Hi Steve,

Here is the userspace patch I used to test the kernel filterkey patch.

Hope this helps,
Amy

---

 lib/fieldtab.h |    1 +
 lib/libaudit.c |   13 +++++++------
 lib/libaudit.h |    4 ++++
 src/auditctl.c |    5 +++++
 4 files changed, 17 insertions(+), 6 deletions(-)

acece4c427812119ec1aac24fe5e8b58902985a9
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index a6f3121..a74754f 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -53,3 +53,4 @@ _S(AUDIT_ARG1,     "a1"       )
 _S(AUDIT_ARG2,     "a2"       )
 _S(AUDIT_ARG3,     "a3"       )
 
+_S(AUDIT_FILTERKEY, "filterkey")
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b61df6c..48022df 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -827,6 +827,7 @@ int audit_rule_fieldpair(struct audit_ru
                case AUDIT_SE_SEN:
                case AUDIT_SE_CLR:
                case AUDIT_WATCH:
+               case AUDIT_FILTERKEY:
                        return -10;
                case AUDIT_DEVMAJOR...AUDIT_SUCCESS:
                        if (flags == AUDIT_FILTER_ENTRY)
@@ -946,17 +947,17 @@ int audit_rule_fieldpair_data(struct aud
                                else
                                        return -8;
                        break;
+               case AUDIT_WATCH:
+                       /* Watch is invalid on anything but exit */
+                       if (flags != AUDIT_FILTER_EXIT)
+                               return -7;
+                       /* fallthrough */
                case AUDIT_SE_USER:
                case AUDIT_SE_ROLE:
                case AUDIT_SE_TYPE:
                case AUDIT_SE_SEN:
                case AUDIT_SE_CLR:
-               case AUDIT_WATCH:
-                       /* Watch is invalid on anything but exit */
-                       if ((flags != AUDIT_FILTER_EXIT) &&
-                                       (field == AUDIT_WATCH))
-                               return -7;
-
+               case AUDIT_FILTERKEY:
                        rule->values[rule->field_count] = strlen(v);
                        offset = rule->buflen;
                        rule->buflen += strlen(v);
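Review bot: The new AUDIT_FILTERKEY case accepts a key of any length: `rule->values[rule->field_count] = strlen(v);` and `rule->buflen += strlen(v);` record and append it with no check that the key fits the rule's buffer or the kernel's maximum key length, so an overlong `-k` value is only rejected, if at all, once it reaches the kernel. Hoist the length and bound it before the copy, e.g. `size_t len = strlen(v); if (len > <MAX_KEY_LEN> || rule->buflen + len > <RULE_BUF_SIZE>) return <ERROR_CODE>;`, taking the limit from the kernel header (AUDIT_MAX_KEY_LEN, where the audit.h in use provides it) or a local constant, and reusing `len` for the two assignments instead of calling strlen twice. The AUDIT_WATCH and SELinux cases that now share this path may have their own limits elsewhere; the hunk does not show them. audit_rule_fieldpair_data continues beyond the hunk on both sides.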
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 8aab24e..c9e2ea4 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -214,6 +214,10 @@ extern "C" {
 #define AUDIT_WATCH     105    /* This is a field in syscall rule */
 #endif
 
+#ifndef AUDIT_FILTERKEY
+#define AUDIT_FILTERKEY 210
+#endif
+
 /* This is new list defines from audit.h */
 #ifndef AUDIT_FILTER_USER
 #define AUDIT_FILTER_USER       0x00    /* Apply rule to user-generated 
messages */
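Review bot: The fallback `#define AUDIT_FILTERKEY 210` is the one entry in this block without a comment, while the neighbouring AUDIT_WATCH define documents that it is a field in a syscall rule; the new constant should say the same, e.g. `#define AUDIT_FILTERKEY 210    /* Arbitrary filter key, a field in syscall rule */`. Because the definition is guarded by `#ifndef`, a kernel audit.h that assigns the constant a different number would silently take precedence, and since the value is passed to the kernel as the field id, a one-line note that 210 must match the kernel's definition would help whoever next bumps the header.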
diff --git a/src/auditctl.c b/src/auditctl.c
index 045a38d..168253f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -967,6 +967,11 @@ static int audit_print_reply(struct audi
                                                  rep->ruledata->values[i],
                                                  &rep->ruledata->buf[boffset]);
                                                boffset += 
rep->ruledata->values[i];
+                                       } else if (field == AUDIT_FILTERKEY) {
+                                               printf(" filterkey=%.*s",
+                                                 rep->ruledata->values[i],
+                                                 &rep->ruledata->buf[boffset]);
+                                               boffset += 
rep->ruledata->values[i];
                                        } else {
                                                printf(" %s%s%d", name, 
                                                        
audit_operator_to_symbol(op),
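Review bot: The new `else if (field == AUDIT_FILTERKEY)` branch repeats the AUDIT_WATCH branch above it line for line, differing only in the literal inside the format string; both print `values[i]` bytes from `&rep->ruledata->buf[boffset]` and then advance `boffset`. Since the trailing else branch already has the field's `name` in scope, the two could collapse into one branch, `} else if (field == AUDIT_WATCH || field == AUDIT_FILTERKEY) { printf(" %s=%.*s", name, ...)`, assuming `name` is resolved through the field table this patch extends, which the hunk does not show. Separately, `%.*s` takes an `int` precision while `values[i]` is presumably an unsigned 32-bit value; the existing watch branch has the same mismatch, so casting `(int)rep->ruledata->values[i]` in both keeps the format and argument types aligned. audit_print_reply begins and ends outside the hunk.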
-- 
1.2.GIT

