mirror of
https://github.com/Fishwaldo/linux-bl808.git
synced 2025-06-17 20:25:19 +00:00
[PATCH] add rule filterkey
Add support for a rule key, which can be used to tie audit records to audit rules. This is useful when a watched file is accessed through a link or symlink, as well as for general audit log analysis. Because this patch uses a string key instead of an integer key, there is a bit of extra overhead to do the kstrdup() when a rule fires. However, we're also allocating memory for the audit record buffer, so it's probably not that significant. I went ahead with a string key because it seems more user-friendly. Note that the user must ensure that filterkeys are unique. The kernel only checks for duplicate rules. Signed-off-by: Amy Griffis <amy.griffis@hpd.com>
This commit is contained in:
Amy Griffis
Al Viro
parent
9262e9149f
commit
5adc8a6adc
4 changed files with 78 additions and 36 deletions
|
|
@ -122,6 +122,7 @@
|
|||
/* Rule structure sizes -- if these change, different AUDIT_ADD and
|
||||
* AUDIT_LIST commands must be implemented. */
|
||||
#define AUDIT_MAX_FIELDS 64
|
||||
#define AUDIT_MAX_KEY_LEN 32
|
||||
#define AUDIT_BITMASK_SIZE 64
|
||||
#define AUDIT_WORD(nr) ((__u32)((nr)/32))
|
||||
#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
|
||||
|
|
@ -171,6 +172,8 @@
|
|||
#define AUDIT_ARG2 (AUDIT_ARG0+2)
|
||||
#define AUDIT_ARG3 (AUDIT_ARG0+3)
|
||||
|
||||
#define AUDIT_FILTERKEY 210
|
||||
|
||||
#define AUDIT_NEGATE 0x80000000
|
||||
|
||||
/* These are the supported operators.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue