Hi Steve,
> >   When I use "-a user,always -S open", errors will be reported. But when I
> > use "-S open -a user,always", no errors will report. There is no
> > corresponding codes to deal with the later format.
>
> I'm still thinking about this patch. I'll look at it again tomorrow.
>
  I modified the original patch: I moved the checks for the list and syscall
in handle_request() to before the line "if (add != AUDIT_FILTER_UNSET)".
  Now using "-S open -a user,always" or "-S open -d user,always" will report
an error to the user.

 I also found another problem: using "-a 'list','action' -w /mnt" always adds
the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa". I found that "-w"
uses the "exit" list automatically. I think it would be better to add
something about this to the manual.

  How about your opinion?

Signed-off-by: Chu Li <[EMAIL PROTECTED]>
---
diff --git a/src/auditctl.c b/src/auditctl.c
index 48f1369..f4f9553 100755
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -575,52 +575,41 @@ static int setopt(int count, char *vars[])
                retval = -2;
                break;
         case 'a':
-               if (strstr(optarg, "task") && audit_syscalladded) {
+               rc = audit_rule_setup(optarg, &add, &action);
+               if (rc == 3) {
+                       fprintf(stderr,
+               "Multiple rule insert/delete operations are not allowed\n");
+                       retval = -1;
+               } else if (rc == 2) {
                        fprintf(stderr,
-                               "Syscall auditing requested for task list\n");
+                               "Append rule - bad keyword %s\n",
+                               optarg);
                        retval = -1;
-               } else {
-                       rc = audit_rule_setup(optarg, &add, &action);
-                       if (rc == 3) {
-                               fprintf(stderr,
-               "Multiple rule insert/delete operations are not allowed\n");
-                               retval = -1;
-                       } else if (rc == 2) {
-                               fprintf(stderr,
-                                       "Append rule - bad keyword %s\n",
-                                       optarg);
-                               retval = -1;
-                       } else if (rc == 1) {
-                               fprintf(stderr,
-                                   "Append rule - possible is deprecated\n");
-                               return -3; /* deprecated - eat it */
-                       } else
-                               retval = 1; /* success - please send */
+               } else if (rc == 1) {
+                       fprintf(stderr,
+                           "Append rule - possible is deprecated\n");
+                       return -3; /* deprecated - eat it */
+               } else
+                       retval = 1; /* success - please send */
                }
                break;
         case 'A':
-               if (strstr(optarg, "task") && audit_syscalladded) {
-                       fprintf(stderr,
-                          "Error: syscall auditing requested for task list\n");
+               rc = audit_rule_setup(optarg, &add, &action);
+               if (rc == 3) {
+                       fprintf(stderr,
+               "Multiple rule insert/delete operations are not allowed\n");
                        retval = -1;
+               } else if (rc == 2) {
+                       fprintf(stderr,
+                       "Add rule - bad keyword %s\n", optarg);
+                       retval = -1;
+               } else if (rc == 1) {
+                       fprintf(stderr,
+                           "Append rule - possible is deprecated\n");
+                       return -3; /* deprecated - eat it */
                } else {
-                       rc = audit_rule_setup(optarg, &add, &action);
-                       if (rc == 3) {
-                               fprintf(stderr,
-               "Multiple rule insert/delete operations are not allowed\n");
-                               retval = -1;
-                       } else if (rc == 2) {
-                               fprintf(stderr,
-                               "Add rule - bad keyword %s\n", optarg);
-                               retval = -1;
-                       } else if (rc == 1) {
-                               fprintf(stderr,
-                                   "Append rule - possible is deprecated\n");
-                               return -3; /* deprecated - eat it */
-                       } else {
-                               add |= AUDIT_FILTER_PREPEND;
-                               retval = 1; /* success - please send */
-                       }
+                       add |= AUDIT_FILTER_PREPEND;
+                       retval = 1; /* success - please send */
                }
                break;
         case 'd':
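Review bot: The context line `}` that follows `retval = 1; /* success - please send */` in case 'a' is left over from the removed `} else {` wrapper, so the new side of that case has one more closing brace than opening braces and setopt() is unlikely to compile as posted. That line should be a removal (`-               }`), as it is in the first version of the patch quoted further down, which also takes the hunk header's new-side count from 41 to 40. Case 'A' is balanced because it keeps its `} else {` as context. setopt()'s body starts and ends outside the hunk.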
@@ -1215,6 +1204,27 @@ static int handle_request(int status)
                status = 0;  // report success
        else if (status > 0) {
                int rc;
+               if(audit_syscalladded == 1){
+                       if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+                               AUDIT_FILTER_TASK || (del &
+                               (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+                                       AUDIT_FILTER_TASK)) {
+                               fprintf(stderr,
+                               "Error: syscall auditing being added to task list\n");
+                               return -1;
+                       } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+                               AUDIT_FILTER_USER || (del &
+                               (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+                               AUDIT_FILTER_USER)) {
+                               fprintf(stderr,
+                               "Error: syscall auditing being added to user list\n");
+                               return -1;
+                       } else if (exclude) {
+                               fprintf(stderr,
+                               "Error: syscall auditing cannot be put on exclude list\n");
+                               return -1;
+                       }
+               }
                if (add != AUDIT_FILTER_UNSET) {
                        // if !task add syscall any if not specified
                        if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK &&
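Review bot: The guard `if(audit_syscalladded == 1){` is stricter than the test it replaces: the removed checks in setopt() used `audit_syscalladded` as a truth value, so if the flag can ever hold a nonzero value other than 1, the task/user/exclude validation is skipped and the rule is sent without an error. `if (audit_syscalladded) {` keeps the old meaning. The two messages that say "being added to" are also printed when the match comes from `del`, so a delete request gets a misleading error. A one-line comment above the block, such as `/* reject -S on the task, user and exclude lists regardless of option order */`, would record why the check now lives here rather than in option parsing. handle_request()'s body starts and ends outside the hunk.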

> -----Original Message-----
> From: Steve Grubb [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2008 8:19 AM
> To: chuli
> Cc: 'linux-audit'
> Subject: Re: [Patch]Fix the bug of using "-S syscall -a list,action", no 
> errors
> will be reported.
>
> Hi,
>
> On Wednesday 30 July 2008 21:38:26 chuli wrote:
> >   When I use "-a user,always -S open", errors will be reported. But when I
> > use "-S open -a user,always", no errors will report. There is no
> > corresponding codes to deal with the later format.
>
> I'm still thinking about this patch. I'll look at it again tomorrow.
>
> Thanks,
> -Steve
>
>
> >   Here is my patch. Hope for your opinion about such modification.
> >   (I move the code for checking "task" list to the handle_request().)
> >
> > Signed-off-by: Chu Li <[EMAIL PROTECTED]>
> > ---
> > diff --git a/src/auditctl.c b/src/auditctl.c
> > index d740509..9cc3df0 100755
> > --- a/src/auditctl.c
> > +++ b/src/auditctl.c
> > @@ -532,52 +532,40 @@ static int setopt(int count, char *vars[])
> >             retval = -2;
> >             break;
> >          case 'a':
> > -           if (strstr(optarg, "task") && audit_syscalladded) {
> > +           rc = audit_rule_setup(optarg, &add, &action);
> > +           if (rc == 3) {
> > +                   fprintf(stderr,
> > +                   "Multiple rule insert/delete operations are not 
> > allowed\n");
> > +                   retval = -1;
> > +           } else if (rc == 2) {
> >                     fprintf(stderr,
> > -                           "Syscall auditing requested for task list\n");
> > +                   "Append rule - bad keyword %s\n",
> > +                   optarg);
> >                     retval = -1;
> > -           } else {
> > -                   rc = audit_rule_setup(optarg, &add, &action);
> > -                   if (rc == 3) {
> > -                           fprintf(stderr,
> > -           "Multiple rule insert/delete operations are not allowed\n");
> > -                           retval = -1;
> > -                   } else if (rc == 2) {
> > -                           fprintf(stderr,
> > -                                   "Append rule - bad keyword %s\n",
> > -                                   optarg);
> > -                           retval = -1;
> > -                   } else if (rc == 1) {
> > -                           fprintf(stderr,
> > -                               "Append rule - possible is deprecated\n");
> > -                           return -3; /* deprecated - eat it */
> > -                   } else
> > -                           retval = 1; /* success - please send */
> > -           }
> > +           } else if (rc == 1) {
> > +                   fprintf(stderr,
> > +                   "Append rule - possible is deprecated\n");
> > +                   return -3; /* deprecated - eat it */
> > +           } else
> > +                   retval = 1; /* success - please send */
> >             break;
> >          case 'A':
> > -           if (strstr(optarg, "task") && audit_syscalladded) {
> > -                   fprintf(stderr,
> > -                      "Error: syscall auditing requested for task list\n");
> > +           rc = audit_rule_setup(optarg, &add, &action);
> > +           if (rc == 3) {
> > +                   fprintf(stderr,
> > +                   "Multiple rule insert/delete operations are not 
> > allowed\n");
> >                     retval = -1;
> > +           } else if (rc == 2) {
> > +                   fprintf(stderr,
> > +                   "Add rule - bad keyword %s\n", optarg);
> > +                   retval = -1;
> > +           } else if (rc == 1) {
> > +                   fprintf(stderr,
> > +                   "Append rule - possible is deprecated\n");
> > +                   return -3; /* deprecated - eat it */
> >             } else {
> > -                   rc = audit_rule_setup(optarg, &add, &action);
> > -                   if (rc == 3) {
> > -                           fprintf(stderr,
> > -           "Multiple rule insert/delete operations are not allowed\n");
> > -                           retval = -1;
> > -                   } else if (rc == 2) {
> > -                           fprintf(stderr,
> > -                           "Add rule - bad keyword %s\n", optarg);
> > -                           retval = -1;
> > -                   } else if (rc == 1) {
> > -                           fprintf(stderr,
> > -                               "Append rule - possible is deprecated\n");
> > -                           return -3; /* deprecated - eat it */
> > -                   } else {
> > -                           add |= AUDIT_FILTER_PREPEND;
> > -                           retval = 1; /* success - please send */
> > -                   }
> > +                   add |= AUDIT_FILTER_PREPEND;
> > +                   retval = 1; /* success - please send */
> >             }
> >             break;
> >          case 'd':
> > @@ -1167,6 +1155,27 @@ static int handle_request(int status)
> >                                     audit_rule_syscallbyname_data(
> >                                                     rule_new, "all");
> >                     }
> > +                   if(audit_syscalladded == 1){
> > +                           if (((add & 
> > (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > +                                   AUDIT_FILTER_TASK || (del &
> > +                                   (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) 
> > ==
> > +                                   AUDIT_FILTER_TASK)) {
> > +                                   fprintf(stderr,
> > +                                   "Error: syscall auditing being added to 
> > task list\n");
> > +                                   return -1;
> > +                           } else if (((add & 
> > (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > +                                   AUDIT_FILTER_USER || (del &
> > +                                   (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) 
> > ==
> > +                                   AUDIT_FILTER_USER)) {
> > +                                   fprintf(stderr,
> > +                                   "Error: syscall auditing being added to 
> > user list\n");
> > +                                   return -1;
> > +                           } else if (exclude) {
> > +                                   fprintf(stderr,
> > +                                   "Error: syscall auditing cannot be put 
> > on exclude
> list\n");
> > +                                   return -1;
> > +                           }
> > +                   }
> >                     if (which == OLD) {
> >                             rc = audit_add_rule(fd, &rule, add, action);
> >                     } else {
> >
> > Regards
> > Chu Li



