Steve Grubb wrote: [Sat Aug 26 2006, 02:06:20PM EDT] > Hello, > > During some troubleshooting, I found that ppid was accidentally omitted from > the legacy rule section. This resulted in EINVAL for any rule with ppid sent > with AUDIT_ADD.
AUDIT_PPID was recently added, so shouldn't be supported for the legacy structure. Instead auditctl should use struct audit_rule_data for rules with AUDIT_PPID. > Signed-off-by: Steve Grubb <[EMAIL PROTECTED]> > > > diff -urp linux-2.6.17.x86_64.orig/kernel/auditfilter.c > linux-2.6.17.x86_64/kernel/auditfilter.c > --- linux-2.6.17.x86_64.orig/kernel/auditfilter.c 2006-08-26 > 13:50:19.000000000 -0400 > +++ linux-2.6.17.x86_64/kernel/auditfilter.c 2006-08-26 13:52:30.000000000 > -0400 > @@ -413,6 +413,7 @@ static struct audit_entry *audit_rule_to > case AUDIT_PERS: > case AUDIT_ARCH: > case AUDIT_MSGTYPE: > + case AUDIT_PPID: > case AUDIT_DEVMAJOR: > case AUDIT_DEVMINOR: > case AUDIT_EXIT: > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
