From: Amy Griffis <amy.griffis@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: [PATCH] audit tools: add filterkey support
Date: Wed, 14 Jun 2006 18:49:10 -0400
Message-ID: <20060614224910.GB2268@zk3.dec.com>

Hi Steve,

Here is the userspace patch I used to test the kernel filterkey patch.

Hope this helps,
Amy
---
lib/fieldtab.h | 1 +
lib/libaudit.c | 13 +++++++------
lib/libaudit.h | 4 ++++
src/auditctl.c | 5 +++++
4 files changed, 17 insertions(+), 6 deletions(-)
acece4c427812119ec1aac24fe5e8b58902985a9
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index a6f3121..a74754f 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -53,3 +53,4 @@ _S(AUDIT_ARG1, "a1" )
_S(AUDIT_ARG2, "a2" )
_S(AUDIT_ARG3, "a3" )
+_S(AUDIT_FILTERKEY, "filterkey")
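Review bot: The `_S(AUDIT_FILTERKEY, "filterkey")` entry introduces a new user-visible field name, but the diffstat lists only fieldtab.h, libaudit.c, libaudit.h and auditctl.c, so nothing documents it. Add the field to the auditctl documentation in the same series, or state in the cover text that the documentation will follow.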
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b61df6c..48022df 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -827,6 +827,7 @@ int audit_rule_fieldpair(struct audit_ru
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
case AUDIT_WATCH:
+ case AUDIT_FILTERKEY:
return -10;
case AUDIT_DEVMAJOR...AUDIT_SUCCESS:
if (flags == AUDIT_FILTER_ENTRY)
@@ -946,17 +947,17 @@ int audit_rule_fieldpair_data(struct aud
else
return -8;
break;
+ case AUDIT_WATCH:
+ /* Watch is invalid on anything but exit */
+ if (flags != AUDIT_FILTER_EXIT)
+ return -7;
+ /* fallthrough */
case AUDIT_SE_USER:
case AUDIT_SE_ROLE:
case AUDIT_SE_TYPE:
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
- case AUDIT_WATCH:
- /* Watch is invalid on anything but exit */
- if ((flags != AUDIT_FILTER_EXIT) &&
- (field == AUDIT_WATCH))
- return -7;
-
+ case AUDIT_FILTERKEY:
rule->values[rule->field_count] = strlen(v);
offset = rule->buflen;
rule->buflen += strlen(v);
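Review bot: The new `case AUDIT_FILTERKEY:` at the end of the string-field group reaches `rule->values[rule->field_count] = strlen(v);` and `rule->buflen += strlen(v);` with no check on the length of `v` in the visible lines, so an empty or arbitrarily long key is passed through as-is. Consider rejecting an empty key and bounding the length before the buffer grows, with its own error code in the way the AUDIT_WATCH case returns -7. The AUDIT_WATCH move with the explicit /* fallthrough */ comment reads more clearly than the old combined condition and is fine as is.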
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 8aab24e..c9e2ea4 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -214,6 +214,10 @@ extern "C" {
#define AUDIT_WATCH 105 /* This is a field in syscall rule */
#endif
+#ifndef AUDIT_FILTERKEY
+#define AUDIT_FILTERKEY 210
+#endif
+
/* This is new list defines from audit.h */
#ifndef AUDIT_FILTER_USER
#define AUDIT_FILTER_USER 0x00 /* Apply rule to user-generated messages */
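Review bot: `#define AUDIT_FILTERKEY 210` carries no comment, unlike `AUDIT_WATCH 105` just above it. Add a short comment saying what the field is for, and note that the value has to match the definition in the kernel filterkey patch, since the `#ifndef` guard silently supplies 210 whenever the installed headers lack the symbol.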
diff --git a/src/auditctl.c b/src/auditctl.c
index 045a38d..168253f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -967,6 +967,11 @@ static int audit_print_reply(struct audi
rep->ruledata->values[i],
&rep->ruledata->buf[boffset]);
boffset += rep->ruledata->values[i];
+ } else if (field == AUDIT_FILTERKEY) {
+ printf(" filterkey=%.*s",
+ rep->ruledata->values[i],
+ &rep->ruledata->buf[boffset]);
+ boffset += rep->ruledata->values[i];
} else {
printf(" %s%s%d", name,
audit_operator_to_symbol(op),
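Review bot: The new `else if (field == AUDIT_FILTERKEY)` branch hardcodes the literal " filterkey=" instead of using `name` as the final `else` branch does, so the printed name can drift from the fieldtab.h entry. The key bytes are also printed unescaped through `%.*s`, so a key containing spaces or control characters would make the rule listing ambiguous; consider quoting or escaping it. The print-and-advance-`boffset` body repeats the tail of the preceding branch and could be shared.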
--
1.2.GIT