From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Miloslav Trmac Subject: Re: [PATCH] Don't crash on unknown S_IFMT file modes Date: Thu, 26 Mar 2009 11:05:24 -0400 (EDT) Message-ID: <205213183.2433851238079924103.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> References: <244499589.2433711238079841056.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_81543_1871122493.1238079924101" Return-path: In-Reply-To: <244499589.2433711238079841056.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: LC Bruzenak , Steve Grubb Cc: linux-audit List-Id: linux-audit@redhat.com ------=_Part_81543_1871122493.1238079924101 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit ----- "LC Bruzenak" wrote: > Thank you for this patch...wherever it may be. > :) Ooops :/ > Do you have a standard auparse test you use to track these down? No, I only have a small Python program to use auparse to interpret a supplied log file (attached). There is also (make check). Mirek ------=_Part_81543_1871122493.1238079924101 Content-Type: application/octet-stream; name=audit-interpret.py Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=audit-interpret.py #! 
/usr/bin/python import sys import auparse import audit def none_to_null(s): if s is None: return '(null)' else: return s def walk_test(au): au.reset() while True: if not au.first_record(): print "Error getting first record" sys.exit(1) print "%d records:" % (au.get_num_records(),) while True: print " raw: %s" % (none_to_null(au.get_record_text())) print " type %d(%s) has %d fields" % \ (au.get_type(), audit.audit_msg_type_to_name(au.get_type()), au.get_num_fields()) print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) event = au.get_timestamp() if event is None: print "Error getting timestamp - aborting" sys.exit(1) print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) au.first_field() while True: print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) if not au.next_field(): break print if not au.next_record(): break if not au.parse_next_event(): break if __name__ == '__main__': au = auparse.AuParser(auparse.AUSOURCE_FILE, sys.argv[1]) walk_test(au) ------=_Part_81543_1871122493.1238079924101 Content-Type: application/octet-stream; name=audit-ifmt.patch Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=audit-ifmt.patch Index: src/ausearch-report.c =================================================================== --- src/ausearch-report.c (revision 268) +++ src/ausearch-report.c (working copy) @@ -548,6 +548,7 @@ static void print_mode(const char *val) { + const char *name; unsigned int ival; errno = 0; 
@@ -558,8 +559,17 @@ } // print the file type - printf("%s,", audit_ftype_to_name(ival & S_IFMT)); + name = audit_ftype_to_name(ival & S_IFMT); + if (name != NULL) + printf("%s,", name); + else { + unsigned first_ifmt_bit; + // The lowest-valued "1" bit in S_IFMT + first_ifmt_bit = S_IFMT & ~(S_IFMT - 1); + printf("%03o,", (ival & S_IFMT) / first_ifmt_bit); + } + // check on special bits if (S_ISUID & ival) printf("suid,"); Index: auparse/interpret.c =================================================================== --- auparse/interpret.c (revision 268) +++ auparse/interpret.c (working copy) @@ -453,6 +453,7 @@ { unsigned int ival; char *out, buf[48]; + const char *name; errno = 0; ival = strtoul(val, NULL, 8); @@ -461,22 +462,28 @@ return out; } - buf[0] = 0; + // detect the file type + name = audit_ftype_to_name(ival & S_IFMT); + if (name != NULL) + strcpy(buf, name); + else { + unsigned first_ifmt_bit; - // detect tthe file type - strcat(buf, audit_ftype_to_name(ival & S_IFMT)); - strcat(buf, ","); + // The lowest-valued "1" bit in S_IFMT + first_ifmt_bit = S_IFMT & ~(S_IFMT - 1); + sprintf(buf, "%03o", (ival & S_IFMT) / first_ifmt_bit); + } // check on special bits if (S_ISUID & ival) - strcat(buf, "suid,"); + strcat(buf, ",suid"); if (S_ISGID & ival) - strcat(buf, "sgid,"); + strcat(buf, ",sgid"); if (S_ISVTX & ival) - strcat(buf, "sticky,"); + strcat(buf, ",sticky"); // and the read, write, execute flags in octal - asprintf(&out, "%s %03o", buf, (S_IRWXU|S_IRWXG|S_IRWXO) & ival); + asprintf(&out, "%s,%03o", buf, (S_IRWXU|S_IRWXG|S_IRWXO) & ival); return out; } ------=_Part_81543_1871122493.1238079924101 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ------=_Part_81543_1871122493.1238079924101--
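Review bot: In the new `else` branch of print_mode (src/ausearch-report.c), the unrecognised file type is divided by the lowest S_IFMT bit and printed with `%03o`, so it appears as a three-digit octal number that looks just like a permission triple. Someone reading the report, or a script post-processing it, can mistake a value such as `013,` for permission bits. Printing the masked bits unshifted, `printf("%06o,", ival & S_IFMT);`, keeps the value directly comparable with the `S_IF*` constants and makes `first_ifmt_bit` unnecessary. The same fallback is duplicated in the second auparse/interpret.c hunk, where the shifted value lands in the same string as the `%03o` permission field, so the two copies should be changed together or moved into one helper. print_mode begins before this hunk and continues past it.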
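Review bot: The rewritten `asprintf(&out, "%s,%03o", ...)` call at the end of the second auparse/interpret.c hunk still ignores its return value, and on failure glibc leaves `out` undefined, so the function can return an indeterminate pointer to its caller. Checking the result, `if (asprintf(&out, "%s,%03o", buf, (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0) out = NULL;`, gives callers a value they can test. The hunk also changes the separator before the permission bits from a space to a comma and moves the commas in the `suid`/`sgid`/`sticky` strings, which the subject line does not mention. Anything that parses the interpreted mode string should be checked against the new layout. The function's signature lies outside the hunk.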