author | Amy Griffis <amy.griffis@hp.com> | 2006-06-14 18:45:21 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-07-01 05:43:06 -0400 |
commit | 5adc8a6adc91c4c85a64c75a70a619fffc924817 (patch) | |
tree | ace9af6bbc3cf711f43cfd88e834baeb6989ca3f /include/linux | |
parent | 9262e9149f346a5443300f8c451b8e7631e81a42 (diff) |
[PATCH] add rule filterkey
Add support for a rule key, which can be used to tie audit records to audit
rules. This is useful when a watched file is accessed through a link or
symlink, as well as for general audit log analysis.
Because this patch uses a string key instead of an integer key, there is a bit
of extra overhead to do the kstrdup() when a rule fires. However, we're also
allocating memory for the audit record buffer, so it's probably not that
significant. I went ahead with a string key because it seems more
user-friendly.
Note that the user must ensure that filterkeys are unique. The kernel only
checks for duplicate rules.
Signed-off-by: Amy Griffis <amy.griffis@hpd.com>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/audit.h | 3 |
1 files changed, 3 insertions, 0 deletions
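--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -122,6 +122,7 @@
 /* Rule structure sizes -- if these change, different AUDIT_ADD and
 * AUDIT_LIST commands must be implemented. */
 #define AUDIT_MAX_FIELDS 64
+#define AUDIT_MAX_KEY_LEN 32
 #define AUDIT_BITMASK_SIZE 64
 #define AUDIT_WORD(nr) ((__u32)((nr)/32))
 #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
@@ -171,6 +172,8 @@
 #define AUDIT_ARG2 (AUDIT_ARG0+2)
 #define AUDIT_ARG3 (AUDIT_ARG0+3)
 
+#define AUDIT_FILTERKEY 210
+
 #define AUDIT_NEGATE 0x80000000
 
 /* These are the supported operators.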
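Review bot: `AUDIT_MAX_KEY_LEN` in the first hunk has no comment saying what it bounds or whether the 32 counts the terminating NUL, and because it sits under the "Rule structure sizes" comment it reads as part of the rule format shared with userspace. The description says the key is a string attached to a rule, so the rule-parsing code (not visible here; this view is limited to include/linux) has to reject a longer value before copying it. An off-by-one is easy there if the header does not state the convention. I would add above the define something like `/* max bytes in an AUDIT_FILTERKEY string; say here whether the NUL is counted */`, with the convention filled in from the parser. In the second hunk, `AUDIT_FILTERKEY` could carry a short `/* rule field: string key used to tie audit records to the rule */`.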