Steve Grubb wrote: [Sat Aug 26 2006, 02:06:20PM EDT]
Hello,
During some troubleshooting, I found that ppid was accidentally omitted from
the legacy rule section. This resulted in EINVAL for any rule with ppid sent
with AUDIT_ADD.
AUDIT_PPID was recently added, so shouldn't be supported for the
legacy structure. Instead auditctl should use struct audit_rule_data
for rules with AUDIT_PPID.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.17.x86_64.orig/kernel/auditfilter.c
linux-2.6.17.x86_64/kernel/auditfilter.c
--- linux-2.6.17.x86_64.orig/kernel/auditfilter.c 2006-08-26 13:50:19.000000000 -0400
+++ linux-2.6.17.x86_64/kernel/auditfilter.c 2006-08-26 13:52:30.000000000 -0400
@@ -413,6 +413,7 @@ static struct audit_entry *audit_rule_to
case AUDIT_PERS:
case AUDIT_ARCH:
case AUDIT_MSGTYPE:
+ case AUDIT_PPID:
case AUDIT_DEVMAJOR:
case AUDIT_DEVMINOR:
case AUDIT_EXIT:
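Review bot: The added `case AUDIT_PPID:` line, placed between `AUDIT_MSGTYPE` and `AUDIT_DEVMAJOR`, widens the set of fields accepted in what the changelog calls the legacy rule section, but neither the hunk nor the changelog says why a legacy AUDIT_ADD request should be allowed to carry this field. The changelog should state whether rules submitted as struct audit_rule_data already accept AUDIT_PPID, since that decides whether the EINVAL is a kernel omission or a userspace request that belongs on the newer interface. A short comment above this case list naming it as the set of fields permitted on the legacy path would also make future additions a deliberate choice rather than something noticed during troubleshooting.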
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit