op for audit by executable
On Mon, Apr 9, 2018 at 4:00 AM, Ondrej Mosnacek wrote:
> From: Ondrej Mosnáček
>
> Current implementation of auditing by executable name only implements
> the 'equal' operator. This patch extends it to also support the 'not
> equal' operator.
>
> See: https://github.com/linux-audit/audit-kernel/issues/53
>
> Signed-off-by: Ondrej Mosnacek
> ---
> kernel/auditfilter.c | 2 +-
> kernel/auditsc.c | 2 ++
> 2 files changed, 3 insertions(+), 1 deletion(-)

This looks better, thanks. I think we should also add a test for this to the exec_name tests; could you also do that please?

* https://github.com/linux-audit/audit-testsuite/blob/master/tests/exec_name/test

You can send the audit-testsuite patch either to this mailing list or as a PR against the GitHub project.

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index d7a807e81451..a0c5a3ec6e60 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f)
> return -EINVAL;
> break;
> case AUDIT_EXE:
> - if (f->op != Audit_equal)
> + if (f->op != Audit_not_equal && f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> return -EINVAL;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4e0a4ac803db..479c031ec54c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
> break;
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op,
> f->uid);
> --
> 2.14.3
>

--
paul moore
www.paul-moore.com
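As an added example, not the audit-testsuite's exec_name test and not code from this thread, the following Python script lints an audit.rules file for the two constraints that audit_field_valid() enforces on the exe field after this patch: only the = and != operators are accepted, and the field is only valid on the exit list. It assumes auditctl's `-F exe=PATH` / `-F exe!=PATH` field syntax and the `-k KEY` / `-F key=KEY` key forms; the sample rules file embedded below is constructed for the example. Running the linter before `auditctl -R` catches rules the kernel would reject with -EINVAL, which auditctl otherwise reports only at load time.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Operators the kernel accepts for the exe field after this patch.
EXE_OPS_ALLOWED = {"=", "!="}
# Rule lists auditctl knows; audit_field_valid() only accepts exe on "exit".
KNOWN_LISTS = {"task", "exit", "user", "exclude", "filesystem"}

# Longer operators first so "!=" and "<=" are not read as "=" or "<".
EXE_FIELD_RE = re.compile(r"-F\s+exe(!=|<=|>=|&=|=|<|>|&)(\S+)")
ACTION_LIST_RE = re.compile(r"-[aA]\s+(\w+),(\w+)")
KEY_RE = re.compile(r"(?:-F\s+key=|-k\s+)(\S+)")

# Constructed sample audit.rules content (not from the patch or the thread).
SAMPLE_RULES = """\
# exe-based rules, constructed for this example
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -F key=sudo_exec
-a always,exit -F arch=b64 -S openat,open -F exe!=/usr/sbin/sshd -k not_sshd
-a always,exclude -F exe=/usr/bin/noisy-daemon
-a always,exit -F arch=b64 -S all -F exe>/usr/bin/a -k bad_op
-w /etc/passwd -p wa -k passwd_changes
"""


@dataclass
class ExeRule:
    line_no: int
    action: str
    list_name: str
    op: str
    path: str
    key: Optional[str]


def parse_exe_rule(line_no: int, line: str) -> Optional[ExeRule]:
    """Return the exe rule on this line, or None if the line has no exe field."""
    field = EXE_FIELD_RE.search(line)
    if not field:
        return None
    action_list = ACTION_LIST_RE.search(line)
    if not action_list:
        return None
    a, b = action_list.group(1), action_list.group(2)
    # auditctl accepts both "always,exit" and "exit,always".
    list_name, action = (a, b) if a in KNOWN_LISTS else (b, a)
    key = KEY_RE.search(line)
    return ExeRule(line_no, action, list_name, field.group(1), field.group(2),
                   key.group(1) if key else None)


def lint_audit_rules(text: str) -> Tuple[List[ExeRule], List[str]]:
    """Collect exe rules and report those the kernel's audit_field_valid() rejects."""
    rules: List[ExeRule] = []
    problems: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_exe_rule(n, line)
        if rule is None:
            continue
        rules.append(rule)
        if rule.op not in EXE_OPS_ALLOWED:
            problems.append(
                f"line {n}: operator '{rule.op}' is not valid for exe (only = and !=)")
        if rule.list_name != "exit":
            problems.append(
                f"line {n}: exe field is only accepted on the exit list, not '{rule.list_name}'")
    return rules, problems


if __name__ == "__main__":
    found, issues = lint_audit_rules(SAMPLE_RULES)
    for r in found:
        print(f"line {r.line_no}: {r.action},{r.list_name} exe{r.op}{r.path} key={r.key}")
    for p in issues:
        print("PROBLEM:", p)
```

The `!=` rule on the sshd line is the case this patch enables; on a kernel without it, loading that rule fails with -EINVAL, so the linter only tells you whether the rule is well formed, not whether the running kernel accepts it.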