On 10/29/2013 12:11 AM, William Roberts wrote: > FYI This is a DRAFT patch. Just mostly to show how you can test the kernel > patches I have been > putting out recently. You can toggle the false/true in auditd.c and then > re-push the auditd daemon.
I think you want to default-true but ignore errors or at least ones that merely signify that the kernel doesn't support it.
>
>
> On Mon, Oct 28, 2013 at 9:09 PM, William Roberts
> <bill.c.robe...@gmail.com>wrote:
>
>> Change-Id: I82f39aae8264707bdc8eae9e32cfbf650545a0fa
>> ---
>> auditd/auditd.c | 8 ++++++++
>> auditd/libaudit.c | 25 +++++++++++++++++++++++++
>> auditd/libaudit.h | 33 +++++++++++++++++++++++++++++++++
>> 3 files changed, 66 insertions(+)
>>
>> diff --git a/auditd/auditd.c b/auditd/auditd.c
>> index 6a4ecae..beaff51 100644
>> --- a/auditd/auditd.c
>> +++ b/auditd/auditd.c
>> @@ -19,6 +19,7 @@
>> #define LOG_TAG "auditd"
>>
>> #include <stdio.h>
>> +#include <stdbool.h>
>> #include <stdlib.h>
>>
>> #include <errno.h>
>> @@ -188,6 +189,13 @@ int main(int argc, char *argv[])
>> goto err;
>> }
>>
>> + if (audit_set_cmdline_output(audit_fd, false, WAIT_NO) < 0) {
>> + rc = errno;
>> + SLOGE("Failed on audit_set_cmdline_feature with error: %s",
>> strerror(errno));
>> + goto err;
>> + }
>> +
>> +
>> pfds.fd = audit_fd;
>> pfds.events = POLLIN;
>>
>> diff --git a/auditd/libaudit.c b/auditd/libaudit.c
>> index 06e5557..2771d92 100644
>> --- a/auditd/libaudit.c
>> +++ b/auditd/libaudit.c
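Review bot: In the second auditd.c hunk, main() reads the failure cause from `errno` (`rc = errno;` and `strerror(errno)`), although the libaudit.h comment in this patch says audit_set_cmdline_output() returns `-errno`, and the library calls SLOGE before returning, so `errno` may no longer hold the original cause. Keeping the return value avoids that: `rc = audit_set_cmdline_output(audit_fd, false, WAIT_NO);` followed by `if (rc < 0) { SLOGE("Failed on audit_set_cmdline_output with error: %s", strerror(-rc)); goto err; }`. The log text also names `audit_set_cmdline_feature`, which is not the function being called and makes the failure harder to trace. main() starts and ends outside the hunk, so the sign convention that the `err:` path expects for `rc` should be confirmed.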
>> @@ -220,6 +220,31 @@ out:
>> return rc;
>> }
>>
>> +int audit_set_cmdline_output(int fd, bool val, rep_wait_t wmode)
>> +{
>> + int rc;
>> + struct audit_reply rep;
>> + struct audit_features features;
>> +
>> + memset(&features, 0, sizeof(features));
>> +
>> + features.vers = 1;
>> + features.mask = AUDIT_FEATURE_TO_MASK(AUDIT_FEATURE_CMDLINE_OUTPUT);
>> + features.features |= (val == true) << AUDIT_FEATURE_CMDLINE_OUTPUT;
>> +
>> + rc = audit_send(fd, AUDIT_SET_FEATURE, &features, sizeof(features));
>> + if (rc < 0) {
>> + SLOGE("Could net set cmdline output for audit events, error: %s",
>> strerror(-rc));
>> + return rc;
>> + }
>> +
>> + if (wmode != WAIT_NO) {
>> + audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
>> + }
>> +
>> + return 0;
>> +}
>> +
>> int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
>> {
>> int rc;
>> diff --git a/auditd/libaudit.h b/auditd/libaudit.h
>> index fbaa7b9..7fc8138 100644
>> --- a/auditd/libaudit.h
>> +++ b/auditd/libaudit.h
>> @@ -22,11 +22,30 @@
>> #include <stdint.h>
>> #include <sys/socket.h>
>> #include <sys/types.h>
>> +#include <stdbool.h>
>> #include <linux/netlink.h>
>> #include <linux/audit.h>
>>
>> #define MAX_AUDIT_MESSAGE_LENGTH 8970
>>
>> +#define AUDIT_SET_FEATURE 1018
>> +#define AUDIT_GET_FEATURE 1019
>> +#define AUDIT_FEATURE_CHANGE 1020
>> +
>> +struct audit_features {
>> +#define AUDIT_FEATURE_VERSION 1
>> + __u32 vers;
>> + __u32 mask;
>> + __u32 features;
>> + __u32 lock;
>> +};
>> +
>> +#define AUDIT_FEATURE_CMDLINE_OUTPUT 0
>> +#define AUDIT_LAST_FEATURE AUDIT_FEATURE_CMDLINE_OUTPUT
>> +
>> +#define audit_feature_valid(x) ((x) >= 0 && (x) <=
>> AUDIT_LAST_FEATURE)
>> +#define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31))
>> +
>> typedef enum {
>> GET_REPLY_BLOCKING=0,
>> GET_REPLY_NONBLOCKING
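Review bot: In audit_set_cmdline_output() the result of `audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);` is discarded and the function then returns 0, so a kernel that refuses the AUDIT_SET_FEATURE request is indistinguishable from one that applied it; with `WAIT_NO`, which main() passes, no reply is read at all. For an audit daemon that means a setting affecting record content can silently fail to take effect. I would capture the result (`rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);`) and at least log a negative value; the return convention of audit_get_reply() is not visible in this patch and should be confirmed first. Two smaller points in the same function: `features.vers = 1;` should be `features.vers = AUDIT_FEATURE_VERSION;`, and the log string reads "Could net set" where "Could not set" is meant.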
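Review bot: The first libaudit.h hunk defines `AUDIT_SET_FEATURE`, `AUDIT_GET_FEATURE`, `AUDIT_FEATURE_CHANGE` and `struct audit_features` unconditionally, directly after `#include <linux/audit.h>`. If the kernel headers used for the build ever provide the same names, the struct becomes a redefinition error and the local constants can drift from the kernel's values without anyone noticing. Wrapping the block in `#ifndef AUDIT_SET_FEATURE` / `#endif`, with a comment such as `/* Local copy of the audit feature ABI until the kernel headers provide it */`, keeps the userspace copy tied to the kernel one. Separately, `AUDIT_FEATURE_TO_MASK(x)` shifts a signed `1`, which is undefined for bit 31; `(1U << ((x) & 31))` matches the `__u32 mask` field it feeds.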
>> @@ -108,4 +127,18 @@ extern int audit_get_reply(int fd, struct
>> audit_reply *rep, reply_t block,
>> */
>> extern int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode);
>>
>> +/**
>> + * Turns on (true) or off (false) the cmdline autput of the audit records.
>> + * @param fd
>> + * The fd returned by a call to audit_open()
>> + * @param val
>> + * True for on, flase for off.
>> + * @param wmode
>> + * Whether or not to block on the underlying socket io calls.
>> + * @return
>> + * This function returns 0 on success, -errno on error.
>> + */
>> +extern int audit_set_cmdline_output(int fd, bool val, rep_wait_t wmode);
>> +
>> +
>> #endif
>> --
>> 1.7.9.5
>>
>>
>
>
-- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to majord...@tycho.nsa.gov with the words "unsubscribe seandroid-list" without quotes as the message.
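Review bot: The doc comment added for audit_set_cmdline_output() does not match the implementation in libaudit.c from this same patch. `wmode` is described as controlling blocking, but the function always passes GET_REPLY_NONBLOCKING and `wmode` only decides whether a reply is read at all; "0 on success" is likewise returned without inspecting that reply. I would reword the two entries to `Whether to read the kernel's reply after sending the request (WAIT_NO skips it).` and `0 if the request was sent, -errno if sending failed; the kernel's reply is not checked.`, so callers do not treat 0 as confirmation that the feature is active. The spellings `autput` and `flase` should become `output` and `false`.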