Following are two patches, the first of which provides an interface
for specifying audit rules with string fields. The second patch adds
a new string field AUDIT_WATCH. These patches are an update of the
previous audit interface patches I have posted to this list.
These patches are functionally similar to the previous posts; however,
I believe you will find the organization of the code to be quite
different and much improved. I have updated the interface based on
the feedback I received. I also resolved the issue of differentiating
between inode-based and path-based (or watch-based) filtering by
creating a new field AUDIT_WATCH and adding it to the switch in
audit_filter_rules().
Following is a summary of the interface.
A new struct audit_rule_data and corresponding netlink message types
have been added. Additionally, the SELinux nlmsg_audit_perms[] table
has been updated with the new netlink message types.
The new struct allows userspace to supply one or more string fields
packed in a variable length buffer. The kernel expects the buffer to
be neither null-delimited nor null-terminated.
The length of string data for a given field is provided as its value
element in the array. The kernel provides the buflen element for
convenience on rule listing, to allow userspace to allocate memory for
the buffer without walking the array to tabulate lengths. Buflen is
ignored coming from userspace. Instead, the kernel ensures that the
total of the lengths specified in the value elements does not exceed the
length of the message payload minus sizeof(struct audit_rule_data).
Several routines have been added to auditfilter.c to translate between
the kernel's rule representation and the two userspace rule
representations using structs audit_rule and audit_rule_data.
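
The packing and validation described above, as an added example that is not part of this patch series or of the kernel's auditfilter.c. The struct layout, the MAX_FIELDS bound, the AUDIT_WATCH/AUDIT_UID values and the "which fields are strings" test are all assumptions made for illustration; only the rules the message states are modelled: strings are packed back to back with no NUL and no delimiter, each string's length is its value element, buflen is never trusted on input, and the sum of the string lengths must fit in payload length minus the header size.

```c
/* Added example, not the patch's code. Layout and constants are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_FIELDS   8
#define AUDIT_UID    1     /* assumed numeric field id */
#define AUDIT_WATCH  105   /* assumed id for the new path-based string field */
/* Assumption: AUDIT_WATCH is the only field whose value is a string length. */
#define IS_STRING_FIELD(f) ((f) == AUDIT_WATCH)

struct rule_data {
    uint32_t field_count;
    uint32_t fields[MAX_FIELDS];
    uint32_t values[MAX_FIELDS]; /* string fields: byte length inside buf */
    uint32_t buflen;             /* filled by kernel on listing; ignored on input */
    char     buf[];              /* packed strings: not NUL-terminated, not delimited */
};

struct field_spec { uint32_t field; uint32_t value; const char *str; };

/* Userspace side: pack n fields into one variable-length message. */
struct rule_data *pack_rule(const struct field_spec *spec, size_t n, size_t *payload_len)
{
    size_t total = 0, off = 0, i;
    if (n > MAX_FIELDS) return NULL;
    for (i = 0; i < n; i++)
        if (IS_STRING_FIELD(spec[i].field)) total += strlen(spec[i].str);
    struct rule_data *r = calloc(1, sizeof *r + total);
    if (!r) return NULL;
    r->field_count = (uint32_t)n;
    for (i = 0; i < n; i++) {
        r->fields[i] = spec[i].field;
        if (IS_STRING_FIELD(spec[i].field)) {
            size_t len = strlen(spec[i].str);
            memcpy(r->buf + off, spec[i].str, len); /* no terminator copied */
            r->values[i] = (uint32_t)len;
            off += len;
        } else {
            r->values[i] = spec[i].value;
        }
    }
    r->buflen = (uint32_t)total; /* harmless here; the validator ignores it */
    *payload_len = sizeof *r + total;
    return r;
}

/* Kernel side: 0 if the string lengths fit in the payload, -1 otherwise.
 * buflen is never read; only the value elements and payload_len matter. */
int validate_rule(const void *payload, size_t payload_len)
{
    const struct rule_data *r = payload;
    if (payload_len < sizeof *r) return -1;
    if (r->field_count > MAX_FIELDS) return -1;
    size_t avail = payload_len - sizeof *r, total = 0;
    for (uint32_t i = 0; i < r->field_count; i++) {
        if (!IS_STRING_FIELD(r->fields[i])) continue;
        /* compare against remaining room so the running sum cannot wrap */
        if (r->values[i] > avail - total) return -1;
        total += r->values[i];
    }
    return 0;
}

/* Copy string field idx out of the buffer as a NUL-terminated string.
 * Caller must have run validate_rule() first; result is malloc'd. */
char *rule_string(const struct rule_data *r, uint32_t idx)
{
    size_t off = 0, len;
    if (idx >= r->field_count || !IS_STRING_FIELD(r->fields[idx])) return NULL;
    for (uint32_t i = 0; i < idx; i++)
        if (IS_STRING_FIELD(r->fields[i])) off += r->values[i];
    len = r->values[idx];
    char *s = malloc(len + 1);
    if (!s) return NULL;
    memcpy(s, r->buf + off, len);
    s[len] = '\0';
    return s;
}

/* Constructed demo rule: two watches around a numeric field. */
struct rule_data *build_demo(size_t *payload_len)
{
    static const struct field_spec spec[] = {
        { AUDIT_WATCH, 0, "/etc/passwd" },
        { AUDIT_UID,   0, NULL },
        { AUDIT_WATCH, 0, "/etc/shadow" },
    };
    return pack_rule(spec, 3, payload_len);
}

int main(void)
{
    size_t len;
    struct rule_data *r = build_demo(&len);
    if (!r) return 1;
    printf("payload %zu bytes, valid=%d\n", len, validate_rule(r, len) == 0);
    char *s = rule_string(r, 2);
    printf("field 2 watch: %s\n", s);
    r->values[2] += 1; /* claim one byte more than the payload carries */
    printf("after tampering valid=%d\n", validate_rule(r, len) == 0);
    free(s);
    free(r);
    return 0;
}
```

The tampering step at the end is the case the kernel check exists for: a length that overruns the payload by even one byte must be rejected before the rule is copied, and a bogus buflen from userspace must make no difference.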