From: Peng Haitao <penght@cn.fujitsu.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: audit-list <linux-audit@redhat.com>
Subject: [PATCH] Fix a bug that use option '-p process-id' cannot search out all matched logs
Date: Thu, 11 Sep 2008 13:05:36 +0800 [thread overview]
Message-ID: <48C8A720.60706@cn.fujitsu.com> (raw)
Hello steve,
Use option '-p process-id' cannot search out the log which contains the given process-id and message type is AVC.
For example:
# echo 'type=AVC msg=audit(1221036190.313:3232615): avc: denied { append } for pid=8961 comm="cupsd" path="/var/log/cups/access_log" dev=hda7 ino=1210126 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file' | ausearch -p 8961
<no matches>
Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
---
src/ausearch-parse.c | 27 +++++++++++++++++++++------
1 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index d2cb44d..e3ffa8c 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1209,11 +1209,26 @@ static int parse_avc(const lnode *n, search_items *s)
*term = ' ';
}
+ // get pid
+ str = strstr(term, "pid=");
+ if (str) {
+ str = str + 4;
+ term = strchr(str, ' ');
+ if (term == NULL)
+ return 3;
+ *term = 0;
+ errno = 0;
+ s->pid = strtoul(str, NULL, 10);
+ if (errno)
+ return 4;
+ *term = ' ';
+ }
+
if (event_comm && s->comm == NULL) {
// dont do this search unless needed
str = strstr(term, "comm=");
if (str == NULL) {
- rc = 3;
+ rc = 5;
goto err;
}
str += 5;
@@ -1221,7 +1236,7 @@ static int parse_avc(const lnode *n, search_items *s)
str++;
term = strchr(str, '"');
if (term == NULL) {
- rc = 4;
+ rc = 6;
goto err;
}
*term = 0;
@@ -1250,7 +1265,7 @@ static int parse_avc(const lnode *n, search_items *s)
str += 9;
term = strchr(str, ' ');
if (term == NULL) {
- rc = 5;
+ rc = 7;
goto err;
}
*term = 0;
@@ -1266,7 +1281,7 @@ static int parse_avc(const lnode *n, search_items *s)
str += 9;
term = strchr(str, ' ');
if (term == NULL) {
- rc = 6;
+ rc = 8;
goto err;
}
*term = 0;
@@ -1278,7 +1293,7 @@ static int parse_avc(const lnode *n, search_items *s)
// Now get the class...its at the end, so we do things different
str = strstr(term, "tclass=");
if (str == NULL) {
- rc = 7;
+ rc = 9;
goto err;
}
str += 7;
@@ -1292,7 +1307,7 @@ static int parse_avc(const lnode *n, search_items *s)
if (audit_avc_init(s) == 0) {
alist_append(s->avc, &an);
} else {
- rc = 8;
+ rc = 10;
goto err;
}
--
1.5.3
--
Regards
Peng Haitao
next reply other threads:[~2008-09-11 5:05 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-11 5:05 Peng Haitao [this message]
2008-09-11 15:09 ` [PATCH] Fix a bug that use option '-p process-id' cannot search out all matched logs Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48C8A720.60706@cn.fujitsu.com \
--to=penght@cn.fujitsu.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox