From mboxrd@z Thu Jan 1 00:00:00 1970 
From: ramsdell@mitre.org (John D. Ramsdell) Subject: Clone and fcntl64 flags patch Date: 23 Jul 2007 07:44:42 -0400 Message-ID: References: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: sgrubb@redhat.com, jdennis@redhat.com Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com --=-=-= Enclosed is a patch for auparse/interpret.c that makes it so that a0 is interpreted for clone flags, not a2. It also fixes two problems with interpreting the fcntl system call. The name of the system call is fcntl64, but the original code looked for the name fcntl. I have also added a case so that a2 is printed as FD_CLOEXEC whenever a1 is F_SETFD and a2 is 1. I still haven't figured out why the auparse library prints getdents when strace prints getdents64. I'll keep on looking. You'd think that either both getdents and fcntl would be printed with or without the 64 tacked on, but the current situation seems very odd to me. 
John --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=clone-fcntl-flags.patch Content-Description: clone fcntl64 Only in audit-1.5.5/audisp: audispd Only in audit-1.5.5/audisp: audispd-audispd.o Only in audit-1.5.5/audisp: .libs Only in audit-1.5.5/audisp: Makefile Only in audit-1.5.5/auparse: auditd-config.lo Only in audit-1.5.5/auparse: auditd-config.o Only in audit-1.5.5/auparse: auparse.lo Only in audit-1.5.5/auparse: auparse.o Only in audit-1.5.5/auparse: autsv Only in audit-1.5.5/auparse: autsv__00.txt Only in audit-1.5.5/auparse: autsv.c Only in audit-1.5.5/auparse: autsv.txt Only in audit-1.5.5/auparse: data_buf.lo Only in audit-1.5.5/auparse: data_buf.o Only in audit-1.5.5/auparse: .deps Only in audit-1.5.5/auparse: ellist.lo Only in audit-1.5.5/auparse: ellist.o
diff -ur oaudit-1.5.5/auparse/interpret.c audit-1.5.5/auparse/interpret.c
--- oaudit-1.5.5/auparse/interpret.c 2007-07-20 08:19:18.000000000 -0400
+++ audit-1.5.5/auparse/interpret.c 2007-07-23 07:30:42.000000000 -0400
@@ -978,9 +978,20 @@
 static const char *print_a0(const char *val, const rnode *r)
 {
 int machine = r->machine, syscall = r->syscall;
+ char *out;
 const char *sys = audit_syscall_to_name(syscall, machine);
 if (sys) {
- /* Unused right now... */
+ if (strcmp(sys, "clone") == 0) {
+ int ival;
+
+ errno = 0;
+ ival = strtoul(val, NULL, 16);
+ if (errno) {
+ asprintf(&out, "conversion error(%s)", val);
+ return out;
+ }
+ return print_clone_flags(ival);
+ }
 }
 return strdup(val);
 }
@@ -1001,7 +1012,7 @@
 return out;
 }
 return print_open_flags(ival);
- } else if (strncmp(sys, "fcntl", 5) == 0) {
+ } else if (strcmp(sys, "fcntl64") == 0) {
 int ival;
 errno = 0;
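Review bot: In the clone branch added to print_a0, the `errno` test after `strtoul(val, NULL, 16)` catches only overflow, so a value with no hex digits converts to 0 and is handed to print_clone_flags as if no flags were set. Passing an end pointer and treating `end == val || *end != '\0'` as a conversion error would route malformed records to the error string instead of a plausible-looking decode. The unsigned long result is also narrowed into `int ival`, and the return value of `asprintf` is ignored, so on allocation failure `out` is returned with an undefined value; `if (asprintf(&out, "conversion error(%s)", val) < 0) out = NULL;` closes that.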
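Review bot: Replacing the prefix test `strncmp(sys, "fcntl", 5) == 0` with `strcmp(sys, "fcntl64") == 0` narrows the match rather than fixing it, since the old test already accepted fcntl64 and the new one no longer accepts plain fcntl. On any machine type whose syscall table names the call fcntl (presumably the 64-bit tables), the fcntl arguments would stop being interpreted and appear as raw hex. The same replacement is made in the print_a2 hunk at -1022,17. If an exact match is wanted, accept both names: `} else if (strcmp(sys, "fcntl") == 0 || strcmp(sys, "fcntl64") == 0) {`. The enclosing function starts and ends outside this hunk.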
@@ -1022,17 +1033,7 @@
 char *out;
 const char *sys = audit_syscall_to_name(syscall, machine);
 if (sys) {
- if (strcmp(sys, "clone") == 0) {
- int ival;
-
- errno = 0;
- ival = strtoul(val, NULL, 16);
- if (errno) {
- asprintf(&out, "conversion error(%s)", val);
- return out;
- }
- return print_clone_flags(ival);
- } else if (strncmp(sys, "fcntl", 5) == 0) {
+ if (strcmp(sys, "fcntl64") == 0) {
 int ival;
 errno = 0;
@@ -1045,6 +1046,10 @@
 {
 case F_SETOWN:
 return print_uid(val);
+ case F_SETFD:
+ if (ival == FD_CLOEXEC)
+ return strdup("FD_CLOEXEC");
+ /* Fall thru okay. */
 case F_SETFL:
 case F_SETLEASE:
 case F_GETLEASE:
Only in audit-1.5.5/auparse: interpret.c~ Only in audit-1.5.5/auparse: interpret.lo Only in audit-1.5.5/auparse: interpret.o Only in audit-1.5.5/auparse: libauparse.la Only in audit-1.5.5/auparse: .libs Only in audit-1.5.5/auparse: Makefile Only in audit-1.5.5/auparse: message.lo Only in audit-1.5.5/auparse: message.o Only in audit-1.5.5/auparse: nvlist.lo Only in audit-1.5.5/auparse: nvlist.o Only in audit-1.5.5/auparse: nvpair.lo Only in audit-1.5.5/auparse: nvpair.o Only in audit-1.5.5/auparse: oautsv Only in audit-1.5.5/auparse: oautsv.txt Only in audit-1.5.5/auparse: rlist.lo Only in audit-1.5.5/auparse: rlist.o Only in audit-1.5.5/auparse/test: .deps Only in audit-1.5.5/auparse/test: Makefile Only in audit-1.5.5/bindings: Makefile Only in audit-1.5.5/bindings/python: build Only in audit-1.5.5/bindings/python: Makefile Only in audit-1.5.5: config.h Only in audit-1.5.5: config.log Only in audit-1.5.5: config.status Only in audit-1.5.5/docs: Makefile Only in audit-1.5.5/init.d: Makefile Only in audit-1.5.5/lib: audit_logging.lo Only in audit-1.5.5/lib: audit_logging.o Only in audit-1.5.5/lib: deprecated.lo Only in audit-1.5.5/lib: deprecated.o Only in audit-1.5.5/lib: .deps Only in audit-1.5.5/lib: libaudit.la Only in audit-1.5.5/lib: libaudit.lo Only in audit-1.5.5/lib: libaudit.o Only in audit-1.5.5/lib: .libs Only in audit-1.5.5/lib: lookup_table.lo Only in audit-1.5.5/lib: lookup_table.o Only in audit-1.5.5/lib: Makefile Only in audit-1.5.5/lib: message.lo Only in audit-1.5.5/lib: message.o Only in audit-1.5.5/lib: netlink.lo Only in audit-1.5.5/lib: netlink.o Only in audit-1.5.5: libtool Only in audit-1.5.5: Makefile Only in audit-1.5.5/src: auditctl Only in audit-1.5.5/src: auditctl-llist.o Only in audit-1.5.5/src: auditctl.o Only in audit-1.5.5/src: 
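Review bot: The new F_SETFD case tests `ival == FD_CLOEXEC`, so an argument that has the close-on-exec bit set together with any other bit falls through unlabelled, although the kernel looks only at that bit. `if (ival & FD_CLOEXEC)` would reflect what the call actually did, which matters when the interpreted record is used to judge whether a descriptor could survive an exec. The assignment of ival and the bodies of the cases the fall-through lands on (`F_SETFL`, `F_SETLEASE`, `F_GETLEASE`) are outside this hunk, so confirm that the shared path prints the raw value for a non-matching F_SETFD argument.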
auditd Only in audit-1.5.5/src: auditd-auditd-config.o Only in audit-1.5.5/src: auditd-auditd-dispatch.o Only in audit-1.5.5/src: auditd-auditd-event.o Only in audit-1.5.5/src: auditd-auditd.o Only in audit-1.5.5/src: auditd-auditd-reconfig.o Only in audit-1.5.5/src: auditd-auditd-sendmail.o Only in audit-1.5.5/src: auditd-config.o Only in audit-1.5.5/src: aureport Only in audit-1.5.5/src: aureport.o Only in audit-1.5.5/src: aureport-options.o Only in audit-1.5.5/src: aureport-output.o Only in audit-1.5.5/src: aureport-scan.o Only in audit-1.5.5/src: ausearch Only in audit-1.5.5/src: ausearch-avc.o Only in audit-1.5.5/src: ausearch-int.o Only in audit-1.5.5/src: ausearch-llist.o Only in audit-1.5.5/src: ausearch-lookup.o Only in audit-1.5.5/src: ausearch-match.o Only in audit-1.5.5/src: ausearch-nvpair.o Only in audit-1.5.5/src: ausearch.o Only in audit-1.5.5/src: ausearch-options.o Only in audit-1.5.5/src: ausearch-parse.o Only in audit-1.5.5/src: ausearch-report.o Only in audit-1.5.5/src: ausearch-string.o Only in audit-1.5.5/src: ausearch-time.o Only in audit-1.5.5/src: autrace Only in audit-1.5.5/src: autrace.o Only in audit-1.5.5/src: delete_all.o Only in audit-1.5.5/src: .libs Only in audit-1.5.5/src: Makefile Only in audit-1.5.5/src/mt: actiontab.h Only in audit-1.5.5/src/mt: alpha_table.h Only in audit-1.5.5/src/mt: audit_logging.o Only in audit-1.5.5/src/mt: deprecated.o Only in audit-1.5.5/src/mt: fieldtab.h Only in audit-1.5.5/src/mt: flagtab.h Only in audit-1.5.5/src/mt: i386_table.h Only in audit-1.5.5/src/mt: ia64_table.h Only in audit-1.5.5/src/mt: libauditmt.a Only in audit-1.5.5/src/mt: libaudit.o Only in audit-1.5.5/src/mt: lookup_table.o Only in audit-1.5.5/src/mt: machinetab.h Only in audit-1.5.5/src/mt: Makefile Only in audit-1.5.5/src/mt: message.o Only in audit-1.5.5/src/mt: msg_typetab.h Only in audit-1.5.5/src/mt: netlink.o Only in audit-1.5.5/src/mt: optab.h Only in audit-1.5.5/src/mt: ppc_table.h Only in audit-1.5.5/src/mt: s390_table.h 
Only in audit-1.5.5/src/mt: s390x_table.h Only in audit-1.5.5/src/mt: x86_64_table.h Only in audit-1.5.5: stamp-h1 Only in audit-1.5.5/swig: _audit.la Only in audit-1.5.5/swig: audit_wrap.c Only in audit-1.5.5/swig: audit_wrap.lo Only in audit-1.5.5/swig: audit_wrap.o Only in audit-1.5.5/swig: .deps Only in audit-1.5.5/swig: .libs Only in audit-1.5.5/swig: Makefile Only in audit-1.5.5/system-config-audit: config.log Only in audit-1.5.5/system-config-audit: config.status Only in audit-1.5.5/system-config-audit: intltool-extract Only in audit-1.5.5/system-config-audit: intltool-merge Only in audit-1.5.5/system-config-audit: intltool-update Only in audit-1.5.5/system-config-audit: libtool Only in audit-1.5.5/system-config-audit: Makefile Only in audit-1.5.5/system-config-audit/po: .intltool-merge-cache Only in audit-1.5.5/system-config-audit/po: Makefile Only in audit-1.5.5/system-config-audit/po: Makefile.in Only in audit-1.5.5/system-config-audit/po: POTFILES Only in audit-1.5.5/system-config-audit/po: stamp-it Only in audit-1.5.5/system-config-audit/src: config.h Only in audit-1.5.5/system-config-audit/src: .deps Only in audit-1.5.5/system-config-audit/src: .dirstamp Only in audit-1.5.5/system-config-audit/src: .libs Only in audit-1.5.5/system-config-audit/src: src_system_config_audit_server-server.o Only in audit-1.5.5/system-config-audit/src: stamp-h1 Only in audit-1.5.5/system-config-audit/src: system-config-audit Only in audit-1.5.5/system-config-audit/src: system-config-audit-server Only in audit-1.5.5/system-config-audit: system-config-audit.desktop --=-=-= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --=-=-=--