I'm building an audit.40 with this in. Steve, does it look OK to you?
--- linux-2.6.9/include/linux/audit.h~ 2005-05-17 14:43:57.000000000 +0100
+++ linux-2.6.9/include/linux/audit.h 2005-05-17 15:10:33.000000000 +0100
@@ -128,6 +128,8 @@ struct atomic_t;
#define AUDIT_ARG2 (AUDIT_ARG0+2)
#define AUDIT_ARG3 (AUDIT_ARG0+3)
+#define AUDIT_KEY 0x1000 /* Identifying key for rule */
+
#define AUDIT_NEGATE 0x80000000
--- linux-2.6.9/kernel/auditsc.c~ 2005-05-17 15:17:40.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c 2005-05-17 15:15:11.000000000 +0100
@@ -140,6 +140,7 @@ struct audit_context {
unsigned int serial; /* serial number for record */
struct timespec ctime; /* time of syscall entry */
uid_t loginuid; /* login uid (identity) */
+ uint32_t key; /* Key of rule which triggered auditing */
int major; /* syscall number */
unsigned long argv[4]; /* syscall arguments */
int return_valid; /* return code is valid */
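Review bot: The new `key` member is declared `uint32_t` while the surrounding kernel code uses the kernel-native `u32` (see `u32 field` in audit_filter_rules later in this patch); the same applies to the `uint32_t *key` parameter and the `localkey` local added in the next hunk. Since audit_log_exit (last hunk) emits `key=` only when the value is non-zero, 0 doubles as "no key" and the field comment should say so, e.g. `u32 key; /* key of rule which triggered auditing, 0 = none */`. struct audit_context starts and ends outside the hunk.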
@@ -334,9 +335,11 @@ int audit_receive_filter(int type, int p
static int audit_filter_rules(struct task_struct *tsk,
struct audit_rule *rule,
struct audit_context *ctx,
- enum audit_state *state)
+ enum audit_state *state,
+ uint32_t *key)
{
int i, j;
+ uint32_t localkey = 0;
for (i = 0; i < rule->field_count; i++) {
u32 field = rule->fields[i] & ~AUDIT_NEGATE;
@@ -429,8 +432,9 @@ static int audit_filter_rules(struct tas
if (ctx)
result = (ctx->argv[field-AUDIT_ARG0]==value);
break;
+ case AUDIT_KEY:
+ localkey = value;
}
-
if (rule->fields[i] & AUDIT_NEGATE)
result = !result;
if (!result)
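Review bot: The new `case AUDIT_KEY:` never assigns `result`, so if `result` starts each iteration at 0 (its initialisation is outside the hunk, but every other case sets it only on a match) a rule containing a key field fails the `if (!result) return 0;` check right below and never matches, and a negated key field always matches. The key field should be accepted without taking part in filtering: `case AUDIT_KEY: localkey = value; result = 1; break;` — which also gives the final case the `break;` the other cases have. The body of audit_filter_rules continues outside this hunk.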
@@ -441,6 +445,8 @@ static int audit_filter_rules(struct tas
case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break;
case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
}
+ if (key)
+ *key = localkey;
return 1;
}
@@ -451,11 +457,11 @@ static int audit_filter_rules(struct tas
static enum audit_state audit_filter_task(struct task_struct *tsk)
{
struct audit_entry *e;
- enum audit_state state;
+ enum audit_state state;
rcu_read_lock();
list_for_each_entry_rcu(e, &audit_tsklist, list) {
- if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
+ if (audit_filter_rules(tsk, &e->rule, NULL, &state, NULL)) {
rcu_read_unlock();
return state;
}
@@ -475,13 +481,13 @@ static enum audit_state audit_filter_sys
{
struct audit_entry *e;
enum audit_state state;
- int word = AUDIT_WORD(ctx->major);
- int bit = AUDIT_BIT(ctx->major);
+ int word = AUDIT_WORD(ctx->major);
+ int bit = AUDIT_BIT(ctx->major);
rcu_read_lock();
list_for_each_entry_rcu(e, list, list) {
if ((e->rule.mask[word] & bit) == bit
- && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
+ && audit_filter_rules(tsk, &e->rule, ctx, &state,
&ctx->key)) {
rcu_read_unlock();
return state;
}
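Review bot: `ctx->key` is written only on the matching-rule path of audit_filter_rules, so when no rule in this list matches but the syscall is still recorded (a task-level state, or a key left in the same context by an earlier syscall) audit_log_exit may report a key from a previous rule — unless the context is zeroed per syscall in code I cannot see here. The field should be reset where the other per-syscall members (`serial`, `ctime`, `major`) are set, which is outside this patch; clearing it at the top of audit_filter_syscall instead would, if this function is called for both the entry and exit lists, drop an entry-list key whenever the exit walk matches nothing. audit_filter_syscall's signature line is outside the hunk.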
@@ -677,6 +683,8 @@ static void audit_log_exit(struct audit_
if (!ab)
return; /* audit_panic has been called */
audit_log_format(ab, "syscall=%d", context->major);
+ if (context->key)
+ audit_log_format(ab, " key=%x", context->key);
if (context->personality != PER_LINUX)
audit_log_format(ab, " per=%lx", context->personality);
audit_log_format(ab, " arch=%x", context->arch);
--
dwmw2