audit: allow other filter list types for AUDIT_EXE
authorOndrej Mosnáček <omosnace@redhat.com>
Wed, 30 May 2018 08:45:24 +0000 (10:45 +0200)
committerPaul Moore <paul@paul-moore.com>
Tue, 19 Jun 2018 13:33:42 +0000 (09:33 -0400)
This patch removes the restriction of the AUDIT_EXE field to the SYSCALL
filter list only and teaches audit_filter() to recognize this field.

This makes it possible to write rule lists such as:

    auditctl -a exit,always [some general rule]
    # Filter out events with executable name /bin/exe1 or /bin/exe2:
    auditctl -a exclude,always -F exe=/bin/exe1
    auditctl -a exclude,always -F exe=/bin/exe2

See: https://github.com/linux-audit/audit-kernel/issues/54

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
kernel/auditfilter.c

index eaa320148d97214551c76d8454b944e281bd8737..6db9847ca031bc3280e6c633812470af079a31eb 100644 (file)
@@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
        case AUDIT_EXE:
                if (f->op != Audit_not_equal && f->op != Audit_equal)
                        return -EINVAL;
-               if (entry->rule.listnr != AUDIT_FILTER_EXIT)
-                       return -EINVAL;
                break;
        }
        return 0;
@@ -1360,6 +1358,11 @@ int audit_filter(int msgtype, unsigned int listtype)
                                                        f->type, f->op, f->lsm_rule, NULL);
                                }
                                break;
+                       case AUDIT_EXE:
+                               result = audit_exe_compare(current, e->rule.exe);
+                               if (f->op == Audit_not_equal)
+                                       result = !result;
+                               break;
                        default:
                                goto unlock_and_return;
                        }
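Review bot: The `result = !result;` flip after the `audit_exe_compare(current, e->rule.exe)` call assumes the comparator only ever yields 0 or 1; should it return a negative error code, the negation would turn that into a "no match" and bypass whatever error handling audit_filter() applies to a negative `result` after the switch, which is outside this hunk. The AUDIT_SUBJ_* case just above stores `security_audit_rule_match()` into the same `result`, so the function does appear to cope with non-boolean values elsewhere, and a one-line comment pinning the assumption would make the flip safe to read: `/* audit_exe_compare() returns 0/1 only, so Audit_not_equal is a plain boolean flip */`. It would also help to note that `current` here is the task that generated the record being filtered, since this path now runs for non-SYSCALL lists. The enclosing field loop and audit_filter() itself continue past the end of the hunk.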