Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 29c1372d authored by Ondrej Mosnáček's avatar Ondrej Mosnáček Committed by Paul Moore
Browse files

audit: allow other filter list types for AUDIT_EXE 

This patch removes the restriction of the AUDIT_EXE field to only
SYSCALL filter and teaches audit_filter to recognize this field.

This makes it possible to write rule lists such as:

    auditctl -a exit,always [some general rule]
    # Filter out events with executable name /bin/exe1 or /bin/exe2:
    auditctl -a exclude,always -F exe=/bin/exe1
    auditctl -a exclude,always -F exe=/bin/exe2

See: https://github.com/linux-audit/audit-kernel/issues/54



Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent ce397d21
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment