From 23bcc480dac204c7dbdf49d96b2c918ed98223c2 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnáček <omosnace@redhat.com>
Date: Mon, 9 Apr 2018 10:00:06 +0200
Subject: audit: allow not equal op for audit by executable

Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 kernel/auditfilter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'kernel/auditfilter.c')

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 			return -EINVAL;
 		break;
 	case AUDIT_EXE:
-		if (f->op != Audit_equal)
+		if (f->op != Audit_not_equal && f->op != Audit_equal)
 			return -EINVAL;
 		if (entry->rule.listnr != AUDIT_FILTER_EXIT)
 			return -EINVAL;
-- 
cgit v1.2.3