From: Ondrej Mosnáček Date: Mon, 9 Apr 2018 08:00:06 +0000 (+0200) Subject: audit: allow not equal op for audit by executable X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=23bcc480dac204c7dbdf49d96b2c918ed98223c2;p=linux.git audit: allow not equal op for audit by executable Current implementation of auditing by executable name only implements the 'equal' operator. This patch extends it to also support the 'not equal' operator. See: https://github.com/linux-audit/audit-kernel/issues/53 Signed-off-by: Ondrej Mosnacek Reviewed-by: Richard Guy Briggs Signed-off-by: Paul Moore --- diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index d7a807e814514..a0c5a3ec6e60a 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) return -EINVAL; break; case AUDIT_EXE: - if (f->op != Audit_equal) + if (f->op != Audit_not_equal && f->op != Audit_equal) return -EINVAL; if (entry->rule.listnr != AUDIT_FILTER_EXIT) return -EINVAL; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4e0a4ac803db7..479c031ec54c4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk, break; case AUDIT_EXE: result = audit_exe_compare(tsk, rule->exe); + if (f->op == Audit_not_equal) + result = !result; break; case AUDIT_UID: result = audit_uid_comparator(cred->uid, f->op, f->uid);