From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael C Thompson
Subject: [PATCH] auditctl -l listing with correct operators
Date: Wed, 17 May 2006 14:07:00 -0500
Message-ID: <446B7454.4000903@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linux Audit, Steve Grubb
List-Id: linux-audit@redhat.com

With the current version of audit, auditctl -l only prints an equal or not equal operator when it displays rules. While the rules in the kernel are operating correctly, this is mostly an inconvenience, since it is not possible to tell what rules are really in the kernel.

The problem lies in the audit_print_reply logic not detecting the type of the message (either AUDIT_LIST or AUDIT_LIST_RULE). Below is a patch which adds this detection.

Thanks,
Mike

----
Signed-off-by: Michael Thompson

--- audit-1.2.2-orig/src/auditctl.c 2006-05-12 14:59:59.000000000 -0500 +++ audit-1.2.2/src/auditctl.c 2006-05-16 15:56:31.000000000 -0500 @@ -926,8 +926,14 @@ static int audit_print_reply(struct audi for (i = 0; i < rep->rule->field_count; i++) { int field = rep->rule->fields[i] & ~AUDIT_OPERATORS & ~AUDIT_NEGATE; - int op = rep->rule->fields[i] & - (AUDIT_OPERATORS | AUDIT_NEGATE); + int op; + if (rep->type == AUDIT_LIST_RULES) { + op = rep->ruledata->fieldflags[i] & + (AUDIT_OPERATORS | AUDIT_NEGATE); + } else { + op = rep->rule->fields[i] & + (AUDIT_OPERATORS | AUDIT_NEGATE); + } const char *name = audit_field_to_name(field); if (name) {
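
Review bot: In the AUDIT_LIST_RULES branch only op is switched to rep->ruledata, while the loop bound (rep->rule->field_count) and the field id (rep->rule->fields[i]) at the top of the loop are still read through rep->rule regardless of rep->type. If the two reply layouts differ, the field name printed next to the operator could come from the wrong structure, and an auditor reading auditctl -l output would again see rules that do not match what the kernel enforces. Please either select field_count and fields[i] by rep->type as well, or add a comment stating why reading them through rep->rule is valid for both message types. Two smaller points: the new if/else now sits between the declarations and const char *name, which makes that a declaration after a statement, so consider declaring name before the branch; and the commit message refers to AUDIT_LIST_RULE while the code tests AUDIT_LIST_RULES.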