Fix filter by arch on s390x
Allow adding rules with filters like "-F arch=b64" and "-F arch=b32"
djoreilly committed Sep 30, 2024
1 parent f626137 commit 13c6c69
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions rule/rule.go
@@ -198,13 +198,15 @@ func ToCommandLine(wf WireFormat, resolveIds bool) (rule string, err error) {
}
if r.arch == "b32" {
switch arch {
case "i386", "arm", "ppc":
case "i386", "arm", "ppc", "s390":
case "aarch64":
arch = "arm"
case "x86_64":
arch = "i386"
case "ppc64", "ppc64le":
arch = "ppc"
case "s390x":
arch = "s390"
default:
return "", fmt.Errorf("invalid arch for b32: '%s'", arch)
}
@@ -863,7 +865,7 @@ func getArch(arch string) (string, uint32, error) {
}

switch runtimeArch {
case "aarch64", "x86_64", "ppc64":
case "aarch64", "x86_64", "ppc64", "s390x":
realArch = runtimeArch
default:
return "", 0, fmt.Errorf("cannot use b64 on %v", runtimeArch)
@@ -875,14 +877,16 @@ func getArch(arch string) (string, uint32, error) {
}

switch runtimeArch {
case "arm", "i386":
case "arm", "i386", "s390":
realArch = runtimeArch
case "aarch64":
realArch = "arm"
case "x86_64":
realArch = "i386"
case "ppc64":
realArch = "ppc"
case "s390x":
realArch = "s390"
default:
return "", 0, fmt.Errorf("cannot use b32 on %v", runtimeArch)
}
@@ -909,16 +913,17 @@ func getDisplayArch(archID uint32) (string, error) {
requestedArch := auparse.AuditArch(archID)
if requestedArch == runtimeArch {
switch requestedArch {
case auparse.AUDIT_ARCH_AARCH64, auparse.AUDIT_ARCH_X86_64, auparse.AUDIT_ARCH_PPC64:
case auparse.AUDIT_ARCH_AARCH64, auparse.AUDIT_ARCH_X86_64, auparse.AUDIT_ARCH_PPC64, auparse.AUDIT_ARCH_S390X:
return "b64", nil
case auparse.AUDIT_ARCH_ARM, auparse.AUDIT_ARCH_I386, auparse.AUDIT_ARCH_PPC:
case auparse.AUDIT_ARCH_ARM, auparse.AUDIT_ARCH_I386, auparse.AUDIT_ARCH_PPC, auparse.AUDIT_ARCH_S390:
return "b32", nil
}
} else {
switch {
case runtimeArch == auparse.AUDIT_ARCH_AARCH64 && requestedArch == auparse.AUDIT_ARCH_ARM,
runtimeArch == auparse.AUDIT_ARCH_X86_64 && requestedArch == auparse.AUDIT_ARCH_I386,
runtimeArch == auparse.AUDIT_ARCH_PPC64 && requestedArch == auparse.AUDIT_ARCH_PPC:
runtimeArch == auparse.AUDIT_ARCH_PPC64 && requestedArch == auparse.AUDIT_ARCH_PPC,
runtimeArch == auparse.AUDIT_ARCH_S390X && requestedArch == auparse.AUDIT_ARCH_S390:
return "b32", nil
}
}
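Review bot: The s390x-to-s390 compat pairing is now spelled out in three separate switches (the b32 branch of ToCommandLine, the b32 branch of getArch, and the cross-arch case of getDisplayArch), and the visible switches already disagree for PowerPC: ToCommandLine accepts `"ppc"` and `"ppc64le"` for b32, while the getArch b32 switch lists neither. Since `-F arch=` selects which syscall table an audit rule is matched against, drift between these lists can make a rule fail to load on one path and render differently on another, so I would keep the pairs in one package-level table, for example `var compat32 = map[string]string{"aarch64": "arm", "x86_64": "i386", "ppc64": "ppc", "s390x": "s390"}`, and have all three sites consult it. The commit changes only rule/rule.go, so nothing exercises the new cases; a table-driven test that round-trips b32 and b64 through getArch and getDisplayArch for s390x would pin them. All three function bodies continue outside the hunks, so whether ppc64le is handled elsewhere should be confirmed before folding it into a shared table.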
