[PATCH] libaudit.c - add entry list check for the path filter

[PATCH] libaudit.c - add entry list check for the path filter

[Michael C Thompson]

The auditctl filter "path" is only valid on the exit filter list, and 
the current version of auditctl does not perform this sanity check. 
Other values filter options which are required to be on the exit list 
have this sanity-check mechanism.

Below is a patch which adds this sanity check for the "path" filter keyword.

Thanks,
Mike

---

Signed-off-by: Michael Thompson <thompsmc@us.ibm.com>


--- audit-1.2.2-orig/lib/libaudit.c     2006-04-16 08:57:11.000000000 -0500
+++ audit-1.2.2/lib/libaudit.c  2006-05-17 14:56:55.000000000 -0500
@@ -952,6 +952,10 @@
                 case AUDIT_SE_SEN:
                 case AUDIT_SE_CLR:
                 case AUDIT_WATCH:
+                       /* Watch is invalid on entry */
+                       if ((flags == AUDIT_FILTER_ENTRY) &&
+                               (field == AUDIT_WATCH))
+                               return -7;
                         rule->values[rule->field_count] = strlen(v);
                         offset = rule->buflen;
                         rule->buflen += strlen(v);

Re: [PATCH] libaudit.c - add entry list check for the path filter

[Steve Grubb]

On Thursday 18 May 2006 10:23, Michael C Thompson wrote:
> Below is a patch which adds this sanity check for the "path" filter
> keyword.

Thanks. I applied a slight variation of this. I changed it to be != 
AUDIT_FILTER_EXIT.

-Steve