Commit 06d6d1ad authored by Ondrej Mosnáček's avatar Ondrej Mosnáček Committed by Greg Kroah-Hartman

audit: allow not equal op for audit by executable

[ Upstream commit 23bcc480 ]

Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53Signed-off-by: 's avatarOndrej Mosnacek <omosnace@redhat.com>
Reviewed-by: 's avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: 's avatarPaul Moore <paul@paul-moore.com>
Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e7cb8f11
......@@ -407,7 +407,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
case AUDIT_EXE:
if (f->op != Audit_equal)
if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
......
......@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe);
if (f->op == Audit_not_equal)
result = !result;
break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment