* [PATCH] Fix a bug that use option '-p process-id' cannot search out all matched logs
@ 2008-09-11  5:05 Peng Haitao
  2008-09-11 15:09 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Peng Haitao @ 2008-09-11  5:05 UTC (permalink / raw)
  To: Steve Grubb; +Cc: audit-list

Hello steve,

Using the option '-p process-id' cannot find log records that contain the given process-id when the message type is AVC.

For example:
# echo 'type=AVC msg=audit(1221036190.313:3232615): avc:  denied  { append } for  pid=8961 comm="cupsd" path="/var/log/cups/access_log" dev=hda7 ino=1210126 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file' | ausearch -p 8961
<no matches>

Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>

---
 src/ausearch-parse.c |   27 +++++++++++++++++++++------
 1 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index d2cb44d..e3ffa8c 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1209,11 +1209,26 @@ static int parse_avc(const lnode *n, search_items *s)
 		*term = ' ';
 	}
 
+	// get pid
+	str = strstr(term, "pid=");
+	if (str) {
+		str = str + 4;
+		term = strchr(str, ' ');
+		if (term == NULL)
+			return 3;
+		*term = 0;
+		errno = 0;
+		s->pid = strtoul(str, NULL, 10);
+		if (errno)
+			return 4;
+		*term = ' ';
+	}
+
 	if (event_comm && s->comm == NULL) {
 	// dont do this search unless needed
 		str = strstr(term, "comm=");
 		if (str == NULL) {
-			rc = 3;
+			rc = 5;
 			goto err;
 		}
 		str += 5;
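Review bot: The new pid parse only catches ERANGE, because `strtoul(str, NULL, 10)` discards the end pointer; a non-numeric value such as `pid=abc` leaves errno at 0, stores 0 in `s->pid` and the function continues as if the field had parsed. Declare `char *end;`, call `s->pid = strtoul(str, &end, 10);` and test `if (errno || end == str)` before the `return 4;`. The added block also returns directly, while every other failure in the function sets `rc` and jumps to `err`; if `err:` performs cleanup (it is outside the hunk, so I cannot confirm), the two direct returns skip it, and for consistency they should use `rc = 3; goto err;` and `rc = 4; goto err;` as the rest of parse_avc does. The enclosing function begins before and ends after this hunk.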
@@ -1221,7 +1236,7 @@ static int parse_avc(const lnode *n, search_items *s)
 			str++;
 			term = strchr(str, '"');
 			if (term == NULL) {
-				rc = 4;
+				rc = 6;
 				goto err;
 			}
 			*term = 0;
@@ -1250,7 +1265,7 @@ static int parse_avc(const lnode *n, search_items *s)
 			str += 9;
 			term = strchr(str, ' ');
 			if (term == NULL) {
-				rc = 5;
+				rc = 7;
 				goto err;
 			}
 			*term = 0;
@@ -1266,7 +1281,7 @@ static int parse_avc(const lnode *n, search_items *s)
 			str += 9;
 			term = strchr(str, ' ');
 			if (term == NULL) {
-				rc = 6;
+				rc = 8;
 				goto err;
 			}
 			*term = 0;
@@ -1278,7 +1293,7 @@ static int parse_avc(const lnode *n, search_items *s)
 	// Now get the class...its at the end, so we do things different
 	str = strstr(term, "tclass=");
 	if (str == NULL) {
-		rc = 7;
+		rc = 9;
 		goto err;
 	}
 	str += 7;
@@ -1292,7 +1307,7 @@ static int parse_avc(const lnode *n, search_items *s)
 	if (audit_avc_init(s) == 0) {
 		alist_append(s->avc, &an);
 	} else {
-		rc = 8;
+		rc = 10;
 		goto err;
 	}
 
-- 
1.5.3


-- 
Regards
Peng Haitao

