bug?: audit filtering on negative values
Timothy R. Chavez
tinytim at us.ibm.com
Wed Jan 18 20:36:29 UTC 2006
On Wed, 2006-01-18 at 15:21 -0500, Steve Grubb wrote:
> On Wednesday 18 January 2006 15:18, Timothy R. Chavez wrote:
> > What kernel are you testing on? I just checked the latest kernel
> > (lspp.6) and this does look like a problem:
> >
> > struct audit_field {
> > u32 type;
> > u32 val;
> > u32 op;
> > };
> >
> >
> > We only allow unsigned val(ues). Eek
>
> Right and that's because this is what the context stores:
>
> 129 struct audit_context {
> 136 unsigned long argv[4]; /* syscall arguments */
>
>
> -Steve
>
Sorry if I seem a little dense, but I'm not sure what you're getting at.
The context stores:
long return_code;/* syscall return code */
Which is signed and logged as "exit=". This would be a problem when
comparing the u32 audut_field val(ue) against it, right?
-tim
More information about the Linux-audit
mailing list