audit: enforce op for string fields

The field operator is ignored on several string fields. WATCH, DIR, PERM and FILETYPE field operators are completely ignored and meaningless since the op is not referenced in audit_filter_rules(). Range and bitwise operators are already addressed in ghak73. Honour the operator for WATCH, DIR, PERM, FILETYPE fields as is done in the EXE field. Please see github issue https://github.com/linux-audit/audit-kernel/issues/114 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Richard Guy Briggs <rgb@redhat.com> 2019-05-22 17:52:02 -0400
committer: Paul Moore <paul@paul-moore.com> 2019-05-28 17:46:43 -0400
commit: 0223fad3c98a9588c159a35dda2ef6e68ca27e3f (patch)
tree: 35db4ae7622bb91db2a049d0d01249f8c566754e /kernel/auditsc.c
parent: bf361231c295d92a28ca283ea713f56e93e55796 (diff)
1 files changed, 15 insertions, 3 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9134fe11ff6c..4effe01ebbe2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -601,12 +601,20 @@ static int audit_filter_rules(struct task_struct *tsk,
                        }
                        break;
                case AUDIT_WATCH:
-                        if (name)
+                        if (name) {
-                                result = audit_watch_compare(rule->watch, name->ino, name->dev);
+                                result = audit_watch_compare(rule->watch,
+                                                             name->ino,
+                                                             name->dev);
+                                if (f->op == Audit_not_equal)
+                                        result = !result;
+                        }
                        break;
                case AUDIT_DIR:
-                        if (ctx)
+                        if (ctx) {
                                result = match_tree_refs(ctx, rule->tree);
+                                if (f->op == Audit_not_equal)
+                                        result = !result;
+                        }
                        break;
                case AUDIT_LOGINUID:
                        result = audit_uid_comparator(audit_get_loginuid(tsk),
@@ -689,9 +697,13 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_PERM:
                        result = audit_match_perm(ctx, f->val);
+                        if (f->op == Audit_not_equal)
+                                result = !result;
                        break;
                case AUDIT_FILETYPE:
                        result = audit_match_filetype(ctx, f->val);
+                        if (f->op == Audit_not_equal)
+                                result = !result;
                        break;
                case AUDIT_FIELD_COMPARE:
                        result = audit_field_compare(tsk, cred, f, ctx, name);
author	Richard Guy Briggs <rgb@redhat.com>	2019-05-22 17:52:02 -0400
committer	Paul Moore <paul@paul-moore.com>	2019-05-28 17:46:43 -0400
commit	0223fad3c98a9588c159a35dda2ef6e68ca27e3f (patch)
tree	35db4ae7622bb91db2a049d0d01249f8c566754e /kernel/auditsc.c
parent	bf361231c295d92a28ca283ea713f56e93e55796 (diff)