On Wednesday 06 August 2008 04:15:09 Zhang Xiliang wrote:
> AUDIT_PERM field should be used after a watch is given.
> For example,
> auditctl -a exit,always -F perm=r
> No error message is output.
> I think we should add checking for it.

This is a legal rule. The kernel will pick the syscalls that satisfy the read
permission. Typically, you would have other fields in addition. So...I'm not
applying this patch.
Thanks,
-Steve