Hello,
Here is a patch against libaudit which adds support for the new
netlink message types and data structure used to specify audit rules
with string fields.
I've been using this patch to test my kernel changes. Hopefully it
can be of some use in adding the remainder of the necessary support to
the audit userspace tools.
Regards,
Amy
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 08cbc9e..c275400 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -234,6 +234,15 @@ int audit_request_rules_list(int fd)
return rc;
}
+int audit_list_rules_data(int fd)
+{
+ int rc = audit_send(fd, AUDIT_LIST_RULES, NULL, 0);
+ if (rc < 0)
+ audit_msg(LOG_WARNING, "Error sending rule list request (%s)",
+ strerror(-rc));
+ return rc;
+}
+
int audit_request_signal_info(int fd)
{
int rc = audit_send(fd, AUDIT_SIGNAL_INFO, NULL, 0);
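Review bot: audit_list_rules_data() has no comment telling callers how it differs from audit_request_rules_list() just above it, and the two names follow different patterns for the same kind of request. A header comment such as `/* Request the rule list via AUDIT_LIST_RULES; replies are expected to carry struct audit_rule_data rather than struct audit_rule. */` would make the reply format explicit. The reply format is inferred from the patch description and the other hunks, so confirm it against the kernel side. The warning text "Error sending rule list request" may also be hard to tell apart in logs from the existing function's message, which is outside this hunk.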
@@ -338,6 +347,31 @@ int audit_delete_rule(int fd, struct aud
return rc;
}
+int audit_add_rule_data(int fd, struct audit_rule_data *rule)
+{
+ int rc;
+ unsigned int size = sizeof(*rule) + rule->buflen;
+
+ rc = audit_send(fd, AUDIT_ADD_RULE, rule, size);
+ if (rc < 0)
+ audit_msg(LOG_WARNING,
+ "Error sending add rule request (%s)",
+ strerror(-rc));
+ return rc;
+}
+
+int audit_del_rule_data(int fd, struct audit_rule_data *rule)
+{
+ int rc;
+ unsigned int size = sizeof(*rule) + rule->buflen;
+
+ rc = audit_send(fd, AUDIT_DEL_RULE, rule, size);
+ if (rc < 0)
+ audit_msg(LOG_WARNING,
+ "Error sending delete rule request (%s)",
+ strerror(-rc));
+ return rc;
+}
/*
* This function will retreive the loginuid or -1 if there
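Review bot: Both audit_add_rule_data() and audit_del_rule_data() dereference `rule` and store `sizeof(*rule) + rule->buflen` in an `unsigned int` without any validation, so a NULL argument crashes and an oversized `buflen` can yield a length that no longer matches the structure. A guard before the send, `if (rule == NULL || rule->buflen > UINT_MAX - sizeof(*rule)) return -EINVAL;`, keeps the computed length honest. Whether audit_send() additionally caps the size is not visible in this hunk. Because these calls load and remove audit rules, a request that is dropped or rejected leaves audit coverage different from what the caller intended, so the contract should say that a negative return must be treated as a failure. The two bodies differ only in message type and log text and could share one static helper.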
diff --git a/lib/libaudit.h b/lib/libaudit.h
index a35fd1c..8b2e059 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -274,6 +274,7 @@ struct audit_reply {
union {
struct audit_status *status;
struct audit_rule *rule;
+ struct audit_rule_data *ruledata;
struct audit_login *login;
const char *message;
struct nlmsgerr *error;
@@ -348,6 +349,7 @@ extern int audit_set_backlog_limit(int
/* AUDIT_LIST */
extern int audit_request_rules_list(int fd);
extern int audit_request_watch_list(int fd);
+extern int audit_list_rules_data(int fd);
/* SIGNAL_INFO */
extern int audit_request_signal_info(int fd);
@@ -359,10 +361,12 @@ extern int audit_remove_watch(int fd, st
/* AUDIT_ADD */
extern int audit_add_rule(int fd, struct audit_rule *rule,
int flags, int action);
+extern int audit_add_rule_data(int fd, struct audit_rule_data *rule);
/* AUDIT_DEL */
extern int audit_delete_rule(int fd, struct audit_rule *rule,
int flags, int action);
+extern int audit_del_rule_data(int fd, struct audit_rule_data *rule);
// These are deprecated...do not use.
extern int audit_send_message(int fd, int type, const char *message);//private
diff --git a/lib/netlink.c b/lib/netlink.c
index e418d12..806e35d 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -163,6 +163,7 @@ static int adjust_reply(struct audit_rep
rep->status = NLMSG_DATA(rep->nlh);
break;
case AUDIT_LIST:
+ case AUDIT_LIST_RULES:
rep->rule = NLMSG_DATA(rep->nlh);
break;
case AUDIT_USER:
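Review bot: The new `case AUDIT_LIST_RULES:` falls through to `rep->rule = NLMSG_DATA(rep->nlh);`, so the payload is exposed through the `struct audit_rule *` member even though this patch adds a `ruledata` member to the same union in lib/libaudit.h, presumably for this message type. The stored pointer is the same either way because it is a union, but a consumer that follows the AUDIT_LIST pattern and reads `rep->rule` would interpret the new structure with the old layout. Giving the type its own arm, `case AUDIT_LIST_RULES: rep->ruledata = NLMSG_DATA(rep->nlh); break;`, documents which member is valid. Consumers should also confirm that the message length covers `sizeof(struct audit_rule_data)` plus `buflen` before reading the string buffer. Whether adjust_reply() already validates lengths is outside this hunk, as is the rest of its body.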
diff --git a/src/auditd.c b/src/auditd.c
index 2ec6d7e..924a0c7 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -389,6 +389,7 @@ int main(int argc, char *argv[])
case NLMSG_ERROR:
case AUDIT_GET: /* Or these */
case AUDIT_LIST:
+ case AUDIT_LIST_RULES:
case AUDIT_FIRST_DAEMON...AUDIT_LAST_DAEMON:
break;
case AUDIT_SIGNAL_INFO: