audit: allow other filter list types for AUDIT_EXE - linux.git - dakr's fork of kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

diff options

author	Ondrej Mosnáček <omosnace@redhat.com>	2018-05-30 10:45:24 +0200
committer	Paul Moore <paul@paul-moore.com>	2018-06-19 09:33:42 -0400
commit	29c1372d6a9b872acf479ba2744e4e7f043981c0 (patch)
tree	05bbfde74456e7b8aaccd618a5c05dd5cc10d02c /net/802
parent	ce397d215ccd07b8ae3f71db689aedb85d56ab40 (diff)

audit: allow other filter list types for AUDIT_EXE

This patch removes the restriction of the AUDIT_EXE field to only SYSCALL filter and teaches audit_filter to recognize this field. This makes it possible to write rule lists such as: auditctl -a exit,always [some general rule] # Filter out events with executable name /bin/exe1 or /bin/exe2: auditctl -a exclude,always -F exe=/bin/exe1 auditctl -a exclude,always -F exe=/bin/exe2 See: https://github.com/linux-audit/audit-kernel/issues/54 Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>

Diffstat (limited to 'net/802')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: