From: Amy Griffis <amy.griffis@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: [PATCH] audit tools: add filterkey support
Date: Wed, 14 Jun 2006 18:49:10 -0400
Message-ID: <20060614224910.GB2268@zk3.dec.com>
Hi Steve,
Here is the userspace patch I used to test the kernel filterkey patch.
Hope this helps,
Amy
---
lib/fieldtab.h | 1 +
lib/libaudit.c | 13 +++++++------
lib/libaudit.h | 4 ++++
src/auditctl.c | 5 +++++
4 files changed, 17 insertions(+), 6 deletions(-)
acece4c427812119ec1aac24fe5e8b58902985a9
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index a6f3121..a74754f 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -53,3 +53,4 @@ _S(AUDIT_ARG1, "a1" )
_S(AUDIT_ARG2, "a2" )
_S(AUDIT_ARG3, "a3" )
+_S(AUDIT_FILTERKEY, "filterkey")
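Review bot: Documentation is missing for the new user-visible field name added on the `_S(AUDIT_FILTERKEY, "filterkey")` line. The diffstat touches only fieldtab.h, libaudit.c, libaudit.h and auditctl.c, so nothing tells users that "filterkey" is accepted in a rule or what it is for. Please add the field to the auditctl man page in the same patch, including which filter lists it is valid on.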
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b61df6c..48022df 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -827,6 +827,7 @@ int audit_rule_fieldpair(struct audit_ru
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
case AUDIT_WATCH:
+ case AUDIT_FILTERKEY:
return -10;
case AUDIT_DEVMAJOR...AUDIT_SUCCESS:
if (flags == AUDIT_FILTER_ENTRY)
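Review bot: The bare `return -10;` that `case AUDIT_FILTERKEY:` now joins gives no hint why the field is rejected in audit_rule_fieldpair. Since the next hunk handles the same group of fields as strings in audit_rule_fieldpair_data, a one-line comment above the return saying these string-valued fields are only supported through the _data variant would make the intent clear and help whoever maps -10 to a user-facing error message.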
@@ -946,17 +947,17 @@ int audit_rule_fieldpair_data(struct aud
else
return -8;
break;
+ case AUDIT_WATCH:
+ /* Watch is invalid on anything but exit */
+ if (flags != AUDIT_FILTER_EXIT)
+ return -7;
+ /* fallthrough */
case AUDIT_SE_USER:
case AUDIT_SE_ROLE:
case AUDIT_SE_TYPE:
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
- case AUDIT_WATCH:
- /* Watch is invalid on anything but exit */
- if ((flags != AUDIT_FILTER_EXIT) &&
- (field == AUDIT_WATCH))
- return -7;
-
+ case AUDIT_FILTERKEY:
rule->values[rule->field_count] = strlen(v);
offset = rule->buflen;
rule->buflen += strlen(v);
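Review bot: A length check is missing for the new `case AUDIT_FILTERKEY:`, which drops straight into the shared string path at `rule->values[rule->field_count] = strlen(v);` and `rule->buflen += strlen(v);`. Nothing visible in this hunk rejects an empty key or bounds a very long one before the buffer length grows. Consider validating the key length here, against whatever limit the kernel side enforces, and returning a distinct error so auditctl can report it rather than relying on the kernel to refuse the rule. The AUDIT_WATCH reordering with the explicit fallthrough comment reads more clearly than the old `field == AUDIT_WATCH` test. As a minor point, strlen(v) is computed twice and could be held in a local.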
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 8aab24e..c9e2ea4 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -214,6 +214,10 @@ extern "C" {
#define AUDIT_WATCH 105 /* This is a field in syscall rule */
#endif
+#ifndef AUDIT_FILTERKEY
+#define AUDIT_FILTERKEY 210
+#endif
+
/* This is new list defines from audit.h */
#ifndef AUDIT_FILTER_USER
#define AUDIT_FILTER_USER 0x00 /* Apply rule to user-generated messages */
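Review bot: The fallback `#define AUDIT_FILTERKEY 210` has no comment, unlike the AUDIT_WATCH define just above it, and the value is hardcoded behind `#ifndef`. If the kernel header ends up assigning a different number, this fallback silently wins on systems with older headers and rules will be sent with the wrong field id. Please add a comment describing the field and noting that 210 must match the kernel's definition.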
diff --git a/src/auditctl.c b/src/auditctl.c
index 045a38d..168253f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -967,6 +967,11 @@ static int audit_print_reply(struct audi
rep->ruledata->values[i],
&rep->ruledata->buf[boffset]);
boffset += rep->ruledata->values[i];
+ } else if (field == AUDIT_FILTERKEY) {
+ printf(" filterkey=%.*s",
+ rep->ruledata->values[i],
+ &rep->ruledata->buf[boffset]);
+ boffset += rep->ruledata->values[i];
} else {
printf(" %s%s%d", name,
audit_operator_to_symbol(op),
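Review bot: In the new `else if (field == AUDIT_FILTERKEY)` branch, `boffset += rep->ruledata->values[i];` advances on a length taken from the reply without checking that boffset plus that length stays inside the reply's buffer. A check before the printf would keep a malformed reply from causing a read past the buffer. Two smaller points: the precision argument to `%.*s` must be an int, so cast `rep->ruledata->values[i]` if it is an unsigned type, and the literal " filterkey=" duplicates the string already registered in fieldtab.h, where the final else branch prints `name` instead.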
--
1.2.GIT