author | Amy Griffis <amy.griffis@hp.com> | 2006-06-14 18:45:21 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-07-01 05:43:06 -0400 |
commit | 5adc8a6adc91c4c85a64c75a70a619fffc924817 (patch) | |
tree | ace9af6bbc3cf711f43cfd88e834baeb6989ca3f /kernel/audit.h | |
parent | 9262e9149f346a5443300f8c451b8e7631e81a42 (diff) |
[PATCH] add rule filterkey
Add support for a rule key, which can be used to tie audit records to audit
rules. This is useful when a watched file is accessed through a link or
symlink, as well as for general audit log analysis.
Because this patch uses a string key instead of an integer key, there is a bit
of extra overhead to do the kstrdup() when a rule fires. However, we're also
allocating memory for the audit record buffer, so it's probably not that
significant. I went ahead with a string key because it seems more
user-friendly.
Note that the user must ensure that filterkeys are unique. The kernel only
checks for duplicate rules.
Signed-off-by: Amy Griffis <amy.griffis@hpd.com>
Diffstat (limited to 'kernel/audit.h')
-rw-r--r-- | kernel/audit.h | 1 |
1 files changed, 1 insertions, 0 deletions
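diff --git a/kernel/audit.h b/kernel/audit.h
index 8323e4132a33..6aa33b848cf2 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -81,6 +81,7 @@ struct audit_krule {
 u32 mask[AUDIT_BITMASK_SIZE];
 u32 buflen; /* for data alloc on list rules */
 u32 field_count;
+char *filterkey; /* ties events to rules */
 struct audit_field *fields;
 struct audit_field *inode_f; /* quick access to an inode field */
 struct audit_watch *watch; /* associated watch */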
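Review bot: The comment on the new `filterkey` member of struct audit_krule does not say who owns the string, whether it may be NULL, or that its content is chosen by the user who loaded the rule. I would widen it to something like `char *filterkey; /* user-supplied key, NUL-terminated, NULL if unset; owned by the rule and freed with it */`. This view is limited to kernel/audit.h, so the paths that allocate, duplicate and free the pointer are not visible; it is worth confirming that every path which copies or frees an audit_krule handles the new member, since a missed one would leak it or leave two rules sharing one buffer. Because the key is caller-controlled text that ends up in audit records, the length bound and the escaping applied when it is logged (for example via `audit_log_untrustedstring()`) should also be checked in the files not shown here. The struct body starts and ends outside the hunk.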