audit: allow other filter list types for AUDIT_EXE
This patch removes the restriction of the AUDIT_EXE field to the
SYSCALL filter only and teaches audit_filter to recognize this field.
This makes it possible to write rule lists such as:
auditctl -a exit,always [some general rule]
# Filter out events with executable name /bin/exe1 or /bin/exe2:
auditctl -a exclude,always -F exe=/bin/exe1
auditctl -a exclude,always -F exe=/bin/exe2
See: https://github.com/linux-audit/audit-kernel/issues/54
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
committed by
Paul Moore
parent
ce397d215c
commit
29c1372d6a
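--- a/FILE-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE-PATH-NOT-SHOWN-ON-PAGE
@@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 case AUDIT_EXE:
 if (f->op != Audit_not_equal && f->op != Audit_equal)
 return -EINVAL;
-if (entry->rule.listnr != AUDIT_FILTER_EXIT)
-return -EINVAL;
 break;
 }
 return 0;
@@ -1360,6 +1358,11 @@ int audit_filter(int msgtype, unsigned int listtype)
 f->type, f->op, f->lsm_rule, NULL);
 }
 break;
+case AUDIT_EXE:
+result = audit_exe_compare(current, e->rule.exe);
+if (f->op == Audit_not_equal)
+result = !result;
+break;
 default:
 goto unlock_and_return;
 }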