From mboxrd@z Thu Jan  1 00:00:00 1970
From: zhangxiliang <zhangxiliang@cn.fujitsu.com>
Subject: [PATCH] the exit field should not be used in entry list
Date: Mon, 28 Jul 2008 08:44:17 +0800
Message-ID: <488D1661.6090605@cn.fujitsu.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: sgrubb@redhat.com, Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

Hello Steve,

The entry list is applied to match fields before excuting syscall. When matching, the exit code of syscall is unknown.
So the exit field should not be used in entry list.
This is a patch for latest audit-1.7.4. 

Signed-off-by: Zhang Xiliang <zhangxiliang@cn.fujitsu.com>
---
 lib/deprecated.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/lib/deprecated.c b/lib/deprecated.c
index 7c7c808..4f0c14e 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -281,6 +281,8 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
 			}
 			break;
 		case AUDIT_EXIT:
+			if (flags == AUDIT_FILTER_ENTRY)
+				return -7;
 			vlen = strlen(v);
 			if (isdigit((char)*(v)))
 				rule->values[rule->field_count] =
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit