[PATCH] Support for auditing on the actions of a not-yet-executed process.

[Peter Moody <pmoody@google.com>]

eg:

-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1

to see instances of /bin/bash opening a non-local socket. Or

-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1

to instances of /bin/bash, and any descendant processes, opening a non local socket.

proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
and it seemed like there was interest.

Signed-off-by: Peter Moody <pmoody@google.com>
---
 trunk/lib/errormsg.h |    2 +-
 trunk/lib/fieldtab.h |    2 ++
 trunk/lib/libaudit.c |   11 +++++++++++
 trunk/lib/libaudit.h |    7 ++++++-
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 4d996d5..cd595ec 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
     { -15,    2,    "-F unknown errno -"},
     { -16,    2,    "-F unknown file type - " },
     { -17,    1,    "can only be used with exit and entry filter list" },
-    { -18,    1,    "" }, // Unused
+    { -18,    1,    "only takes = operator" },
     { -19,    0,    "Key field needs a watch or syscall given prior to it" },
     { -20,    2,    "-F missing value after operation for" },
     { -21,    2,    "-F value should be number for" },
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index c0432cc..245b541 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -66,3 +66,5 @@ _S(AUDIT_ARG3,         "a3"           )
 _S(AUDIT_FILTERKEY,    "key"          )
 
 _S(AUDIT_FIELD_COMPARE, "field_compare" )
+_S(AUDIT_EXE,          "exe"          )
+_S(AUDIT_EXE_CHILDREN, "exe_children" )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 20eaf5f..06eed86 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			else 
 				return -21;
 			break;
+		case AUDIT_EXE_CHILDREN:
+		case AUDIT_EXE:
+		{
+			struct stat buf;
+			if ((stat(v, &buf)) < 0)
+				return -2;
+			if (op != AUDIT_EQUAL)
+				return -18;
+			rule->values[rule->field_count] = (unsigned long)buf.st_ino;
+		}
+			break;
 		case AUDIT_DEVMAJOR...AUDIT_INODE:
 		case AUDIT_SUCCESS:
 			if (flags != AUDIT_FILTER_EXIT)
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 89dd588..2c8a802 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -243,6 +243,12 @@ extern "C" {
 #ifndef AUDIT_FIELD_COMPARE
 #define AUDIT_FIELD_COMPARE 111
 #endif
+#ifndef AUDIT_EXE
+#define AUDIT_EXE 112
+#endif
+#ifndef AUDIT_EXE_CHILDREN
+#define AUDIT_EXE_CHILDREN 113
+#endif
 
 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
 #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
@@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
 #endif
 
 #endif
-
-- 
1.7.7.3