Hello Steve,
AUDIT_PERM field should used after a watch given.
For example,
auditctl -a exit,always -F perm=r
No error message is outputed.
I think we should add checking for it.
Signed-off-by: Zhang Xiliang <[EMAIL PROTECTED]>
---
lib/libaudit.c | 2 ++
src/auditctl.c | 5 +++++
2 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 3e2e28f..fd2c41b 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1046,6 +1046,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
**rulep, const char *pair,
return -7;
else if (op != AUDIT_EQUAL)
return -13;
+ else if (audit_permadded != 1)
+ return -22;
else {
unsigned int i, len, val = 0;
diff --git a/src/auditctl.c b/src/auditctl.c
index 1455ee6..b356faa 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -857,6 +857,11 @@ static int setopt(int count, char *vars[])
"-F value should be number for %s\n",
optarg);
retval = -1;
break;
+ case -22:
+ fprintf(stderr,
+ "permission option needs a watch given
prior to it\n");
+ retval = -1;
+ break;
default:
retval = -1;
break;
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
