[PATCH] auditctl -l listing with correct operators
Michael C Thompson
thompsmc at us.ibm.com
Wed May 17 19:07:00 UTC 2006
With the current version of audit, auditctl -l only prints an equal, not
equal operator when it displays rules, while the rules in the kernel are
operating correctly, this is most an inconvenience, since is not
possible to tell what rules are really in the kernel.
The problem lies in the audit_print_reply logic not detecting the type
of the message (either AUDIT_LIST or AUDIT_LIST_RULE).
Below is a patch which adds this detection.
Thanks,
Mike
----
Signed-off-by: Michael Thompson <mcthomps at us.ibm.com>
--- audit-1.2.2-orig/src/auditctl.c 2006-05-12 14:59:59.000000000 -0500
+++ audit-1.2.2/src/auditctl.c 2006-05-16 15:56:31.000000000 -0500
@@ -926,8 +926,14 @@ static int audit_print_reply(struct audi
for (i = 0; i < rep->rule->field_count; i++) {
int field = rep->rule->fields[i] &
~AUDIT_OPERATORS & ~AUDIT_NEGATE;
- int op = rep->rule->fields[i] &
- (AUDIT_OPERATORS | AUDIT_NEGATE);
+ int op;
+ if (rep->type == AUDIT_LIST_RULES) {
+ op = rep->ruledata->fieldflags[i] &
+ (AUDIT_OPERATORS | AUDIT_NEGATE);
+ } else {
+ op = rep->rule->fields[i] &
+ (AUDIT_OPERATORS | AUDIT_NEGATE);
+ }
const char *name = audit_field_to_name(field);
if (name) {
More information about the Linux-audit
mailing list