audit: enforce op for string fields
authorRichard Guy Briggs <[email protected]>
Wed, 22 May 2019 21:52:02 +0000 (17:52 -0400)
committerPaul Moore <[email protected]>
Tue, 28 May 2019 21:46:43 +0000 (17:46 -0400)
The field operator is ignored on several string fields.  WATCH, DIR,
PERM and FILETYPE field operators are completely ignored and meaningless
since the op is not referenced in audit_filter_rules().  Range and
bitwise operators are already addressed in ghak73.

Honour the operator for WATCH, DIR, PERM, FILETYPE fields as is done in
the EXE field.

Please see github issue
https://github.com/linux-audit/audit-kernel/issues/114

Signed-off-by: Richard Guy Briggs <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
kernel/auditsc.c

index 9134fe11ff6c561e960a08402c6ce5e7d9c85687..4effe01ebbe2b3ad1e0d5cf566909db533dcb610 100644 (file)
@@ -601,12 +601,20 @@ static int audit_filter_rules(struct task_struct *tsk,
                        }
                        break;
                case AUDIT_WATCH:
-                       if (name)
-                               result = audit_watch_compare(rule->watch, name->ino, name->dev);
+                       if (name) {
+                               result = audit_watch_compare(rule->watch,
+                                                            name->ino,
+                                                            name->dev);
+                               if (f->op == Audit_not_equal)
+                                       result = !result;
+                       }
                        break;
                case AUDIT_DIR:
-                       if (ctx)
+                       if (ctx) {
                                result = match_tree_refs(ctx, rule->tree);
+                               if (f->op == Audit_not_equal)
+                                       result = !result;
+                       }
                        break;
                case AUDIT_LOGINUID:
                        result = audit_uid_comparator(audit_get_loginuid(tsk),
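Review bot: The negation for AUDIT_WATCH and AUDIT_DIR is applied only inside the `if (name)` / `if (ctx)` guards, so when that pointer is NULL a `!=` rule leaves `result` at whatever it held before the switch and behaves exactly like `=`. The initialisation of `result` is outside this hunk, so the outcome for a nameless or context-less record cannot be confirmed from here. If "no name or context means no match, whatever the operator" is the intended semantics, record it with a comment in each case, e.g. `/* no name: neither = nor != matches */`. A `!=` watch or dir filter that never fires on such records is otherwise a silent gap in audit coverage that rule authors will not expect. audit_filter_rules() begins and ends outside the hunk.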
@@ -689,9 +697,13 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_PERM:
                        result = audit_match_perm(ctx, f->val);
+                       if (f->op == Audit_not_equal)
+                               result = !result;
                        break;
                case AUDIT_FILETYPE:
                        result = audit_match_filetype(ctx, f->val);
+                       if (f->op == Audit_not_equal)
+                               result = !result;
                        break;
                case AUDIT_FIELD_COMPARE:
                        result = audit_field_compare(tsk, cred, f, ctx, name);
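Review bot: In AUDIT_PERM and AUDIT_FILETYPE the inversion is unconditional, while the AUDIT_WATCH and AUDIT_DIR cases of the same commit invert only under a NULL guard. If audit_match_perm() and audit_match_filetype() return 0 for a NULL `ctx` (their bodies are not shown here), a `!=` rule on these fields would match with no context while a `!=` DIR rule would not. Either guard these two cases the same way or add a comment stating that the difference is deliberate. The pair `if (f->op == Audit_not_equal)` / `result = !result;` now appears four times in this function, so a small static helper taking `f->op` and `result` would keep the cases from drifting apart. Every operator other than `Audit_not_equal` is treated as equality here, which is only safe as long as rule validation rejects range and bitwise operators for these fields, as the commit message says is handled elsewhere.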