On 11/3/05, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Thursday 03 November 2005 08:58, Amy Griffis wrote:
> > What about someone running a kernel without CONFIG_AUDITSYSCALL? With
> > this implementation, they wouldn't be able to use this filtering at
> > all. That doesn't make any sense, since filtering audit record types
> > is inherently unrelated to syscalls. This filtering applies to audit
> > in general, so it should live entirely in audit.c.
> It might be tricky to untangle. I think it uses functions that only live in
> that file. I think it's worth looking into, though.
I'm looking into it.
It looks like audit_comparator() would have to be externalized, which
shouldn't be a problem.
The bigger issue is the fact that the messages to filter out are stored
in the audit_filter_list, and **all** of the audit rules code (i.e.,
audit_add_rule, audit_del_rule, etc.) lives in auditsc.c.
One option would be to create a new structure to hold the list of
message types to exclude, and create new netlink aware functions to
populate and clear this list from userspace. However, that's grossly
duplicating the work that is already present for the rest of the filter
rules lists.
It's perhaps arguable that the rules filtering code should be in
a file of its own? auditrl.c? Of the other rule lists, at least
AUDIT_FILTER_TASK and AUDIT_FILTER_WATCH are not inherently tied to
syscalls, so AUDIT_FILTER_EXCLUDE doesn't seem that egregious.
But those changes would belong in a patch of its own, which I'll be
happy to review and test if you provide it. But for now, I'm going to move
on to more pressing matters and perhaps I'll look into that later.
:-Dustin
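The design point in the thread is that an AUDIT_FILTER_EXCLUDE rule only needs the record's message type and a comparator, so it can be evaluated with no syscall context at all. The following is an added userspace model written for this page, not code from the kernel tree or from any participant in the thread: it keeps a flat rule array in place of the kernel's list_head lists, reimplements a comparator with the kernel's relational operators, and exposes add/del/filter functions of the kind Dustin describes. The numeric constants (AUDIT_FILTER_EXCLUDE = 5, AUDIT_MSGTYPE = 12, AUDIT_SYSCALL = 1300, AUDIT_AVC = 1400) are assumed to match linux/audit.h; the enum names and the `rules[]` array are inventions of the example.

```c
/*
 * Added example, not from the linux-audit thread or the kernel:
 * a userspace model of an AUDIT_FILTER_EXCLUDE list that drops audit
 * records by message type without any reference to syscall state.
 */
#include <stdio.h>
#include <string.h>

/* Constants assumed to match linux/audit.h. */
#define AUDIT_FILTER_EXCLUDE 5   /* rule list index for record-type exclusion */
#define AUDIT_FILTER_USER    0   /* another list, used to show list isolation */
#define AUDIT_MSGTYPE        12  /* rule field id: the record's message type */
#define AUDIT_SYSCALL        1300
#define AUDIT_AVC            1400

#define MAX_RULES 16             /* example-only bound; kernel uses linked lists */

/* Relational operators (names are the example's own, not the kernel's flags). */
enum audit_op {
    OP_EQUAL, OP_NOT_EQUAL, OP_LESS_THAN, OP_GREATER_THAN,
    OP_LESS_THAN_OR_EQUAL, OP_GREATER_THAN_OR_EQUAL
};

struct audit_field { int type; enum audit_op op; unsigned int val; };
struct audit_rule  { int listnr; struct audit_field field; int in_use; };

static struct audit_rule rules[MAX_RULES];   /* stand-in for audit_filter_list */

/* The comparator the thread says would have to be externalized from auditsc.c. */
int audit_comparator(unsigned int left, enum audit_op op, unsigned int right)
{
    switch (op) {
    case OP_EQUAL:                 return left == right;
    case OP_NOT_EQUAL:             return left != right;
    case OP_LESS_THAN:             return left <  right;
    case OP_GREATER_THAN:          return left >  right;
    case OP_LESS_THAN_OR_EQUAL:    return left <= right;
    case OP_GREATER_THAN_OR_EQUAL: return left >= right;
    }
    return 0;                      /* unknown operator never matches */
}

/* Populate a list; in the kernel this is driven by an AUDIT_ADD netlink message. */
int audit_add_rule(int listnr, int ftype, enum audit_op op, unsigned int val)
{
    for (int i = 0; i < MAX_RULES; i++) {
        if (rules[i].in_use)
            continue;
        rules[i].listnr = listnr;
        rules[i].field.type = ftype;
        rules[i].field.op = op;
        rules[i].field.val = val;
        rules[i].in_use = 1;
        return 0;
    }
    return -1;                     /* no slot free (kernel would return -ENOMEM/-ENOSPC) */
}

/* Remove the first rule that matches exactly; -1 when none does. */
int audit_del_rule(int listnr, int ftype, enum audit_op op, unsigned int val)
{
    for (int i = 0; i < MAX_RULES; i++) {
        if (rules[i].in_use && rules[i].listnr == listnr &&
            rules[i].field.type == ftype && rules[i].field.op == op &&
            rules[i].field.val == val) {
            memset(&rules[i], 0, sizeof(rules[i]));
            return 0;
        }
    }
    return -1;
}

/*
 * Decide whether a record of the given type is excluded. Only the
 * AUDIT_FILTER_EXCLUDE list and the MSGTYPE field are consulted, which is
 * why nothing here depends on CONFIG_AUDITSYSCALL.
 */
int audit_filter_type(unsigned int type)
{
    for (int i = 0; i < MAX_RULES; i++) {
        if (!rules[i].in_use || rules[i].listnr != AUDIT_FILTER_EXCLUDE ||
            rules[i].field.type != AUDIT_MSGTYPE)
            continue;
        if (audit_comparator(type, rules[i].field.op, rules[i].field.val))
            return 1;              /* drop this record */
    }
    return 0;                      /* emit this record */
}

/* Count how many of a constructed batch of record types would be emitted. */
int audit_count_emitted(const unsigned int *types, int n)
{
    int emitted = 0;
    for (int i = 0; i < n; i++)
        if (!audit_filter_type(types[i]))
            emitted++;
    return emitted;
}

int main(void)
{
    /* Constructed batch: two syscall records, three AVC records. */
    unsigned int batch[] = { AUDIT_SYSCALL, AUDIT_AVC, AUDIT_AVC, AUDIT_SYSCALL, AUDIT_AVC };
    int n = (int)(sizeof(batch) / sizeof(batch[0]));

    audit_add_rule(AUDIT_FILTER_EXCLUDE, AUDIT_MSGTYPE, OP_EQUAL, AUDIT_AVC);
    printf("emitted with AVC excluded: %d of %d\n", audit_count_emitted(batch, n), n);
    audit_del_rule(AUDIT_FILTER_EXCLUDE, AUDIT_MSGTYPE, OP_EQUAL, AUDIT_AVC);
    printf("emitted with no rules:     %d of %d\n", audit_count_emitted(batch, n), n);
    return 0;
}
```

A rule with the same field placed on a different list (AUDIT_FILTER_USER in the test) has no effect on `audit_filter_type()`, which is the isolation property that lets the exclude list live in audit.c without dragging the syscall lists along with it.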