Hello steve,

Using the option '-p process-id' does not find AVC records that contain the given
process-id, because parse_avc() never extracted the pid= field.

For example:
# echo 'type=AVC msg=audit(1221036190.313:3232615): avc:  denied  { append } 
for  pid=8961 comm="cupsd" path="/var/log/cups/access_log" dev=hda7 ino=1210126 
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:file_t:s0 tclass=file' | ausearch -p 8961
<no matches>

Signed-off-by: Peng Haitao <[EMAIL PROTECTED]>

---
 src/ausearch-parse.c |   27 +++++++++++++++++++++------
 1 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index d2cb44d..e3ffa8c 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1209,11 +1209,26 @@ static int parse_avc(const lnode *n, search_items *s)
                *term = ' ';
        }
 
+       // get pid
+       str = strstr(term, "pid=");
+       if (str) {
+               str = str + 4;
+               term = strchr(str, ' ');
+               if (term == NULL)
+                       return 3;
+               *term = 0;
+               errno = 0;
+               s->pid = strtoul(str, NULL, 10);
+               if (errno)
+                       return 4;
+               *term = ' ';
+       }
+
        if (event_comm && s->comm == NULL) {
        // dont do this search unless needed
                str = strstr(term, "comm=");
                if (str == NULL) {
-                       rc = 3;
+                       rc = 5;
                        goto err;
                }
                str += 5;
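Review bot: The new pid block accepts non-numeric input silently: `strtoul(str, NULL, 10)` with no end pointer returns 0 for a value such as `pid=abc` and only sets errno on overflow, so a malformed field is stored as pid 0 instead of being rejected. Passing an end pointer and checking `end == str || *end != '\0'` closes that gap. The two bare `return 3;` / `return 4;` statements also differ from every other failure in this function, which sets `rc` and goes to `err:`; since the label (and the start of parse_avc) lie outside the hunk, it is not visible whether that path does cleanup the direct returns would skip, so routing these through `goto err` as well is the safe choice. Anchoring the search on `" pid="` rather than `"pid="` would avoid matching inside a longer key such as `ppid=`, should one ever precede the pid field.
```c
	// get pid
	str = strstr(term, " pid=");
	if (str) {
		char *end;

		str += 5;
		term = strchr(str, ' ');
		if (term == NULL) {
			rc = 3;
			goto err;
		}
		*term = 0;
		errno = 0;
		s->pid = strtoul(str, &end, 10);
		/* reject empty, partially numeric and out-of-range values */
		if (errno || end == str || *end != '\0') {
			rc = 4;
			goto err;
		}
		*term = ' ';
	}
	// … unchanged: comm / scontext / tcontext / tclass parsing …
```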
@@ -1221,7 +1236,7 @@ static int parse_avc(const lnode *n, search_items *s)
                        str++;
                        term = strchr(str, '"');
                        if (term == NULL) {
-                               rc = 4;
+                               rc = 6;
                                goto err;
                        }
                        *term = 0;
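Review bot: Renumbering every existing `rc` value (3→5, 4→6, and the same shift in the later hunks) is a style point worth reconsidering: it changes the meaning of return codes that may already be reported or relied on elsewhere in ausearch, and it spreads a two-value addition over six hunks. Giving the new pid failures the next free numbers instead, e.g. `rc = 9;` and `rc = 10;` in the pid block, would leave the existing codes stable and confine the diff to the code that actually changes. The enclosing parse_avc body starts and ends outside this hunk.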
@@ -1250,7 +1265,7 @@ static int parse_avc(const lnode *n, search_items *s)
                        str += 9;
                        term = strchr(str, ' ');
                        if (term == NULL) {
-                               rc = 5;
+                               rc = 7;
                                goto err;
                        }
                        *term = 0;
@@ -1266,7 +1281,7 @@ static int parse_avc(const lnode *n, search_items *s)
                        str += 9;
                        term = strchr(str, ' ');
                        if (term == NULL) {
-                               rc = 6;
+                               rc = 8;
                                goto err;
                        }
                        *term = 0;
@@ -1278,7 +1293,7 @@ static int parse_avc(const lnode *n, search_items *s)
        // Now get the class...its at the end, so we do things different
        str = strstr(term, "tclass=");
        if (str == NULL) {
-               rc = 7;
+               rc = 9;
                goto err;
        }
        str += 7;
@@ -1292,7 +1307,7 @@ static int parse_avc(const lnode *n, search_items *s)
        if (audit_avc_init(s) == 0) {
                alist_append(s->avc, &an);
        } else {
-               rc = 8;
+               rc = 10;
                goto err;
        }
 
-- 
1.5.3


-- 
Regards
Peng Haitao
