auparse: do not interpret fE as a capability field
The file effective capability is a boolean.  It is being interpreted as the
capability "chown" by auparse.  Just print its raw value.

An example from an execve syscall:
type=BPRM_FCAPS msg=audit(03/07/2017 17:29:56.494:969) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none new_pp=sys_admin new_pi=none new_pe=sys_admin

Fixed:
type=BPRM_FCAPS msg=audit(03/07/2017 17:29:56.494:969) : fver=2 fp=sys_admin fi=none fe=1 old_pp=none old_pi=none old_pe=none new_pp=sys_admin new_pi=none new_pe=sys_admin

See: #18
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs authored and RH-steve-grubb committed Jun 13, 2017
1 parent ec259b3 commit 25cd7ea
Showing 1 changed file with 0 additions and 1 deletion.
1 change: 0 additions & 1 deletion auparse/typetab.h
Expand Up @@ -93,7 +93,6 @@ _S(AUPARSE_TYPE_CAP_BITMAP, "cap_fi" )
_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fp" )
_S(AUPARSE_TYPE_CAP_BITMAP, "fp" )
_S(AUPARSE_TYPE_CAP_BITMAP, "fi" )
_S(AUPARSE_TYPE_CAP_BITMAP, "fe" )
_S(AUPARSE_TYPE_CAP_BITMAP, "old_pp" )
_S(AUPARSE_TYPE_CAP_BITMAP, "old_pi" )
_S(AUPARSE_TYPE_CAP_BITMAP, "old_pe" )
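
Review bot: Dropping the "fe" row from the run of "fp"/"fi"/"old_pp" entries leaves nothing in typetab.h that marks the omission as deliberate, so a later cleanup could re-add it for symmetry with "fp" and "fi" and bring back the fe=chown rendering described in the commit message. Consider a one-line comment at that spot saying that fe is a boolean flag rather than a capability bitmap. The context above also shows "cap_fi" and "cap_fp"; if a "cap_fe" row exists outside the visible lines it would need the same treatment, and an interpretation test built on the BPRM_FCAPS record from the commit message would pin the fe=1 output.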