bug?: audit filtering on negative values
Steve Grubb
sgrubb at redhat.com
Wed Jan 18 20:49:26 UTC 2006
On Wednesday 18 January 2006 15:36, Timothy R. Chavez wrote:
> Sorry if I seem a little dense, but I'm not sure what you're getting at.
His example was for a0:
>auditctl -a exit,always -S pread -F a0=-1 -- works only on xSeries, no
>message on zSeries
>auditctl -a exit,always -S pread -F a1->a3=-1 -- no record on either
So a negative number gets converted to an unsigned number. All syscall args are
unsigned.
>auditctl -a exit,always -S pread -F exit=-22 -- no record on zSeries or
>xSeries
> The context stores:
>
> long return_code;/* syscall return code */
>
> Which is signed and logged as "exit=". This would be a problem when
> comparing the u32 audit_field val(ue) against it, right?
Probably. There might need to be a signed comparator function that knows how to
handle those for attributes that are signed in nature.
int audit_comparator(const u32 left, const u32 op, const u32 right)
Which brings up the point that const should be taken off anything passed by
value.
-Steve
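
Added example, not part of the original message and not kernel code: the u32 prototype quoted above next to a sketch of a signed comparator, to show how a negative exit value behaves under each. The operator codes, audit_comparator_signed, rule_value_as_signed and the use of int64_t for a 64-bit long return_code are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
enum { OP_EQ, OP_LT, OP_GT };   /* constructed codes, not the kernel's values */

/* Same shape as the prototype quoted in the message: both sides are u32. */
int audit_comparator(u32 left, u32 op, u32 right)
{
    switch (op) {
    case OP_EQ: return left == right;
    case OP_LT: return left < right;
    case OP_GT: return left > right;
    }
    return 0;
}

/* Hypothetical signed counterpart for fields that are signed in nature. */
int audit_comparator_signed(int64_t left, u32 op, int64_t right)
{
    switch (op) {
    case OP_EQ: return left == right;
    case OP_LT: return left < right;
    case OP_GT: return left > right;
    }
    return 0;
}

/* The rule value is held as u32; sign-extend it before a signed compare.
 * Assumes the usual two's-complement conversion to int32_t. */
int64_t rule_value_as_signed(u32 val)
{
    return (int64_t)(int32_t)val;
}

int main(void)
{
    int64_t return_code = -22;  /* constructed: a syscall failing with -EINVAL */
    u32 rule_val = (u32)-22;    /* "-22" once stored in a u32 field: 0xffffffea */

    printf("u32 exit<0: %d\n", audit_comparator((u32)return_code, OP_LT, 0));
    printf("s64 exit<0: %d\n", audit_comparator_signed(return_code, OP_LT, 0));
    printf("s64 exit=raw u32: %d\n", audit_comparator_signed(return_code, OP_EQ, rule_val));
    printf("s64 exit=sign-extended: %d\n",
           audit_comparator_signed(return_code, OP_EQ, rule_value_as_signed(rule_val)));
    return 0;
}
```

Equality still holds when both sides are truncated to u32 the same way; ordering operators and any comparison that widens the u32 rule value without sign extension do not.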