Re: Unique audit record type ranges for individual LSMs

Le 06/12/17 à 18:51, Tyler Hicks a écrit : FTR, the apparmor usespace library seems to support the 15xx range for quite sometimes already, I see the following commit in the git repository: commit a6a88a4dd7ec9fd59b01c27f8cd40f653386107b Author: Steve Beattie <steve(a)nxnw.org&gt; Date: Fri Sep 14 14:00:48 2007 +0000 This patch adds support to the logparsing library for the type=15xx flags when events come through the audit subsystem. It also fixes the case where the audit daemon has not been configured with apparmor support and the events are reported as type=UNKNOWN[15xx]. It also fixes the testsuite dependencies so that they will get relinked when the library changes. This commits contains the following used id's: +/* FIXME: this ought to be pulled from <linux/audit.h> but there's no + * guarantee these will exist there. */ +#define AUDIT_APPARMOR_AUDIT 1501 /* AppArmor audited grants */ +#define AUDIT_APPARMOR_ALLOWED 1502 /* Allowed Access for learning */ +#define AUDIT_APPARMOR_DENIED 1503 +#define AUDIT_APPARMOR_HINT 1504 /* Process Tracking information */ +#define AUDIT_APPARMOR_STATUS 1505 /* Changes in config */ +#define AUDIT_APPARMOR_ERROR 1506 /* Internal AppArmor Errors */ +