[PATCH 1/2] audit string fields interface + consumer

Amy Griffis amy.griffis at hp.com
Tue Jan 17 22:23:23 UTC 2006


On Mon, Jan 16, 2006 at 03:16:04PM -0600, Dustin Kirkland wrote:
> On 1/11/06, Amy Griffis <amy.griffis at hp.com> wrote:
> > +static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
> > +                                              size_t datasz)
> >  {
> > +       int err = 0;
> > +       struct audit_entry *entry;
> > +       void *bufp;
> > +       /* size_t remain = datasz - sizeof(struct audit_rule_data); */
> >         int i;
> >
> > -       if (a->flags != b->flags)
> > -               return 1;
> > +       entry = audit_to_entry_common((struct audit_rule *)data);
> > +       if (IS_ERR(entry))
> > +               goto exit_nofree;
> > +
> > +       bufp = data->buf;
> > +       entry->rule.vers_ops = 2;
> > +       for (i = 0; i < data->field_count; i++) {
> > +               struct audit_field *f = &entry->rule.fields[i];
> > +
> > +               err = -EINVAL;
> > +               if (!(data->fieldflags[i] & AUDIT_OPERATORS) ||
> > +                   data->fieldflags[i] & ~AUDIT_OPERATORS)
> > +                       goto exit_free;
> > +
> > +               f->op = data->fieldflags[i] & AUDIT_OPERATORS;
> > +               f->type = data->fields[i];
> > +               switch(f->type) {
> > +               /* call type-specific conversion routines here */
> > +               default:
> > +                       f->val = data->values[i];
> > +               }
> > +       }
> >
> > -       if (a->action != b->action)
> > -               return 1;
> > +exit_nofree:
> > +       return entry;
> > +
> > +exit_free:
> > +       kfree(entry);
> > +       return ERR_PTR(err);
> > +}
> 
> Amy-
> 
> I'm noticing that this code does not yet do anything with the
> strings potentially in data->buf...  Is this still on your to-do, or
> was this intentional?

Yes, it was intentional.  I tried to split the two patches between the
interface changes themselves, and the code added for the field
AUDIT_WATCH.

The second patch adds the following changes to this block:

@@ -161,8 +195,9 @@ static struct audit_entry *audit_data_to
 	int err = 0;
 	struct audit_entry *entry;
 	void *bufp;
-	/* size_t remain = datasz - sizeof(struct audit_rule_data); */
+	size_t remain = datasz - sizeof(struct audit_rule_data);
 	int i;
+	char *path;
 
 	entry = audit_to_entry_common((struct audit_rule *)data);
 	if (IS_ERR(entry))
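Review bot: `remain` is initialised as `datasz - sizeof(struct audit_rule_data)` with no lower bound on `datasz`, so a payload shorter than the fixed header would wrap the `size_t` to a very large value and weaken whatever length check `audit_unpack_string()` performs through `&remain`. No caller is visible here, so unless the receive path already rejects short messages, declare `size_t remain;` and add `if (datasz < sizeof(struct audit_rule_data)) return ERR_PTR(-EINVAL);` ahead of `remain = datasz - sizeof(struct audit_rule_data);`. A one-line comment that `remain` counts the unread bytes of `data->buf` would also help the next reader. The function body continues outside this hunk.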
@@ -180,10 +215,20 @@ static struct audit_entry *audit_data_to
 
 		f->op = data->fieldflags[i] & AUDIT_OPERATORS;
 		f->type = data->fields[i];
+		f->val = data->values[i];
 		switch(f->type) {
-		/* call type-specific conversion routines here */
-		default:
-			f->val = data->values[i];
+		case AUDIT_WATCH:
+			path = audit_unpack_string(&bufp, &remain, f->val);
+			if (IS_ERR(path))
+				goto exit_free;
+			entry->rule.buflen += f->val;
+
+			err = audit_to_watch(path, &entry->rule, i);
+			if (err) {
+				kfree(path);
+				goto exit_free;
+			}
+			break;
 		}
 	}
 
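Review bot: When `audit_unpack_string()` fails, the `goto exit_free` returns whatever `err` already holds (the quoted first patch sets `err = -EINVAL` at the top of each iteration), so the real cause, for example an allocation failure, is reported as -EINVAL; adding `err = PTR_ERR(path);` before the `goto` would preserve it. Separately, `exit_free` only does `kfree(entry)`, so if `audit_to_watch()` keeps `path` in the rule on success (its body is not shown), a failure on a later field would leak the path stored by an earlier AUDIT_WATCH field. `f->val` is copied straight from `data->values[i]` and used as the string length, so the check inside `audit_unpack_string()` appears to be the only thing keeping the read within `data->buf`; a short comment at the case saying so would be worthwhile. The loop header and the exit labels lie outside this hunk.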
So any type that uses a string field should add a case here, call
audit_unpack_string() to unpack the buffer, and then do whatever else
is needed to translate the resulting string to the values used in the
audit rule.

Hope this helps,
Amy



