[PATCH 0/2] audit string fields interface + consumer

Amy Griffis amy.griffis at hp.com
Wed Jan 11 23:05:39 UTC 2006


Here is some additional description of the functionality provided with
the new AUDIT_WATCH field.  I posted it in a previous iteration of
this code, but thought I'd include it here for cohesiveness.

On Wed, Jan 11, 2006 at 01:59:21PM -0500, Amy Griffis wrote:
> Following are two patches, the first of which provides an interface
> for specifying audit rules with string fields.  The second patch adds
> a new string field AUDIT_WATCH.  These patches are an update of the
> previous audit interface patches I have posted to this list.
> 
> These patches are functionally similar to the previous posts; however,
> I believe you will find the organization of the code to be quite
> different and much improved.  I have updated the interface based on
> the feedback I received.  I also resolved the issue of differentiating
> between inode-based and path-based (or watch-based) filtering by
> creating a new field AUDIT_WATCH and adding it to the switch in
> audit_filter_rules().
> 
> Following is a summary of the interface.
> 
> A new struct audit_rule_data and corresponding netlink message types
> have been added.  Additionally, the SELinux nlmsg_audit_perms[] table
> has been updated with the new netlink message types.
> 
> The new struct allows userspace to supply one or more string fields
> packed in a variable length buffer.  The kernel expects the buffer to
> be neither null-delimited nor null-terminated.
> 
> The length of string data for a given field is provided as its value
> element in the array.  The kernel provides the buflen element for
> convenience on rule listing, to allow userspace to allocate memory for
> the buffer without walking the array to tabulate lengths.  Buflen is
> ignored coming from userspace.  Instead, the kernel ensures that the
> total of the lengths specified in the value elements does not exceed the
> length of the message payload minus sizeof(struct audit_rule_data).
> 
> Several routines have been added to auditfilter.c to translate between
> the kernel's rule representation and the two userspace rule
> representations using structs audit_rule and audit_rule_data.

With the AUDIT_WATCH field, userspace may specify a path filter, akin
to specifying an inode filter.  If a filename exists at the specified
path, audit records will be generated as they are for inode filters.
If a filename does not exist at the specified path, the rule will be
added, but no records will be generated.

In the next patch set, I will provide the functionality necessary to
support persistence for path-based filters (aka watches).  This will
enable audit to generate audit records whenever an inode exists at the
specified path.
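The packed string-field layout summarized in the quoted text (each string's length carried in its value element, strings neither NUL-delimited nor NUL-terminated, buflen ignored on input and filled in by the kernel on listing, and the kernel bounding the sum of the lengths by the payload length minus the header size) is easier to see in code. The following is an added example written for this page, not code from the patches or from the kernel: the struct layout, the field id FIELD_WATCH standing in for AUDIT_WATCH, and all function names are assumptions chosen to mirror the description, not the definitions in linux/audit.h. Both the userspace packing side and the kernel validation side are modelled so the length check and the listing-side buflen can be exercised against a constructed message.

```c
/* Added example: model of the audit_rule_data string-field layout described
 * in the cover letter.  Struct, field id and function names are assumptions
 * for this example, not the kernel's own definitions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS   64
#define FIELD_WATCH  1001   /* placeholder standing in for AUDIT_WATCH */

struct rule_data {
    uint32_t flags;
    uint32_t action;
    uint32_t field_count;
    uint32_t fields[MAX_FIELDS];
    uint32_t values[MAX_FIELDS];  /* string field: byte length of its data in buf */
    uint32_t buflen;              /* set by the kernel on listing; ignored on input */
    char     buf[];               /* strings packed back to back, no NUL anywhere */
};

static int is_string_field(uint32_t id) { return id == FIELD_WATCH; }

/* Userspace side: pack n string fields into one variable-length message. */
struct rule_data *pack_rule(const uint32_t *ids, const char **strs, size_t n,
                            size_t *payload_len)
{
    size_t total = 0, off = 0, i;
    struct rule_data *r;

    if (n > MAX_FIELDS)
        return NULL;
    for (i = 0; i < n; i++)
        total += strlen(strs[i]);
    r = calloc(1, sizeof(*r) + total);
    if (!r)
        return NULL;
    r->field_count = (uint32_t)n;
    for (i = 0; i < n; i++) {
        size_t len = strlen(strs[i]);
        r->fields[i] = ids[i];
        r->values[i] = (uint32_t)len;       /* length travels in the value element */
        memcpy(r->buf + off, strs[i], len); /* no terminator, no delimiter */
        off += len;
    }
    /* buflen deliberately left 0: the kernel ignores it on the way in */
    *payload_len = sizeof(*r) + total;
    return r;
}

/* Kernel side: the bound described in the cover letter.  Returns 0 if the sum
 * of the string lengths fits in payload_len - sizeof(header), -1 otherwise. */
int validate_rule(const struct rule_data *r, size_t payload_len)
{
    size_t avail, used = 0, i;

    if (payload_len < sizeof(*r) || r->field_count > MAX_FIELDS)
        return -1;
    avail = payload_len - sizeof(*r);
    for (i = 0; i < r->field_count; i++) {
        if (!is_string_field(r->fields[i]))
            continue;
        if (r->values[i] > avail - used)    /* written to avoid size_t overflow */
            return -1;
        used += r->values[i];
    }
    return 0;
}

/* Kernel side on listing: fill in buflen so userspace can allocate the buffer
 * without walking the array.  Returns the value set. */
uint32_t set_buflen(struct rule_data *r)
{
    uint32_t total = 0, i;

    for (i = 0; i < r->field_count; i++)
        if (is_string_field(r->fields[i]))
            total += r->values[i];
    r->buflen = total;
    return total;
}

/* Walk the packed buffer to field idx and return its string as a NUL-terminated
 * malloc'd copy (caller frees); NULL if idx is not a string field. */
char *get_string(const struct rule_data *r, size_t idx)
{
    size_t off = 0, i;
    char *s;

    if (idx >= r->field_count || !is_string_field(r->fields[idx]))
        return NULL;
    for (i = 0; i < idx; i++)
        if (is_string_field(r->fields[i]))
            off += r->values[i];
    s = malloc(r->values[idx] + 1);
    if (!s)
        return NULL;
    memcpy(s, r->buf + off, r->values[idx]);
    s[r->values[idx]] = '\0';
    return s;
}

int main(void)
{
    /* constructed sample: two watch rules packed into one message */
    const uint32_t ids[] = { FIELD_WATCH, FIELD_WATCH };
    const char *paths[] = { "/etc/shadow", "/etc/passwd" };
    size_t len;
    struct rule_data *r = pack_rule(ids, paths, 2, &len);
    char *p;

    if (!r)
        return 1;
    printf("payload %zu bytes, valid=%d, short payload valid=%d\n", len,
           validate_rule(r, len) == 0, validate_rule(r, len - 1) == 0);
    set_buflen(r);
    p = get_string(r, 1);
    printf("buflen=%u field[1]=\"%s\"\n", r->buflen, p);
    free(p);
    free(r);
    return 0;
}
```

The validation loop only counts fields the model treats as string fields, since for the other fields the value element is the comparison value rather than a length; it also compares each length against the remaining room rather than summing first, so an oversized value element cannot wrap the total around.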



