From: zhangxiliang
Subject: [PATCH 1/4] Fix the bug of the error message for -7 when checking field
Date: Sat, 02 Aug 2008 18:03:43 +0800
Message-ID: <489430FF.40908@cn.fujitsu.com>
To: Steve Grubb, Linux Audit
List-Id: linux-audit@redhat.com

Hello Steve,

When field is AUDIT_EXIT, AUDIT_SUCCESS and so on, the entry, user, task, exclude filter list should be invalid on anything.
So I think using "flags != AUDIT_FILTER_EXIT" is better than "flags == AUDIT_FILTER_ENTRY".

The error message for "-7" is not suitable in some conditions.
For example,
1, auditctl -a task,always -F perm=r
Error message is "Field perm cannot be checked at syscall entry".
It should be task filter list.

Signed-off-by: Zhang Xiliang
--- lib/deprecated.c | 5 ++--- lib/libaudit.c | 4 ++-- src/auditctl.c | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/lib/deprecated.c b/lib/deprecated.c index 4f0c14e..4ad8253 100644 --- a/lib/deprecated.c +++ b/lib/deprecated.c @@ -281,7 +281,7 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags) } break; case AUDIT_EXIT: - if (flags == AUDIT_FILTER_ENTRY) + if (flags != AUDIT_FILTER_EXIT) return -7; vlen = strlen(v); if (isdigit((char)*(v))) @@ -427,8 +427,7 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags) return -10; case AUDIT_DEVMAJOR...AUDIT_INODE: case AUDIT_SUCCESS...AUDIT_SUCCESS: - - if (flags == AUDIT_FILTER_ENTRY) + if (flags != AUDIT_FILTER_EXIT) return -7; /* fallthrough */ default: diff --git a/lib/libaudit.c b/lib/libaudit.c index 563b8ad..d439c2f 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c
@@ -870,7 +870,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, } break; case AUDIT_EXIT: - if (flags == AUDIT_FILTER_ENTRY) + if (flags != AUDIT_FILTER_EXIT) return -7; vlen = strlen(v); if (isdigit((char)*(v))) @@ -1071,7 +1071,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, break; case AUDIT_DEVMAJOR...AUDIT_INODE: case AUDIT_SUCCESS...AUDIT_SUCCESS: - if (flags == AUDIT_FILTER_ENTRY) + if (flags != AUDIT_FILTER_EXIT) return -7; /* fallthrough */ default: diff --git a/src/auditctl.c b/src/auditctl.c index d740509..5b6de26 100644 --- a/src/auditctl.c +++ b/src/auditctl.c @@ -739,7 +739,7 @@ static int setopt(int count, char *vars[]) break; case -7: fprintf(stderr, - "Field %s cannot be checked at syscall entry\n", + "Field %s can only be used with exit filter list\n", optarg); retval = -1; break; -- Regards Zhang Xiliang
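
Review bot: in lib/libaudit.c, the `case AUDIT_EXIT:` and `case AUDIT_DEVMAJOR...AUDIT_INODE:` checks now use an exact-equality test, `flags != AUDIT_FILTER_EXIT`, which is only correct if `flags` never carries anything besides the list value. If any caller passes the list ORed with a modifier bit such as AUDIT_FILTER_PREPEND, a valid exit rule would now get -7, whereas the old `== AUDIT_FILTER_ENTRY` test let it through. Please confirm what callers of audit_rule_fieldpair_data() pass in `flags`, or mask down to the list bits before comparing.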
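
Review bot: in lib/deprecated.c, the bare `return -7;` under `case AUDIT_EXIT:` and `case AUDIT_SUCCESS...AUDIT_SUCCESS:` changes meaning from "not valid at syscall entry" to "only valid on the exit list", and nothing at either site records that. A one-line comment next to each `return -7;`, or a named constant shared with the `case -7:` arm in src/auditctl.c, would keep the return code and its message from drifting apart again. The second hunk also drops a blank line in the same change; that is fine, but worth mentioning in the changelog so it is not mistaken for an accident.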
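
Review bot: in src/auditctl.c, the new `case -7:` string "Field %s can only be used with exit filter list" is missing an article; "with the exit filter list" reads better. Since -7 is returned by the library and decoded here, any other place that explains -7 (a header comment, man page, or another libaudit consumer) should be updated in the same series if it still describes the code as a syscall-entry restriction.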