On Mon, Jan 16, 2006 at 03:16:04PM -0600, Dustin Kirkland wrote:
On 1/11/06, Amy Griffis <amy.griffis(a)hp.com> wrote:
> +static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
> + size_t datasz)
> {
> + int err = 0;
> + struct audit_entry *entry;
> + void *bufp;
> + /* size_t remain = datasz - sizeof(struct audit_rule_data); */
> int i;
>
> - if (a->flags != b->flags)
> - return 1;
> + entry = audit_to_entry_common((struct audit_rule *)data);
> + if (IS_ERR(entry))
> + goto exit_nofree;
> +
> + bufp = data->buf;
> + entry->rule.vers_ops = 2;
> + for (i = 0; i < data->field_count; i++) {
> + struct audit_field *f = &entry->rule.fields[i];
> +
> + err = -EINVAL;
> + if (!(data->fieldflags[i] & AUDIT_OPERATORS) ||
> + data->fieldflags[i] & ~AUDIT_OPERATORS)
> + goto exit_free;
> +
> + f->op = data->fieldflags[i] & AUDIT_OPERATORS;
> + f->type = data->fields[i];
> + switch(f->type) {
> + /* call type-specific conversion routines here */
> + default:
> + f->val = data->values[i];
> + }
> + }
>
> - if (a->action != b->action)
> - return 1;
> +exit_nofree:
> + return entry;
> +
> +exit_free:
> + kfree(entry);
> + return ERR_PTR(err);
> +}
Amy-
I'm noticing that this code does not yet do anything with the
strings potentially in data->buf... Is this still on your to-do, or
was this intentional?
Yes, it was intentional. I tried to split the two patches between the
interface changes themselves, and the code added for the field
AUDIT_WATCH.
The second patch adds the following changes to this block:
@@ -161,8 +195,9 @@ static struct audit_entry *audit_data_to
int err = 0;
struct audit_entry *entry;
void *bufp;
- /* size_t remain = datasz - sizeof(struct audit_rule_data); */
+ size_t remain = datasz - sizeof(struct audit_rule_data);
int i;
+ char *path;
entry = audit_to_entry_common((struct audit_rule *)data);
if (IS_ERR(entry))
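Review bot: `size_t remain = datasz - sizeof(struct audit_rule_data);` is an unsigned subtraction, so it wraps to a very large value whenever datasz is smaller than the fixed header. Nothing visible in this hunk or in the quoted first patch checks datasz before this point, so unless the caller already rejects short messages, the later `audit_unpack_string(&bufp, &remain, f->val)` call would presumably be bounding its read against a bogus remaining length. I would declare `size_t remain;` and assign it only after a guard such as `if (datasz < sizeof(struct audit_rule_data)) return ERR_PTR(-EINVAL);`, or document that the caller guarantees the minimum size. The function body continues outside the hunk.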
@@ -180,10 +215,20 @@ static struct audit_entry *audit_data_to
f->op = data->fieldflags[i] & AUDIT_OPERATORS;
f->type = data->fields[i];
+ f->val = data->values[i];
switch(f->type) {
- /* call type-specific conversion routines here */
- default:
- f->val = data->values[i];
+ case AUDIT_WATCH:
+ path = audit_unpack_string(&bufp, &remain, f->val);
+ if (IS_ERR(path))
+ goto exit_free;
+ entry->rule.buflen += f->val;
+
+ err = audit_to_watch(path, &entry->rule, i);
+ if (err) {
+ kfree(path);
+ goto exit_free;
+ }
+ break;
}
}
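Review bot: In the `AUDIT_WATCH` case, `if (IS_ERR(path)) goto exit_free;` discards the error that audit_unpack_string() returned. err still holds the `-EINVAL` assigned at the top of the loop in the first patch, so any other failure it may report (its body is not shown) reaches userspace as an invalid rule. Setting `err = PTR_ERR(path);` before the goto keeps the real cause. Separately, exit_free as quoted in the first patch only does `kfree(entry)`, so if audit_to_watch() retains path on success (not visible here), a failure on a later field would presumably leak that string; it is worth confirming the error path releases it. The loop and function body extend beyond this hunk.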
So any type that uses a string field should add a case here, call
audit_unpack_string() to unpack the buffer, and then do whatever else
is needed to translate the resulting string to the values used in the
audit rule.
Hope this helps,
Amy