bug?: audit filtering on negative values

Steve Grubb sgrubb at redhat.com
Wed Jan 18 20:49:26 UTC 2006


On Wednesday 18 January 2006 15:36, Timothy R. Chavez wrote:
> Sorry if I seem a little dense, but I'm not sure what you're getting at.

His example was for a0:

>auditctl -a exit,always -S pread -F a0=-1 -- works only on xSeries, no
>message on zSeries
>auditctl -a exit,always -S pread -F a1->a3=-1 -- no record on either

So a negative number gets converted to an unsigned number. All syscall args are 
unsigned.

>auditctl -a exit,always -S pread -F exit=-22 -- no record on zSeries or
>xSeries 

> The context stores:
>
> long                return_code;/* syscall return code */
>
> Which is signed and logged as "exit=".  This would be a problem when
> comparing the u32 audit_field val(ue) against it, right?

Probably. There might need to be a signed comparator function that knows how to 
handle those for attributes that are signed in nature.

int audit_comparator(const u32 left, const u32 op, const u32 right)

Which brings up the point that const should be taken off anything passed by 
value.

-Steve
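
Added example, not part of the original message or the kernel source: a u32 comparator shaped like the prototype quoted above, next to a signed one, applied to a constructed return code of -22. The operator enum and the names cmp_u32 and cmp_s64 are hypothetical and chosen for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical operator codes for this sketch (not the kernel's constants). */
enum cmp_op { OP_EQ, OP_NE, OP_LT, OP_LE, OP_GT, OP_GE };

/* Unsigned comparison, same shape as the audit_comparator() prototype above. */
static int cmp_u32(uint32_t left, enum cmp_op op, uint32_t right)
{
    switch (op) {
    case OP_EQ: return left == right;
    case OP_NE: return left != right;
    case OP_LT: return left <  right;
    case OP_LE: return left <= right;
    case OP_GT: return left >  right;
    case OP_GE: return left >= right;
    }
    return 0;
}

/* Hypothetical signed counterpart for fields that are signed in nature (exit=). */
static int cmp_s64(int64_t left, enum cmp_op op, int64_t right)
{
    switch (op) {
    case OP_EQ: return left == right;
    case OP_NE: return left != right;
    case OP_LT: return left <  right;
    case OP_LE: return left <= right;
    case OP_GT: return left >  right;
    case OP_GE: return left >= right;
    }
    return 0;
}

int main(void)
{
    int64_t return_code = -22;  /* constructed sample: a failed syscall */

    /* As u32, -22 becomes 0xFFFFFFEA, so "exit<0" never matches ... */
    printf("u32: exit<0   -> %d\n", cmp_u32((uint32_t)return_code, OP_LT, 0));
    /* ... and "exit>100" matches a call that actually failed. */
    printf("u32: exit>100 -> %d\n", cmp_u32((uint32_t)return_code, OP_GT, 100));

    /* The signed comparator gives the answers the rule author expects. */
    printf("s64: exit<0   -> %d\n", cmp_s64(return_code, OP_LT, 0));
    printf("s64: exit>100 -> %d\n", cmp_s64(return_code, OP_GT, 100));
    return 0;
}
```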



