• Eric Paris's avatar
    audit: make filetype matching consistent with other filters · 5ef30ee5
    Eric Paris authored
    Every other filter that matches part of the inodes list collected by audit
    will match against any of the inodes on that list.  The filetype matching
    however had a strange way of doing things.  It allowed userspace to
    indicated if it should match on the first of the second name collected by
    the kernel.  Name collection ordering seems like a kernel internal and
    making userspace rules get that right just seems like a bad idea.  As it
    turns out the userspace audit writers had no idea it was doing this and
    thus never overloaded the value field.  The kernel always checked the first
    name collected which for the tested rules was always correct.
    
    This patch just makes the filetype matching like the major, minor, inode,
    and LSM rules in that it will match against any of the names collected.  It
    also changes the rule validation to reject the old unused rule types.
    
    Noone knew it was there.  Noone used it.  Why keep around the extra code?
    Signed-off-by: default avatarEric Paris <eparis@redhat.com>
    5ef30ee5
auditsc.c 66.5 KB