int audit_rule_syscall(struct audit_rule *rule, int scall)
{
int word = AUDIT_WORD(scall);
int bit = AUDIT_BIT(scall);
if (word >= (AUDIT_BITMASK_SIZE-1))
return -1;
rule->mask[word] |= bit;
return 0;
}
static int print_syscall(const struct audit_rule_data *r, unsigned int *sc)
{
int count = 0;
int all = 1;
unsigned int i;
int machine = audit_detect_machine();
/* Rules on the following filters do not take a syscall */
if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
return 0;
/* See if its all or specific syscalls */
for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
if (r->mask[i] != (uint32_t)~0) {
all = 0;
break;
}
}
if (all) {
printf(" -S all");
count = i;
} else for (i = 0; i < AUDIT_BITMASK_SIZE * 32; i++) {
int word = AUDIT_WORD(i);
int bit = AUDIT_BIT(i);
if (r->mask[word] & bit) {
const char *ptr;
if (_audit_elf)
machine = audit_elf_to_machine(_audit_elf);
if (machine < 0)
ptr = NULL;
else
ptr = audit_syscall_to_name(i, machine);
if (!count)
printf(" -S ");
if (ptr)
printf("%s%s", !count ? "" : ",", ptr);
else
printf("%s%d", !count ? "" : ",", i);
count++;
*sc = i;
}
}
return count;
}
/*
* This function interprets the reply and prints it to stdout. It returns
* 0 if no more should be read and 1 to indicate that more messages of this
* type may need to be read.
*/
static int audit_print_reply(struct audit_reply *rep)
{
unsigned int i;
int first;
int sparse;
int machine = audit_detect_machine();
size_t boffset;
int show_syscall;
_audit_elf = 0;
switch (rep->type) {
case NLMSG_NOOP:
return 1;
case NLMSG_DONE:
if (printed == 0)
printf("No rules\n");
return 0;
case NLMSG_ERROR:
printf("NLMSG_ERROR %d (%s)\n",
-rep->error->error,
strerror(-rep->error->error));
printed = 1;
return 0;
case AUDIT_GET:
printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d"
" rate_limit=%d backlog_limit=%d lost=%d backlog=%u\n",
rep->status->enabled, rep->status->failure,
rep->status->pid, rep->status->rate_limit,
rep->status->backlog_limit, rep->status->lost,
rep->status->backlog);
printed = 1;
return 0;
case AUDIT_LIST_RULES:
list_requested = 0;
boffset = 0;
show_syscall = 1;
if (key_match(rep) == 0)
return 1;
printed = 1;
printf("%s: %s,%s", audit_msg_type_to_name(rep->type),
audit_flag_to_name((int)rep->ruledata->flags),
audit_action_to_name(rep->ruledata->action));
for (i = 0; i < rep->ruledata->field_count; i++) {
const char *name;
int op = rep->ruledata->fieldflags[i] &
AUDIT_OPERATORS;
int field = rep->ruledata->fields[i] &
~AUDIT_OPERATORS;
name = audit_field_to_name(field);
if (name) {
if (strcmp(name, "arch") == 0) {
_audit_elf =
rep->ruledata->values[i];
printf(" %s%s%u", name,
audit_operator_to_symbol(op),
(unsigned)rep->ruledata->values[i]);
}
else if (strcmp(name, "msgtype") == 0) {
if (!audit_msg_type_to_name(
rep->ruledata->values[i]))
printf(" %s%s%d", name,
audit_operator_to_symbol(op),
rep->ruledata->values[i]);
else {
printf(" %s%s%s", name,
audit_operator_to_symbol(op),
audit_msg_type_to_name(rep->ruledata->values[i]));
}
} else if ((field >= AUDIT_SUBJ_USER &&
field <= AUDIT_OBJ_LEV_HIGH)
&& field != AUDIT_PPID &&
rep->type == AUDIT_LIST_RULES) {
printf(" %s%s%.*s", name,
audit_operator_to_symbol(op),
rep->ruledata->values[i],
&rep->ruledata->buf[boffset]);
boffset +=
rep->ruledata->values[i];
} else if (field == AUDIT_WATCH) {
printf(" watch=%.*s",
rep->ruledata->values[i],
&rep->ruledata->buf[boffset]);
boffset +=
rep->ruledata->values[i];
} else if (field == AUDIT_DIR) {
printf(" dir=%.*s",
rep->ruledata->values[i],
&rep->ruledata->buf[boffset]);
boffset +=
rep->ruledata->values[i];
} else if (field == AUDIT_FILTERKEY) {
char *rkey, *ptr;
asprintf(&rkey, "%.*s",
rep->ruledata->values[i],
&rep->ruledata->buf[boffset]);
boffset +=
rep->ruledata->values[i];
ptr = strtok(rkey, key_sep);
while (ptr) {
printf(" key=%s", ptr);
ptr = strtok(NULL,
key_sep);
}
free(rkey);
} else if (field == AUDIT_PERM) {
char perms[5];
int val=rep->ruledata->values[i];
perms[0] = 0;
if (val & AUDIT_PERM_READ)
strcat(perms, "r");
if (val & AUDIT_PERM_WRITE)
strcat(perms, "w");
if (val & AUDIT_PERM_EXEC)
strcat(perms, "x");
if (val & AUDIT_PERM_ATTR)
strcat(perms, "a");
printf(" perm=%s", perms);
show_syscall = 0;
} else if (field == AUDIT_INODE) {
// Unsigned items
printf(" %s%s%u", name,
audit_operator_to_symbol(op),
rep->ruledata->values[i]);
} else if (field == AUDIT_FIELD_COMPARE) {
switch (rep->ruledata->values[i])
{
case AUDIT_COMPARE_UID_TO_OBJ_UID:
printf(" uid%sobj_uid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_GID_TO_OBJ_GID:
printf(" gid%sobj_gid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_EUID_TO_OBJ_UID:
printf(" euid%sobj_uid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_EGID_TO_OBJ_GID:
printf(" egid%sobj_gid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_AUID_TO_OBJ_UID:
printf(" auid%sobj_uid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_SUID_TO_OBJ_UID:
printf(" suid%sobj_uid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_SGID_TO_OBJ_GID:
printf(" sgid%sobj_gid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
printf(" fsuid%sobj_uid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
printf(" fsgid%sobj_gid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_UID_TO_AUID:
printf(" uid%sauid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_UID_TO_EUID:
printf(" uid%seuid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_UID_TO_FSUID:
printf(" uid%sfsuid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_UID_TO_SUID:
printf(" uid%ssuid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_AUID_TO_FSUID:
printf(" auid%sfsuid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_AUID_TO_SUID:
printf(" auid%ssuid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_AUID_TO_EUID:
printf(" auid%seuid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_EUID_TO_SUID:
printf(" euid%ssuid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_EUID_TO_FSUID:
printf(" euid%sfsuid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_SUID_TO_FSUID:
printf(" suid%sfsuid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_GID_TO_EGID:
printf(" gid%segid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_GID_TO_FSGID:
printf(" gid%sfsgid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_GID_TO_SGID:
printf(" gid%ssgid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_EGID_TO_FSGID:
printf(" egid%sfsgid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_EGID_TO_SGID:
printf(" egid%ssgid",audit_operator_to_symbol(op));
break;
case AUDIT_COMPARE_SGID_TO_FSGID:
printf(" sgid%sfsgid",audit_operator_to_symbol(op));
break;
}
} else {
// Signed items
printf(" %s%s%d", name,
audit_operator_to_symbol(op),
rep->ruledata->values[i]);
}
} else {
printf(" f%d%s%d", rep->ruledata->fields[i],
audit_operator_to_symbol(op),
rep->ruledata->values[i]);
}
/* Avoid printing value if the field type is
* known to return a string. */
if (rep->ruledata->values[i] &&
(field < AUDIT_SUBJ_USER ||
field > AUDIT_SUBJ_CLR) &&
field != AUDIT_WATCH &&
field != AUDIT_FILTERKEY &&
field != AUDIT_PERM &&
field != AUDIT_FIELD_COMPARE)
printf(" (0x%x)", rep->ruledata->values[i]);
}
if (show_syscall &&
((rep->ruledata->flags & AUDIT_FILTER_MASK) !=
AUDIT_FILTER_USER) &&
((rep->ruledata->flags & AUDIT_FILTER_MASK) !=
AUDIT_FILTER_TASK) &&
((rep->ruledata->flags & AUDIT_FILTER_MASK) !=
AUDIT_FILTER_EXCLUDE)) {
printf(" syscall=");
for (sparse = 0, i = 0;
i < (AUDIT_BITMASK_SIZE-1); i++) {
if (rep->ruledata->mask[i] != (uint32_t)~0)
sparse = 1;
}
if (!sparse) {
printf("all");
} else for (first = 1, i = 0;
i < AUDIT_BITMASK_SIZE * 32; i++) {
int word = AUDIT_WORD(i);
int bit = AUDIT_BIT(i);
if (rep->ruledata->mask[word] & bit) {
const char *ptr;
if (_audit_elf)
machine =
audit_elf_to_machine(
_audit_elf);
if (machine < 0)
ptr = NULL;
else
ptr =
audit_syscall_to_name(i,
machine);
if (ptr)
printf("%s%s",
first ? "" : ",", ptr);
else
printf("%s%d",
first ? "" : ",", i);
first = 0;
}
}
}
printf("\n");
return 1; /* get more messages until NLMSG_DONE */
default:
printf("Unknown: type=%d, len=%d\n", rep->type,
rep->nlh->nlmsg_len);
printed = 1;
return 0;
}
}
