Here is some additional description of the functionality provided with
the new AUDIT_WATCH field. I posted it in a previous iteration of
this code, but thought I'd include it here for cohesiveness.
On Wed, Jan 11, 2006 at 01:59:21PM -0500, Amy Griffis wrote:
Following are two patches, the first of which provides an interface
for specifying audit rules with string fields. The second patch adds
a new string field AUDIT_WATCH. These patches are an update of the
previous audit interface patches I have posted to this list.
These patches are functionally similar to the previous posts; however,
I believe you will find the organization of the code to be quite
different and much improved. I have updated the interface based on
the feedback I received. I also resolved the issue of differentiating
between inode-based and path-based (or watch-based) filtering by
creating a new field AUDIT_WATCH and adding it to the switch in
audit_filter_rules().
Following is a summary of the interface.
A new struct audit_rule_data and corresponding netlink message types
have been added. Additionally, the SELinux nlmsg_audit_perms[] table
has been updated with the new netlink message types.
The new struct allows userspace to supply one or more string fields
packed in a variable length buffer. The kernel expects the buffer to
be neither null-delimited nor null-terminated.
The length of string data for a given field is provided as its value
element in the array. The kernel provides the buflen element for
convenience on rule listing, to allow userspace to allocate memory for
the buffer without walking the array to tabulate lengths. Buflen is
ignored coming from userspace. Instead, the kernel ensures that the
total of the lengths specified in the value elements does not exceed the
length of the message payload minus sizeof(struct audit_rule_data).
Several routines have been added to auditfilter.c to translate between
the kernel's rule representation and the two userspace rule
representations using structs audit_rule and audit_rule_data.
With the AUDIT_WATCH field, userspace may specify a path filter, akin
to specifying an inode filter. If a filename exists at the specified
path, audit records will be generated as they are for inode filters.
If a filename does not exist at the specified path, the rule will be
added, but no records will be generated.
In the next patch set, I will provide the functionality necessary to
support persistence for path-based filters (aka watches). This will
enable audit to generate audit records whenever an inode exists at the
specified path.
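As an illustration of the packing and the kernel-side length check described in the quoted summary, here is a small userspace/kernel pair in C. This is an added example, not code from Amy's patches or from the kernel: the struct layout mirrors the described audit_rule_data, but the EX_ array sizes, the assumed AUDIT_WATCH number (105) and all function names are constructed for this example (the real definitions are in linux/audit.h). The userspace side packs string fields back to back with no NUL bytes and leaves buflen as garbage; the kernel side ignores buflen, sums the value elements for string fields against payload length minus the struct size, and recomputes buflen for listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout modeled on the audit_rule_data description above. The sizes and
 * the AUDIT_WATCH number are assumptions for this example; the real values
 * are in linux/audit.h. */
#define EX_BITMASK_SIZE 64
#define EX_MAX_FIELDS   64
#define EX_WATCH        105               /* assumed id of the string field */

struct ex_rule_data {
    uint32_t flags;
    uint32_t action;
    uint32_t field_count;
    uint32_t mask[EX_BITMASK_SIZE];       /* syscalls the rule applies to */
    uint32_t fields[EX_MAX_FIELDS];       /* field type per entry */
    uint32_t values[EX_MAX_FIELDS];       /* for string fields: byte length */
    uint32_t fieldflags[EX_MAX_FIELDS];
    uint32_t buflen;                      /* set by kernel on listing only */
    char     buf[];                       /* packed strings, no NULs at all */
};

/* Userspace side: append one string field and return the new payload length
 * (struct plus packed strings), or 0 on failure. buflen is not touched,
 * since the kernel ignores it on the way in. */
static size_t ex_add_string_field(struct ex_rule_data **rp, size_t payload_len,
                                  uint32_t field, const char *s)
{
    struct ex_rule_data *r = *rp;
    size_t len = strlen(s);
    if (r->field_count >= EX_MAX_FIELDS || len > UINT32_MAX)
        return 0;
    r = realloc(r, payload_len + len);
    if (!r)
        return 0;
    memcpy((char *)r + payload_len, s, len);  /* terminator is not copied */
    r->fields[r->field_count] = field;
    r->values[r->field_count] = (uint32_t)len;
    r->field_count++;
    *rp = r;
    return payload_len + len;
}

/* Kernel side: the sum of the string lengths in values[] must fit in
 * payload_len - sizeof(struct). The sender's buflen is ignored and the
 * total is recomputed for listing. Returns 0 if well-formed, -1 otherwise. */
static int ex_kernel_check(const struct ex_rule_data *r, size_t payload_len,
                           uint32_t *buflen_out)
{
    size_t avail, total = 0;
    uint32_t i;
    if (payload_len < sizeof(*r) || r->field_count > EX_MAX_FIELDS)
        return -1;
    avail = payload_len - sizeof(*r);
    for (i = 0; i < r->field_count; i++) {
        if (r->fields[i] != EX_WATCH)
            continue;                         /* not a string field */
        if (r->values[i] > avail - total)     /* compare against what is left */
            return -1;
        total += r->values[i];
    }
    if (buflen_out)
        *buflen_out = (uint32_t)total;
    return 0;
}

/* Walk the packed buffer to the idx-th field and copy it out NUL-terminated.
 * Returns its length, or -1 if the message is malformed or idx is not a
 * string field. */
static int ex_get_string(const struct ex_rule_data *r, size_t payload_len,
                         uint32_t idx, char *out, size_t outsz)
{
    size_t off = 0;
    uint32_t i;
    if (ex_kernel_check(r, payload_len, NULL) != 0 || idx >= r->field_count)
        return -1;
    for (i = 0; i < idx; i++)
        if (r->fields[i] == EX_WATCH)
            off += r->values[i];
    if (r->fields[idx] != EX_WATCH || r->values[idx] >= outsz)
        return -1;
    memcpy(out, r->buf + off, r->values[idx]);
    out[r->values[idx]] = '\0';
    return (int)r->values[idx];
}

/* Constructed sample: a rule watching two paths. Returns the payload length. */
static size_t ex_build_example(struct ex_rule_data **rp)
{
    size_t n = sizeof(struct ex_rule_data);
    struct ex_rule_data *r = calloc(1, n);
    if (!r)
        return 0;
    r->buflen = 0xdeadbeef;                   /* garbage on purpose */
    n = ex_add_string_field(&r, n, EX_WATCH, "/etc/passwd");
    if (n)
        n = ex_add_string_field(&r, n, EX_WATCH, "/etc/shadow");
    *rp = r;
    return n;
}

int main(void)
{
    struct ex_rule_data *r = NULL;
    char path[256];
    uint32_t buflen = 0;
    size_t n = ex_build_example(&r);
    printf("check: %d buflen: %u\n", ex_kernel_check(r, n, &buflen), buflen);
    if (ex_get_string(r, n, 1, path, sizeof path) > 0)
        printf("field 1: %s\n", path);
    r->values[0] = 4096;                      /* lie about the length */
    printf("tampered check: %d\n", ex_kernel_check(r, n, NULL));
    free(r);
    return 0;
}
```

The check compares each claimed length against the bytes still unaccounted for rather than summing first, so a sender cannot wrap the total around with large values and slip past the bound.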