audit: allow not equal op for audit by executable
author Ondrej Mosnáček <omosnace@redhat.com>
Mon, 9 Apr 2018 08:00:06 +0000 (10:00 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 3 Aug 2018 05:55:25 +0000 (07:55 +0200)
[ Upstream commit 23bcc480dac204c7dbdf49d96b2c918ed98223c2 ]

Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.

See: https://github.com/linux-audit/audit-kernel/issues/53

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
kernel/auditfilter.c
kernel/auditsc.c

index 85d9cac..cd4f413 100644
@@ -406,7 +406,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
                        return -EINVAL;
                break;
        case AUDIT_EXE:
-               if (f->op != Audit_equal)
+               if (f->op != Audit_not_equal && f->op != Audit_equal)
                        return -EINVAL;
                if (entry->rule.listnr != AUDIT_FILTER_EXIT)
                        return -EINVAL;
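Review bot: the allow-list shape of the operator check is the right one here, because the comparison that backs AUDIT_EXE (audit_exe_compare() in the auditsc.c hunk) yields only a match/no-match result, so relational operators have no meaning for this field and must keep being rejected with -EINVAL; for readability and to match the order in which the two operators are named in the commit message, consider writing the condition as `if (f->op != Audit_equal && f->op != Audit_not_equal)`. The unchanged `listnr != AUDIT_FILTER_EXIT` check still applies to the negated form, which is correct: an exe!= rule only makes sense where the task's executable is known at filter time.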
index 2cd5256..c2aaf53 100644
@@ -469,6 +469,8 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_EXE:
                        result = audit_exe_compare(tsk, rule->exe);
+                       if (f->op == Audit_not_equal)
+                               result = !result;
                        break;
                case AUDIT_UID:
                        result = audit_uid_comparator(cred->uid, f->op, f->uid);
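Review bot: the inversion `result = !result` is only correct if audit_exe_compare() has a strict 0/1 return contract; if it can ever return a negative value (for example when the task's executable cannot be resolved), `!result` collapses that to 0 for the not-equal case, silently turning "could not determine" into "does not match" and dropping events the negated rule was meant to catch. Either confirm that contract in the function's documentation, or normalize before inverting, e.g. `result = !!audit_exe_compare(tsk, rule->exe);` followed by the existing `if (f->op == Audit_not_equal) result = !result;`, so both operators behave symmetrically. Note also that the AUDIT_UID case directly below delegates the operator handling to a comparator that takes `f->op`; a one-line comment explaining why AUDIT_EXE instead special-cases the operator inline would help the next reader.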