[redhat-lspp] [PATCH] testing new audit features
Amy Griffis
amy.griffis at hp.com
Mon Mar 20 23:37:25 UTC 2006
Hi,
I was asked to post the userspace patches I've been using to test
audit watches, a feature which will hopefully be included in the next
lspp test kernel. I haven't tested the new SELinux rule fields yet,
but I've modified the patch to include support for them as well.
Following is a patch against glibc-kernheaders-3.0-4, which adds the
necessary support to <linux/audit.h>.
Amy
diff --git a/usr/include/linux/audit.h b/usr/include/linux/audit.h
index b7ddf64..52a16b3 100644
--- a/usr/include/linux/audit.h
+++ b/usr/include/linux/audit.h
@@ -40,15 +40,18 @@
*/
#define AUDIT_GET 1000 /* Get status */
#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
-#define AUDIT_LIST 1002 /* List syscall filtering rules */
-#define AUDIT_ADD 1003 /* Add syscall filtering rule */
-#define AUDIT_DEL 1004 /* Delete syscall filtering rule */
+#define AUDIT_LIST 1002 /* List syscall rules -- deprecated */
+#define AUDIT_ADD 1003 /* Add syscall rule -- deprecated */
+#define AUDIT_DEL 1004 /* Delete syscall rule -- deprecated */
#define AUDIT_USER 1005 /* Message from userspace -- deprecated */
#define AUDIT_LOGIN 1006 /* Define the login id and information */
#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */
#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */
#define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */
#define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */
+#define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */
+#define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */
+#define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages uninteresting to kernel */
#define AUDIT_LAST_USER_MSG 1199
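Review bot: The deprecation comments on AUDIT_LIST, AUDIT_ADD and AUDIT_DEL do not say what replaces them, so a reader of this header has to notice the 1011–1013 block further down to connect the two. Naming the successor in each comment makes the migration explicit, e.g. `#define AUDIT_LIST 1002 /* List syscall rules -- deprecated, use AUDIT_LIST_RULES */` and likewise `AUDIT_ADD_RULE` / `AUDIT_DEL_RULE` for the other two. It would also help to state in the new block's comments that these requests carry a `struct audit_rule_data` rather than a `struct audit_rule`, since the number alone does not tell which message body the kernel expects.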
@@ -65,6 +68,7 @@
#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
+#define AUDIT_CWD 1307 /* Current working directory */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
@@ -106,6 +110,11 @@
#define AUDIT_LOGINUID 9
#define AUDIT_PERS 10
#define AUDIT_ARCH 11
+#define AUDIT_SE_USER 13 /* security label user */
+#define AUDIT_SE_ROLE 14 /* security label role */
+#define AUDIT_SE_TYPE 15 /* security label type */
+#define AUDIT_SE_SEN 16 /* security label sensitivity label */
+#define AUDIT_SE_CLR 17 /* security label clearance label */
/* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */
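Review bot: The new field constants start at 13 while the preceding one is AUDIT_ARCH 11, leaving 12 unassigned with no explanation; a reader cannot tell whether 12 is reserved for another pending field or simply skipped. If it is reserved, a one-line placeholder comment such as `/* 12 reserved */` between AUDIT_ARCH and AUDIT_SE_USER would prevent someone reusing it, and if it is an oversight the block should probably start at 12. The comments on AUDIT_SE_SEN and AUDIT_SE_CLR read "security label sensitivity label" and "security label clearance label", which is redundant; "security label sensitivity" / "security label clearance" is enough.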
@@ -114,6 +123,7 @@
#define AUDIT_INODE 102
#define AUDIT_EXIT 103
#define AUDIT_SUCCESS 104 /* exit >= 0; value ignored */
+#define AUDIT_WATCH 105
#define AUDIT_ARG0 200
#define AUDIT_ARG1 (AUDIT_ARG0+1)
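Review bot: `#define AUDIT_WATCH 105` is the only constant in this group added without a trailing comment, while its neighbours (AUDIT_INODE, AUDIT_EXIT, AUDIT_SUCCESS) each say what the field compares against. Since this block is documented as "ONLY useful when checking at syscall exit time", it is worth stating what value a rule carries for AUDIT_WATCH (presumably a watch identifier, which this patch does not show) and whether the usual integer comparison operators apply to it; a short comment in the same style as the lines above would do.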
@@ -178,6 +188,26 @@ struct audit_status {
uint32_t backlog; /* messages waiting in queue */
};
+/* audit_rule_data supports filter rules with both integer and string
+ * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
+ * AUDIT_LIST_RULES requests.
+ */
+struct audit_rule_data {
+ uint32_t flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
+ uint32_t action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
+ uint32_t field_count;
+ uint32_t mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
+ uint32_t fields[AUDIT_MAX_FIELDS];
+ uint32_t values[AUDIT_MAX_FIELDS];
+ uint32_t fieldflags[AUDIT_MAX_FIELDS];
+ uint32_t buflen; /* total length of string fields */
+ char buf[0]; /* string fields buffer */
+};
+
+/* audit_rule is supported to maintain backward compatibility with
+ * userspace. It supports integer fields only and corresponds to
+ * AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests.
+ */
struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
uint32_t flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
uint32_t action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
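Review bot: `char buf[0]` in the new struct audit_rule_data is a zero-length array, a GNU extension, whereas this is a userspace header where the standard C99 flexible array member `char buf[];` is the portable form and gives the same layout. The `buflen` comment should also pin down the contract a consumer needs: the on-wire message is `sizeof(struct audit_rule_data)` plus `buflen` bytes, `buflen` is the sum of the individual string field lengths taken from `values[]`, and a receiver of an AUDIT_LIST_RULES reply must check `buflen` against the actual payload length before reading `buf`, since the length field travels with the data it describes. Something like `uint32_t buflen; /* total length of string fields; must not exceed the bytes following this struct in the message */` would capture that. The comment on struct audit_rule now duplicates the trailing `/* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */` on its declaration line; one of the two can go. struct audit_rule continues past the end of the hunk.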