From mboxrd@z Thu Jan 1 00:00:00 1970
From: ramsdell@mitre.org (John D. Ramsdell)
Subject: Re: An autrace that follows forks
Date: 15 Oct 2006 11:32:07 -0400
Message-ID:
References: <200610111624.54540.sgrubb@redhat.com> <200610131007.53543.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
In-Reply-To: <200610131007.53543.sgrubb@redhat.com>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve Grubb writes:

> It was using auditctl just for expedience when the program was
> written. I can add the code to switch it over.

I wrote code that uses libaudit to add rules. After performing "yum install audit-libs-devel", I was pleased to find a manual page for audit_add_rule, but the description of the return value says to refer to audit_send. However, I found no manual page for audit_send. Studying the code made me realize the error condition is <= 0, not < 0, so it's important not to guess.
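John

static int audit_sys; /* File descriptor for socket to audit system */

/*
 * Fill in *r with a rule selecting every syscall made by pid, i.e. the
 * '-F pid=<pid> -S all' part of an auditctl command line.  The filter
 * and action are supplied by the caller when the rule is sent.
 *
 * r:   rule to initialise; it is zeroed before any field is set.
 * pid: process whose syscalls the rule selects.
 *
 * Returns zero on success, 1 if libaudit rejected the syscall name or
 * the pid field (a message is printed on stderr).  A pid that does not
 * fit in PID_FIELD_SIZE is an internal error and terminates the program.
 */
static int
init_rule(struct audit_rule *r, pid_t pid)
{
	char field[PID_FIELD_SIZE];
	/* pid_t is passed through a %d conversion; cast so the format and
	 * argument agree on every platform. */
	int len = snprintf(field, sizeof field, "pid=%d", (int)pid);

	/* snprintf signals an encoding error with a negative value and
	 * truncation with len >= buffer size; neither may become a field. */
	if (len < 0 || (size_t)len >= sizeof field) {
		fprintf(stderr, "Internal error in init_rule\n");
		exit(1);
	}
	memset(r, 0, sizeof *r);
	if (audit_rule_syscallbyname(r, "all") < 0) {
		fprintf(stderr, "Illegal syscall name for audit rule for %d\n", (int)pid);
		return 1;
	}
	/* audit_rule_fieldpair reports failure with a non-zero result. */
	if (audit_rule_fieldpair(r, field, AUDIT_FILTER_ENTRY) != 0) {
		fprintf(stderr, "Cannot add field to audit rule for %d\n", (int)pid);
		return 1;
	}
	return 0;
}

/*
 * Equivalent to '/sbin/auditctl -a entry,always -F pid=%d -S all'.
 *
 * Installs a kernel audit rule covering every syscall of pid and records
 * pid in children[] so the same rule is not installed twice.  A pid that
 * is already recorded is treated as success.
 *
 * Returns zero on success, 1 if the child table is full, the rule could
 * not be built, or the kernel rejected it (a message is printed on stderr).
 *
 * audit_add_rule's manual page defers to audit_send for its return value;
 * reading the libaudit source shows failure is reported as <= 0, not < 0,
 * hence the comparison below.
 */
static int
add_rule(pid_t pid)
{
	/* Rule already present: nothing to do. */
	for (int i = 0; i < nchildren; i++) {
		if (children[i] == pid) {
			return 0;
		}
	}
	if (nchildren >= MAX_CHILDREN) {
		fprintf(stderr, "Too many children\n");
		return 1;
	}

	struct audit_rule rule;
	if (init_rule(&rule, pid) != 0) {
		return 1;
	}
	if (audit_add_rule(audit_sys, &rule, AUDIT_FILTER_ENTRY, AUDIT_ALWAYS) <= 0) {
		fprintf(stderr, "Cannot add an audit rule for %d\n", (int)pid);
		return 1;
	}
	/* Record the pid only once the kernel has accepted the rule. */
	children[nchildren++] = pid;
	return 0;
}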