[PATCH] audit-0.6.10 (update)
Timothy R. Chavez
tinytim at us.ibm.com
Sat Apr 23 05:46:10 UTC 2005
Hello,
This patch does some minor cosmetic fixups and also fixed the faulty #include
path Stephen pointed out earlier. I will try to patch up to the latest audit
user package later today.
Thanks.
-tim
diff -Nurp audit-0.6.10~orig/lib/libaudit.c audit-0.6.10~audit/lib/libaudit.c
--- audit-0.6.10~orig/lib/libaudit.c 2005-03-31 22:04:57.000000000 +0000
+++ audit-0.6.10~audit/lib/libaudit.c 2005-04-23 05:34:39.000000000 +0000
@@ -203,18 +203,44 @@ int audit_request_list(int fd)
return rc;
}
-int audit_insert_watch(int fd, struct audit_watch *req)
+int audit_insert_watch(int fd, struct audit_transport *req, char **buf)
{
- int rc = audit_send(fd, AUDIT_WATCH_INS, req, sizeof(*req));
+ void *memblk = NULL;
+ unsigned int offset, total;
+
+ total = sizeof(*req) + req->pathlen + req->fklen;
+ memblk = (void*)malloc(total);
+ if (!memblk)
+ return -1;
+
+ memcpy(memblk, req, sizeof(*req));
+ offset = total - req->fklen;
+ memcpy(memblk + offset, buf[1], req->fklen);
+ offset = offset - req->pathlen;
+ memcpy(memblk + offset, buf[0], req->pathlen);
+
+ int rc = audit_send(fd, AUDIT_WATCH_INS, memblk, total);
if (rc < 0)
msg(LOG_WARNING, "Error sending watch insert request (%s)",
strerror(-rc));
return rc;
}
-int audit_remove_watch(int fd, struct audit_watch *req)
+int audit_remove_watch(int fd, struct audit_transport *req, char **buf)
{
- int rc = audit_send(fd, AUDIT_WATCH_REM, req, sizeof(*req));
+ void *memblk = NULL;
+ unsigned int offset, total;
+
+ total = sizeof(*req) + req->pathlen;
+ memblk = (void*)malloc(total);
+ if (!memblk)
+ return -1;
+
+ memcpy(memblk, req, sizeof(*req));
+ offset = total - req->pathlen;
+ memcpy(memblk + offset, buf[0], req->pathlen);
+
+ int rc = audit_send(fd, AUDIT_WATCH_REM, memblk, total);
if (rc < 0)
msg(LOG_WARNING, "Error sending watch remove request (%s)",
strerror(-rc));
diff -Nurp audit-0.6.10~orig/lib/libaudit.h audit-0.6.10~audit/lib/libaudit.h
--- audit-0.6.10~orig/lib/libaudit.h 2005-04-23 05:26:17.000000000 +0000
+++ audit-0.6.10~audit/lib/libaudit.h 2005-04-23 05:31:28.000000000 +0000
@@ -42,11 +42,22 @@
#define AUDIT_WATCH_LIST 1009
struct audit_watch {
- uint32_t namelen;
- uint32_t fklen;
- char *name;
- char *filterkey;
- uint32_t perms;
+ uint32_t dev_major;
+ uint32_t dev_minor;
+ char *path;
+ char *filterkey;
+ uint32_t perms;
+ uint32_t valid;
+};
+
+struct audit_transport {
+ uint32_t dev_major;
+ uint32_t dev_minor;
+ uint32_t perms;
+ uint32_t valid;
+ uint32_t pathlen;
+ uint32_t fklen;
+ char buf[0];
};
/* 32 byte max key size */
#define AUDIT_FILTERKEY_MAX 32
@@ -57,15 +68,15 @@ struct audit_watch {
struct audit_reply {
struct audit_message msg;
- int type;
- int len;
- struct nlmsghdr *nlh;
- struct audit_status *status;
- struct audit_rule *rule;
- struct audit_login *login;
- const char *message;
- struct nlmsgerr *error;
- int watch;
+ int type;
+ int len;
+ struct nlmsghdr *nlh;
+ struct audit_status *status;
+ struct audit_rule *rule;
+ struct audit_login *login;
+ struct audit_transport *watch;
+ const char *message;
+ struct nlmsgerr *error;
};
struct auditd_reply_list {
@@ -120,8 +131,8 @@ extern int audit_set_backlog_limit(int
extern int audit_request_list(int fd);
/* AUDIT_WATCH */
-extern int audit_insert_watch(int fd, struct audit_watch *req);
-extern int audit_remove_watch(int fd, struct audit_watch *req);
+extern int audit_insert_watch(int fd, struct audit_transport *req, char **buf);
+extern int audit_remove_watch(int fd, struct audit_transport *req, char **buf);
/* AUDIT_ADD */
extern int audit_add_rule(int fd, struct audit_rule *rule,
diff -Nurp audit-0.6.10~orig/lib/netlink.c audit-0.6.10~audit/lib/netlink.c
--- audit-0.6.10~orig/lib/netlink.c 2005-03-31 22:04:57.000000000 +0000
+++ audit-0.6.10~audit/lib/netlink.c 2005-04-23 05:32:50.000000000 +0000
@@ -133,7 +133,7 @@ static int adjust_reply(struct audit_rep
rep->rule = NULL;
rep->message = NULL;
rep->error = NULL;
- rep->watch = 0;
+ rep->watch = NULL;
if (!NLMSG_OK(rep->nlh, (unsigned int)len))
return 0;
switch (rep->type) {
@@ -153,7 +153,8 @@ static int adjust_reply(struct audit_rep
break;
case AUDIT_WATCH_INS:
case AUDIT_WATCH_REM:
- memcpy(&rep->watch, NLMSG_DATA(rep->nlh), sizeof(int));
+ case AUDIT_WATCH_LIST:
+ rep->watch = NLMSG_DATA(rep->nlh);
break;
}
return len;
diff -Nurp audit-0.6.10~orig/src/auditctl.c audit-0.6.10~audit/src/auditctl.c
--- audit-0.6.10~orig/src/auditctl.c 2005-04-01 19:06:42.000000000 +0000
+++ audit-0.6.10~audit/src/auditctl.c 2005-04-23 05:34:01.000000000 +0000
@@ -73,6 +73,8 @@ static int add = 0, del = 0, action = 0;
static int ins = 0, rem = 0;
static struct audit_rule rule;
static struct audit_watch watch;
+static struct audit_transport wreq;
+static char *wreq_buf[2] = {NULL, NULL};
/*
@@ -90,7 +92,7 @@ static int reset_vars(void)
rem = 0;
memset(&rule, 0, sizeof(rule));
- memset(&watch, 0, sizeof(watch));
+ memset(&wreq, 0, sizeof(wreq));
if ((fd = audit_open()) < 0) {
fprintf(stderr, "Cannot open netlink audit socket\n");
return 1;
@@ -116,7 +118,8 @@ static void usage(void)
" -k <key> Set filterkey on watch\n"
" -l List rules\n"
" -m text Send a user-space message\n"
- " -p [r|w|e|a] Set permissions filter on watch:\n"
+ " -p [r|w|e|a] Set permissions filter on watch\n"
+ " r=read, w=write, e=execute, a=append\n"
" -r <rate> Set limit in messages/sec (0=none)\n"
" -R <file> read rules from file\n"
" -s Report status\n"
@@ -125,7 +128,6 @@ static void usage(void)
" -v Version\n"
" -w <path> Insert watch at <path>\n"
" -W <path> Remove watch at <path>\n"
- " r=read, w=write, e=execute, a=append\n"
);
}
@@ -183,24 +185,47 @@ static int check_path(const char *path)
return 0;
}
+static int make_watch(struct audit_transport *wreq, struct audit_watch *watch)
+{
+ watch->path = (char*)malloc(wreq->pathlen);
+ if (!watch->path)
+ return 0;
+
+ memcpy(watch->path, wreq->buf, wreq->pathlen);
+
+ if (wreq->fklen) {
+ watch->filterkey = (char*)malloc(wreq->fklen);
+ if (!watch->filterkey) {
+ free(watch->path);
+ return 0;
+ }
+ }
+
+ memcpy(watch->filterkey, wreq->buf+wreq->pathlen, wreq->fklen);
+
+ watch->dev_major = wreq->dev_major;
+ watch->dev_minor = wreq->dev_minor;
+ watch->perms = wreq->perms;
+ watch->valid = wreq->valid;
+
+ return 1;
+}
+
/*
- * Setup a watch. The "name" of the watch in userspace will be the <path> to
- * the watch. When this potential watch reaches the kernel, it will resolve
- * down to <name> (of terminating file or directory).
* Returns a 1 on success & -1 on failure.
*/
-static int audit_setup_watch_name(struct audit_watch *req, const char *opt,
+static int audit_setup_watch_path(struct audit_transport *req, const char *opt,
int *act)
{
- if (!req->name) {
+ if (!wreq_buf[0]) {
if (check_path(opt))
return -1;
- req->name = strdup(opt);
- if (!req->name) {
+ wreq_buf[0] = strdup(opt);
+ if (!wreq_buf[0]) {
fprintf(stderr, "Out of memory\n");
return -1;
}
- req->namelen = strlen(req->name) + 1;
+ req->pathlen = strlen(wreq_buf[0]) + 1;
*act = 1;
return 1;
}
@@ -212,18 +237,18 @@ static int audit_setup_watch_name(struct
* Setup a filterkey for the watch.
* Returns a 1 on success & -1 on failure.
*/
-static int audit_setup_filterkey(struct audit_watch *req, const char *opt)
+static int audit_setup_filterkey(struct audit_transport *req, const char *opt)
{
- if (!req->filterkey) {
- req->filterkey = strdup(opt);
- if (!req->filterkey) {
+ if (!wreq_buf[1]) {
+ wreq_buf[1] = strdup(opt);
+ if (!wreq_buf[1]) {
fprintf(stderr, "Out of memory\n");
return -1;
}
req->fklen = strlen(opt) + 1;
if (req->fklen > AUDIT_FILTERKEY_MAX) {
fprintf(stderr, "The filterkey is too big\n");
- free(req->filterkey);
+ free(wreq_buf[1]);
return -1;
}
return 1;
@@ -236,7 +261,7 @@ static int audit_setup_filterkey(struct
* Setup a watch permissions.
* Returns a 1 on success & -1 on failure.
*/
-static int audit_setup_perms(struct audit_watch *req, const char *opt)
+static int audit_setup_perms(struct audit_transport *req, const char *opt)
{
int i;
@@ -453,7 +478,7 @@ static int setopt(int count, char *vars[
break;
case 'w':
if (optarg)
- retval = audit_setup_watch_name(&watch, optarg, &ins);
+ retval = audit_setup_watch_path(&wreq, optarg, &ins);
else {
fprintf(stderr, "watch option needs a path\n");
retval = -1;
@@ -461,7 +486,7 @@ static int setopt(int count, char *vars[
break;
case 'W':
if (optarg)
- retval = audit_setup_watch_name(&watch, optarg, &rem);
+ retval = audit_setup_watch_path(&wreq, optarg, &rem);
else {
fprintf(stderr, "watch option needs a path\n");
retval = -1;
@@ -478,7 +503,7 @@ static int setopt(int count, char *vars[
retval = -1;
}
else
- retval = audit_setup_filterkey(&watch, optarg);
+ retval = audit_setup_filterkey(&wreq, optarg);
break;
case 'p':
if (!ins) {
@@ -491,7 +516,7 @@ static int setopt(int count, char *vars[
retval = -1;
}
else
- retval = audit_setup_perms(&watch, optarg);
+ retval = audit_setup_perms(&wreq, optarg);
break;
case 'v':
printf("auditctl version %s\n", VERSION);
@@ -664,9 +689,9 @@ static int handle_request(int status)
else if (del & 0x07)
rc = audit_delete_rule(fd, &rule, del, action);
else if (ins && !rem)
- rc = audit_insert_watch(fd, &watch);
+ rc = audit_insert_watch(fd, &wreq, wreq_buf);
else if (rem && !ins)
- rc = audit_remove_watch(fd, &watch);
+ rc = audit_remove_watch(fd, &wreq, wreq_buf);
else {
usage();
audit_close(fd);
@@ -730,7 +755,7 @@ static int audit_print_reply(struct audi
return 1;
case NLMSG_DONE:
if (list_requested)
- printf("No rules\n");
+ return 1;
return 0;
case NLMSG_ERROR:
printf("NLMSG_ERROR %d (%s) type=%d seq=%d\n",
@@ -797,6 +822,23 @@ static int audit_print_reply(struct audi
}
printf("\n");
return 1; /* get more messages until NLMSG_DONE */
+ case AUDIT_WATCH_LIST: {
+ int ret = make_watch(rep->watch, &watch);
+ if (!ret)
+ return ret;
+
+ list_requested = 0;
+ printf("AUDIT_WATCH_LIST: dev=%u:%u, path=%s, "
+ "filterkey=%s, perms=%u, valid=%d\n",
+ watch.dev_major, watch.dev_minor, watch.path,
+ watch.filterkey, watch.perms, watch.valid);
+
+ free(watch.path);
+ free(watch.filterkey);
+ memset(&watch, 0, sizeof(watch));
+
+ return 1;
+ }
default:
printf("Unknown: type=%d, len=%d\n", rep->type,
rep->nlh->nlmsg_len);
More information about the Linux-audit
mailing list