Hi Steve, Here is the userspace patch I used to test the kernel filterkey patch. Hope this helps, Amy --- lib/fieldtab.h | 1 + lib/libaudit.c | 13 +++++++------ lib/libaudit.h | 4 ++++ src/auditctl.c | 5 +++++ 4 files changed, 17 insertions(+), 6 deletions(-) acece4c427812119ec1aac24fe5e8b58902985a9 diff --git a/lib/fieldtab.h b/lib/fieldtab.h index a6f3121..a74754f 100644 --- a/lib/fieldtab.h +++ b/lib/fieldtab.h @@ -53,3 +53,4 @@ _S(AUDIT_ARG1, "a1" ) _S(AUDIT_ARG2, "a2" ) _S(AUDIT_ARG3, "a3" ) +_S(AUDIT_FILTERKEY, "filterkey") diff --git a/lib/libaudit.c b/lib/libaudit.c index b61df6c..48022df 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c @@ -827,6 +827,7 @@ int audit_rule_fieldpair(struct audit_ru case AUDIT_SE_SEN: case AUDIT_SE_CLR: case AUDIT_WATCH: + case AUDIT_FILTERKEY: return -10; case AUDIT_DEVMAJOR...AUDIT_SUCCESS: if (flags == AUDIT_FILTER_ENTRY) @@ -946,17 +947,17 @@ int audit_rule_fieldpair_data(struct aud else return -8; break; + case AUDIT_WATCH: + /* Watch is invalid on anything but exit */ + if (flags != AUDIT_FILTER_EXIT) + return -7; + /* fallthrough */ case AUDIT_SE_USER: case AUDIT_SE_ROLE: case AUDIT_SE_TYPE: case AUDIT_SE_SEN: case AUDIT_SE_CLR: - case AUDIT_WATCH: - /* Watch is invalid on anything but exit */ - if ((flags != AUDIT_FILTER_EXIT) && - (field == AUDIT_WATCH)) - return -7; - + case AUDIT_FILTERKEY: rule->values[rule->field_count] = strlen(v); offset = rule->buflen; rule->buflen += strlen(v); diff --git a/lib/libaudit.h b/lib/libaudit.h index 8aab24e..c9e2ea4 100644 --- a/lib/libaudit.h +++ b/lib/libaudit.h @@ -214,6 +214,10 @@ extern "C" { #define AUDIT_WATCH 105 /* This is a field in syscall rule */ #endif +#ifndef AUDIT_FILTERKEY +#define AUDIT_FILTERKEY 210 +#endif + /* This is new list defines from audit.h */ #ifndef AUDIT_FILTER_USER #define AUDIT_FILTER_USER 0x00 /* Apply rule to user-generated messages */ diff --git a/src/auditctl.c b/src/auditctl.c index 045a38d..168253f 100644 --- a/src/auditctl.c +++ b/src/auditctl.c @@ -967,6 +967,11 @@ static int audit_print_reply(struct audi rep->ruledata->values[i], &rep->ruledata->buf[boffset]); boffset += rep->ruledata->values[i]; + } else if (field == AUDIT_FILTERKEY) { + printf(" filterkey=%.*s", + rep->ruledata->values[i], + &rep->ruledata->buf[boffset]); + boffset += rep->ruledata->values[i]; } else { printf(" %s%s%d", name, audit_operator_to_symbol(op), -- 1.2.GIT