Userspace component to pass an exclude filter to and from the kernel.
- Teach userspace about the "exclude,???" filter
- Teach userspace about the "msgtype=???" field
- Look up the message type in the name-to-msg table if need be
STEVE:
The blob of code in audit_print_reply() might take some munging. This
patch is built on top of my operators patch, which you haven't released
yet. I taught the "auditctl -l" to process the "exclude" list rules
from the kernel for better debugging purposes. To do this, I had to
update audit_print_reply() to translate the operators to their symbols.
I'll gladly rework this part as soon as you have a release of audit with
the operator code in it.
But this should be enough to see what's going on here. Comments
welcome.
:-Dustin
diff -urpN audit-1.0.7-operators/lib/libaudit.c
audit-1.0.7-operators-exclude/lib/libaudit.c
--- audit-1.0.7-operators/lib/libaudit.c 2005-10-26 12:58:59.000000000 -0500
+++ audit-1.0.7-operators-exclude/lib/libaudit.c 2005-11-01 16:28:09.000000000 -0600
@@ -699,6 +699,17 @@ int audit_rule_fieldpair(struct audit_ru
}
}
break;
+ case AUDIT_MSGTYPE:
+ if (isdigit((char)*(v)))
+ rule->values[rule->field_count] =
+ strtol(v, NULL, 0);
+ else
+ if (audit_name_to_msg_type(v) > 0)
+ rule->values[rule->field_count] =
+ audit_name_to_msg_type(v);
+ else
+ return -8;
+ break;
case AUDIT_ARCH:
if (audit_syscalladded)
return -3;
/* This bitmask is used to validate user input. It represents all bits that
are currently used in an audit field constant understood by the kernel.
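Review bot: The numeric path in the added `case AUDIT_MSGTYPE:` accepts any string whose first character is a digit: `strtol(v, NULL, 0)` is called with no end pointer, so `msgtype=5foo` silently becomes type 5 and nothing rejects a negative or oversized result, whereas the name path does validate through `audit_name_to_msg_type(v) > 0`. The cast in `isdigit((char)*(v))` should be `(unsigned char)` — passing a negative `char` to a `<ctype.h>` function is undefined behaviour. `audit_name_to_msg_type(v)` is also called twice for the same input; store the result once. A version with end-pointer validation and a single lookup is below (an `errno == ERANGE` overflow check would additionally need `<errno.h>`, which I cannot see from the hunk). `audit_rule_fieldpair()` begins and ends outside this hunk.
```c
		case AUDIT_MSGTYPE:
			if (isdigit((unsigned char)*v)) {
				char *end = NULL;
				long val = strtol(v, &end, 0);
				/* reject trailing junk ("5foo"), an empty number and negative values */
				if (end == v || *end != '\0' || val < 0)
					return -8;
				rule->values[rule->field_count] = (int)val;
			} else {
				int type = audit_name_to_msg_type(v);
				if (type <= 0)
					return -8;
				rule->values[rule->field_count] = type;
			}
			break;
```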
diff -urpN audit-1.0.7-operators/lib/lookup_table.c
audit-1.0.7-operators-exclude/lib/lookup_table.c
--- audit-1.0.7-operators/lib/lookup_table.c 2005-10-20 17:28:40.000000000 -0500
+++ audit-1.0.7-operators-exclude/lib/lookup_table.c 2005-10-31 15:53:55.000000000 -0600
@@ -90,6 +90,7 @@ static struct transtab fieldtab[] = {
{ AUDIT_LOGINUID, "loginuid" },
{ AUDIT_PERS, "pers" },
{ AUDIT_ARCH, "arch" },
+ { AUDIT_MSGTYPE, "msgtype" },
{ AUDIT_DEVMAJOR, "devmajor" },
{ AUDIT_DEVMINOR, "devminor" },
@@ -104,11 +105,12 @@ static struct transtab fieldtab[] = {
#define AUDIT_FIELD_NAMES (sizeof(fieldtab)/sizeof(fieldtab[0]))
static struct transtab flagtab[] = {
- { AUDIT_FILTER_TASK, "task" },
- { AUDIT_FILTER_ENTRY, "entry" },
- { AUDIT_FILTER_EXIT, "exit" },
- { AUDIT_FILTER_USER, "user" },
- { AUDIT_FILTER_WATCH, "watch" }
+ { AUDIT_FILTER_TASK, "task" },
+ { AUDIT_FILTER_ENTRY, "entry" },
+ { AUDIT_FILTER_EXIT, "exit" },
+ { AUDIT_FILTER_USER, "user" },
+ { AUDIT_FILTER_WATCH, "watch" },
+ { AUDIT_FILTER_EXCLUDE, "exclude" }
};
#define AUDIT_FLAG_NAMES (sizeof(flagtab)/sizeof(flagtab[0]))
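Review bot: The five `flagtab` entries from `task` through `watch` are removed and re-added as `-`/`+` pairs although they appear to differ only in whitespace, which buries the two real changes — the trailing comma now needed on the `watch` line and the new `{ AUDIT_FILTER_EXCLUDE, "exclude" }` entry — in churn. Keep only those two lines as changes so the diff records what actually changed; if the re-indent is deliberate, it belongs in a separate whitespace-only commit.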
diff -urpN audit-1.0.7-operators/src/auditctl.c
audit-1.0.7-operators-exclude/src/auditctl.c
--- audit-1.0.7-operators/src/auditctl.c 2005-10-20 17:28:03.000000000 -0500
+++ audit-1.0.7-operators-exclude/src/auditctl.c 2005-11-01 16:24:34.000000000 -0600
@@ -150,6 +150,8 @@ static int audit_rule_setup(const char *
*flags = AUDIT_FILTER_USER;
else if (strstr(opt, "watch"))
*flags = AUDIT_FILTER_WATCH;
+ else if (strstr(opt, "exclude"))
+ *flags = AUDIT_FILTER_EXCLUDE;
else
return 1;
if (strstr(opt, "never"))
@@ -569,6 +571,10 @@ static int setopt(int count, char *vars[
fprintf(stderr, "Field %s cannot be checked at syscall entry\n", optarg);
retval = -1;
break;
+ case -8:
+ fprintf(stderr, "-F unknown message type\n");
+ retval = -1;
+ break;
default:
retval = -1;
break;
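Review bot: The new `case -8:` message omits the value that failed to parse, while the adjacent case just above it prints `optarg` (`"Field %s cannot be checked at syscall entry\n"`), so a user with several `-F` options cannot tell which message type was rejected. Match the existing style with `fprintf(stderr, "-F unknown message type: %s\n", optarg);`. `setopt()` begins and ends outside this hunk.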
@@ -1011,30 +1017,34 @@ static int audit_print_reply(struct audi
audit_flag_to_name((int)rep->rule->flags),
audit_action_to_name(rep->rule->action));
for (i = 0; i < rep->rule->field_count; i++) {
- int field = rep->rule->fields[i];
- int negated = 0;
-
- if (field & AUDIT_NEGATE) {
- field &= ~AUDIT_NEGATE;
- negated = 1;
- }
+ int field = rep->rule->fields[i] & ~AUDIT_OPERATORS & ~AUDIT_NEGATE;
+ int op = rep->rule->fields[i] & AUDIT_OPERATORS & ~AUDIT_NEGATE;
const char *name = audit_field_to_name(field);
if (name) {
if (strcmp(name, "arch") == 0) {
audit_elf =rep->rule->values[i];
printf(" %s%s%u", name,
- negated ? "!=" : "=",
+ audit_operator_to_symbol(op),
(unsigned)rep->rule->values[i]);
}
- else
+ else if (strcmp(name, "msgtype") == 0)
+ if (!audit_msg_type_to_name(rep->rule->values[i]))
+ printf(" %s%s%d", name,
+ audit_operator_to_symbol(op),
+ rep->rule->values[i]);
+ else
+ printf(" %s%s%s", name,
+ audit_operator_to_symbol(op),
+ audit_msg_type_to_name(rep->rule->values[i]));
+ else
printf(" %s%s%d", name,
- negated ? "!=" : "=",
+ audit_operator_to_symbol(op),
rep->rule->values[i]);
}
else
printf(" f%d%s%d", rep->rule->fields[i],
- negated ? "!=" : "=",
+ audit_operator_to_symbol(op),
rep->rule->values[i]);
if (rep->rule->values[i])
printf(" (0x%x)", rep->rule->values[i]);
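Review bot: The new `else if (strcmp(name, "msgtype") == 0)` branch places an unbraced inner `if`/`else` inside the outer `if`/`else if`/`else` chain, so the final `else` before the generic `printf` reaches the right `if` only through dangling-else binding; it parses correctly today but is a classic source of misbinding on the next edit. `audit_msg_type_to_name(rep->rule->values[i])` is also evaluated twice for the same value. Bracing the branch and caching the lookup result, as below, keeps the output identical. One thing to confirm: `op` is computed with `AUDIT_NEGATE` masked out, so a rule carrying only the legacy negate bit yields `op == 0` here and the printed operator then depends on what `audit_operator_to_symbol(0)` returns. `audit_print_reply()` begins outside this hunk.
```c
				else if (strcmp(name, "msgtype") == 0) {
					/* one lookup; fall back to the raw number for unknown types */
					const char *msg = audit_msg_type_to_name(rep->rule->values[i]);
					if (msg)
						printf(" %s%s%s", name,
							audit_operator_to_symbol(op), msg);
					else
						printf(" %s%s%d", name,
							audit_operator_to_symbol(op),
							rep->rule->values[i]);
				}
				/* … unchanged: generic field printf and the unnamed-field branch … */
```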