audit: allow not equal op for audit by executable
Current implementation of auditing by executable name only implements the 'equal' operator. This patch extends it to also support the 'not equal' operator. See: https://github.com/linux-audit/audit-kernel/issues/53 Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Родитель
d96f92f4aa
Коммит
23bcc480da
|
@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
|
|||
return -EINVAL;
|
||||
break;
|
||||
case AUDIT_EXE:
|
||||
if (f->op != Audit_equal)
|
||||
if (f->op != Audit_not_equal && f->op != Audit_equal)
|
||||
return -EINVAL;
|
||||
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
|
||||
return -EINVAL;
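Review bot: The widened operator check under `case AUDIT_EXE:` accepts `Audit_not_equal`, but nothing at this site records that the operator is only honoured where the field is evaluated. On this page the negation is applied solely in audit_filter_rules(), and the `entry->rule.listnr != AUDIT_FILTER_EXIT` check just below appears to be what keeps exe rules confined to that evaluator. If another filter list is allowed later without adding the same negation, an `exe!=` rule would be accepted here and then evaluated as `exe=`. A comment above the operator check would record the dependency, for example `/* only = and != are valid; != is applied in audit_filter_rules(), keep in sync if other lists are allowed */`. The switch in audit_field_valid starts and ends outside the hunk.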
|
||||
|
|
|
@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
|
|||
break;
|
||||
case AUDIT_EXE:
|
||||
result = audit_exe_compare(tsk, rule->exe);
|
||||
if (f->op == Audit_not_equal)
|
||||
result = !result;
|
||||
break;
|
||||
case AUDIT_UID:
|
||||
result = audit_uid_comparator(cred->uid, f->op, f->uid);
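Review bot: The `result = !result;` line under `case AUDIT_EXE:` turns every zero return from audit_exe_compare() into a match, whatever the reason for the zero. The helper's body is not part of this hunk, so this is inferred: if it returns 0 when the task's executable cannot be resolved as well as on a real mismatch, an `exe!=` rule will also match those tasks. That matters to anyone writing exclusion rules, because it changes which tasks get audited. Either confirm the behaviour is intended and say so above the `if (f->op == Audit_not_equal)` line, for example `/* != also matches when the task's exe cannot be resolved (compare returns 0) */`, or have the helper separate "no match" from "could not compare". The switch in audit_filter_rules continues outside the hunk.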
|
||||
|
|