From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marcelo Cerri Subject: [PATCH] auvirt: Add details to cgroup records Date: Fri, 10 Feb 2012 11:31:52 -0200 Message-ID: <1328880712-27185-1-git-send-email-mhcerri@linux.vnet.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com [10.5.110.17]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q1ADW0H9003366 for ; Fri, 10 Feb 2012 08:32:00 -0500 Received: from e24smtp02.br.ibm.com (e24smtp02.br.ibm.com [32.104.18.86]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q1ADVwxh003661 for ; Fri, 10 Feb 2012 08:31:59 -0500 Received: from /spool/local by e24smtp02.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 10 Feb 2012 11:31:57 -0200 Received: from d24av05.br.ibm.com (d24av05.br.ibm.com [9.18.232.44]) by d24relay01.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q1ADRcZ04460570 for ; Fri, 10 Feb 2012 10:27:38 -0300 Received: from d24av05.br.ibm.com (loopback [127.0.0.1]) by d24av05.br.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q1ADVsFu012872 for ; Fri, 10 Feb 2012 11:31:54 -0200 List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: gcwilson@us.ibm.com, bryntcor@us.ibm.com List-Id: linux-audit@redhat.com With this patch, auvirt prints additional information for cgroup records when the option "--all-events" is given. It adds the device class, the path or category of the device which is being allowed or denied, and the ACL.
---
tools/auvirt/auvirt.c | 31 ++++++++++++++++++++++++++++++-
1 files changed, 30 insertions(+), 1 deletions(-)
diff --git a/tools/auvirt/auvirt.c b/tools/auvirt/auvirt.c
index a89b097..e5c5ef6 100644
--- a/tools/auvirt/auvirt.c
+++ b/tools/auvirt/auvirt.c
@@ -80,6 +80,10 @@ struct event {
 char *reason;
 char *res_type;
 char *res;
+ /* Fields specific for cgroup resources */
+ char *cgroup_class;
+ char *cgroup_detail;
+ char *cgroup_acl;
 /* Fields specific for machine id events: */
 char *seclevel;
 /* Fields specific for avc events: */
@@ -123,6 +127,9 @@ void event_free(struct event *event)
 free(event->comm);
 free(event->seresult);
 free(event->seperms);
+ free(event->cgroup_class);
+ free(event->cgroup_detail);
+ free(event->cgroup_acl);
 free(event);
 }
 }
@@ -669,6 +676,22 @@ int add_resource(auparse_state_t *au, const char *uuid, uid_t uid, time_t time,
 event->uid = uid;
 event->start = time;
 add_proof(event, au);
+
+ /* Get cgroup specific fields. */
+ if (strcmp("cgroup", res_type) == 0) {
+ event->cgroup_class = copy_str(auparse_find_field(au, "class"));
+ if (event->cgroup_class) {
+ const char *detail = NULL;
+ if (strcmp("path", event->cgroup_class) == 0) {
+ detail = auparse_find_field(au, "path");
+ } else if (strcmp("major", event->cgroup_class) == 0) {
+ detail = auparse_find_field(au, "category");
+ }
+ event->cgroup_detail = copy_str(detail);
+ }
+ event->cgroup_acl = copy_str(auparse_find_field(au, "acl"));
+ }
+
 if (list_append(events, event) == NULL) {
 event_free(event);
 return 1;
@@ -1105,7 +1128,13 @@ void print_event(struct event *event)
 if (event->type == ET_RES) {
 printf("\t%-12.12s", N(event->res_type));
 printf("\t%-10.10s", N(event->reason));
- printf("\t%s", N(event->res));
+ if (strcmp("cgroup", event->res_type) != 0) {
+ printf("\t%s", N(event->res));
+ } else {
+ printf("\t%s\t%s\t%s", N(event->cgroup_class),
+ N(event->cgroup_acl),
+ N(event->cgroup_detail));
+ }
 } else if (event->type == ET_MACHINE_ID) {
 printf("\t%s", N(event->seclevel));
 } else if (event->type == ET_AVC) {
-- 1.7.1
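Review bot: The three lookups in the new cgroup block of add_resource are chained through auparse_find_field(), which, if I recall the auparse semantics correctly, searches forward from the parser's current field and leaves the cursor on the match; `path`/`category` and then `acl` are therefore only found when the record lists them after `class` in that order, and any other order yields NULL fields silently rather than an error. If that ordering is guaranteed by the libvirt emitter it deserves a comment at the top of the block, e.g. `/* libvirt emits class=, then path=/category=, then acl=; auparse_find_field() searches forward from the cursor */`, otherwise reset the cursor with auparse_first_field(au) before each lookup. Separately, `path` is a field the audit layer hex-encodes when it contains spaces or non-printable bytes, so if copy_str stores the raw value rather than the auparse_interpret_field(au) form, the printed path may come out as a hex string; worth checking against how the other string fields in this function are decoded. add_resource starts and ends outside the hunk.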
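Review bot: `strcmp("cgroup", event->res_type)` at the top of the new branch in print_event dereferences res_type unguarded, while the printf two lines above wraps the same field in N(), which suggests it can be NULL; a resource event whose res_type was never set would crash here instead of printing the placeholder as before. Change the condition to `if (event->res_type == NULL || strcmp("cgroup", event->res_type) != 0) {` so the NULL case keeps taking the existing single-column path. print_event's body continues outside the hunk.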