[PATCH] allow audit filtering on bit & operations

Right now the audit filter can match on = != > < >= blah blah blah.
This allow the filter to also look at bitwise AND operations, &

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 11 insertions, 0 deletions

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 0ea96bab91cc..359645cff5b2 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -456,6 +456,13 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                 case AUDIT_DEVMINOR:
                 case AUDIT_EXIT:
                 case AUDIT_SUCCESS:
+                        /* bit ops are only useful on syscall args */
+                        if (f->op == AUDIT_BIT_MASK ||
+                                                f->op == AUDIT_BIT_TEST) {
+                                err = -EINVAL;
+                                goto exit_free;
+                        }
+                        break;
                 case AUDIT_ARG0:
                 case AUDIT_ARG1:
                 case AUDIT_ARG2:
@@ -1566,6 +1573,10 @@ int audit_comparator(const u32 left, const u32 op, const u32 right)
                 return (left > right);
         case AUDIT_GREATER_THAN_OR_EQUAL:
                 return (left >= right);
+        case AUDIT_BIT_MASK:
+                return (left & right);
+        case AUDIT_BIT_TEST:
+                return ((left & right) == right);
         }
         BUG();
         return 0;