On 2018-07-12 13:36, Ondrej Mosnacek wrote:
This new record type is used to log the full path corresponding to some
important file descriptor used in a syscall.
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
include/uapi/linux/audit.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e3eaba84175..d60041ae34a8 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -114,6 +114,7 @@
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
+#define AUDIT_FD_PATH 1334 /* File descriptor path info */
The final message type number depends on other work in flight which may
or may not be accepted first, so don't count on this one being the
final. Having said that, we usually use the next number in sequence
unless there is a hard dependence on another patchset.
This will be the maintainer's job to juggle all these when they are
merged upstream. Unfortunately, that will make more work for the
corresponding user library patches that help identify this record type.
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
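Review bot: the added AUDIT_FD_PATH line takes 1334 directly after AUDIT_FANOTIFY 1331, so 1332 and 1333 are skipped, and neither the comment nor the changelog says what reserves them. Since this header lives under include/uapi and the value is visible to user space, the changelog should name the in-flight patchsets this number depends on, or the define should take the next number in sequence. The changelog's "some important file descriptor" is also vague for a new record type; it should say which syscalls and which descriptor argument produce the record.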
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635