On 2019-05-28 18:00, Paul Moore wrote: > On Wed, May 22, 2019 at 5:52 PM Richard Guy Briggs <r...@redhat.com> wrote: > > > > The field operator is ignored on several string fields. WATCH, DIR, > > PERM and FILETYPE field operators are completely ignored and meaningless > > since the op is not referenced in audit_filter_rules(). Range and > > bitwise operators are already addressed in ghak73. > > > > Honour the operator for WATCH, DIR, PERM, FILETYPE fields as is done in > > the EXE field. > > > > Please see github issue > > https://github.com/linux-audit/audit-kernel/issues/114 > > --- > > kernel/auditsc.c | 18 +++++++++++++++--- > > 1 file changed, 15 insertions(+), 3 deletions(-) > > While the patch looks fine, it is missing your sign-off. If you reply > to this thread with it, I'll go ahead and add to the patch when > merging.
GHAK! Sorry about that! Signed-off-by: Richard Guy Briggs <r...@redhat.com> It passed checkpatch.pl when that code was in the ghak73 patch. :-) > I'm sure everyone is tired of hearing me complain about people not > checking their patches, but this is something that would have been > caught by running ./scripts/checkpatch.pl against your patch (the > entire patch, not just the code portion). If you aren't running your > full patch through checkpatch already, it is easy to do (there are > likely other ways too, these are just the two that I use): > > * using git > # git format-patch --stdout -1 <commit_id> | ./scripts/checkpatch.pl - > > * using stgit (my favorite) > # stg export -s <patch> | ./scripts/checkpatch.pl - Nice, it even works for a series... > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index 30aa07b0115f..087137d341a2 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -601,12 +601,20 @@ static int audit_filter_rules(struct task_struct *tsk, > > } > > break; > > case AUDIT_WATCH: > > - if (name) > > - result = audit_watch_compare(rule->watch, > > name->ino, name->dev); > > + if (name) { > > + result = audit_watch_compare(rule->watch, > > + name->ino, > > + name->dev); > > + if (f->op == Audit_not_equal) > > + result = !result; > > + } > > break; > > case AUDIT_DIR: > > - if (ctx) > > + if (ctx) { > > result = match_tree_refs(ctx, rule->tree); > > + if (f->op == Audit_not_equal) > > + result = !result; > > + } > > break; > > case AUDIT_LOGINUID: > > result = > > audit_uid_comparator(audit_get_loginuid(tsk), > > @@ -684,9 +692,13 @@ static int audit_filter_rules(struct task_struct *tsk, > > break; > > case AUDIT_PERM: > > result = audit_match_perm(ctx, f->val); > > + if (f->op == Audit_not_equal) > > + result = !result; > > break; > > case AUDIT_FILETYPE: > > result = audit_match_filetype(ctx, f->val); > > + if (f->op == Audit_not_equal) > > + result = !result; > > break; > > case AUDIT_FIELD_COMPARE: > > result = audit_field_compare(tsk, cred, f, ctx, > > name); > > -- > > 1.8.3.1 > > -- > paul moore > www.paul-moore.com - RGB -- Richard Guy Briggs <r...@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit