audit: allow not equal op for audit by executable
authorOndrej Mosnáček <omosnace@redhat.com>
Mon, 9 Apr 2018 08:00:06 +0000 (10:00 +0200)
committerPaul Moore <paul@paul-moore.com>
Tue, 24 Apr 2018 15:18:10 +0000 (11:18 -0400)
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
kernel/auditfilter.c
kernel/auditsc.c

index d7a807e814514cea81694bb73667b7b34247ab84..a0c5a3ec6e60a32464ed5fffa3acae2458e98403 100644 (file)
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
                        return -EINVAL;
                break;
        case AUDIT_EXE:
-               if (f->op != Audit_equal)
+               if (f->op != Audit_not_equal && f->op != Audit_equal)
                        return -EINVAL;
                if (entry->rule.listnr != AUDIT_FILTER_EXIT)
                        return -EINVAL;
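Review bot: The widened op check in the AUDIT_EXE case is the only gate that keeps any other operator value away from the exe match path, and nothing in the hunk says so; I would add a comment above the if, `/* Only == and != are supported: audit_filter_rules() negates the exe compare for Audit_not_equal and treats every other op as equality. */`. The sibling hunk in kernel/auditsc.c only tests for Audit_not_equal, so an op value that slipped past this validation would silently behave as equal rather than being rejected. The enclosing audit_field_valid() starts and ends outside this hunk.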
index 4e0a4ac803db72499f67822233f6db70d7b6f3b8..479c031ec54c4027d40b5028f21d88a3505b5529 100644 (file)
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_EXE:
                        result = audit_exe_compare(tsk, rule->exe);
+                       if (f->op == Audit_not_equal)
+                               result = !result;
                        break;
                case AUDIT_UID:
                        result = audit_uid_comparator(cred->uid, f->op, f->uid);
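Review bot: Inverting the value from audit_exe_compare() on the two added lines presumably makes a task whose executable cannot be resolved match an exe!= rule, because a compare that yields 0 for "no exe" becomes 1 after the negation; that looks intended but is worth stating, e.g. `/* != also matches tasks whose exe cannot be resolved (compare yields 0) */` placed above the new if. If audit_exe_compare() can ever return a negative error instead of 0/1, the negation would turn that error into "no match" for != while the == path would treat the non-zero value as a match, so the helper's 0/1 contract should be confirmed before relying on it here. The enclosing audit_filter_rules() starts and ends outside this hunk.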