* [PATCH] the exit field should not be used in entry list
@ 2008-07-28 0:44 zhangxiliang
2008-07-28 15:33 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: zhangxiliang @ 2008-07-28 0:44 UTC (permalink / raw)
To: sgrubb, Linux Audit
Hello Steve,
The entry list is applied to match fields before excuting syscall. When matching, the exit code of syscall is unknown.
So the exit field should not be used in entry list.
This is a patch for latest audit-1.7.4.
Signed-off-by: Zhang Xiliang <zhangxiliang@cn.fujitsu.com>
---
lib/deprecated.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/lib/deprecated.c b/lib/deprecated.c
index 7c7c808..4f0c14e 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -281,6 +281,8 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
}
break;
case AUDIT_EXIT:
+ if (flags == AUDIT_FILTER_ENTRY)
+ return -7;
vlen = strlen(v);
if (isdigit((char)*(v)))
rule->values[rule->field_count] =
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2008-07-28 15:33 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-07-28 0:44 [PATCH] the exit field should not be used in entry list zhangxiliang
2008-07-28 15:33 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.