Re: bug?: audit filtering on negative values
On Wed, 2006-01-18 at 15:21 -0500, Steve Grubb wrote:
On Wednesday 18 January 2006 15:18, Timothy R. Chavez wrote:
> What kernel are you testing on? I just checked the latest kernel
> (lspp.6) and this does look like a problem:
>
> struct audit_field {
> u32 type;
> u32 val;
> u32 op;
> };
>
>
> We only allow unsigned val(ues). Eek
Right and that's because this is what the context stores:
129 struct audit_context {
136 unsigned long argv[4]; /* syscall arguments */
-Steve
Sorry if I seem a little dense, but I'm not sure what you're getting at.
The context stores:
long return_code;/* syscall return code */
Which is signed and logged as "exit=". This would be a problem when
comparing the u32 audut_field val(ue) against it, right?
-tim