Hello,
Yu Zhiguo writes on Fri 18. 07. 2008 at 14:54 +0800:
> I know "list" and "action" can be changed, this is convenient.
No, it is undocumented.  As an author of system-config-audit I'd much
prefer it if audit rejected such options; replicating the exact code in
auditctl in order to handle all undocumented behavior the same way
auditctl does is rather impractical.

> diff --git a/src/auditctl.c b/src/auditctl.c
> index 2c136ea..1aba437 100644
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -168,27 +168,34 @@ static void usage(void)
>   /* Returns 0 ok, 1 deprecated action, 2 error */
>   static int audit_rule_setup(const char *opt, int *flags, int *act)
>   {
> +     char *p;
> +     if ((strchr(opt, ',') != strrchr(opt, ',')) || !strchr(opt, ','))
> +             return 2;
> +
> +     p = strchr(opt, ',');
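Review bot: the rejection test at the top of this hunk scans `opt` three times (`strchr`, `strrchr`, `strchr`) before the fourth scan assigns `p`, and for an argument with no comma at all it first compares NULL with NULL and only then reaches the `!strchr(opt, ',')` test. Assign `p = strchr(opt, ',')` first and test `p == NULL || strchr(p + 1, ',') != NULL` on it; that is one scan fewer and states the "exactly one comma" intent directly.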
I think
        p = strchr(opt, ',');
        if (p == NULL || strchr(p + 1, ',') != NULL)
                return 2;
would be simpler.

> -     if (strstr(opt, "task"))
> +     if (!strncmp(opt, "task,", p - opt + 1) || !strcmp(p, ",task"))
>               *flags = AUDIT_FILTER_TASK;
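Review bot: an empty field slips through the position check at `!strncmp(opt, "task,", p - opt + 1) || !strcmp(p, ",task")`. For `opt` = "task," the comma test above admits exactly one comma, `p - opt + 1` is 5 and the `strncmp` matches, so `*flags` is set to AUDIT_FILTER_TASK although nothing follows the comma; symmetrically ",task" matches the `strcmp(p, ",task")` branch with nothing before the comma. Reject an empty field up front, e.g. `if (p == opt || p[1] == '\0') return 2;`, unless the action parsing that follows is guaranteed to reject these shapes.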
Each string should be recognized only in the documented position IMHO.
The patch also replaces case-sensitive matching by case-insensitive,
which is not described above.

If such changes in the semantics of the parameter are accepted, at
minimum the auditctl.8 man page should be updated as well.
        Mirek
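As an added example (this is not the auditctl patch under review, nor Mirek's code, nor anything from the audit project), the following C function parses the `list,action` argument the way the reply argues it should be handled: exactly one comma, a non-empty token on each side, each name accepted only in its documented position, and case-sensitive matching. The list and action names are the commonly documented auditctl(8) ones and the set is illustrative; the `EX_*` constants, `strict_rule_setup`, `rule_status` and `rule_decoded` are assumptions of this example, not the values or functions from `<linux/audit.h>` or auditctl.c. The sample inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative placeholders for this example only; they are NOT the
 * AUDIT_FILTER_* / AUDIT_* values from <linux/audit.h>. */
enum { EX_FILTER_TASK = 1, EX_FILTER_EXIT, EX_FILTER_USER, EX_FILTER_EXCLUDE };
enum { EX_ACT_NEVER = 10, EX_ACT_ALWAYS };

struct name_val { const char *name; int val; };

static const struct name_val ex_lists[] = {
    { "task", EX_FILTER_TASK }, { "exit", EX_FILTER_EXIT },
    { "user", EX_FILTER_USER }, { "exclude", EX_FILTER_EXCLUDE },
};
static const struct name_val ex_actions[] = {
    { "never", EX_ACT_NEVER }, { "always", EX_ACT_ALWAYS },
};

/* Exact, case-sensitive match of the first `len` bytes of `s` against
 * a whole table name (so "tasks" does not match "task"). */
static int lookup_n(const struct name_val *tbl, size_t n,
                    const char *s, size_t len, int *out)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (strlen(tbl[i].name) == len && memcmp(tbl[i].name, s, len) == 0) {
            *out = tbl[i].val;
            return 1;
        }
    }
    return 0;
}

/* Parse "list,action" strictly.  Returns 0 ok, 2 error (the "1 deprecated
 * action" case of auditctl's audit_rule_setup() is not modelled here). */
int strict_rule_setup(const char *opt, int *flags, int *act)
{
    const char *p;

    if (opt == NULL)
        return 2;
    p = strchr(opt, ',');
    /* exactly one comma, with a non-empty token on each side of it */
    if (p == NULL || p == opt || p[1] == '\0' || strchr(p + 1, ',') != NULL)
        return 2;
    /* each name is accepted only in its documented position */
    if (!lookup_n(ex_lists, sizeof ex_lists / sizeof ex_lists[0],
                  opt, (size_t)(p - opt), flags))
        return 2;
    if (!lookup_n(ex_actions, sizeof ex_actions / sizeof ex_actions[0],
                  p + 1, strlen(p + 1), act))
        return 2;
    return 0;
}

/* Helpers for quick checks: the return code alone, and on success the
 * decoded pair packed as flags * 100 + act (-1 when rejected). */
int rule_status(const char *opt)
{
    int f = 0, a = 0;
    return strict_rule_setup(opt, &f, &a);
}

int rule_decoded(const char *opt)
{
    int f = 0, a = 0;
    if (strict_rule_setup(opt, &f, &a) != 0)
        return -1;
    return f * 100 + a;
}

int main(void)
{
    /* Constructed inputs: the documented form plus the shapes the
     * patch under review would accept or mishandle. */
    const char *samples[] = { "task,always", "exit,never", "always,task",
                              "task,", ",always", "task,always,x",
                              "TASK,always", "tasks,always" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               rule_status(samples[i]) == 0 ? "ok" : "rejected");
    return 0;
}
```

Matching a name by length plus `memcmp` rather than a prefix `strncmp` is what keeps "tasks,always" out; the reversed "always,task" form is rejected deliberately, since the point of the reply is that a token should be recognized only in the position the man page documents.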

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
