diff options
author | Ondrej Mosnáček <omosnace@redhat.com> | 2018-05-30 10:45:24 +0200 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2018-06-19 09:33:42 -0400 |
commit | 29c1372d6a9b872acf479ba2744e4e7f043981c0 (patch) | |
tree | 05bbfde74456e7b8aaccd618a5c05dd5cc10d02c | |
parent | ce397d215ccd07b8ae3f71db689aedb85d56ab40 (diff) | |
download | linux-29c1372d6a9b872acf479ba2744e4e7f043981c0.tar.bz2 |
audit: allow other filter list types for AUDIT_EXE
This patch removes the restriction of the AUDIT_EXE field to only
SYSCALL filter and teaches audit_filter to recognize this field.
This makes it possible to write rule lists such as:
auditctl -a exit,always [some general rule]
# Filter out events with executable name /bin/exe1 or /bin/exe2:
auditctl -a exclude,always -F exe=/bin/exe1
auditctl -a exclude,always -F exe=/bin/exe2
See: https://github.com/linux-audit/audit-kernel/issues/54
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r-- | kernel/auditfilter.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index eaa320148d97..6db9847ca031 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) case AUDIT_EXE: if (f->op != Audit_not_equal && f->op != Audit_equal) return -EINVAL; - if (entry->rule.listnr != AUDIT_FILTER_EXIT) - return -EINVAL; break; } return 0; @@ -1360,6 +1358,11 @@ int audit_filter(int msgtype, unsigned int listtype) f->type, f->op, f->lsm_rule, NULL); } break; + case AUDIT_EXE: + result = audit_exe_compare(current, e->rule.exe); + if (f->op == Audit_not_equal) + result = !result; + break; default: goto unlock_and_return; } |