Bug 147704 - laus incorrectly truncates path string when predicate filter is used
laus incorrectly truncates path string when predicate filter is used
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Neil Horman
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-10 13:15 EST by Neil Horman
Modified: 2007-11-30 17:07 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-18 09:29:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to fix substring comparisons based on prefix length for predicate path filters (382 bytes, patch)
2005-02-10 13:28 EST, Neil Horman
no flags Details | Diff
final version of the laus patch that was checked inot the kernel (394 bytes, patch)
2005-02-16 08:41 EST, Neil Horman
no flags Details | Diff

  None (edit)
Description Neil Horman 2005-02-10 13:15:08 EST
Description of problem:
when using the predicate filter on laus, the filter application code
sometimes fails to match the fliter substring to a path because string
lengths can be different.

Version-Release number of selected component (if applicable):
all

How reproducible:
always

Steps to Reproduce:
1.Set up a filter file which includes a predicate directive to filter
paths which are in a given subdirectory prefix, I used:
predicate is-etc = prefix(/etc);

2.Configure the filter file to watch a syscall which passes a path
variable.  I used the following construct:
set     file-ops = {
 "link",
 "unlink",
};

syscall @file-ops = is-etc(arg0);

3. touch /etc/testfile.txt

4. run the following command:
aurun unlink /etc/testfile.txt
  
Actual results:
running aucat produces:
 root unlink("/etc"); result=0

Expected results:
running aucat should produce:
root unlink("/etc/testfile.txt"); result=0

Additional info:
Comment 1 Neil Horman 2005-02-10 13:28:00 EST
Created attachment 110928 [details]
patch to fix substring comparisons based on prefix length for predicate path filters

This patch changes the strcmp call in audit_fileset_match to strncmp limiting
the length of the comparison to the length of the prefix used in the predicate
filter.  This causes substring matches to succede, instead of incorrectly
failing if the strings being compared are of unequal length.  An incorrectly
failed match results in the function being sent down a different code path
which results in the log string getting truncated to the length of the
predicate string, hence the display of only hte predicate in the log.
Comment 2 Ernie Petrides 2005-02-16 07:36:00 EST
A fix for this problem has just been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-27.14.EL).
Comment 3 Neil Horman 2005-02-16 08:41:41 EST
Created attachment 111126 [details]
final version of the laus patch that was checked inot the kernel
Comment 4 Tim Powers 2005-05-18 09:29:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-294.html

Note You need to log in before you can comment on or make changes to this bug.