diff options
| author | Amy Griffis <amy.griffis@hp.com> | 2006-02-07 12:05:27 -0500 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-03-20 14:08:54 -0500 |
| commit | 93315ed6dd12dacfc941f9eb8ca0293aadf99793 (patch) | |
| tree | 4fc070c92a1de21d3befe4ce48c733c65d044bb3 /include/linux/audit.h | |
| parent | af601e4623d0303bfafa54ec728b7ae8493a8e1b (diff) | |
[PATCH] audit string fields interface + consumer
Updated patch to dynamically allocate audit rule fields in kernel's
internal representation. Added unlikely() calls for testing memory
allocation result.
Amy Griffis wrote: [Wed Jan 11 2006, 02:02:31PM EST]
> Modify audit's kernel-userspace interface to allow the specification
> of string fields in audit rules.
>
> Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from 5ffc4a863f92351b720fe3e9c5cd647accff9e03 commit)
Diffstat (limited to 'include/linux/audit.h')
| -rw-r--r-- | include/linux/audit.h | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 8868c96ca8a2..8a3b98175c25 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -50,15 +50,18 @@ | |||
| 50 | */ | 50 | */ |
| 51 | #define AUDIT_GET 1000 /* Get status */ | 51 | #define AUDIT_GET 1000 /* Get status */ |
| 52 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ | 52 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ |
| 53 | #define AUDIT_LIST 1002 /* List syscall filtering rules */ | 53 | #define AUDIT_LIST 1002 /* List syscall rules -- deprecated */ |
| 54 | #define AUDIT_ADD 1003 /* Add syscall filtering rule */ | 54 | #define AUDIT_ADD 1003 /* Add syscall rule -- deprecated */ |
| 55 | #define AUDIT_DEL 1004 /* Delete syscall filtering rule */ | 55 | #define AUDIT_DEL 1004 /* Delete syscall rule -- deprecated */ |
| 56 | #define AUDIT_USER 1005 /* Message from userspace -- deprecated */ | 56 | #define AUDIT_USER 1005 /* Message from userspace -- deprecated */ |
| 57 | #define AUDIT_LOGIN 1006 /* Define the login id and information */ | 57 | #define AUDIT_LOGIN 1006 /* Define the login id and information */ |
| 58 | #define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ | 58 | #define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ |
| 59 | #define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ | 59 | #define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ |
| 60 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ | 60 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ |
| 61 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ | 61 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ |
| 62 | #define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */ | ||
| 63 | #define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */ | ||
| 64 | #define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */ | ||
| 62 | 65 | ||
| 63 | #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ | 66 | #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ |
| 64 | #define AUDIT_USER_AVC 1107 /* We filter this differently */ | 67 | #define AUDIT_USER_AVC 1107 /* We filter this differently */ |
| @@ -229,6 +232,26 @@ struct audit_status { | |||
| 229 | __u32 backlog; /* messages waiting in queue */ | 232 | __u32 backlog; /* messages waiting in queue */ |
| 230 | }; | 233 | }; |
| 231 | 234 | ||
| 235 | /* audit_rule_data supports filter rules with both integer and string | ||
| 236 | * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and | ||
| 237 | * AUDIT_LIST_RULES requests. | ||
| 238 | */ | ||
| 239 | struct audit_rule_data { | ||
| 240 | __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ | ||
| 241 | __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ | ||
| 242 | __u32 field_count; | ||
| 243 | __u32 mask[AUDIT_BITMASK_SIZE]; | ||
| 244 | __u32 fields[AUDIT_MAX_FIELDS]; | ||
| 245 | __u32 values[AUDIT_MAX_FIELDS]; | ||
| 246 | __u32 fieldflags[AUDIT_MAX_FIELDS]; | ||
| 247 | __u32 buflen; /* total length of string fields */ | ||
| 248 | char buf[0]; /* string fields buffer */ | ||
| 249 | }; | ||
| 250 | |||
| 251 | /* audit_rule is supported to maintain backward compatibility with | ||
| 252 | * userspace. It supports integer fields only and corresponds to | ||
| 253 | * AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests. | ||
| 254 | */ | ||
| 232 | struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */ | 255 | struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */ |
| 233 | __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ | 256 | __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ |
| 234 | __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ | 257 | __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ |
| @@ -338,7 +361,7 @@ extern void audit_log_d_path(struct audit_buffer *ab, | |||
| 338 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); | 361 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); |
| 339 | extern int audit_filter_type(int type); | 362 | extern int audit_filter_type(int type); |
| 340 | extern int audit_receive_filter(int type, int pid, int uid, int seq, | 363 | extern int audit_receive_filter(int type, int pid, int uid, int seq, |
| 341 | void *data, uid_t loginuid); | 364 | void *data, size_t datasz, uid_t loginuid); |
| 342 | #else | 365 | #else |
| 343 | #define audit_log(c,g,t,f,...) do { ; } while (0) | 366 | #define audit_log(c,g,t,f,...) do { ; } while (0) |
| 344 | #define audit_log_start(c,g,t) ({ NULL; }) | 367 | #define audit_log_start(c,g,t) ({ NULL; }) |