From: Miloslav Trmac <mitr@redhat.com>
To: LC Bruzenak <lenny@magitekltd.com>, Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit <linux-audit@redhat.com>
Subject: Re: [PATCH] Don't crash on unknown S_IFMT file modes
Date: Thu, 26 Mar 2009 11:05:24 -0400 (EDT) [thread overview]
Message-ID: <205213183.2433851238079924103.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> (raw)
In-Reply-To: <244499589.2433711238079841056.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
[-- Attachment #1: Type: text/plain, Size: 319 bytes --]
----- "LC Bruzenak" <lenny@magitekltd.com> wrote:
> Thank you for this patch...wherever it may be.
> :)
Ooops :/
> Do you have a standard auparse test you use to track these down?
No, I only have a small Python program that uses auparse to interpret a supplied log file (attached). There is also `make check`.
Mirek
[-- Attachment #2: audit-interpret.py --]
[-- Type: application/octet-stream, Size: 1409 bytes --]
#! /usr/bin/python
import sys
import auparse
import audit
def none_to_null(s):
    """Return ``s`` unchanged, except that None becomes the string '(null)'.

    Used when printing values that auparse may report as None, so a ``%s``
    format always has something readable to show.
    """
    return '(null)' if s is None else s
def _dump_record(au):
    """Print the record auparse currently points at: its header lines, then every field.

    Exits the process with status 1 when the record's timestamp cannot be read.
    """
    print(" raw: %s" % (none_to_null(au.get_record_text())))
    print(" type %d(%s) has %d fields"
          % (au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
             au.get_num_fields()))
    print(" line=%d file=%s" % (au.get_line_number(), au.get_filename()))
    stamp = au.get_timestamp()
    if stamp is None:
        print("Error getting timestamp - aborting")
        sys.exit(1)
    print(" event time: %d.%d:%d, host=%s"
          % (stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host)))
    # Walk the fields of this record; each line shows raw and interpreted value.
    au.first_field()
    while True:
        print(" %s=%s (%s)"
              % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
        if not au.next_field():
            break
    # Blank line separates records.
    print("")


def walk_test(au):
    """Dump every event, record and field of the auparse parser ``au`` to stdout.

    The parser is rewound first; events are then consumed one by one with
    parse_next_event() until none remain. Exits the process with status 1 if
    the first record of an event cannot be obtained.
    """
    au.reset()
    while True:
        if not au.first_record():
            print("Error getting first record")
            sys.exit(1)
        print("%d records:" % (au.get_num_records(),))
        while True:
            _dump_record(au)
            if not au.next_record():
                break
        if not au.parse_next_event():
            break
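if __name__ == '__main__':
    # Usage: audit-interpret.py LOGFILE
    # Without the check, a missing argument dies with an IndexError traceback.
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s LOGFILE\n" % sys.argv[0])
        sys.exit(2)
    au = auparse.AuParser(auparse.AUSOURCE_FILE, sys.argv[1])
    walk_test(au)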
[-- Attachment #3: audit-ifmt.patch --]
[-- Type: application/octet-stream, Size: 2157 bytes --]
Index: src/ausearch-report.c
===================================================================
--- src/ausearch-report.c (revision 268)
+++ src/ausearch-report.c (working copy)
@@ -548,6 +548,7 @@
static void print_mode(const char *val)
{
+ const char *name;
unsigned int ival;
errno = 0;
@@ -558,8 +559,17 @@
}
// print the file type
- printf("%s,", audit_ftype_to_name(ival & S_IFMT));
+ name = audit_ftype_to_name(ival & S_IFMT);
+ if (name != NULL)
+ printf("%s,", name);
+ else {
+ unsigned first_ifmt_bit;
+ // The lowest-valued "1" bit in S_IFMT
+ first_ifmt_bit = S_IFMT & ~(S_IFMT - 1);
+ printf("%03o,", (ival & S_IFMT) / first_ifmt_bit);
+ }
+
// check on special bits
if (S_ISUID & ival)
printf("suid,");
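Review bot: The comment on the `first_ifmt_bit` assignment says what the expression computes but not why the division follows, so the `%03o` fallback for an unknown type reads as a magic transform; a why-comment above the printf such as `// Unknown type: print the raw S_IFMT field shifted down to its low bits, as octal` would make the branch self-explanatory. The `if (name != NULL)` arm is unbraced while its `else` is braced; bracing both keeps the arms symmetric and avoids the dangling-statement trap when a line is added later. The same fallback and bracing appear in the auparse/interpret.c hunk below. print_mode begins in the previous hunk and its body continues past this one.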
Index: auparse/interpret.c
===================================================================
--- auparse/interpret.c (revision 268)
+++ auparse/interpret.c (working copy)
@@ -453,6 +453,7 @@
{
unsigned int ival;
char *out, buf[48];
+ const char *name;
errno = 0;
ival = strtoul(val, NULL, 8);
@@ -461,22 +462,28 @@
return out;
}
- buf[0] = 0;
+ // detect the file type
+ name = audit_ftype_to_name(ival & S_IFMT);
+ if (name != NULL)
+ strcpy(buf, name);
+ else {
+ unsigned first_ifmt_bit;
- // detect tthe file type
- strcat(buf, audit_ftype_to_name(ival & S_IFMT));
- strcat(buf, ",");
+ // The lowest-valued "1" bit in S_IFMT
+ first_ifmt_bit = S_IFMT & ~(S_IFMT - 1);
+ sprintf(buf, "%03o", (ival & S_IFMT) / first_ifmt_bit);
+ }
// check on special bits
if (S_ISUID & ival)
- strcat(buf, "suid,");
+ strcat(buf, ",suid");
if (S_ISGID & ival)
- strcat(buf, "sgid,");
+ strcat(buf, ",sgid");
if (S_ISVTX & ival)
- strcat(buf, "sticky,");
+ strcat(buf, ",sticky");
// and the read, write, execute flags in octal
- asprintf(&out, "%s %03o", buf, (S_IRWXU|S_IRWXG|S_IRWXO) & ival);
+ asprintf(&out, "%s,%03o", buf, (S_IRWXU|S_IRWXG|S_IRWXO) & ival);
return out;
}
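Review bot: The rewritten `asprintf(&out, "%s,%03o", ...)` line still ignores its return value, and on allocation failure glibc leaves `out` indeterminate, so the function can hand an unusable pointer back to its caller; checking it, `if (asprintf(&out, "%s,%03o", buf, (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)`, and then taking the same path as the `return out;` early exit at the top of the hunk (whose setup is outside the hunk) would close that. The hunk also changes the output layout from `name,suid, 644` to `name,suid,644` — a comma-plus-space separator becomes a single comma — which is a user-visible format change not mentioned in the subject and worth a sentence in the description for anyone parsing interpreted output. The `strcpy`/`strcat` chain into `buf[48]` is only safe while the longest name audit_ftype_to_name can return plus `,suid,sgid,sticky` stays under 48 bytes; that table is not in this patch, so either a bounded `snprintf` or a comment stating the budget would make the assumption visible.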