[PATCH 1/1] audit: fix logic error in audit_filter_exclude()

[Dustin Kirkland]

From: Dustin Kirkland (IBM)

There's supposed to be an implicit AND between all subsequent rules in a
given filter list.  There's supposed to be an implicit OR between all
subsequent filters of a given type.  The way the audit_filter_exclude()
code currently operates, it forces an implicit AND between all rules in
all exclude filters.  This trivial patch fixes that problem with correct
logic.  If any one of the rules fails in a given list, break out of
examining that list and move on to the next list.  If all rules succeed
in a given list, return 1.


Signed-off-by: Dustin Kirkland <dustin.kirkland at us.ibm.com>

---

David-

Synced to your updated git tree, built, and tested the patches of mine
you integrated, which turned up a somewhat buried bug.


Also note:
1) this message should be spliced into the correct thread of your mailer
2) the text of the patch should be correctly insert into the body of
this mail
3) I'm attempting to use the Canonical Patch Format ;)

Please let me know if this is the appropriate format and I'll use it
from now on when final versions of a given patch are ready.

Thanks,
:-Dustin


diff --git a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -689,9 +689,11 @@ int audit_filter_exclude(int type)
 			if ( field == AUDIT_MSGTYPE ) {
 				result = audit_comparator(type, op, value); 
 				if (!result)
-					goto unlock_and_return;
+					break;
 			}
 		}
+		if (result)
+			goto unlock_and_return;
 	}
 unlock_and_return:
 	rcu_read_unlock();

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20051103/d882d4bb/attachment.sig>