On 09/10/2013 08:31 AM, Stephen Smalley wrote:
> On 09/09/2013 09:15 PM, Joshua Brindle wrote:
>> Add libaudit support for adding directory watch rules.
>>
>> Add rule parsing support to auditd.
>>
>> Rule format matches auditctl. Currently only supports -w and -e.
>>
>> Change-Id: I8bdaea1b5e2a216eec79cd8c9dae583de8295d26
>>
>> Signed-off-by: Joshua Brindle <[email protected]>
>
> You didn't include my two changes. Was that because you didn't agree
> with them or you just wanted to keep them separate?
>
> Part of my change (the libaudit EAGAIN fix) could be folded directly
> into Bill's existing change. The other part (the auditd
> audit_set_enabled() call) could be folded into yours or kept separate.
> Or you think audit.rules should explicitly perform an -e 1, then we
> don't strictly need that change but that isn't the way upstream auditd
> works.
>
> Have you set up a CLA with AOSP yet?

Attached are my two changes separated out. But I'm fine with them being folded into others, and my changes are public domain so there isn't a problem with doing that.
>From c1f271db9d785e10efc99a0015a79a26562ebb73 Mon Sep 17 00:00:00 2001 From: Stephen Smalley <[email protected]> Date: Tue, 10 Sep 2013 08:22:15 -0400 Subject: [PATCH 2/3] Retry on EAGAIN from recvfrom on the audit netlink socket. Signed-off-by: Stephen Smalley <[email protected]> --- auditd/libaudit.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/auditd/libaudit.c b/auditd/libaudit.c index 5eebe15..dc3ed1c 100644 --- a/auditd/libaudit.c +++ b/auditd/libaudit.c @@ -369,12 +369,15 @@ int audit_get_reply(int fd, struct audit_reply *rep, reply_t block, int peek) * another error manifests. */ if (len < 0 && errno != EINTR) { - if (block == GET_REPLY_NONBLOCKING && errno == EAGAIN) { + if (errno == EAGAIN) { + if (block == GET_REPLY_NONBLOCKING) { /* If the request is non blocking and the errno is EAGAIN, just return 0 */ return 0; - } - SLOGE("Error receiving from netlink socket, error: %s", strerror(errno)); - return -errno; + } + } else { + SLOGE("Error receiving from netlink socket, error: %s", strerror(errno)); + return -errno; + } } /* 0 or greater indicates success */ -- 1.8.1.4
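Review bot: In audit_get_reply(), the new `if (errno == EAGAIN)` branch does nothing when `block` is not GET_REPLY_NONBLOCKING: there is no log, no return and no explicit retry, so execution leaves the `if (len < 0 && errno != EINTR)` block with `len` still negative and heads toward the "0 or greater indicates success" code. The retry named in the subject therefore depends entirely on loop code that is outside this hunk. Please make it explicit, for example a `continue;` with a short comment in that branch. Also consider bounding the retries or waiting on the fd before calling recvfrom again, because an unconditional retry on EAGAIN can spin the CPU for as long as the kernel has nothing queued. The existing comment "If the request is non blocking and the errno is EAGAIN, just return 0" now sits inside the inner `if` and should be reworded to cover the blocking case as well.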
>From a0321c3d8fbb3f1db5d18382dc92821e3ef6e5c4 Mon Sep 17 00:00:00 2001 From: Stephen Smalley <[email protected]> Date: Tue, 10 Sep 2013 08:22:58 -0400 Subject: [PATCH 3/3] Always enable audit syscall functionality on start of auditd. Signed-off-by: Stephen Smalley <[email protected]> --- auditd/auditd.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/auditd/auditd.c b/auditd/auditd.c index 875eed0..46e5454 100644 --- a/auditd/auditd.c +++ b/auditd/auditd.c @@ -192,6 +192,12 @@ int main(int argc, char *argv[]) goto err; } + if (audit_set_enabled(audit_fd, 1) < 0) { + rc = errno; + SLOGE("Failed on audit_set_enabled with error: %s", strerror(errno)); + goto err; + } + if (audit_rules_read_and_add(audit_fd, AUDITD_RULES_FILE)) { SLOGE("error reading audit rules: %s", strerror(errno)); } -- 1.8.1.4
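Review bot: In the added audit_set_enabled() failure path in main(), `rc = errno` and `strerror(errno)` assume the call leaves errno set on failure. The libaudit code in the previous patch reports errors as `return -errno`, so if audit_set_enabled() follows the same convention it is safer to capture its return value once (`rc = audit_set_enabled(audit_fd, 1); if (rc < 0) ...`) and log `strerror(-rc)`, instead of reading errno after the fact. Two smaller points: this failure is fatal (`goto err`) while the audit_rules_read_and_add() failure directly below is only logged, so a one-line comment stating that the difference is intended would help. The call is also placed before the rules are read, which means an `-e` line in the rules file overrides it. That ordering is worth documenting in a comment, since the thread discusses whether audit.rules should carry `-e 1` itself.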
