Regarding bug 435682

Regarding bug 435682

[Alexander]

[-- Attachment #1.1: Type: text/plain, Size: 335 bytes --]

Here's a patch for version 2.1.3 which solves bug 435682 (
https://bugzilla.redhat.com/show_bug.cgi?id=435682).
Patched auditctl allows to specify files having spaces in ther names - just
surround a filename with apostrophes.

Hope this will help someone who encountered the same problem. And, maybe,
the bug will be closed at last :)

[-- Attachment #1.2: Type: text/html, Size: 419 bytes --]

[-- Attachment #2: audit-2.1.3.patch --]
[-- Type: text/x-patch, Size: 2108 bytes --]

diff -aurN audit-2.1.3/src/auditctl.c audit-2.1.3_patch//src/auditctl.c
--- audit-2.1.3/src/auditctl.c	2011-08-15 21:31:00.000000000 +0400
+++ audit-2.1.3_patch//src/auditctl.c	2011-10-20 18:10:31.000000000 +0400
@@ -939,6 +939,70 @@
 	return NULL;
 }
 
+
+void preprocess(char *buf)
+{
+    char quote_ctx = 0;
+
+    while (*buf)
+    {
+        if (*buf == '\'')
+            quote_ctx++;
+        
+        if (*buf == ' ' && (quote_ctx & 1))
+            *buf = 0xFF;
+        
+        buf++;
+    }
+}
+
+
+void postprocess(unsigned char *buf)
+{
+    unsigned char *str = strdup(buf);
+    unsigned char *pos1 = str;
+    unsigned char *pos2 = buf;
+    int i = 0;
+    
+    if (!str)
+        return;
+    
+    while (*pos1)
+    {
+        if (*pos1 == '\'')
+            *pos1 = ' ';
+    
+        pos1++;
+    }
+    
+    pos1 = str;
+    pos2 = buf;
+    
+    while (*pos1)
+    {
+        if (*pos1 != ' ')
+        {
+            *pos2 = *pos1;
+            pos2++;
+        }
+
+        pos1++;
+    }
+    
+    *pos2 = 0;
+    
+    while (*buf)
+    {
+        if (*buf == 0xFF)
+            *buf = ' ';
+    
+        buf++;
+    }
+    
+    free(str);
+}
+
+
 /*
  * This function reads the given file line by line and executes the rule.
  * It returns 0 if everything went OK, 1 if there are problems before reading
@@ -1001,6 +1065,8 @@
 		char *options[NUM_OPTIONS];
 		char *ptr;
 		int idx=0;
+		char apst = 0;
+		char *pos = 0;
 
 		/* Weed out blank lines */
 		while (buf[idx] == ' ')
@@ -1009,9 +1075,13 @@
 			lineno++;
 			continue;
 		}
+		
+		preprocess(buf);
+		
 		ptr = strtok(buf, " ");
 		if (ptr == NULL)
 			break;
+		
 		/* allow comments */
 		if (ptr[0] == '#') {
 			lineno++;
@@ -1021,8 +1091,10 @@
 		options[i++] = "auditctl";
 		options[i++] = ptr;
 		while( (ptr=strtok(NULL, " ")) && i<NUM_OPTIONS-1 ) {
+		        postprocess(ptr);
 			options[i++] = ptr;
 		}
+		
 		options[i] = NULL;
 
 		/* Parse it */
@@ -1094,6 +1166,7 @@
 			free(rule_new);
 			return 1;
 		}
+		
 		retval = setopt(argc, 0, argv);
 		if (retval == -3) {
 			free(rule_new);

[-- Attachment #3: Type: text/plain, Size: 0 bytes --]

Re: Regarding bug 435682

[Miloslav Trmac]

> Here's a patch for version 2.1.3 which solves bug 435682 (
> https://bugzilla.redhat.com/show_bug.cgi?id=435682 ).
> Patched auditctl allows to specify files having spaces in ther names
> - just surround a filename with apostrophes.

This patch also arbitrarily breaks handling of apostrophes and \xFF characters in filenames; it probably is a marginal improvement, but any change to the format should IMHO start with an explicit and consistent specification of how quoting is supposed to work in audit.rules, and then implementing exactly that.

If we do have to change the file format to support spaces, let's do it, but let's also make sure that we don't need to change it again soon to fix different artifacts of the parser implementation.
    Mirek

Re: Regarding bug 435682

[Steve Grubb]

On Friday, October 21, 2011 08:49:30 AM Miloslav Trmac wrote:
> > Here's a patch for version 2.1.3 which solves bug 435682 (
> > https://bugzilla.redhat.com/show_bug.cgi?id=435682 ).
> > Patched auditctl allows to specify files having spaces in ther names
> > - just surround a filename with apostrophes.
> 
> This patch also arbitrarily breaks handling of apostrophes and \xFF
> characters in filenames; it probably is a marginal improvement, but any
> change to the format should IMHO start with an explicit and consistent
> specification of how quoting is supposed to work in audit.rules, and then
> implementing exactly that.
>
> If we do have to change the file format to support spaces, let's do it, but
> let's also make sure that we don't need to change it again soon to fix
> different artifacts of the parser implementation. Mirek

I was thinking of using the same mechanism as shell escaping '\' since this is how 
bash would present the path to the user.

-Steve

Re: Regarding bug 435682

[Alexander]

[-- Attachment #1.1: Type: text/plain, Size: 1074 bytes --]

   It definitely breaks handling of 0xFF and apostrophe, but in case of 3
year old feature request it's better than nothing :)
Obviously, it's better to use something like escape sequences, but the patch
was something like a proof-of-concept.

2011/10/21 Miloslav Trmac <mitr@redhat.com>

> > Here's a patch for version 2.1.3 which solves bug 435682 (
> > https://bugzilla.redhat.com/show_bug.cgi?id=435682 ).
> > Patched auditctl allows to specify files having spaces in ther names
> > - just surround a filename with apostrophes.
>
> This patch also arbitrarily breaks handling of apostrophes and \xFF
> characters in filenames; it probably is a marginal improvement, but any
> change to the format should IMHO start with an explicit and consistent
> specification of how quoting is supposed to work in audit.rules, and then
> implementing exactly that.
>
> If we do have to change the file format to support spaces, let's do it, but
> let's also make sure that we don't need to change it again soon to fix
> different artifacts of the parser implementation.
>    Mirek
>

[-- Attachment #1.2: Type: text/html, Size: 1444 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Regarding bug 435682

[Alexander]

[-- Attachment #1.1: Type: text/plain, Size: 271 bytes --]

  Here's another version of the patch for version 2.1.3 which solves bug
435682 (https://bugzilla.redhat.com/show_bug.cgi?id=435682).
Seems to be slightly better than previous version, 'cause now it's using
something like escape sequence to handle filenames with spaces.

[-- Attachment #1.2: Type: text/html, Size: 378 bytes --]

[-- Attachment #2: auditctl.patch1 --]
[-- Type: application/octet-stream, Size: 2500 bytes --]

diff -aurN audit-2.1.3/src/auditctl.c audit-2.1.3_patch//src/auditctl.c
--- audit-2.1.3/src/auditctl.c	2011-08-15 21:31:00.000000000 +0400
+++ audit-2.1.3_patch//src/auditctl.c	2011-10-24 11:14:02.000000000 +0400
@@ -939,6 +939,82 @@
 	return NULL;
 }
 
+
+void preprocess(char *buf)
+{
+    char esc_ctx = 0;
+
+    while (*buf)
+    {
+        if (*buf == '\\' && !esc_ctx)
+        {
+            esc_ctx++;
+        }
+        else
+        {
+            if (esc_ctx)
+            {
+                if (*buf == ' ')
+                {
+                    *buf = 0x07;
+                    *(buf - 1) = 0x07;
+                }
+                else if (*buf == '\\')
+                {
+                    *buf = 0x04;
+                    *(buf - 1) = 0x04;
+                }
+                    
+                esc_ctx--;
+            }
+        }
+        
+        buf++;
+    }
+}
+
+
+void postprocess(unsigned char *buf)
+{
+    unsigned char *str = strdup(buf);
+    unsigned char *pos1 = str;
+    unsigned char *pos2 = buf;
+    int i = 0;
+    
+    if (!str)
+        return;
+    
+    while (*pos1)
+    {
+        if (*pos1 == 0x07)
+        {
+            *pos2 = ' ';
+            pos1 += 2;
+            pos2++;
+
+            continue;
+        }
+        else if (*pos1 == 0x04)
+        {
+            *pos2 = '\\';
+            pos1 += 2;
+            pos2++;
+            
+            continue;
+        }
+        
+        *pos2 = *pos1;
+        
+        pos2++;
+        pos1++;
+    }
+    
+    *pos2 = 0;
+    
+    free(str);
+}
+
+
 /*
  * This function reads the given file line by line and executes the rule.
  * It returns 0 if everything went OK, 1 if there are problems before reading
@@ -1001,6 +1077,8 @@
 		char *options[NUM_OPTIONS];
 		char *ptr;
 		int idx=0;
+		char apst = 0;
+		char *pos = 0;
 
 		/* Weed out blank lines */
 		while (buf[idx] == ' ')
@@ -1009,9 +1087,13 @@
 			lineno++;
 			continue;
 		}
+		
+		preprocess(buf);
+		
 		ptr = strtok(buf, " ");
 		if (ptr == NULL)
 			break;
+		
 		/* allow comments */
 		if (ptr[0] == '#') {
 			lineno++;
@@ -1021,8 +1103,10 @@
 		options[i++] = "auditctl";
 		options[i++] = ptr;
 		while( (ptr=strtok(NULL, " ")) && i<NUM_OPTIONS-1 ) {
+		        postprocess(ptr);
 			options[i++] = ptr;
 		}
+		
 		options[i] = NULL;
 
 		/* Parse it */
@@ -1094,6 +1178,7 @@
 			free(rule_new);
 			return 1;
 		}
+		
 		retval = setopt(argc, 0, argv);
 		if (retval == -3) {
 			free(rule_new);

[-- Attachment #3: Type: text/plain, Size: 0 bytes --]

Re: Regarding bug 435682

[Steve Grubb]

On Friday, October 28, 2011 09:56:48 AM Alexander wrote:
>   Here's another version of the patch for version 2.1.3 which solves bug
> 435682 (https://bugzilla.redhat.com/show_bug.cgi?id=435682).
> Seems to be slightly better than previous version, 'cause now it's using
> something like escape sequence to handle filenames with spaces.

Applied a slightly modified version of the patch:
https://fedorahosted.org/audit/changeset/608

Thanks,
-Steve