Hello Steve,
On 07/10/2025 19:31, Steve Grubb wrote:
Hello,
On Tuesday, October 7, 2025 8:21:56 AM Eastern Daylight Time Jean-Jacques
Pitrolle wrote:
> This is my first message and I hope I will provide the expected
> information to get help (:
Welcome. I think so.
Thanks.
> I'm looking in libaudit for a function to transform a line in
> audit.rules's format to a *struct audit_rule_data* to feed
> *audit_add_rule_data* to insert a new rule.
No. At times I think it was a mistake to put any rule processing code in
libaudit because that is very specific to auditctl and not something that you
would normally do.
OK thanks for the clarification.
> From tag *v3.0.9* (I need to stick to this version for the moment), I
> see occurrences of *audit_add_rule_data* in *autrace.c* and *auditctl.c*
> but it seems that adding a rule is specific to those binaries.
Yes. It is easier to see the pattern in autrace. You have to call:
audit_rule_create_data
audit_rule_syscallbyname_data <- for each syscall
audit_rule_fieldpair_data <- for each field
audit_add_rule_data <- sends the rule into the kernel
audit_get_reply <- check to see how sending went
OK, it confirms my thoughts.
> Do I understand it correctly?
> Do I need to specifically write a basic rule parser to call
> *audit_add_rule_data* with a new rule when I use libaudit?
auditctl *is* the rule parser. It has not been broken out into a library
call. If it were, it would basically be the setopt function in auditctl. And
there are a *lot* of helper functions it calls. Pretty much 80% of auditctl
is involved in rule parsing.
> Or does libaudit provide a general way to transform an auditd rule (i.e.
> in the format of the audit.rules file) to a struct audit_rule_data?
Nope. I think this is the first request to parse rules since the list was
active. It may not sound appealing, but the quick thing is using execve to
run auditctl. This way you avoid shell command injection issues. The only
documentation for how to add rules into the kernel is auditctl's code. You
would have to do a careful read of the code and mimic all the idiosyncrasies
it has.
In my case, calling the "external" binary auditctl is acceptable and I will
go with this solution.
Thanks for your time, it definitely helps me to make a better choice.
Regards.
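The approach the thread settles on, shown as an added example that is not part of the message above and is not code from the audit project: take one line in audit.rules format, split it into an argv, and hand it to auditctl through fork/execvp, so no shell ever sees the rule text and nothing in it can be interpreted as shell syntax. The tokenizer is an assumption made here (whitespace-separated fields, `#` starting a comment, no quote handling); it is not auditctl's own parser, and the sample rule line is constructed for the demo.

```c
/* Added example (not from the thread or the audit project): load one
 * audit.rules line by exec'ing auditctl with an argv, never via a shell.
 * Build: cc -o addrule addrule.c ; running it needs root and auditctl. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 64

/* Split one audit.rules line into auditctl arguments.
 * Assumption (not auditctl's parser): fields are separated by whitespace,
 * '#' starts a comment, and quoting is not interpreted.
 * argv[0] is set to "auditctl" and the array is NULL-terminated.
 * Returns the argument count, 0 for a blank or comment-only line,
 * and -1 if the line or the argument list does not fit. */
int rule_to_argv(const char *line, char *buf, size_t buflen,
                 char *argv[], int maxargs)
{
    size_t n = strlen(line);
    if (n + 1 > buflen || maxargs < 2) return -1;
    memcpy(buf, line, n + 1);

    /* Drop a trailing comment; strtok_r below strips the newline. */
    char *hash = strchr(buf, '#');
    if (hash) *hash = '\0';

    int argc = 0;
    argv[argc++] = "auditctl";
    char *save = NULL;
    for (char *tok = strtok_r(buf, " \t\r\n", &save); tok;
         tok = strtok_r(NULL, " \t\r\n", &save)) {
        if (argc >= maxargs - 1) return -1;   /* leave room for NULL */
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc == 1 ? 0 : argc;   /* only "auditctl": nothing to run */
}

/* Fork and exec argv[0] (resolved via PATH) with the given argv.
 * Returns the child's exit status, 127 if it could not be executed,
 * or -1 on fork/wait failure or if the child was killed by a signal. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return -1;
}

/* Load one rule line. Returns 0 on success or for a blank/comment line,
 * 1 if the line could not be tokenized, otherwise auditctl's exit status. */
int add_rule_line(const char *line)
{
    char buf[1024];
    char *argv[MAX_ARGS];
    int argc = rule_to_argv(line, buf, sizeof buf, argv, MAX_ARGS);
    if (argc < 0) return 1;
    if (argc == 0) return 0;
    return run_argv(argv);
}

int main(void)
{
    /* Constructed sample rule in audit.rules format (hypothetical key). */
    int rc = add_rule_line("-a always,exit -F arch=b64 -S execve -k exec_log");
    printf("auditctl exit status: %d\n", rc);
    return rc;
}
```

Because argv is passed straight to execvp, a rule containing characters such as `;`, `$(` or backticks is handed to auditctl as literal arguments rather than executed by a shell; the remaining trust question is only whether the rule text should be allowed to reach auditctl at all, which is the caller's decision. If all rules live in one file, `auditctl -R <file>` loads them in one exec with the same safety, and auditctl's own exit status tells you how the kernel answered, which is the `audit_get_reply` step in the sequence listed above.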