[PATCH] (1/2) new audit filter allows excluding messages by type (kernel)

[Amy Griffis]

On Thu, Nov 03, 2005 at 01:51:07PM -0600, Dustin Kirkland wrote:
> From include/linux/audit.h:
> 
> #define AUDIT_FILTER_USER       0x00    /* Apply rule to user-generated messages */
> #define AUDIT_FILTER_TASK       0x01    /* Apply rule at task creation (not syscall) */
> #define AUDIT_FILTER_ENTRY      0x02    /* Apply rule at syscall entry */
> #define AUDIT_FILTER_WATCH      0x03    /* Apply rule to file system watches */
> #define AUDIT_FILTER_EXIT       0x04    /* Apply rule at syscall exit */
> #define AUDIT_FILTER_EXCLUDE    0x05    /* Apply rule at audit_log_start */
> 
> So out of all of these, AUDIT_FILTER_ENTRY and AUDIT_FILTER_EXIT are the
> only two that are 'inherently syscall related', a minority in fact.

AUDIT_FILTER_TASK is syscall related.  It determines whether context
should be collected for syscall filtering.

AUDIT_FILTER_WATCH is not is use in the upstream kernels, and will not
be used in this iteration of filesystem audit code.

AUDIT_FILTER_USER is not syscall related and should not have been
implemented as such.  Stuffing it in the syscall filtering code was
lazy.

> If AUDIT_FILTER_EXCLUDE doesn't belong in auditsc.c, then neither does
> _USER, _TASK, _WATCH.

Correct, other than _TASK which does belong.

> I agree that these might be better placed elsewhere, but it's not the
> business of this patch to go about moving these things around.

Broken modularity is not something we want to perpetuate.  Why add to
the bad reputation this audit implementation already has?

> What are your thoughts on solving this properly for all filters?

Either make the filtering code general to audit, or use a separate
implementation for user-space filtering and record-type exclusion.  As
I've mentioned previously, I think the record-type exclusion could be
implemented in a better way.

Amy