[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: bug?: audit filtering on negative values



On Wednesday 18 January 2006 15:36, Timothy R. Chavez wrote:
> Sorry if I seem a little dense, but I'm not sure what you're getting at.

His example was for a0:

>auditctl -a exit,always -S pread -F a0=-1 -- works only on xSeries, no
>message on zSeries
>auditctl -a exit,always -S pread -F a1->a3=-1 -- no record on either

So negative number gets converted to unsigned number. All syscall args are 
unsigned.

>auditctl -a exit,always -S pread -F exit=-22 -- no record on zSeries or
>xSeries 

> The context stores:
>
> long                return_code;/* syscall return code */
>
> Which is signed and logged as "exit=".  This would be a problem when
> comparing the u32 audit_field val(ue) against it, right?

Probably. The might need to be a signed comparator function that knows how to 
handle those for attributes that are signed in nature.

int audit_comparator(const u32 left, const u32 op, const u32 right)

Which brings up the point that const should be taken off anything passed by 
value.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]