In auparse_normalize, pick up comm for successful memory allocations

RH-steve-grubb · RH-steve-grubb · commit 4758ec5e2fb8 · 2017-10-10T11:58:26.000-04:00
diff --git a/ChangeLog b/ChangeLog
@@ -27,6 +27,7 @@
 - In audispd.conf, add new plugin_dir config item to customize plugin location
 - Add support for FANOTIFY event
 - Improve auparse_normalize support for SECCOMP events
+- In auparse_normalize, pick up comm for successful memory allocations
 
 2.7.8
 - Add config option to auditd to not verify email addr domain (#1406887)
diff --git a/auparse/normalize.c b/auparse/normalize.c
@@ -806,7 +806,19 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
 			break;
 		case NORM_SYSTEM_MEMORY:
 			act = "allocated-memory";
-			// TODO: The object is implied
+			if (syscall_success == 1) {
+				// If its not a mmap avc, we can use comm
+				act = "allocated-memory-in";
+				auparse_first_record(au);
+				f = auparse_find_field(au, "comm");
+				if (f) {
+					D.thing.primary = set_record(0,
+						auparse_get_record_num(au));
+					D.thing.primary =
+						set_field(D.thing.primary,
+						auparse_get_field_num(au));
+				}
+			}
 			D.thing.what = NORM_WHAT_MEMORY;
 			break;
 		case NORM_SCHEDULER:
