void check_rule_mismatch(int lineno, const char *option)
{
struct audit_rule_data tmprule;
unsigned int old_audit_elf = _audit_elf;
int rc = 0;
switch (_audit_elf)
{
case AUDIT_ARCH_X86_64:
_audit_elf = AUDIT_ARCH_I386;
break;
case AUDIT_ARCH_PPC64:
_audit_elf = AUDIT_ARCH_PPC;
break;
case AUDIT_ARCH_S390X:
_audit_elf = AUDIT_ARCH_S390;
break;
}
memset(&tmprule, 0, sizeof(struct audit_rule_data));
audit_rule_syscallbyname_data(&tmprule, option);
if (memcmp(tmprule.mask, rule_new->mask, AUDIT_BITMASK_SIZE))
rc = 1;
_audit_elf = old_audit_elf;
if (rc) {
fprintf(stderr, "WARNING - 32/64 bit syscall mismatch");
if (lineno)
fprintf(stderr, " in line %d", lineno);
fprintf(stderr, ", you should specify an arch\n");
}
}
int audit_add_watch_dir(int type, struct audit_rule_data **rulep,
const char *path)
{
size_t len = strlen(path);
struct audit_rule_data *rule = *rulep;
if (rule && rule->field_count) {
audit_msg(LOG_ERR, "Rule is not empty\n");
return -1;
}
if (type != AUDIT_WATCH && type != AUDIT_DIR) {
audit_msg(LOG_ERR, "Invalid type used\n");
return -1;
}
*rulep = realloc(rule, len + sizeof(*rule));
if (*rulep == NULL) {
free(rule);
audit_msg(LOG_ERR, "Cannot realloc memory!\n");
return -1;
}
rule = *rulep;
memset(rule, 0, len + sizeof(*rule));
rule->flags = AUDIT_FILTER_EXIT;
rule->action = AUDIT_ALWAYS;
audit_rule_syscallbyname_data(rule, "all");
rule->field_count = 2;
rule->fields[0] = type;
rule->values[0] = len;
rule->fieldflags[0] = AUDIT_EQUAL;
rule->buflen = len;
memcpy(&rule->buf[0], path, len);
// Default to all permissions
rule->fields[1] = AUDIT_PERM;
rule->fieldflags[1] = AUDIT_EQUAL;
rule->values[1] = AUDIT_PERM_READ | AUDIT_PERM_WRITE |
AUDIT_PERM_EXEC | AUDIT_PERM_ATTR;
_audit_permadded = 1;
return 0;
}
/*
* returns: -3 deprecated, -2 success - no reply, -1 error - noreply,
* 0 success - reply, > 0 success - rule
*/
static int setopt(int count, int lineno, char *vars[])
{
int c;
int retval = 0, rc;
optind = 0;
opterr = 0;
key[0] = 0;
keylen = AUDIT_MAX_KEY_LEN;
while ((retval >= 0) && (c = getopt(count, vars,
"hicslDvtC:e:f:r:b:a:A:d:S:F:m:R:w:W:k:p:q:")) != EOF) {
int flags = AUDIT_FILTER_UNSET;
rc = 10; // Init to something impossible to see if unused.
switch (c) {
case 'h':
usage();
retval = -1;
break;
case 'i':
ignore = 1;
retval = -2;
break;
case 'c':
ignore = 1;
continue_error = 1;
retval = -2;
break;
case 's':
retval = audit_request_status(fd);
if (retval <= 0)
retval = -1;
else
retval = 0; /* success - just get the reply */
break;
case 'e':
if (optarg && ((strcmp(optarg, "0") == 0) ||
(strcmp(optarg, "1") == 0) ||
(strcmp(optarg, "2") == 0))) {
if (audit_set_enabled(fd, strtoul(optarg,NULL,0)) > 0)
audit_request_status(fd);
else
retval = -1;
} else {
fprintf(stderr, "Enable must be 0, 1, or 2 was %s\n",
optarg);
retval = -1;
}
break;
case 'f':
if (optarg && ((strcmp(optarg, "0") == 0) ||
(strcmp(optarg, "1") == 0) ||
(strcmp(optarg, "2") == 0))) {
if (audit_set_failure(fd, strtoul(optarg,NULL,0)) > 0)
audit_request_status(fd);
else
return -1;
} else {
fprintf(stderr, "Failure must be 0, 1, or 2 was %s\n",
optarg);
retval = -1;
}
break;
case 'r':
if (optarg && isdigit(optarg[0])) {
uint32_t rate;
errno = 0;
rate = strtoul(optarg,NULL,0);
if (errno) {
fprintf(stderr, "Error converting rate\n");
return -1;
}
if (audit_set_rate_limit(fd, rate) > 0)
audit_request_status(fd);
else
return -1;
} else {
fprintf(stderr, "Rate must be a numeric value was %s\n",
optarg);
retval = -1;
}
break;
case 'b':
if (optarg && isdigit(optarg[0])) {
uint32_t limit;
errno = 0;
limit = strtoul(optarg,NULL,0);
if (errno) {
fprintf(stderr, "Error converting backlog\n");
return -1;
}
if (audit_set_backlog_limit(fd, limit) > 0)
audit_request_status(fd);
else
return -1;
} else {
fprintf(stderr,
"Backlog must be a numeric value was %s\n",
optarg);
retval = -1;
}
break;
case 'l':
if (count > 4 || count == 3) {
fprintf(stderr,
"Wrong number of options for list request\n");
retval = -1;
break;
}
if (count == 4) {
if (strcmp(vars[optind], "-k") == 0) {
strncat(key, vars[3], keylen);
count -= 2;
} else {
fprintf(stderr,
"Only the -k option is allowed\n");
retval = -1;
break;
}
}
if (audit_request_rule_list(fd))
retval = -2;
else
retval = -1;
break;
case 'a':
if (strstr(optarg, "task") && _audit_syscalladded) {
fprintf(stderr,
"Syscall auditing requested for task list\n");
retval = -1;
} else {
rc = audit_rule_setup(optarg, &add, &action, lineno);
if (rc == 3) {
fprintf(stderr,
"Multiple rule insert/delete operations are not allowed\n");
retval = -1;
} else if (rc == 2) {
fprintf(stderr,
"Append rule - bad keyword %s\n",
optarg);
retval = -1;
} else if (rc == 1) {
fprintf(stderr,
"Append rule - possible is deprecated\n");
return -3; /* deprecated - eat it */
} else
retval = 1; /* success - please send */
}
break;
case 'A':
if (strstr(optarg, "task") && _audit_syscalladded) {
fprintf(stderr,
"Error: syscall auditing requested for task list\n");
retval = -1;
} else {
rc = audit_rule_setup(optarg, &add, &action, lineno);
if (rc == 3) {
fprintf(stderr,
"Multiple rule insert/delete operations are not allowed\n");
retval = -1;
} else if (rc == 2) {
fprintf(stderr,
"Add rule - bad keyword %s\n", optarg);
retval = -1;
} else if (rc == 1) {
fprintf(stderr,
"Append rule - possible is deprecated\n");
return -3; /* deprecated - eat it */
} else {
add |= AUDIT_FILTER_PREPEND;
retval = 1; /* success - please send */
}
}
break;
case 'd':
rc = audit_rule_setup(optarg, &del, &action, lineno);
if (rc == 3) {
fprintf(stderr,
"Multiple rule insert/delete operations are not allowed\n");
retval = -1;
} else if (rc == 2) {
fprintf(stderr, "Delete rule - bad keyword %s\n",
optarg);
retval = -1;
} else if (rc == 1) {
fprintf(stderr,
"Delete rule - possible is deprecated\n");
return -3; /* deprecated - eat it */
} else
retval = 1; /* success - please send */
break;
case 'S': {
int unknown_arch = !_audit_elf;
/* Do some checking to make sure that we are not adding a
* syscall rule to a list that does not make sense. */
if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
AUDIT_FILTER_TASK || (del &
(AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
AUDIT_FILTER_TASK)) {
fprintf(stderr,
"Error: syscall auditing being added to task list\n");
return -1;
} else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
AUDIT_FILTER_USER || (del &
(AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
AUDIT_FILTER_USER)) {
fprintf(stderr,
"Error: syscall auditing being added to user list\n");
return -1;
} else if (exclude) {
fprintf(stderr,
"Error: syscall auditing cannot be put on exclude list\n");
return -1;
} else {
if (unknown_arch) {
int machine;
unsigned int elf;
machine = audit_detect_machine();
if (machine < 0) {
fprintf(stderr,
"Error detecting machine type\n");
return -1;
}
elf = audit_machine_to_elf(machine);
if (elf == 0) {
fprintf(stderr,
"Error looking up elf type\n");
return -1;
}
_audit_elf = elf;
}
}
rc = audit_rule_syscallbyname_data(rule_new, optarg);
switch (rc)
{
case 0:
_audit_syscalladded = 1;
if (unknown_arch && add != AUDIT_FILTER_UNSET)
check_rule_mismatch(lineno, optarg);
break;
case -1:
fprintf(stderr, "Syscall name unknown: %s\n",
optarg);
retval = -1;
break;
case -2:
fprintf(stderr, "Elf type unknown: 0x%x\n",
_audit_elf);
retval = -1;
break;
}}
break;
case 'F':
if (add != AUDIT_FILTER_UNSET)
flags = add & AUDIT_FILTER_MASK;
else if (del != AUDIT_FILTER_UNSET)
flags = del & AUDIT_FILTER_MASK;
// if the field is arch & there is a -t option...we
// can allow it
else if ((optind >= count) || (strstr(optarg, "arch=") == NULL)
|| (strcmp(vars[optind], "-t") != 0)) {
fprintf(stderr, "List must be given before field\n");
retval = -1;
break;
}
rc = audit_rule_fieldpair_data(&rule_new,optarg,flags);
if (rc != 0) {
audit_number_to_errmsg(rc, optarg);
retval = -1;
} else {
if (rule_new->fields[rule_new->field_count-1] ==
AUDIT_PERM)
_audit_permadded = 1;
}
break;
case 'C':
if (add != AUDIT_FILTER_UNSET)
flags = add & AUDIT_FILTER_MASK;
else if (del != AUDIT_FILTER_UNSET)
flags = del & AUDIT_FILTER_MASK;
rc = audit_rule_interfield_comp_data(&rule_new, optarg, flags);
if (rc != 0) {
audit_number_to_errmsg(rc, optarg);
retval = -1;
} else {
if (rule_new->fields[rule_new->field_count - 1] ==
AUDIT_PERM)
_audit_permadded = 1;
}
break;
case 'm':
if (count > 3) {
fprintf(stderr,
"The -m option must be only the only option and takes 1 parameter\n");
retval = -1;
} else if (audit_log_user_message( fd, AUDIT_USER,
optarg, NULL, NULL, NULL, 1) <= 0)
retval = -1;
else
return -2; // success - no reply for this
break;
case 'R':
fprintf(stderr, "Error - nested rule files not supported\n");
retval = -1;
break;
case 'D':
if (count > 4 || count == 3) {
fprintf(stderr,
"Wrong number of options for Delete all request\n");
retval = -1;
break;
}
if (count == 4) {
if (strcmp(vars[optind], "-k") == 0) {
strncat(key, vars[3], keylen);
count -= 2;
} else {
fprintf(stderr,
"Only the -k option is allowed\n");
retval = -1;
break;
}
}
retval = delete_all_rules(fd);
if (retval == 0) {
(void)audit_request_rule_list(fd);
key[0] = 0;
retval = -2;
}
break;
case 'w':
if (add != AUDIT_FILTER_UNSET ||
del != AUDIT_FILTER_UNSET) {
fprintf(stderr,
"watch option can't be given with a syscall\n");
retval = -1;
} else if (optarg) {
add = AUDIT_FILTER_EXIT;
action = AUDIT_ALWAYS;
_audit_syscalladded = 1;
retval = audit_setup_watch_name(&rule_new, optarg);
} else {
fprintf(stderr, "watch option needs a path\n");
retval = -1;
}
break;
case 'W':
if (optarg) {
del = AUDIT_FILTER_EXIT;
action = AUDIT_ALWAYS;
_audit_syscalladded = 1;
retval = audit_setup_watch_name(&rule_new, optarg);
} else {
fprintf(stderr, "watch option needs a path\n");
retval = -1;
}
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ) ||
(add==AUDIT_FILTER_UNSET &&
del==AUDIT_FILTER_UNSET)) {
fprintf(stderr,
"key option needs a watch or syscall given prior to it\n");
retval = -1;
} else if (!optarg) {
fprintf(stderr, "key option needs a value\n");
retval = -1;
} else if ((strlen(optarg)+strlen(key)+(!!key[0])) >
AUDIT_MAX_KEY_LEN) {
fprintf(stderr, "key option exceeds size limit\n");
retval = -1;
} else {
if (strncmp(optarg, "ids-", 4) == 0) {
if (check_ids_key(optarg)) {
retval = -1;
break;
}
}
if (strchr(optarg, AUDIT_KEY_SEPARATOR))
fprintf(stderr,
"key %s has illegal character\n", optarg);
if (key[0]) { // Add the separator if we need to
strcat(key, key_sep);
keylen--;
}
strncat(key, optarg, keylen);
keylen = AUDIT_MAX_KEY_LEN - strlen(key);
}
break;
case 'p':
if (!add && !del) {
fprintf(stderr,
"permission option needs a watch given prior to it\n");
retval = -1;
} else if (!optarg) {
fprintf(stderr, "permission option needs a filter\n");
retval = -1;
} else
retval = audit_setup_perms(rule_new, optarg);
break;
case 'q':
if (_audit_syscalladded) {
fprintf(stderr,
"Syscall auditing requested for make equivalent\n");
retval = -1;
} else {
char *mp, *sub;
retval = equiv_parse(optarg, &mp, &sub);
if (retval < 0) {
fprintf(stderr,
"Error parsing equivalent parts\n");
retval = -1;
} else {
retval = audit_make_equivalent(fd, mp, sub);
if (retval <= 0) {
retval = -1;
} else
return -2; // success - no reply needed
}
}
break;
case 't':
retval = audit_trim_subtrees(fd);
if (retval <= 0)
retval = -1;
else
return -2; // success - no reply for this
break;
case 'v':
printf("auditctl version %s\n", VERSION);
retval = -2;
break;
default:
usage();
retval = -1;
break;
}
}
/* catch extra args or errors where the user types "- s" */
if (optind == 1)
retval = -1;
else if ((optind < count) && (retval != -1)) {
fprintf(stderr, "parameter passed without an option given\n");
retval = -1;
}
/* See if we were adding a key */
if (key[0] && list_requested == 0) {
int flags = 0;
char *cmd=NULL;
/* Get the flag */
if (add != AUDIT_FILTER_UNSET)
flags = add & AUDIT_FILTER_MASK;
else if (del != AUDIT_FILTER_UNSET)
flags = del & AUDIT_FILTER_MASK;
/* Build the command */
asprintf(&cmd, "key=%s", key);
if (cmd) {
/* Add this to the rule */
int ret = audit_rule_fieldpair_data(&rule_new, cmd, flags);
if (ret < 0)
retval = -1;
free(cmd);
} else {
fprintf(stderr, "Out of memory adding key\n");
retval = -1;
}
}
if (retval == -1 && errno == ECONNREFUSED)
fprintf(stderr, "The audit system is disabled\n");
return retval;
}
/*
* This function is called after setopt to handle the return code.
* On entry, status = 0 means just get the reply. Greater than 0 means we
* are adding or deleting a rule or watch. -1 means an error occurred.
* -2 means everything is OK and no reply needed. Even if there's an
* error, we need to call this routine to close up the audit fd.
* The return code from this function is 0 success and -1 error.
*/
static int handle_request(int status)
{
if (status == 0) {
if (_audit_syscalladded) {
fprintf(stderr, "Error - no list specified\n");
return -1;
}
get_reply();
} else if (status == -2)
status = 0; // report success
else if (status > 0) {
int rc;
if (add != AUDIT_FILTER_UNSET) {
// if !task add syscall any if not specified
if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK &&
_audit_syscalladded != 1) {
audit_rule_syscallbyname_data(
rule_new, "all");
}
set_aumessage_mode(MSG_QUIET, DBG_NO);
rc = audit_add_rule_data(fd, rule_new, add, action);
set_aumessage_mode(MSG_STDERR, DBG_NO);
/* Retry for legacy kernels */
if (rc < 0) {
if (errno == EINVAL &&
rule_new->fields[0] == AUDIT_DIR) {
rule_new->fields[0] = AUDIT_WATCH;
rc = audit_add_rule_data(fd, rule_new,
add, action);
} else {
fprintf(stderr,
"Error sending add rule data request (%s)\n",
errno == EEXIST ?
"Rule exists" : strerror(-rc));
}
}
}
else if (del != AUDIT_FILTER_UNSET) {
if ((del & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK &&
_audit_syscalladded != 1) {
audit_rule_syscallbyname_data(
rule_new, "all");
}
set_aumessage_mode(MSG_QUIET, DBG_NO);
rc = audit_delete_rule_data(fd, rule_new,
del, action);
set_aumessage_mode(MSG_STDERR, DBG_NO);
/* Retry for legacy kernels */
if (rc < 0) {
if (errno == EINVAL &&
rule_new->fields[0] == AUDIT_DIR) {
rule_new->fields[0] = AUDIT_WATCH;
rc = audit_delete_rule_data(fd,rule_new,
del, action);
} else {
fprintf(stderr,
"Error sending delete rule data request (%s)\n",
errno == EEXIST ?
"Rule exists" : strerror(-rc));
}
}
} else {
usage();
audit_close(fd);
exit(1);
}
if (rc <= 0)
status = -1;
else
status = 0;
} else
status = -1;
audit_close(fd);
fd = -1;
return status;
}
static int insert_rule(int audit_fd, const char *field)
{
int rc;
int flags = AUDIT_FILTER_EXIT;
int action = AUDIT_ALWAYS;
struct audit_rule_data *rule = malloc(sizeof(struct audit_rule_data));
int machine = audit_detect_machine();
char *t_field = NULL;
if (rule == NULL)
goto err;
memset(rule, 0, sizeof(struct audit_rule_data));
if (threat) {
rc = 0;
rc |= audit_rule_syscallbyname_data(rule, "open");
rc |= audit_rule_syscallbyname_data(rule, "openat");
rc |= audit_rule_syscallbyname_data(rule, "creat");
rc |= audit_rule_syscallbyname_data(rule, "truncate");
rc |= audit_rule_syscallbyname_data(rule, "rename");
rc |= audit_rule_syscallbyname_data(rule, "renameat");
rc |= audit_rule_syscallbyname_data(rule, "unlink");
rc |= audit_rule_syscallbyname_data(rule, "unlinkat");
rc |= audit_rule_syscallbyname_data(rule, "mknod");
rc |= audit_rule_syscallbyname_data(rule, "mknodat");
rc |= audit_rule_syscallbyname_data(rule, "mkdir");
rc |= audit_rule_syscallbyname_data(rule, "mkdirat");
rc |= audit_rule_syscallbyname_data(rule, "rmdir");
rc |= audit_rule_syscallbyname_data(rule, "chdir");
rc |= audit_rule_syscallbyname_data(rule, "chown");
rc |= audit_rule_syscallbyname_data(rule, "lchown");
rc |= audit_rule_syscallbyname_data(rule, "fchownat");
rc |= audit_rule_syscallbyname_data(rule, "chmod");
rc |= audit_rule_syscallbyname_data(rule, "fchmodat");
rc |= audit_rule_syscallbyname_data(rule, "link");
rc |= audit_rule_syscallbyname_data(rule, "linkat");
rc |= audit_rule_syscallbyname_data(rule, "symlink");
rc |= audit_rule_syscallbyname_data(rule, "symlinkat");
rc |= audit_rule_syscallbyname_data(rule, "readlink");
rc |= audit_rule_syscallbyname_data(rule, "readlinkat");
rc |= audit_rule_syscallbyname_data(rule, "execve");
rc |= audit_rule_syscallbyname_data(rule, "name_to_handle_at");
if (machine != MACH_X86 && machine != MACH_S390X &&
machine != MACH_S390) {
rc |= audit_rule_syscallbyname_data(rule, "connect");
rc |= audit_rule_syscallbyname_data(rule, "bind");
rc |= audit_rule_syscallbyname_data(rule, "accept");
rc |= audit_rule_syscallbyname_data(rule, "sendto");
rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
rc |= audit_rule_syscallbyname_data(rule, "accept4");
}
rc |= audit_rule_syscallbyname_data(rule, "sendfile");
} else
rc = audit_rule_syscallbyname_data(rule, "all");
if (rc < 0)
goto err;
t_field = strdup(field);
rc = audit_rule_fieldpair_data(&rule, t_field, flags);
free(t_field);
if (rc < 0)
goto err;
rc = audit_add_rule_data(audit_fd, rule, flags, action);
if (rc < 0)
goto err;
// Now if i386, lets add its network rules
if (machine == MACH_X86 || machine == MACH_S390X ||
machine == MACH_S390) {
int i, a0[6] = { SYS_CONNECT, SYS_BIND, SYS_ACCEPT, SYS_SENDTO,
SYS_RECVFROM, SYS_ACCEPT4 };
for (i=0; i<6; i++) {
char pair[32];
memset(rule, 0, sizeof(struct audit_rule_data));
rc |= audit_rule_syscallbyname_data(rule, "socketcall");
snprintf(pair, sizeof(pair), "a0=%d", a0[i]);
rc |= audit_rule_fieldpair_data(&rule, pair, flags);
t_field = strdup(field);
rc |= audit_rule_fieldpair_data(&rule, t_field, flags);
free(t_field);
rc |= audit_add_rule_data(audit_fd, rule, flags, action);
}
}
free(rule);
return 0;
err:
fprintf(stderr, "Error inserting audit rule for %s\n", field);
free(rule);
return 1;
}
static int insert_rule(int audit_fd, const char *field)
{
int rc;
int flags = AUDIT_FILTER_ENTRY;
int action = AUDIT_ALWAYS;
struct audit_rule_data *rule = malloc(sizeof(struct audit_rule_data));
if (rule == NULL)
goto err;
memset(rule, 0, sizeof(struct audit_rule_data));
if (threat) {
rc = 0;
rc |= audit_rule_syscallbyname_data(rule, "open");
rc |= audit_rule_syscallbyname_data(rule, "openat");
rc |= audit_rule_syscallbyname_data(rule, "creat");
rc |= audit_rule_syscallbyname_data(rule, "truncate");
rc |= audit_rule_syscallbyname_data(rule, "rename");
rc |= audit_rule_syscallbyname_data(rule, "renameat");
rc |= audit_rule_syscallbyname_data(rule, "unlink");
rc |= audit_rule_syscallbyname_data(rule, "unlinkat");
rc |= audit_rule_syscallbyname_data(rule, "mknod");
rc |= audit_rule_syscallbyname_data(rule, "mknodat");
rc |= audit_rule_syscallbyname_data(rule, "mkdir");
rc |= audit_rule_syscallbyname_data(rule, "mkdirat");
rc |= audit_rule_syscallbyname_data(rule, "rmdir");
rc |= audit_rule_syscallbyname_data(rule, "chdir");
rc |= audit_rule_syscallbyname_data(rule, "chown");
rc |= audit_rule_syscallbyname_data(rule, "lchown");
rc |= audit_rule_syscallbyname_data(rule, "fchownat");
rc |= audit_rule_syscallbyname_data(rule, "chmod");
rc |= audit_rule_syscallbyname_data(rule, "fchmodat");
rc |= audit_rule_syscallbyname_data(rule, "link");
rc |= audit_rule_syscallbyname_data(rule, "linkat");
rc |= audit_rule_syscallbyname_data(rule, "symlink");
rc |= audit_rule_syscallbyname_data(rule, "symlinkat");
rc |= audit_rule_syscallbyname_data(rule, "readlink");
rc |= audit_rule_syscallbyname_data(rule, "readlinkat");
rc |= audit_rule_syscallbyname_data(rule, "execve");
rc |= audit_rule_syscallbyname_data(rule, "connect");
rc |= audit_rule_syscallbyname_data(rule, "bind");
rc |= audit_rule_syscallbyname_data(rule, "accept");
rc |= audit_rule_syscallbyname_data(rule, "sendto");
rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
rc |= audit_rule_syscallbyname_data(rule, "sendfile");
} else
rc = audit_rule_syscallbyname_data(rule, "all");
if (rc < 0)
goto err;
rc = audit_rule_fieldpair_data(&rule, field, flags);
if (rc < 0)
goto err;
rc = audit_add_rule_data(audit_fd, rule, flags, action);
if (rc < 0)
goto err;
return 0;
err:
fprintf(stderr, "Error inserting audit rule for %s\n", field);
return 1;
}
