[PATCH] auditctl -l listing with correct operators

Wednesday, 17 May 2006

With the current version of audit, auditctl -l only prints an equal, not 
equal operator when it displays rules, while the rules in the kernel are 
operating correctly, this is most an inconvenience, since is not 
possible to tell what rules are really in the kernel.

The problem lies in the audit_print_reply logic not detecting the type 
of the message (either AUDIT_LIST or AUDIT_LIST_RULE).

Below is a patch which adds this detection.

Thanks,
Mike

----

Signed-off-by: Michael Thompson <mcthomps(a)us.ibm.com&gt;

--- audit-1.2.2-orig/src/auditctl.c    2006-05-12 14:59:59.000000000 -0500
+++ audit-1.2.2/src/auditctl.c    2006-05-16 15:56:31.000000000 -0500
@@ -926,8 +926,14 @@ static int audit_print_reply(struct audi
              for (i = 0; i < rep->rule->field_count; i++) {
                  int field = rep->rule->fields[i] &
                      ~AUDIT_OPERATORS & ~AUDIT_NEGATE;
-                int op = rep->rule->fields[i] &
-                    (AUDIT_OPERATORS | AUDIT_NEGATE);
+                int op;
+                if (rep->type == AUDIT_LIST_RULES) {
+                    op = rep->ruledata->fieldflags[i] &
+                        (AUDIT_OPERATORS | AUDIT_NEGATE);
+                } else {
+                    op = rep->rule->fields[i] &
+                        (AUDIT_OPERATORS | AUDIT_NEGATE);
+                }

                  const char *name = audit_field_to_name(field);
                  if (name) {


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[PATCH] auditctl -l listing with correct operators