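/*
 * Append an inter-field comparison (e.g. "uid!=euid") to a rule.
 *
 * rulep: address of the rule pointer; the rule is updated in place and is
 *        never reallocated by this function.
 * pair:  "FIELD1=FIELD2" or "FIELD1!=FIELD2".  Although the parameter is
 *        const-qualified, the operator bytes inside the string are
 *        overwritten with NULs to split it (strstr() hands back a writable
 *        pointer), so the caller must pass writable storage.
 * flags: filter list the rule targets; only AUDIT_FILTER_EXIT is accepted.
 *
 * Returns 0 on success or a negative code:
 *   -1   NULL argument, no free field slot left in the rule, or the two
 *        fields cannot be compared with each other
 *   -13  no '=' or '!=' operator found
 *   -24  empty left-hand side      -25  empty right-hand side
 *   -26  unknown left field name   -27  unknown right field name
 *   -7   rule is not for the exit filter
 *
 * Nothing is written to the rule unless the whole pair validates.
 */
int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
				    const char *pair, int flags)
{
	/*
	 * Every comparable pair and the AUDIT_COMPARE_* value that encodes it.
	 * The encoding is symmetric ("uid=euid" and "euid=uid" yield the same
	 * value), so each pair is listed once and matched in both orders.
	 * UID-type and GID-type fields are never comparable with each other.
	 */
	static const struct {
		int left;
		int right;
		int compare;
	} comparable[] = {
		/* UID comparisons */
		{ AUDIT_LOGINUID, AUDIT_EUID,     AUDIT_COMPARE_AUID_TO_EUID },
		{ AUDIT_LOGINUID, AUDIT_FSUID,    AUDIT_COMPARE_AUID_TO_FSUID },
		{ AUDIT_LOGINUID, AUDIT_OBJ_UID,  AUDIT_COMPARE_AUID_TO_OBJ_UID },
		{ AUDIT_LOGINUID, AUDIT_SUID,     AUDIT_COMPARE_AUID_TO_SUID },
		{ AUDIT_EUID,     AUDIT_FSUID,    AUDIT_COMPARE_EUID_TO_FSUID },
		{ AUDIT_EUID,     AUDIT_OBJ_UID,  AUDIT_COMPARE_EUID_TO_OBJ_UID },
		{ AUDIT_EUID,     AUDIT_SUID,     AUDIT_COMPARE_EUID_TO_SUID },
		{ AUDIT_FSUID,    AUDIT_OBJ_UID,  AUDIT_COMPARE_FSUID_TO_OBJ_UID },
		{ AUDIT_SUID,     AUDIT_FSUID,    AUDIT_COMPARE_SUID_TO_FSUID },
		{ AUDIT_SUID,     AUDIT_OBJ_UID,  AUDIT_COMPARE_SUID_TO_OBJ_UID },
		{ AUDIT_UID,      AUDIT_LOGINUID, AUDIT_COMPARE_UID_TO_AUID },
		{ AUDIT_UID,      AUDIT_EUID,     AUDIT_COMPARE_UID_TO_EUID },
		{ AUDIT_UID,      AUDIT_FSUID,    AUDIT_COMPARE_UID_TO_FSUID },
		{ AUDIT_UID,      AUDIT_OBJ_UID,  AUDIT_COMPARE_UID_TO_OBJ_UID },
		{ AUDIT_UID,      AUDIT_SUID,     AUDIT_COMPARE_UID_TO_SUID },
		/* GID comparisons */
		{ AUDIT_EGID,     AUDIT_FSGID,    AUDIT_COMPARE_EGID_TO_FSGID },
		{ AUDIT_EGID,     AUDIT_OBJ_GID,  AUDIT_COMPARE_EGID_TO_OBJ_GID },
		{ AUDIT_EGID,     AUDIT_SGID,     AUDIT_COMPARE_EGID_TO_SGID },
		{ AUDIT_FSGID,    AUDIT_OBJ_GID,  AUDIT_COMPARE_FSGID_TO_OBJ_GID },
		{ AUDIT_GID,      AUDIT_EGID,     AUDIT_COMPARE_GID_TO_EGID },
		{ AUDIT_GID,      AUDIT_FSGID,    AUDIT_COMPARE_GID_TO_FSGID },
		{ AUDIT_GID,      AUDIT_OBJ_GID,  AUDIT_COMPARE_GID_TO_OBJ_GID },
		{ AUDIT_GID,      AUDIT_SGID,     AUDIT_COMPARE_GID_TO_SGID },
		{ AUDIT_SGID,     AUDIT_FSGID,    AUDIT_COMPARE_SGID_TO_FSGID },
		{ AUDIT_SGID,     AUDIT_OBJ_GID,  AUDIT_COMPARE_SGID_TO_OBJ_GID },
	};
	const char *f = pair;
	char *v;
	int op;
	int field1, field2;
	int compare = 0;
	int found = 0;
	size_t i;
	struct audit_rule_data *rule;

	if (f == NULL || rulep == NULL || *rulep == NULL)
		return -1;
	rule = *rulep;

	/*
	 * Refuse to index past the per-rule arrays: each call consumes one
	 * slot and nothing else on this path bounds field_count.  -1 is used
	 * because no dedicated "too many fields" code is visible here.
	 * NOTE(review): assumes fields[] is a fixed-size array member and that
	 * values[] / fieldflags[] have the same capacity - confirm against the
	 * struct definition.
	 */
	if (rule->field_count >= sizeof(rule->fields) / sizeof(rule->fields[0]))
		return -1;

	/*
	 * Look for the 2-char operator first, then the 1-char one.  The bytes
	 * under the operator are nulled out so f and v become two separate
	 * strings, with v left pointing just past the operator.
	 */
	if ((v = strstr(pair, "!=")) != NULL) {
		*v++ = '\0';
		*v++ = '\0';
		op = AUDIT_NOT_EQUAL;
	} else if ((v = strstr(pair, "=")) != NULL) {
		*v++ = '\0';
		op = AUDIT_EQUAL;
	} else {
		return -13;
	}

	if (*f == 0)
		return -24;
	if (*v == 0)
		return -25;

	if ((field1 = audit_name_to_field(f)) < 0)
		return -26;
	if ((field2 = audit_name_to_field(v)) < 0)
		return -27;

	/* Interfield comparison can only be in exit filter */
	if (flags != AUDIT_FILTER_EXIT)
		return -7;

	for (i = 0; i < sizeof(comparable) / sizeof(comparable[0]); i++) {
		if ((comparable[i].left == field1 &&
		     comparable[i].right == field2) ||
		    (comparable[i].left == field2 &&
		     comparable[i].right == field1)) {
			compare = comparable[i].compare;
			found = 1;
			break;
		}
	}
	/* Same field on both sides, mixed UID/GID, or an unsupported field. */
	if (!found)
		return -1;

	/* The field slot is always AUDIT_FIELD_COMPARE; the pair is the value. */
	rule->fields[rule->field_count] = AUDIT_FIELD_COMPARE;
	rule->fieldflags[rule->field_count] = op;
	rule->values[rule->field_count] = compare;
	rule->field_count++;
	return 0;
}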
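/*
 * Parse one "FIELD=VALUE" / "FIELD!=VALUE" pair into a legacy-format rule,
 * where the operator bits are OR-ed into the field word.
 *
 * rule:  rule to extend; one field slot is consumed on success.
 * pair:  text to parse.  Although const-qualified, the operator bytes are
 *        overwritten with NULs to split the string, so the storage must be
 *        writable.
 * flags: filter list the rule targets (AUDIT_FILTER_*).
 *
 * Returns 0 on success or a negative code, as produced below:
 *   -1 NULL argument, no operator, or no free field slot; -2 unknown field,
 *   user or group name; -3 arch given after a syscall; -4 unknown arch name;
 *   -5 no ELF mapping for the arch; -6 32/64-bit mismatch for the machine;
 *   -7 field needs the exit filter; -8 unknown message type; -9 msgtype
 *   outside the exclude filter; -10 operator or string field unsupported in
 *   this format; -12 exclude filter with a field other than msgtype;
 *   -13 operator not allowed for the field; -15 unknown errno name;
 *   -16 unknown file type; -17 field needs the entry or exit filter;
 *   -18 field not usable on the exclude filter; -20 empty value;
 *   -21 value is not numeric; -22 empty field name.
 *
 * NOTE(review): numeric values go through strtol()/strtoul() with no
 * end-pointer check, so trailing garbage ("1000x") is accepted as 1000.
 * NOTE(review): the operator search runs over the whole string, so an
 * operator character inside the value changes where the pair is split.
 */
int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
{
	const char *f = pair;
	char *v;
	int op;
	int field;
	int vlen;

	if (f == NULL || rule == NULL)
		return -1;

	/*
	 * Refuse to index past the per-rule arrays: each call consumes one
	 * slot and nothing else on this path bounds field_count.  -1 is used
	 * because no dedicated "too many fields" code is visible here.
	 * NOTE(review): assumes fields[] is a fixed-size array member and that
	 * values[] has the same capacity - confirm against the struct.
	 */
	if (rule->field_count >= sizeof(rule->fields) / sizeof(rule->fields[0]))
		return -1;

	/*
	 * Look for the 2-char operator first, then 1-char operators.  When
	 * found, null out the bytes under the operator to split the string
	 * and leave v just past it.  Only '=' and '!=' exist in this format.
	 */
	if ((v = strstr(pair, "!=")) != NULL) {
		*v++ = '\0';
		*v++ = '\0';
		op = AUDIT_NEGATE;	/* legacy encoding of "not equal" */
	} else if ((v = strstr(pair, ">")) != NULL) {
		return -10;
	} else if ((v = strstr(pair, "<")) != NULL) {
		return -10;
	} else if ((v = strstr(pair, "&")) != NULL) {
		return -10;
	} else if ((v = strstr(pair, "=")) != NULL) {
		*v++ = '\0';
		op = 0;			/* legacy encoding of "equal" */
	}

	if (v == NULL)
		return -1;
	if (*f == 0)
		return -22;
	if (*v == 0)
		return -20;

	audit_msg(LOG_DEBUG,"pair=%s\n", f);
	if ((field = audit_name_to_field(f)) < 0)
		return -2;

	/* Exclude filter can be used only with MSGTYPE field */
	if (flags == AUDIT_FILTER_EXCLUDE && field != AUDIT_MSGTYPE)
		return -12;

	audit_msg(LOG_DEBUG,"f%d%s%s\n", field, audit_operator_to_symbol(op),v);
	rule->fields[rule->field_count] = field | op;

	/*
	 * isdigit() is only defined for unsigned char values and EOF, so the
	 * byte is cast to unsigned char: a plain (possibly signed) char with
	 * the high bit set would otherwise be undefined behaviour.
	 */
	switch (field) {
	case AUDIT_UID:
	case AUDIT_EUID:
	case AUDIT_SUID:
	case AUDIT_FSUID:
	case AUDIT_LOGINUID:
		/* Do positive & negative separate for 32 bit systems */
		vlen = strlen(v);
		if (isdigit((unsigned char)*v)) {
			rule->values[rule->field_count] = strtoul(v, NULL, 0);
		} else if (vlen >= 2 && *v == '-' &&
			   isdigit((unsigned char)v[1])) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else if (name_to_uid(v, &rule->values[rule->field_count])) {
			audit_msg(LOG_ERR, "Unknown user: %s", v);
			return -2;
		}
		break;
	case AUDIT_GID:
	case AUDIT_EGID:
	case AUDIT_SGID:
	case AUDIT_FSGID:
		if (isdigit((unsigned char)*v)) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else if (name_to_gid(v, &rule->values[rule->field_count])) {
			audit_msg(LOG_ERR, "Unknown group: %s", v);
			return -2;
		}
		break;
	case AUDIT_EXIT:
		if (flags != AUDIT_FILTER_EXIT)
			return -7;
		vlen = strlen(v);
		if (isdigit((unsigned char)*v)) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else if (vlen >= 2 && *v == '-' &&
			   isdigit((unsigned char)v[1])) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else {
			/* Symbolic errno name; 0 is treated as "not found". */
			rule->values[rule->field_count] =
					audit_name_to_errno(v);
			if (rule->values[rule->field_count] == 0)
				return -15;
		}
		break;
	case AUDIT_MSGTYPE:
		if (flags != AUDIT_FILTER_EXCLUDE)
			return -9;
		if (isdigit((unsigned char)*v)) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else {
			/* Look the name up once instead of twice. */
			int msg_type = audit_name_to_msg_type(v);

			if (msg_type <= 0)
				return -8;
			rule->values[rule->field_count] = msg_type;
		}
		break;
	case AUDIT_ARCH:
		/* The arch has to be fixed before any syscall is added. */
		if (audit_syscalladded)
			return -3;
		if (!(op == AUDIT_NEGATE || op == 0))
			return -13;
		if (isdigit((unsigned char)*v)) {
			int machine;

			errno = 0;
			audit_elf = strtoul(v, NULL, 0);
			if (errno)
				return -5;

			/* Make sure we have a valid mapping */
			machine = audit_elf_to_machine(audit_elf);
			if (machine < 0)
				return -5;
		} else {
			/* what do we want? i686, x86_64, ia64 or b64, b32 */
			int machine;
			unsigned int bits = 0, elf;
			const char *arch = v;

			if (strcasecmp("b64", arch) == 0) {
				bits = __AUDIT_ARCH_64BIT;
				machine = audit_detect_machine();
			} else if (strcasecmp("b32", arch) == 0) {
				bits = ~__AUDIT_ARCH_64BIT;
				machine = audit_detect_machine();
			} else {
				machine = audit_name_to_machine(arch);
			}

			if (machine < 0)
				return -4;

			/*
			 * Here's where we fixup the machine: for example,
			 * they give x86_64 & want 32 bits, so we translate
			 * that to i686.
			 */
			if (bits == ~__AUDIT_ARCH_64BIT) {
				if (machine == MACH_86_64)
					machine = MACH_X86;
				else if (machine == MACH_PPC64)
					machine = MACH_PPC;
				else if (machine == MACH_S390X)
					machine = MACH_S390;
			}

			/*
			 * Check for errors - return -6.
			 * We don't allow 32 bit machines to specify 64 bit.
			 */
			switch (machine) {
			case MACH_X86:
				if (bits == __AUDIT_ARCH_64BIT)
					return -6;
				break;
			case MACH_IA64:
				if (bits == ~__AUDIT_ARCH_64BIT)
					return -6;
				break;
			case MACH_PPC:
				if (bits == __AUDIT_ARCH_64BIT)
					return -6;
				break;
			case MACH_S390:
				if (bits == __AUDIT_ARCH_64BIT)
					return -6;
				break;
			case MACH_86_64:
			case MACH_PPC64:
			case MACH_S390X:
				break;
			default:
				return -6;
			}

			/* OK, we have the machine type, now convert to elf. */
			elf = audit_machine_to_elf(machine);
			if (elf == 0)
				return -5;

			audit_elf = elf;
		}
		rule->values[rule->field_count] = audit_elf;
		audit_archadded = 1;
		break;
	case AUDIT_FILETYPE:
		if (flags != AUDIT_FILTER_EXIT && flags != AUDIT_FILTER_ENTRY)
			return -17;
		rule->values[rule->field_count] = audit_name_to_ftype(v);
		/*
		 * Compare as int, as audit_rule_fieldpair_data() does: without
		 * the cast an unsigned values[] slot can never be < 0 and an
		 * unknown file type would be accepted silently.
		 */
		if ((int)rule->values[rule->field_count] < 0)
			return -16;
		break;
	/* These are strings, which this rule format cannot carry */
	case AUDIT_SUBJ_USER:
	case AUDIT_SUBJ_ROLE:
	case AUDIT_SUBJ_TYPE:
	case AUDIT_SUBJ_SEN:
	case AUDIT_SUBJ_CLR:
	case AUDIT_OBJ_USER:
	case AUDIT_OBJ_ROLE:
	case AUDIT_OBJ_TYPE:
	case AUDIT_OBJ_LEV_LOW:
	case AUDIT_OBJ_LEV_HIGH:
	case AUDIT_WATCH:
	case AUDIT_PERM:
	case AUDIT_DIR:
	case AUDIT_FILTERKEY:
		return -10;
	case AUDIT_ARG0 ... AUDIT_ARG3:
		vlen = strlen(v);
		if (isdigit((unsigned char)*v))
			rule->values[rule->field_count] = strtoul(v, NULL, 0);
		else if (vlen >= 2 && *v == '-' &&
			 isdigit((unsigned char)v[1]))
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		else
			return -21;
		break;
	case AUDIT_DEVMAJOR ... AUDIT_INODE:
	case AUDIT_SUCCESS:
		if (flags != AUDIT_FILTER_EXIT)
			return -7;
		/* fallthrough */
	default:
		if (field == AUDIT_INODE) {
			if (!(op == AUDIT_NEGATE || op == 0))
				return -13;
		}

		if (field == AUDIT_PPID && (flags != AUDIT_FILTER_EXIT &&
					    flags != AUDIT_FILTER_ENTRY))
			return -17;

		if (flags == AUDIT_FILTER_EXCLUDE)
			return -18;

		if (!isdigit((unsigned char)*v))
			return -21;

		if (field == AUDIT_INODE)
			rule->values[rule->field_count] = strtoul(v, NULL, 0);
		else
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		break;
	}
	++rule->field_count;
	return 0;
}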
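/*
 * Parse one "FIELD<op>VALUE" pair and append it to a rule, growing the
 * rule's trailing string buffer when the field carries a string.
 *
 * rulep: address of the rule pointer.  String-valued fields realloc() the
 *        rule, so *rulep may change.  If that realloc fails the old rule is
 *        freed and *rulep is set to NULL.
 * pair:  text to parse; operators are != >= <= &= = > < &.  Although
 *        const-qualified, the operator bytes are overwritten with NULs to
 *        split the string, so the storage must be writable.
 * flags: filter list the rule targets (AUDIT_FILTER_*).
 *
 * Returns 0 on success or a negative code, as produced below:
 *   -1 NULL argument, no operator, or no free field slot; -2 unknown field,
 *   user or group name; -3 arch given after a syscall, or out of memory;
 *   -4 unknown arch name; -5 no ELF mapping for the arch; -6 32/64-bit
 *   mismatch for the machine; -7 field needs the exit filter; -8 unknown
 *   message type; -9 msgtype on a filter other than exclude/user;
 *   -11 value too long; -12 exclude filter with a field other than
 *   msgtype; -13 operator not allowed for the field; -14 bad permission
 *   letter; -15 unknown errno name; -16 unknown file type; -17 field needs
 *   the entry or exit filter; -19 key given before any syscall or watch;
 *   -20 empty value; -21 value is not numeric; -22 empty field name.
 *
 * NOTE(review): numeric values go through strtol()/strtoul() with no
 * end-pointer check, so trailing garbage ("1000x") is accepted as 1000.
 * NOTE(review): the operator search runs over the whole string in the
 * order listed, so an operator character inside the value (a path or key
 * containing "!=", ">", ...) changes where the pair is split.
 */
int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
			      int flags)
{
	/* 2-char operators must be tried before their 1-char prefixes. */
	static const struct {
		const char *token;
		int op;
	} operators[] = {
		{ "!=", AUDIT_NOT_EQUAL },
		{ ">=", AUDIT_GREATER_THAN_OR_EQUAL },
		{ "<=", AUDIT_LESS_THAN_OR_EQUAL },
		{ "&=", AUDIT_BIT_TEST },
		{ "=",  AUDIT_EQUAL },
		{ ">",  AUDIT_GREATER_THAN },
		{ "<",  AUDIT_LESS_THAN },
		{ "&",  AUDIT_BIT_MASK },
	};
	const char *f = pair;
	char *v = NULL;
	int op = 0;
	int field;
	int vlen;
	int offset;
	size_t i;
	struct audit_rule_data *rule;
	struct audit_rule_data *grown;

	if (f == NULL || rulep == NULL || *rulep == NULL)
		return -1;
	rule = *rulep;

	/*
	 * Refuse to index past the per-rule arrays: each call consumes one
	 * slot and nothing else on this path bounds field_count.  -1 is used
	 * because no dedicated "too many fields" code is visible here.
	 * NOTE(review): assumes fields[] is a fixed-size array member and that
	 * values[] / fieldflags[] have the same capacity - confirm against the
	 * struct definition.
	 */
	if (rule->field_count >= sizeof(rule->fields) / sizeof(rule->fields[0]))
		return -1;

	/*
	 * Find the first operator (in table order) that occurs in the string,
	 * null out the bytes under it to split field name from value, and
	 * leave v pointing just past the operator.
	 */
	for (i = 0; i < sizeof(operators) / sizeof(operators[0]); i++) {
		v = strstr(pair, operators[i].token);
		if (v != NULL) {
			size_t toklen = strlen(operators[i].token);

			memset(v, '\0', toklen);
			v += toklen;
			op = operators[i].op;
			break;
		}
	}

	if (v == NULL)
		return -1;
	if (*f == 0)
		return -22;
	if (*v == 0)
		return -20;

	if ((field = audit_name_to_field(f)) < 0)
		return -2;

	/* Exclude filter can be used only with MSGTYPE field */
	if (flags == AUDIT_FILTER_EXCLUDE && field != AUDIT_MSGTYPE)
		return -12;

	rule->fields[rule->field_count] = field;
	rule->fieldflags[rule->field_count] = op;

	/*
	 * isdigit()/tolower() are only defined for unsigned char values and
	 * EOF, so bytes are cast to unsigned char: a plain (possibly signed)
	 * char with the high bit set would otherwise be undefined behaviour.
	 */
	switch (field) {
	case AUDIT_UID:
	case AUDIT_EUID:
	case AUDIT_SUID:
	case AUDIT_FSUID:
	case AUDIT_LOGINUID:
	case AUDIT_OBJ_UID:
	case AUDIT_OBJ_GID:
		/* Do positive & negative separate for 32 bit systems */
		vlen = strlen(v);
		if (isdigit((unsigned char)*v)) {
			rule->values[rule->field_count] = strtoul(v, NULL, 0);
		} else if (vlen >= 2 && *v == '-' &&
			   isdigit((unsigned char)v[1])) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else if (strcmp(v, "unset") == 0) {
			/* "unset" is stored as all-ones (4294967295). */
			rule->values[rule->field_count] = 4294967295;
		} else if (field == AUDIT_OBJ_GID) {
			/*
			 * obj_gid is a group id, so resolve names through the
			 * group lookup.  The original sent it through the user
			 * lookup like the other fields in this case list,
			 * which yields the wrong id (or "Unknown user") for a
			 * group name.
			 */
			if (audit_name_to_gid(v,
					&rule->values[rule->field_count])) {
				audit_msg(LOG_ERR, "Unknown group: %s", v);
				return -2;
			}
		} else if (audit_name_to_uid(v,
					&rule->values[rule->field_count])) {
			audit_msg(LOG_ERR, "Unknown user: %s", v);
			return -2;
		}
		break;
	case AUDIT_GID:
	case AUDIT_EGID:
	case AUDIT_SGID:
	case AUDIT_FSGID:
		if (isdigit((unsigned char)*v)) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else if (audit_name_to_gid(v,
					&rule->values[rule->field_count])) {
			audit_msg(LOG_ERR, "Unknown group: %s", v);
			return -2;
		}
		break;
	case AUDIT_EXIT:
		if (flags != AUDIT_FILTER_EXIT)
			return -7;
		vlen = strlen(v);
		if (isdigit((unsigned char)*v)) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else if (vlen >= 2 && *v == '-' &&
			   isdigit((unsigned char)v[1])) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else {
			/* Symbolic errno name; 0 is treated as "not found". */
			rule->values[rule->field_count] =
					audit_name_to_errno(v);
			if (rule->values[rule->field_count] == 0)
				return -15;
		}
		break;
	case AUDIT_MSGTYPE:
		if (flags != AUDIT_FILTER_EXCLUDE && flags != AUDIT_FILTER_USER)
			return -9;

		if (isdigit((unsigned char)*v)) {
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		} else {
			/* Look the name up once instead of twice. */
			int msg_type = audit_name_to_msg_type(v);

			if (msg_type <= 0)
				return -8;
			rule->values[rule->field_count] = msg_type;
		}
		break;
	/* These next few are strings */
	case AUDIT_OBJ_USER:
	case AUDIT_OBJ_ROLE:
	case AUDIT_OBJ_TYPE:
	case AUDIT_OBJ_LEV_LOW:
	case AUDIT_OBJ_LEV_HIGH:
	case AUDIT_WATCH:
	case AUDIT_DIR:
		/* Watch & object filtering is invalid on anything but exit */
		if (flags != AUDIT_FILTER_EXIT)
			return -7;
		if (field == AUDIT_WATCH || field == AUDIT_DIR)
			_audit_permadded = 1;

		/* fallthrough */
	case AUDIT_SUBJ_USER:
	case AUDIT_SUBJ_ROLE:
	case AUDIT_SUBJ_TYPE:
	case AUDIT_SUBJ_SEN:
	case AUDIT_SUBJ_CLR:
	case AUDIT_FILTERKEY:
		/* A key is only accepted once a syscall or watch exists. */
		if (field == AUDIT_FILTERKEY &&
		    !(_audit_syscalladded || _audit_permadded))
			return -19;
		vlen = strlen(v);
		if (field == AUDIT_FILTERKEY && vlen > AUDIT_MAX_KEY_LEN)
			return -11;
		else if (vlen > PATH_MAX)
			return -11;

		/* The value slot holds the length; the bytes go into buf. */
		rule->values[rule->field_count] = vlen;
		offset = rule->buflen;
		rule->buflen += vlen;
		grown = realloc(rule, sizeof(*rule) + rule->buflen);
		if (grown == NULL) {
			/*
			 * Same contract as before: the rule is released and
			 * the caller's pointer is cleared, so the caller must
			 * not touch or free it again.
			 */
			free(rule);
			*rulep = NULL;
			audit_msg(LOG_ERR, "Cannot realloc memory!\n");
			return -3;
		}
		rule = grown;
		*rulep = grown;
		/*
		 * Exactly vlen bytes, deliberately without a terminator: the
		 * length is carried in values[] and buflen, as the strncpy()
		 * this replaces also did.
		 */
		memcpy(&rule->buf[offset], v, vlen);
		break;
	case AUDIT_ARCH:
		/* The arch has to be fixed before any syscall is added. */
		if (_audit_syscalladded)
			return -3;
		if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL))
			return -13;
		if (isdigit((unsigned char)*v)) {
			int machine;

			errno = 0;
			_audit_elf = strtoul(v, NULL, 0);
			if (errno)
				return -5;

			/* Make sure we have a valid mapping */
			machine = audit_elf_to_machine(_audit_elf);
			if (machine < 0)
				return -5;
		} else {
			/* what do we want? i686, x86_64, ia64 or b64, b32 */
			int machine;
			unsigned int bits = 0, elf;
			const char *arch = v;

			if (strcasecmp("b64", arch) == 0) {
				bits = __AUDIT_ARCH_64BIT;
				machine = audit_detect_machine();
			} else if (strcasecmp("b32", arch) == 0) {
				bits = ~__AUDIT_ARCH_64BIT;
				machine = audit_detect_machine();
			} else {
				machine = audit_name_to_machine(arch);
			}

			if (machine < 0)
				return -4;

			/*
			 * Here's where we fixup the machine: for example,
			 * they give x86_64 & want 32 bits, so we translate
			 * that to i686.
			 */
			if (bits == ~__AUDIT_ARCH_64BIT) {
				if (machine == MACH_86_64)
					machine = MACH_X86;
				else if (machine == MACH_PPC64)
					machine = MACH_PPC;
				else if (machine == MACH_S390X)
					machine = MACH_S390;
			}

			/*
			 * Check for errors - return -6.
			 * We don't allow 32 bit machines to specify 64 bit.
			 */
			switch (machine) {
			case MACH_X86:
				if (bits == __AUDIT_ARCH_64BIT)
					return -6;
				break;
			case MACH_IA64:
				if (bits == ~__AUDIT_ARCH_64BIT)
					return -6;
				break;
			case MACH_PPC:
				if (bits == __AUDIT_ARCH_64BIT)
					return -6;
				break;
			case MACH_S390:
				if (bits == __AUDIT_ARCH_64BIT)
					return -6;
				break;
#ifdef WITH_ARMEB
			case MACH_ARMEB:
				if (bits == __AUDIT_ARCH_64BIT)
					return -6;
				break;
#endif
#ifdef WITH_AARCH64
			case MACH_AARCH64:
				if (bits != __AUDIT_ARCH_64BIT)
					return -6;
				break;
#endif
			case MACH_86_64:
			case MACH_PPC64:
			case MACH_S390X:
				break;
			default:
				return -6;
			}

			/* OK, we have the machine type, now convert to elf. */
			elf = audit_machine_to_elf(machine);
			if (elf == 0)
				return -5;

			_audit_elf = elf;
		}
		rule->values[rule->field_count] = _audit_elf;
		_audit_archadded = 1;
		break;
	case AUDIT_PERM:
		if (flags != AUDIT_FILTER_EXIT) {
			return -7;
		} else if (op != AUDIT_EQUAL) {
			return -13;
		} else {
			unsigned int k, len, val = 0;

			/* At most the four letters r, w, x, a (any case). */
			len = strlen(v);
			if (len > 4)
				return -11;

			for (k = 0; k < len; k++) {
				switch (tolower((unsigned char)v[k])) {
				case 'r':
					val |= AUDIT_PERM_READ;
					break;
				case 'w':
					val |= AUDIT_PERM_WRITE;
					break;
				case 'x':
					val |= AUDIT_PERM_EXEC;
					break;
				case 'a':
					val |= AUDIT_PERM_ATTR;
					break;
				default:
					return -14;
				}
			}
			rule->values[rule->field_count] = val;
		}
		break;
	case AUDIT_FILETYPE:
		if (!(flags == AUDIT_FILTER_EXIT || flags == AUDIT_FILTER_ENTRY))
			return -17;
		rule->values[rule->field_count] = audit_name_to_ftype(v);
		/* Cast so a negative "not found" result is still detectable. */
		if ((int)rule->values[rule->field_count] < 0)
			return -16;
		break;
	case AUDIT_ARG0 ... AUDIT_ARG3:
		vlen = strlen(v);
		if (isdigit((unsigned char)*v))
			rule->values[rule->field_count] = strtoul(v, NULL, 0);
		else if (vlen >= 2 && *v == '-' &&
			 isdigit((unsigned char)v[1]))
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		else
			return -21;
		break;
	case AUDIT_DEVMAJOR ... AUDIT_INODE:
	case AUDIT_SUCCESS:
		if (flags != AUDIT_FILTER_EXIT)
			return -7;
		/* fallthrough */
	default:
		if (field == AUDIT_INODE) {
			if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL))
				return -13;
		}

		if (field == AUDIT_PPID && !(flags == AUDIT_FILTER_EXIT ||
					     flags == AUDIT_FILTER_ENTRY))
			return -17;

		if (!isdigit((unsigned char)*v))
			return -21;

		if (field == AUDIT_INODE)
			rule->values[rule->field_count] = strtoul(v, NULL, 0);
		else
			rule->values[rule->field_count] = strtol(v, NULL, 0);
		break;
	}
	rule->field_count++;
	return 0;
}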