[PATCH] add rule filterkey
Add support for a rule key, which can be used to tie audit records to audit rules. This is useful when a watched file is accessed through a link or symlink, as well as for general audit log analysis. Because this patch uses a string key instead of an integer key, there is a bit of extra overhead to do the kstrdup() when a rule fires. However, we're also allocating memory for the audit record buffer, so it's probably not that significant. I went ahead with a string key because it seems more user-friendly. Note that the user must ensure that filterkeys are unique. The kernel only checks for duplicate rules. Signed-off-by: Amy Griffis <amy.griffis@hpd.com>
This commit is contained in:
parent
9262e9149f
commit
5adc8a6adc
4 changed files with 78 additions and 36 deletions
|
@ -81,6 +81,7 @@ struct audit_krule {
|
|||
u32 mask[AUDIT_BITMASK_SIZE];
|
||||
u32 buflen; /* for data alloc on list rules */
|
||||
u32 field_count;
|
||||
char *filterkey; /* ties events to rules */
|
||||
struct audit_field *fields;
|
||||
struct audit_field *inode_f; /* quick access to an inode field */
|
||||
struct audit_watch *watch; /* associated watch */
|
||||
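Review bot: The new `filterkey` member is an owned heap string (the description says it is kstrdup()'d when a rule fires), but the comment on the added line does not say who owns and frees it, nor that NULL must be a valid "no key" state; the free, copy and compare paths that have to honour that live in the other changed files, outside this hunk. I would make the contract explicit on the member: `char *filterkey; /* ties events to rules; kstrdup'd copy owned by the rule, NULL when unset */`. Since the key originates from userspace rule data, the parsing path should presumably bound its length and reject an unterminated or embedded-NUL string before duplicating it, and the duplicate-rule check the description mentions should compare keys without calling strcmp() on a NULL pointer — I cannot confirm either from this hunk. struct audit_krule starts and ends outside the hunk.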
|
|