On 5/17/06, Michael C Thompson <thompsmc(a)us.ibm.com> wrote:
Michael C Thompson wrote:
> With the current version of audit, auditctl -l only prints an equal, not
> equal operator when it displays rules, while the rules in the kernel are
> operating correctly, this is mostly an inconvenience, since it is not
> possible to tell what rules are really in the kernel.
>
> The problem lies in the audit_print_reply logic not detecting the type
> of the message (either AUDIT_LIST or AUDIT_LIST_RULE).
>
> Below is a patch which adds this detection.
>
> Thanks,
> Mike

This thread is technically a repost, because I realized that hiding a
patch inside a big discussion thread is probably a no-no, and it's just a
dumb idea to begin with. Oh well, live and be dumb.

Below is some testing between the original code and the patched code.

# auditctl -a entry,always -S chmod -F 'uid=100'
# auditctl -a entry,always -S chmod -F 'uid>200'
# auditctl -a entry,always -S chmod -F 'uid>=300'
# auditctl -a entry,always -S chmod -F 'uid!=400'
# auditctl -a entry,always -S chmod -F 'uid<500'
# auditctl -a entry,always -S chmod -F 'uid<=600'
# auditctl -l [ audit-1.2.2 auditctl pre-patch]
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid=200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid=500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid=600 (0x258) syscall=chmod
# auditctl -l [ audit-1.2.2 auditctl post-patch ]
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid>200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid>=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid!=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid<500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid<=600 (0x258) syscall=chmod

This looks good, Mike.
:-Dustin
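
A check for the symptom described in this thread, as an added example that is not part of the original messages or of the audit project's code: it compares the comparison each `auditctl -F` command asked for with what `auditctl -l` printed, using the transcript above as input. It assumes the listing is in the order the rules were added, as in that transcript; the function names `field_of` and `mismatches` are hypothetical.

```python
import re

# A numeric field comparison such as uid>=300 (two-character operators first).
FIELD = re.compile(r"\b(\w+?)(>=|<=|!=|=|>|<)(\d+)")

# Commands and listings copied from the transcript in this thread.
COMMANDS = """\
auditctl -a entry,always -S chmod -F 'uid=100'
auditctl -a entry,always -S chmod -F 'uid>200'
auditctl -a entry,always -S chmod -F 'uid>=300'
auditctl -a entry,always -S chmod -F 'uid!=400'
auditctl -a entry,always -S chmod -F 'uid<500'
auditctl -a entry,always -S chmod -F 'uid<=600'
""".splitlines()

PRE_PATCH = [f"LIST_RULES: entry,always uid={v} ({hex(v)}) syscall=chmod"
             for v in (100, 200, 300, 400, 500, 600)]

POST_PATCH = """\
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid>200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid>=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid!=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid<500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid<=600 (0x258) syscall=chmod
""".splitlines()

def field_of(text):
    """Return (field, operator, value) for the first numeric comparison in text."""
    m = FIELD.search(text)
    return m.groups() if m else None

def mismatches(commands, listing):
    """Pair each command with the listing line at the same position (assumed
    ordering) and return (wanted, shown) for every comparison that differs."""
    if len(commands) != len(listing):
        raise ValueError("rule count differs between commands and listing")
    pairs = ((field_of(c), field_of(l)) for c, l in zip(commands, listing))
    return [(want, shown) for want, shown in pairs if want != shown]

if __name__ == "__main__":
    for want, shown in mismatches(COMMANDS, PRE_PATCH):
        print("asked for", "".join(want), "but listing shows", "".join(shown))
    print("post-patch mismatches:", len(mismatches(COMMANDS, POST_PATCH)))
```
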