Hi,

On Wednesday 30 July 2008 21:38:26 chuli wrote:
>   When I use "-a user,always -S open", an error is reported. But when I
> use "-S open -a user,always", no error is reported. There is no
> corresponding code to deal with the latter format.

I'm still thinking about this patch. I'll look at it again tomorrow.

Thanks,
-Steve


>   Here is my patch. Hope for your opinion about such modification.
>   (I move the code for checking "task" list to the handle_request().)
>
> Signed-off-by: Chu Li <[EMAIL PROTECTED]>
> ---
> diff --git a/src/auditctl.c b/src/auditctl.c
> index d740509..9cc3df0 100755
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -532,52 +532,40 @@ static int setopt(int count, char *vars[])
>               retval = -2;
>               break;
>          case 'a':
> -             if (strstr(optarg, "task") && audit_syscalladded) {
> +             rc = audit_rule_setup(optarg, &add, &action);
> +             if (rc == 3) {
> +                     fprintf(stderr,
> +                     "Multiple rule insert/delete operations are not 
> allowed\n");
> +                     retval = -1;
> +             } else if (rc == 2) {
>                       fprintf(stderr,
> -                             "Syscall auditing requested for task list\n");
> +                     "Append rule - bad keyword %s\n",
> +                     optarg);
>                       retval = -1;
> -             } else {
> -                     rc = audit_rule_setup(optarg, &add, &action);
> -                     if (rc == 3) {
> -                             fprintf(stderr,
> -             "Multiple rule insert/delete operations are not allowed\n");
> -                             retval = -1;
> -                     } else if (rc == 2) {
> -                             fprintf(stderr,
> -                                     "Append rule - bad keyword %s\n",
> -                                     optarg);
> -                             retval = -1;
> -                     } else if (rc == 1) {
> -                             fprintf(stderr,
> -                                 "Append rule - possible is deprecated\n");
> -                             return -3; /* deprecated - eat it */
> -                     } else
> -                             retval = 1; /* success - please send */
> -             }
> +             } else if (rc == 1) {
> +                     fprintf(stderr,
> +                     "Append rule - possible is deprecated\n");
> +                     return -3; /* deprecated - eat it */
> +             } else
> +                     retval = 1; /* success - please send */
>               break;
>          case 'A':
> -             if (strstr(optarg, "task") && audit_syscalladded) {
> -                     fprintf(stderr,
> -                        "Error: syscall auditing requested for task list\n");
> +             rc = audit_rule_setup(optarg, &add, &action);
> +             if (rc == 3) {
> +                     fprintf(stderr,
> +                     "Multiple rule insert/delete operations are not 
> allowed\n");
>                       retval = -1;
> +             } else if (rc == 2) {
> +                     fprintf(stderr,
> +                     "Add rule - bad keyword %s\n", optarg);
> +                     retval = -1;
> +             } else if (rc == 1) {
> +                     fprintf(stderr,
> +                     "Append rule - possible is deprecated\n");
> +                     return -3; /* deprecated - eat it */
>               } else {
> -                     rc = audit_rule_setup(optarg, &add, &action);
> -                     if (rc == 3) {
> -                             fprintf(stderr,
> -             "Multiple rule insert/delete operations are not allowed\n");
> -                             retval = -1;
> -                     } else if (rc == 2) {
> -                             fprintf(stderr,
> -                             "Add rule - bad keyword %s\n", optarg);
> -                             retval = -1;
> -                     } else if (rc == 1) {
> -                             fprintf(stderr,
> -                                 "Append rule - possible is deprecated\n");
> -                             return -3; /* deprecated - eat it */
> -                     } else {
> -                             add |= AUDIT_FILTER_PREPEND;
> -                             retval = 1; /* success - please send */
> -                     }
> +                     add |= AUDIT_FILTER_PREPEND;
> +                     retval = 1; /* success - please send */
>               }
>               break;
>          case 'd':
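Review bot: With the `strstr(optarg, "task")` guard removed from `case 'a'` and `case 'A'`, setopt() no longer rejects a syscall-on-task-list rule at parse time, so the only remaining guard is the check this patch adds to handle_request(). It is worth confirming that every path that sends a rule passes through that check, because a rule accepted in a form the administrator did not intend leaves a silent gap in audit coverage. Separately, the `rc == 1` branch under `case 'A'` still prints `"Append rule - possible is deprecated\n"`; `"Add rule - possible is deprecated\n"` would match the neighbouring `"Add rule - bad keyword %s\n"`. The two case bodies now differ only in that prefix and the `add |= AUDIT_FILTER_PREPEND;` line, so a small static helper taking the prefix would remove the duplication. setopt() starts and ends outside the hunk.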
> @@ -1167,6 +1155,27 @@ static int handle_request(int status)
>                                       audit_rule_syscallbyname_data(
>                                                       rule_new, "all");
>                       }
> +                     if(audit_syscalladded == 1){
> +                             if (((add & 
> (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> +                                     AUDIT_FILTER_TASK || (del &
> +                                     (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) 
> ==
> +                                     AUDIT_FILTER_TASK)) {
> +                                     fprintf(stderr,
> +                                     "Error: syscall auditing being added to 
> task list\n");
> +                                     return -1;
> +                             } else if (((add & 
> (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> +                                     AUDIT_FILTER_USER || (del &
> +                                     (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) 
> ==
> +                                     AUDIT_FILTER_USER)) {
> +                                     fprintf(stderr,
> +                                     "Error: syscall auditing being added to 
> user list\n");
> +                                     return -1;
> +                             } else if (exclude) {
> +                                     fprintf(stderr,
> +                                     "Error: syscall auditing cannot be put 
> on exclude list\n");
> +                                     return -1;
> +                             }
> +                     }
>                       if (which == OLD) {
>                               rc = audit_add_rule(fd, &rule, add, action);
>                       } else {
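Review bot: The `del &` comparisons in the new check sit directly above `audit_add_rule(fd, &rule, add, action)`, which suggests this is the add branch of handle_request(); if so they can never match here, and a delete request that combines `-S` with the task or user list is not validated by this hunk. The enclosing block starts outside the hunk, so this needs checking against the full function. The guard also tests `audit_syscalladded == 1` where the removed code tested truthiness; `if (audit_syscalladded) {` keeps the old semantics should the flag ever hold another non-zero value, and matches the file's `if (` spacing. The messages say "being added to" even on the `del` comparisons, so either drop those comparisons or word the message neutrally. A comment above the block such as `/* -S is rejected for the task, user and exclude lists regardless of option order */` would record why the check lives here rather than in setopt().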
>
> Regards
> Chu Li
