Re: another issue with Audit
On Mon, Apr 24, 2006 at 11:59:33AM -0400, Steve Grubb wrote:
On Monday 24 April 2006 11:51, Linda Knippers wrote:
> That's really strange. ?I'm running the .16 kernel and the audit-1.2
> audit tools on an x86 and I'm not seeing the problem. ?I'll upgrade and
> see what happens.
I see the same probelm that Loulwa is reporting on .18 kernel.
Hmm. Looks like the filesystem audit patches didn't make it into the
.18 kernel. The kernel doesn't reject field types it doesn't know
about, so it's adding the rule with field type 105 and value
strlen(path).
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d3a8539..63aa039 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
[..]
@@ -188,8 +211,9 @@ static struct audit_entry *audit_data_to
int err = 0;
struct audit_entry *entry;
void *bufp;
- /* size_t remain = datasz - sizeof(struct audit_rule_data); */
+ size_t remain = datasz - sizeof(struct audit_rule_data);
int i;
+ char *str;
entry = audit_to_entry_common((struct audit_rule *)data);
if (IS_ERR(entry))
@@ -207,10 +231,35 @@ static struct audit_entry *audit_data_to
f->op = data->fieldflags[i] & AUDIT_OPERATORS;
f->type = data->fields[i];
+ f->val = data->values[i];
+ f->se_str = NULL;
+ f->se_rule = NULL;
switch(f->type) {
- /* call type-specific conversion routines here */
- default:
- f->val = data->values[i];
+ case AUDIT_SE_USER:
+ case AUDIT_SE_ROLE:
+ case AUDIT_SE_TYPE:
+ case AUDIT_SE_SEN:
+ case AUDIT_SE_CLR:
+ str = audit_unpack_string(&bufp, &remain, f->val);
+ if (IS_ERR(str))
+ goto exit_free;
+ entry->rule.buflen += f->val;
+
+ err = selinux_audit_rule_init(f->type, f->op, str,
+ &f->se_rule);
+ /* Keep currently invalid fields around in case they
+ * become valid after a policy reload. */
+ if (err == -EINVAL) {
+ printk(KERN_WARNING "audit rule for selinux "
+ "\'%s\' is invalid\n", str);
+ err = 0;
+ }
+ if (err) {
+ kfree(str);
+ goto exit_free;
+ } else
+ f->se_str = str;
+ break;
}
}