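/*
 * print_a2 - interpret the a2 field (third syscall argument) of an audit
 * record.
 *
 * @val: text of the a2 field; the fcntl branch parses it as hexadecimal.
 * @r:   record node supplying machine, syscall and (for fcntl) a1.
 *
 * The syscall name is resolved with audit_syscall_to_name() and the value
 * is handed to the matching print_* helper.  When the syscall is unknown
 * or has no decoder, a strdup() copy of @val is returned.  On a numeric
 * conversion error the result is an asprintf() buffer, or NULL when that
 * allocation fails.
 *
 * NOTE(review): the strdup()/asprintf() results are heap allocations
 * returned through a const pointer; presumably the caller frees them.
 * Confirm against the callers.
 */
static const char *print_a2(const char *val, const rnode *r)
{
	int machine = r->machine, syscall = r->syscall;
	const char *sys = audit_syscall_to_name(syscall, machine);
	char *out;

	if (sys == NULL)
		return strdup(val);

	if (strncmp(sys, "fcntl", 5) == 0) {
		int ival;

		errno = 0;
		ival = strtoul(val, NULL, 16);
		if (errno) {
			/*
			 * asprintf() leaves the pointer undefined on failure;
			 * return NULL rather than an indeterminate pointer.
			 */
			if (asprintf(&out, "conversion error(%s)", val) < 0)
				out = NULL;
			return out;
		}
		switch (r->a1) {
		case F_SETOWN:
			/*
			 * NOTE(review): fcntl(2) describes the F_SETOWN
			 * argument as a process or process-group ID, yet it
			 * is rendered through print_uid() here.  Confirm
			 * that this is intended.
			 */
			return print_uid(val, 16);
		case F_SETFD:
			if (ival == FD_CLOEXEC)
				return strdup("FD_CLOEXEC");
			/* Fall thru okay. */
		case F_SETFL:
		case F_SETLEASE:
		case F_GETLEASE:
		case F_NOTIFY:
		default:
			break;
		}
		/* No symbolic form for this command: emit the raw value. */
		return strdup(val);
	}

	if (strcmp(sys, "openat") == 0)
		return print_open_flags(val);
	if (strcmp(sys, "fchmodat") == 0)
		return print_mode_short(val);
	/*
	 * fchownat(dirfd, path, owner, group, flags) carries the owner in a2,
	 * so it must be caught before the generic "chown" substring match,
	 * which treats a2 as the group (chown/fchown/lchown layout).
	 */
	if (strcmp(sys, "fchownat") == 0)
		return print_uid(val, 16);
	if (strstr(sys, "chown"))
		return print_gid(val, 16);
	if (strcmp(sys, "setresuid") == 0)
		return print_uid(val, 16);
	if (strcmp(sys, "setresgid") == 0)
		return print_gid(val, 16);
	if (strcmp(sys, "tgkill") == 0)
		return print_signals(val, 16);
	if (strcmp(sys, "mkdirat") == 0)
		return print_mode_short(val);
	if (strcmp(sys, "mmap") == 0)
		return print_prot(val, 1);
	if (strcmp(sys, "mprotect") == 0)
		return print_prot(val, 0);
	if (strcmp(sys, "socket") == 0)
		return print_socket_proto(val);
	if (strcmp(sys, "clone") == 0)
		return print_clone_flags(val);
	if (strcmp(sys, "recvmsg") == 0)
		return print_recv(val);

	return strdup(val);
}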
/*
 * print_file_info - emit the columns of one file entry.
 *
 * @file_st: stat data for the file being listed.
 * @format:  per-column flags; each flag is passed unchanged to the helper
 *           for its column.
 *
 * The helpers run in a fixed order: mode, link count, owner, group, size,
 * time.  Owner and group share format->id_name_flag.
 */
static void print_file_info(const struct stat *file_st,
			    const struct print_f *format)
{
	print_mode(file_st->st_mode, format->mode_flag);
	print_nlink(file_st->st_nlink, format->link_flag);

	/* uid and gid are both driven by the same id/name flag. */
	print_uid(file_st->st_uid, format->id_name_flag);
	print_gid(file_st->st_gid, format->id_name_flag);

	print_size(file_st->st_size, format->size_flag);

	/* The time helper takes the whole stat structure, not one field. */
	print_time(file_st, format->date_flag, format->time_form);
}
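/*
 * print_a1 - interpret the a1 field (second syscall argument) of an audit
 * record.
 *
 * @val: text of the a1 field.
 * @r:   record node supplying machine and syscall.
 *
 * The syscall name is resolved with audit_syscall_to_name() and the value
 * is handed to the matching print_* helper.  When the syscall is unknown
 * or has no decoder, a strdup() copy of @val is returned.
 *
 * NOTE(review): the strdup() result is a heap allocation returned through
 * a const pointer; presumably the caller frees it.  Confirm against the
 * callers.
 */
static const char *print_a1(const char *val, const rnode *r)
{
	int machine = r->machine, syscall = r->syscall;
	const char *sys = audit_syscall_to_name(syscall, machine);

	if (sys == NULL)
		return strdup(val);

	if (strcmp(sys, "open") == 0)
		return print_open_flags(val);
	if (strcmp(sys, "epoll_ctl") == 0)
		return print_epoll_ctl(val);
	if (strcmp(sys, "chmod") == 0 || strcmp(sys, "fchmod") == 0)
		return print_mode_short(val);
	/*
	 * chown/fchown/lchown carry the owner in a1.  fchownat(dirfd, path,
	 * owner, group, flags) carries the pathname pointer there instead.
	 * It is excluded so that a pointer is never rendered as a user id
	 * in interpreted audit output.
	 */
	if (strstr(sys, "chown") && strcmp(sys, "fchownat") != 0)
		return print_uid(val, 16);
	if (strcmp(sys, "setreuid") == 0 || strcmp(sys, "setresuid") == 0)
		return print_uid(val, 16);
	if (strcmp(sys, "setregid") == 0 || strcmp(sys, "setresgid") == 0)
		return print_gid(val, 16);
	if (strcmp(sys, "kill") == 0 || strcmp(sys, "tkill") == 0)
		return print_signals(val, 16);
	if (strcmp(sys, "mkdir") == 0 || strcmp(sys, "creat") == 0)
		return print_mode_short(val);
	/* Prefix match: any syscall name starting with "fcntl". */
	if (strncmp(sys, "fcntl", 5) == 0)
		return print_fcntl_cmd(val);
	if (strcmp(sys, "mknod") == 0)
		return print_mode(val, 16);
	if (strcmp(sys, "socket") == 0)
		return print_socket_type(val);

	return strdup(val);
}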
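/*
 * long_entry - print one long-format listing line for a file.
 *
 * @file: name of the file being listed.
 * @st:   stat data for that file.
 *
 * Columns: serial prefix, mode string, link count, owner, group, size,
 * name.  The link count and size are cast to fixed types before
 * formatting.  nlink_t and off_t vary in width between platforms, and
 * passing them straight to "%u" is undefined when they are wider than
 * unsigned int.
 *
 * NOTE(review): print_uid() and print_gid() are both evaluated within one
 * printf() call.  If they return a shared static buffer, one column would
 * overwrite the other.  Confirm against their definitions.
 */
void long_entry(const char *file, const struct stat *st)
{
	printf("%s%s %2lu %7s %7s %10llu %s\n",
	       print_serial(st),
	       mode2str(st->st_mode),
	       (unsigned long)st->st_nlink,
	       print_uid(st),
	       print_gid(st),
	       (unsigned long long)st->st_size,
	       print_name(file, st));
}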
/*
 * print_a0 - interpret the a0 field (first syscall argument) of an audit
 * record.
 *
 * @val: text of the a0 field.
 * @r:   record node supplying machine and syscall.
 *
 * The syscall name is resolved with audit_syscall_to_name() and the value
 * is handed to the matching print_* helper.  When the syscall is unknown
 * or has no decoder, a strdup() copy of @val is returned.
 */
static const char *print_a0(const char *val, const rnode *r)
{
	int machine = r->machine, syscall = r->syscall;
	const char *name = audit_syscall_to_name(syscall, machine);

	if (!name)
		return strdup(val);

	if (!strcmp(name, "rt_sigaction"))
		return print_signals(val, 16);

	/* set*uid family: a0 goes through the uid printer. */
	if (!strcmp(name, "setuid") || !strcmp(name, "setreuid") ||
	    !strcmp(name, "setresuid") || !strcmp(name, "setfsuid"))
		return print_uid(val, 16);

	/* set*gid family: a0 goes through the gid printer. */
	if (!strcmp(name, "setgid") || !strcmp(name, "setregid") ||
	    !strcmp(name, "setresgid") || !strcmp(name, "setfsgid"))
		return print_gid(val, 16);

	if (!strcmp(name, "clock_settime"))
		return print_clock_id(val);
	if (!strcmp(name, "personality"))
		return print_personality(val);
	if (!strcmp(name, "ptrace"))
		return print_ptrace(val);

	/* Substring match: any syscall name containing "etrlimit". */
	if (strstr(name, "etrlimit") != NULL)
		return print_rlimit(val);

	if (!strcmp(name, "socket"))
		return print_socket_domain(val);

	return strdup(val);
}
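/*
 * interpret - print one name=value field of an audit record in
 * interpreted form.
 *
 * @name:  field name; leading spaces and '(' are skipped.
 * @val:   field value.  It is modified in place when @name is "acct" and
 *         the value ends in ':'.
 * @comma: selects the separator used by the fallback branch (',' when
 *         non-zero, ' ' otherwise).
 * @rtype: record type, used to override the type lookup for some fields.
 *
 * The field type comes from audit_lookup_type() unless a fixup below
 * applies.  The value is then passed to the printer for that type.
 * Unrecognised types are printed verbatim.
 */
static void interpret(char *name, char *val, int comma, int rtype)
{
	int type;

	while (*name == ' ' || *name == '(')
		name++;

	/* Do some fixups */
	if (rtype == AUDIT_EXECVE && name[0] == 'a')
		type = T_ESCAPED;
	else if (rtype == AUDIT_AVC && strcmp(name, "saddr") == 0)
		type = -1;
	else if (strcmp(name, "acct") == 0) {
		/*
		 * Remove trailing punctuation.  The value comes from record
		 * text and may be empty, so check the length before indexing.
		 * Otherwise val[len - 1] reads (and may write) one byte before
		 * the buffer.
		 */
		size_t len = strlen(val);

		if (len > 0 && val[len - 1] == ':')
			val[len - 1] = 0;
		if (val[0] == '"')
			type = T_ESCAPED;
		else if (is_hex_string(val))
			type = T_ESCAPED;
		else
			type = -1;
	} else
		type = audit_lookup_type(name);

	switch (type) {
	case T_UID:
		print_uid(val);
		break;
	case T_GID:
		print_gid(val);
		break;
	case T_SYSCALL:
		print_syscall(val);
		break;
	case T_ARCH:
		print_arch(val);
		break;
	case T_EXIT:
		print_exit(val);
		break;
	case T_ESCAPED:
		print_escaped(val);
		break;
	case T_PERM:
		print_perm(val);
		break;
	case T_MODE:
		print_mode(val);
		break;
	case T_SOCKADDR:
		print_sockaddr(val);
		break;
	case T_FLAGS:
		print_flags(val);
		break;
	case T_PROMISC:
		print_promiscuous(val);
		break;
	case T_CAPABILITY:
		print_capabilities(val);
		break;
	case T_SIGNAL:
		print_signals(val);
		break;
	case T_KEY:
		print_key(val);
		break;
	case T_LIST:
		print_list(val);
		break;
	case T_TTY_DATA:
		print_tty_data(val);
		break;
	default:
		/* Includes the explicit -1 set by the fixups above. */
		printf("%s%c", val, comma ? ',' : ' ');
	}
}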