From mboxrd@z Thu Jan 1 00:00:00 1970
From: zhangxiliang
Subject: [PATCH] On some platforms, "connect", "bind", "accept", "sendto", "recvfrom", "sendfile" are not audited directly.
Date: Wed, 30 Jul 2008 16:29:55 +0800
Message-ID: <48902683.6070902@cn.fujitsu.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: sgrubb@redhat.com, Linux Audit
List-Id: linux-audit@redhat.com

Hello Steve,

When I use "autrace -r" or "auditctl -a exit,always -S connect" on an "ia32" machine, it reports some errors. I found that on some platforms, "connect", "bind", "accept", "sendto", "recvfrom", "sendfile" are not supported to be called directly. They are used by the syscall "socketcall". I think when the socket calls are supported, we should insert "socketcall" instead of them. Do you agree with me?

Signed-off-by: Zhang Xiliang
--- lib/deprecated.c | 7 +++++++ lib/libaudit.c | 6 ++++++ 2 files changed, 13 insertions(+), 0 deletions(-) diff --git a/lib/deprecated.c b/lib/deprecated.c index 4f0c14e..ced4c62 100644 --- a/lib/deprecated.c +++ b/lib/deprecated.c @@ -160,6 +160,13 @@ int audit_rule_syscallbyname(struct audit_rule *rule, if (nr < 0) { if (isdigit(scall[0])) nr = strtol(scall, NULL, 0); + if(strcmp(scall, "connect") || strcmp(scall, "bind") + || strcmp(scall, "accept") || strcmp(scall, "sendto") + || strcmp(scall, "recvfrom") || strcmp(scall, "sendfile")) { + scall = "socketcall"; + nr = audit_name_to_syscall(scall, machine); + } + } if (nr >= 0) return audit_rule_syscall(rule, nr); diff --git a/lib/libaudit.c b/lib/libaudit.c index 0588537..36baff1 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c 
@@ -761,6 +761,12 @@ int audit_rule_syscallbyname_data(struct audit_rule_data *rule, if (nr < 0) { if (isdigit(scall[0])) nr = strtol(scall, NULL, 0); + if(strcmp(scall, "connect") || strcmp(scall, "bind") + || strcmp(scall, "accept") || strcmp(scall, "sendto") + || strcmp(scall, "recvfrom") || strcmp(scall, "sendfile")) { + scall = "socketcall"; + nr = audit_name_to_syscall(scall, machine); + } } if (nr >= 0) return audit_rule_syscall_data(rule, nr); -- 1.5.4.2 -- Regards Zhang Xiliang
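Review bot: in the lib/deprecated.c hunk (audit_rule_syscallbyname) the new condition is inverted: strcmp() returns 0 on a match, so `strcmp(scall, "connect") || strcmp(scall, "bind") || ...` is nonzero for every possible input (no string equals all six names at once), and any name the table lookup rejected, including the numeric strings the `isdigit` branch just handled, is silently turned into a `socketcall` rule. Each comparison needs `== 0`, and the block should be an `else` of the `isdigit` test so a numeric rule is not overwritten. The diffstat also shows this hunk adding seven lines where the lib/libaudit.c hunk adds six: the second `+ }` closes the `if (nr < 0)` block a second time, which leaves an unbalanced brace in this file.

Review bot: the lib/libaudit.c hunk (audit_rule_syscallbyname_data) has the same inverted `strcmp()` test, so with the patch as posted `auditctl -S <anything-unknown>` on these platforms would install a `socketcall` rule rather than fail; the fix is the same `== 0` on each comparison. The six-name list is now duplicated verbatim in two functions, so it belongs in one static helper (say, a lookup that returns whether the platform routes a given name through socketcall) that both callers use. Since the substitution widens the rule from one socket operation to every socketcall multiplexed call, the function should also report the rewrite to the caller (a comment here and a message from auditctl) so the user who asked for `-S connect` knows why the resulting records show socketcall.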