From mboxrd@z Thu Jan 1 00:00:00 1970
From: Amy Griffis
Subject: [PATCH] audit tools: add filterkey support
Date: Wed, 14 Jun 2006 18:49:10 -0400
Message-ID: <20060614224910.GB2268@zk3.dec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com
Hi Steve,
Here is the userspace patch I used to test the kernel filterkey patch.
Hope this helps,
Amy
---
lib/fieldtab.h | 1 +
lib/libaudit.c | 13 +++++++------
lib/libaudit.h | 4 ++++
src/auditctl.c | 5 +++++
4 files changed, 17 insertions(+), 6 deletions(-)
acece4c427812119ec1aac24fe5e8b58902985a9
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index a6f3121..a74754f 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -53,3 +53,4 @@
 _S(AUDIT_ARG1, "a1" )
 _S(AUDIT_ARG2, "a2" )
 _S(AUDIT_ARG3, "a3" )
+_S(AUDIT_FILTERKEY, "filterkey")
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b61df6c..48022df 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -827,6 +827,7 @@ int audit_rule_fieldpair(struct audit_ru
 case AUDIT_SE_SEN:
 case AUDIT_SE_CLR:
 case AUDIT_WATCH:
+ case AUDIT_FILTERKEY:
 return -10;
 case AUDIT_DEVMAJOR...AUDIT_SUCCESS:
 if (flags == AUDIT_FILTER_ENTRY)
@@ -946,17 +947,17 @@ int audit_rule_fieldpair_data(struct aud
 else
 return -8;
 break;
+ case AUDIT_WATCH:
+ /* Watch is invalid on anything but exit */
+ if (flags != AUDIT_FILTER_EXIT)
+ return -7;
+ /* fallthrough */
 case AUDIT_SE_USER:
 case AUDIT_SE_ROLE:
 case AUDIT_SE_TYPE:
 case AUDIT_SE_SEN:
 case AUDIT_SE_CLR:
- case AUDIT_WATCH:
- /* Watch is invalid on anything but exit */
- if ((flags != AUDIT_FILTER_EXIT) &&
- (field == AUDIT_WATCH))
- return -7;
-
+ case AUDIT_FILTERKEY:
 rule->values[rule->field_count] = strlen(v);
 offset = rule->buflen;
 rule->buflen += strlen(v);
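Review bot: The new `case AUDIT_FILTERKEY:` label in the second libaudit.c hunk joins the string-copy path at the end of the hunk (`rule->values[rule->field_count] = strlen(v); ... rule->buflen += strlen(v);`) with no check on the length of `v`, whereas the watch case it sits beside at least validates the filter type before falling through; the remainder of audit_rule_fieldpair_data, including the copy into `rule->buf`, is outside the hunk, so I cannot see whether `rule->buflen + strlen(v)` is bounded against the rule buffer before that copy, and if it is not, an over-long `filterkey=` argument would overrun it. The kernel side of the filterkey patch presumably caps key length, so rejecting a too-long key here with its own error code, in the style of the existing `return -7` / `return -8` branches, would give a clearer diagnostic than an EINVAL from the kernel. `strlen(v)` is also evaluated twice; hoisting it as `size_t vlen = strlen(v);` and using it for the bound check and both assignments reads better. Worth a glance too: `values[]` and `buflen` look narrower than `size_t`, so the assignment truncates silently on very long input.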
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 8aab24e..c9e2ea4 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -214,6 +214,10 @@ extern "C" {
 #define AUDIT_WATCH 105 /* This is a field in syscall rule */
 #endif
 
+#ifndef AUDIT_FILTERKEY
+#define AUDIT_FILTERKEY 210
+#endif
+
 /* This is new list defines from audit.h */
 #ifndef AUDIT_FILTER_USER
 #define AUDIT_FILTER_USER 0x00 /* Apply rule to user-generated messages */
diff --git a/src/auditctl.c b/src/auditctl.c
index 045a38d..168253f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -967,6 +967,11 @@ static int audit_print_reply(struct audi
 rep->ruledata->values[i],
 &rep->ruledata->buf[boffset]);
 boffset += rep->ruledata->values[i];
+ } else if (field == AUDIT_FILTERKEY) {
+ printf(" filterkey=%.*s",
+ rep->ruledata->values[i],
+ &rep->ruledata->buf[boffset]);
+ boffset += rep->ruledata->values[i];
 } else {
 printf(" %s%s%d", name,
 audit_operator_to_symbol(op),
-- 
1.2.GIT
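Review bot: The fallback `#define AUDIT_FILTERKEY 210` carries no comment, unlike its neighbour `#define AUDIT_WATCH 105 /* This is a field in syscall rule */`, so a reader cannot tell that 210 has to mirror the kernel's field number and that the `#ifndef` only takes effect when the installed audit.h predates the filterkey patch. Suggest `#define AUDIT_FILTERKEY 210 /* This is a field in syscall rule; must match kernel audit.h */`. If the system header defines a different value the guard silently prefers it, which I take to be the intent, but the comment should say so.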
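Review bot: The new `else if (field == AUDIT_FILTERKEY)` branch in auditctl.c is a copy of the branch directly above it (whose head is outside the hunk) with only the `" filterkey="` literal changed; since `name` is already in scope for the generic `else` branch, `printf(" %s=%.*s", name, ...)` would let both string-valued fields share one branch, assuming the field-name lookup yields the "filterkey" entry this patch adds to fieldtab.h. Separately, the `%.*s` precision argument is `rep->ruledata->values[i]`, whose type is not visible here; `%.*s` requires an `int`, so if `values` is an unsigned 32-bit array this is a format/argument mismatch that -Wformat reports, and an `(int)` cast is warranted (the existing branch has the same issue, so fix both). That same value also decides how far past `boffset` printf reads, so whether `boffset` is checked against the reply's buffer length before this loop is worth confirming; that check, if any, lives outside the hunk.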