Commit 6b2d2065 authored by Ondrej Mosnáček's avatar Ondrej Mosnáček Committed by Kleber Sacilotto de Souza

audit: allow not equal op for audit by executable

BugLink: https://bugs.launchpad.net/bugs/1791953

[ Upstream commit 23bcc480 ]

Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 567a5c2d
...@@ -406,7 +406,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) ...@@ -406,7 +406,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL; return -EINVAL;
break; break;
case AUDIT_EXE: case AUDIT_EXE:
if (f->op != Audit_equal) if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL; return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT) if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL; return -EINVAL;
......
...@@ -470,6 +470,8 @@ static int audit_filter_rules(struct task_struct *tsk, ...@@ -470,6 +470,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break; break;
case AUDIT_EXE: case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe); result = audit_exe_compare(tsk, rule->exe);
if (f->op == Audit_not_equal)
result = !result;
break; break;
case AUDIT_UID: case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid); result = audit_uid_comparator(cred->uid, f->op, f->uid);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment