[PATCH] the exit field should not be used in entry list

[PATCH] the exit field should not be used in entry list

[zhangxiliang]

Hello Steve,

The entry list is applied to match fields before excuting syscall. When matching, the exit code of syscall is unknown.
So the exit field should not be used in entry list.
This is a patch for latest audit-1.7.4. 

Signed-off-by: Zhang Xiliang <zhangxiliang@cn.fujitsu.com>
---
 lib/deprecated.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/lib/deprecated.c b/lib/deprecated.c
index 7c7c808..4f0c14e 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -281,6 +281,8 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
 			}
 			break;
 		case AUDIT_EXIT:
+			if (flags == AUDIT_FILTER_ENTRY)
+				return -7;
 			vlen = strlen(v);
 			if (isdigit((char)*(v)))
 				rule->values[rule->field_count] =
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH] the exit field should not be used in entry list

[Steve Grubb]

Hi,

On Sunday 27 July 2008 20:44:17 zhangxiliang wrote:
> The entry list is applied to match fields before excuting syscall. When
> matching, the exit code of syscall is unknown. So the exit field should not
> be used in entry list.

Looks good. Applied. I also checked the code in libaudit.c and fixed it to do 
the same thing. Thanks for the patch.

-Steve