|
 |
ade036 |
diff -urp audit-2.3.5.orig/src/ausearch-common.h audit-2.3.5/src/ausearch-common.h
|
|
|
ade036 |
--- audit-2.3.5.orig/src/ausearch-common.h 2014-03-12 12:30:31.000000000 -0400
|
|
|
ade036 |
+++ audit-2.3.5/src/ausearch-common.h 2014-03-17 17:08:27.200016460 -0400
|
|
|
ade036 |
@@ -1,5 +1,5 @@
|
|
|
ade036 |
/* ausearch-common.h --
|
|
|
ade036 |
- * Copyright 2006-08,2010 Red Hat Inc., Durham, North Carolina.
|
|
|
ade036 |
+ * Copyright 2006-08,2010,2014 Red Hat Inc., Durham, North Carolina.
|
|
|
ade036 |
* Copyright (c) 2011 IBM Corp.
|
|
|
ade036 |
* All Rights Reserved.
|
|
|
ade036 |
*
|
|
|
ade036 |
@@ -41,6 +41,7 @@ extern const char *event_filename;
|
|
|
ade036 |
extern const char *event_hostname;
|
|
|
ade036 |
extern const char *event_terminal;
|
|
|
ade036 |
extern int event_syscall;
|
|
|
ade036 |
+extern int event_machine;
|
|
|
ade036 |
extern const char *event_exe;
|
|
|
ade036 |
extern int event_ua, event_ga;
|
|
|
ade036 |
extern int event_exit, event_exit_is_set;
|
|
|
ade036 |
diff -urp audit-2.3.5.orig/src/ausearch-match.c audit-2.3.5/src/ausearch-match.c
|
|
|
ade036 |
--- audit-2.3.5.orig/src/ausearch-match.c 2014-03-12 12:30:31.000000000 -0400
|
|
|
ade036 |
+++ audit-2.3.5/src/ausearch-match.c 2014-03-17 17:08:27.200016460 -0400
|
|
|
ade036 |
@@ -84,9 +84,14 @@ int match(llist *l)
|
|
|
ade036 |
if ((event_pid != -1) &&
|
|
|
ade036 |
(event_pid != l->s.pid))
|
|
|
ade036 |
return 0;
|
|
|
ade036 |
- if ((event_syscall != -1) &&
|
|
|
ade036 |
- (event_syscall != l->s.syscall))
|
|
|
ade036 |
- return 0;
|
|
|
ade036 |
+ if (event_syscall != -1) {
|
|
|
ade036 |
+ if (event_syscall != l->s.syscall)
|
|
|
ade036 |
+ return 0;
|
|
|
ade036 |
+ if (event_machine != -1 &&
|
|
|
ade036 |
+ (event_machine !=
|
|
|
ade036 |
+ audit_elf_to_machine(l->s.arch)))
|
|
|
ade036 |
+ return 0;
|
|
|
ade036 |
+ }
|
|
|
ade036 |
if ((event_session_id != -2) &&
|
|
|
ade036 |
(event_session_id != l->s.session_id))
|
|
|
ade036 |
return 0;
|
|
|
ade036 |
diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c
|
|
|
ade036 |
--- audit-2.3.5.orig/src/ausearch-options.c 2014-03-12 12:30:31.000000000 -0400
|
|
|
ade036 |
+++ audit-2.3.5/src/ausearch-options.c 2014-03-17 17:08:27.200016460 -0400
|
|
|
ade036 |
@@ -49,7 +49,7 @@ pid_t event_pid = -1, event_ppid = -1;
|
|
|
ade036 |
success_t event_success = S_UNSET;
|
|
|
ade036 |
int event_exact_match = 0;
|
|
|
ade036 |
uid_t event_uid = -1, event_euid = -1, event_loginuid = -2;
|
|
|
ade036 |
-int event_syscall = -1;
|
|
|
ade036 |
+int event_syscall = -1, event_machine = -1;
|
|
|
ade036 |
int event_ua = 0, event_ga = 0, event_se = 0;
|
|
|
ade036 |
int just_one = 0;
|
|
|
ade036 |
int event_session_id = -2;
|
|
|
ade036 |
@@ -661,6 +661,7 @@ int check_params(int count, char *vars[]
|
|
|
ade036 |
optarg);
|
|
|
ade036 |
retval = -1;
|
|
|
ade036 |
}
|
|
|
ade036 |
+ event_machine = machine;
|
|
|
ade036 |
}
|
|
|
ade036 |
c++;
|
|
|
ade036 |
break;
|
|
|
ade036 |
diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c
|
|
|
ade036 |
--- audit-2.3.5.orig/src/ausearch-parse.c 2014-03-12 12:30:31.000000000 -0400
|
|
|
ade036 |
+++ audit-2.3.5/src/ausearch-parse.c 2014-03-17 17:09:33.344014612 -0400
|
|
|
ade036 |
@@ -1883,6 +1883,37 @@ static int parse_kernel_anom(const lnode
|
|
|
ade036 |
}
|
|
|
ade036 |
}
|
|
|
ade036 |
|
|
|
ade036 |
+ if (n->type == AUDIT_SECCOMP) {
|
|
|
ade036 |
+ // get arch
|
|
|
ade036 |
+ str = strstr(term, "arch=");
|
|
|
ade036 |
+ if (str == NULL)
|
|
|
ade036 |
+ return 0; // A few kernel versions don't have it
|
|
|
ade036 |
+ ptr = str + 5;
|
|
|
ade036 |
+ term = strchr(ptr, ' ');
|
|
|
ade036 |
+ if (term == NULL)
|
|
|
ade036 |
+ return 12;
|
|
|
ade036 |
+ *term = 0;
|
|
|
ade036 |
+ errno = 0;
|
|
|
ade036 |
+ s->arch = (int)strtoul(ptr, NULL, 16);
|
|
|
ade036 |
+ if (errno)
|
|
|
ade036 |
+ return 13;
|
|
|
ade036 |
+ *term = ' ';
|
|
|
ade036 |
+ // get syscall
|
|
|
ade036 |
+ str = strstr(term, "syscall=");
|
|
|
ade036 |
+ if (str == NULL)
|
|
|
ade036 |
+ return 14;
|
|
|
ade036 |
+ ptr = str + 8;
|
|
|
ade036 |
+ term = strchr(ptr, ' ');
|
|
|
ade036 |
+ if (term == NULL)
|
|
|
ade036 |
+ return 15;
|
|
|
ade036 |
+ *term = 0;
|
|
|
ade036 |
+ errno = 0;
|
|
|
ade036 |
+ s->syscall = (int)strtoul(ptr, NULL, 10);
|
|
|
ade036 |
+ if (errno)
|
|
|
ade036 |
+ return 16;
|
|
|
ade036 |
+ *term = ' ';
|
|
|
ade036 |
+ }
|
|
|
ade036 |
+
|
|
|
ade036 |
return 0;
|
|
|
ade036 |
}
|
|
|
ade036 |
|
|
|
ade036 |
diff -urp audit-2.3.5.orig/src/ausearch-report.c audit-2.3.5/src/ausearch-report.c
|
|
|
ade036 |
--- audit-2.3.5.orig/src/ausearch-report.c 2014-03-12 12:30:31.000000000 -0400
|
|
|
ade036 |
+++ audit-2.3.5/src/ausearch-report.c 2014-03-17 17:08:27.201016460 -0400
|
|
|
ade036 |
@@ -335,7 +335,7 @@ static void interpret(char *name, char *
|
|
|
ade036 |
}
|
|
|
ade036 |
type = auparse_interp_adjust_type(rtype, name, val);
|
|
|
ade036 |
|
|
|
ade036 |
- if (rtype == AUDIT_SYSCALL) {
|
|
|
ade036 |
+ if (rtype == AUDIT_SYSCALL || rtype == AUDIT_SECCOMP) {
|
|
|
ade036 |
if (machine == (unsigned long)-1)
|
|
|
ade036 |
machine = audit_detect_machine();
|
|
|
ade036 |
if (*name == 'a' && strcmp(name, "arch") == 0) {
|