From mboxrd@z Thu Jan 1 00:00:00 1970
From: zhangxiliang
Subject: [PATCH 4/4] Add the checking of key field for a watch or syscall given
Date: Sat, 02 Aug 2008 18:16:48 +0800
Message-ID: <48943410.5030400@cn.fujitsu.com>
To: Steve Grubb, Linux Audit
List-Id: linux-audit@redhat.com

Hello Steve,

When the field is AUDIT_FILTERKEY, it should need a watch or syscall given prior to it.
So I add checking and error message "-19" to realize it.
Do you agree with me?

This is the patch for the latest code in the audit SVN project.

Signed-off-by: Zhang Xiliang

--- lib/libaudit.c | 3 +++ src/auditctl.c | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletions(-) diff --git a/lib/libaudit.c b/lib/libaudit.c index 4d20261..8dd5baa 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c @@ -75,6 +75,7 @@ static const struct nv_list failure_actions[] = { NULL, 0 } }; +int audit_permadded hidden = 0; int audit_archadded hidden = 0; int audit_syscalladded hidden = 0; unsigned int audit_elf hidden = 0U; @@ -920,6 +921,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: case AUDIT_FILTERKEY: + if (field == AUDIT_FILTERKEY && !(audit_syscalladded || audit_permadded)) + return -19; vlen = strlen(v); if (field == AUDIT_FILTERKEY && vlen > AUDIT_MAX_KEY_LEN) diff --git a/src/auditctl.c b/src/auditctl.c index 0d38ac1..2c99e09 100644 --- a/src/auditctl.c +++ b/src/auditctl.c @@ -67,7 +67,6 @@ enum { OLD, NEW }; int which; static struct audit_rule rule; static struct audit_rule_data *rule_new = NULL; -int audit_permadded; static char key[AUDIT_MAX_KEY_LEN+1]; static int keylen; static int printed; 
@@ -77,6 +76,7 @@ static const char key_sep[2] = { AUDIT_KEY_SEPARATOR, 0 }; extern int audit_archadded; extern int audit_syscalladded; extern unsigned int audit_elf; +extern int audit_permadded; /* * This function will reset everything used for each loop when loading @@ -799,6 +799,11 @@ static int setopt(int count, char *vars[]) "Field %s can not be used with exclude filter list\n", optarg); retval = -1; break; + case -19: + fprintf(stderr, + "Key field needs a watch or syscall given prior to it\n"); + retval = -1; + break; default: retval = -1; break; -- Regards Zhang Xiliang
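
Review bot: In the lib/libaudit.c hunk at @@ -920, the new `return -19;` in audit_rule_fieldpair_data() is decided by the process-wide flags audit_syscalladded and audit_permadded, and no visible line in libaudit.c sets audit_permadded, so a libaudit caller other than auditctl that builds a watch rule and then adds a key through this function would be rejected. Consider setting audit_permadded in the library where the perm field is parsed, or deriving the condition from the rule in *rulep instead of from globals. The check is also order-sensitive (the key must come after the watch or syscall on the command line), which should be documented where the key field is described.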
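
Review bot: In the src/auditctl.c hunks at @@ -67 and @@ -77, audit_permadded stops being defined in auditctl.c and becomes an extern defined in libaudit.c, while the context comment right below the new extern refers to a function that resets everything for each loop when loading rules. Please confirm that this reset still clears audit_permadded along with audit_syscalladded; if it does not, a flag left set by one rule in a rules file lets a key-only rule on a later line pass the new AUDIT_FILTERKEY check.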
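
Review bot: In the src/auditctl.c hunk at @@ -799, `case -19:` repeats the bare number returned from lib/libaudit.c, so the two files can drift apart without a compiler warning. A named constant shared by both files, or at minimum a comment beside `return -19;` naming the condition, would make the pairing explicit. The message text could also say which option to move, for example that the key field must follow the watch or syscall it labels.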