From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael C Thompson
Subject: [PATCH] libaudit.c - add entry list check for the path filter
Date: Thu, 18 May 2006 09:23:09 -0500
Message-ID: <446C834D.5010008@us.ibm.com>
To: Linux Audit
List-Id: linux-audit@redhat.com

The auditctl filter "path" is only valid on the exit filter list, and the current version of auditctl does not perform this sanity check. Other values filter options which are required to be on the exit list have this sanity-check mechanism. Below is a patch which adds this sanity check for the "path" filter keyword.

Thanks,
Mike

---
Signed-off-by: Michael Thompson --- audit-1.2.2-orig/lib/libaudit.c 2006-04-16 08:57:11.000000000 -0500 +++ audit-1.2.2/lib/libaudit.c 2006-05-17 14:56:55.000000000 -0500 @@ -952,6 +952,10 @@ case AUDIT_SE_SEN: case AUDIT_SE_CLR: case AUDIT_WATCH: + /* Watch is invalid on entry */ + if ((flags == AUDIT_FILTER_ENTRY) && + (field == AUDIT_WATCH)) + return -7; rule->values[rule->field_count] = strlen(v); offset = rule->buflen; rule->buflen += strlen(v);
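
Review bot: The added test in the AUDIT_WATCH case rejects only `flags == AUDIT_FILTER_ENTRY`, while the description says "path" is valid only on the exit filter list, so a watch field on any list other than entry or exit still passes this check. If exit-only is the intent, compare against the exit list instead (for example `flags != AUDIT_FILTER_EXIT`) and update the comment to match. The equality test also assumes `flags` carries nothing but the list id; if other bits can be OR'ed into it, the comparison is skipped silently, so it is worth confirming that against the callers. The bare `return -7` gives no hint of which error the caller will report; a short comment naming the message it maps to, or a named constant, would make the new branch easier to audit. Since the check sits in the shared fall-through block for AUDIT_SE_SEN, AUDIT_SE_CLR and AUDIT_WATCH, the `field == AUDIT_WATCH` guard is needed and should stay if the condition is changed.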