[PATCH] audit: path-based rules

#define AUDIT_INODE	102

#define AUDIT_EXIT	103

#define AUDIT_SUCCESS   104	/* exit >= 0; value ignored */

#define AUDIT_WATCH	105

#define AUDIT_ARG0      200

#define AUDIT_ARG1      (AUDIT_ARG0+1)

	help

	  Enable low-overhead system-call auditing infrastructure that

	  can be used independently or with another kernel subsystem,

	  such as SELinux.

	  such as SELinux.  To use audit's filesystem watch feature, please

	  ensure that INOTIFY is configured.

config IKCONFIG

	bool "Kernel .config support"

#include <linux/skbuff.h>

#include <linux/netlink.h>

#include <linux/selinux.h>

#include <linux/inotify.h>

#include "audit.h"

/* The netlink socket. */

static struct sock *audit_sock;

/* Inotify handle. */

struct inotify_handle *audit_ih;

/* Hash for inode-based rules */

struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];

/* The audit_freelist is a list of pre-allocated audit buffers (if more

 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of

 * being placed on the freelist). */

static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);

static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);

/* The netlink socket is only to be read by 1 CPU, which lets us assume

 * that list additions and deletions never happen simultaneously in

 * auditsc.c */

DEFINE_MUTEX(audit_netlink_mutex);

/* Serialize requests from userspace. */

static DEFINE_MUTEX(audit_cmd_mutex);

/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting

 * audit records.  Since printk uses a 1024 byte buffer, this buffer

	struct sk_buff *skb;

	/* wait for parent to finish and send an ACK */

	mutex_lock(&audit_netlink_mutex);

	mutex_unlock(&audit_netlink_mutex);

	mutex_lock(&audit_cmd_mutex);

	mutex_unlock(&audit_cmd_mutex);

	while ((skb = __skb_dequeue(&dest->q)) != NULL)

		netlink_unicast(audit_sock, skb, pid, 0);

	struct sk_buff  *skb;

	unsigned int qlen;

	mutex_lock(&audit_netlink_mutex);

	mutex_lock(&audit_cmd_mutex);

	for (qlen = skb_queue_len(&sk->sk_receive_queue); qlen; qlen--) {

		skb = skb_dequeue(&sk->sk_receive_queue);

		audit_receive_skb(skb);

		kfree_skb(skb);

	}

	mutex_unlock(&audit_netlink_mutex);

	mutex_unlock(&audit_cmd_mutex);

}

#ifdef CONFIG_AUDITSYSCALL

static const struct inotify_operations audit_inotify_ops = {

	.handle_event	= audit_handle_ievent,

	.destroy_watch	= audit_free_parent,

};

#endif

/* Initialize audit support at boot time. */

static int __init audit_init(void)

{

#ifdef CONFIG_AUDITSYSCALL

	int i;

#endif

	printk(KERN_INFO "audit: initializing netlink socket (%s)\n",

	       audit_default ? "enabled" : "disabled");

	audit_sock = netlink_kernel_create(NETLINK_AUDIT, 0, audit_receive,

	selinux_audit_set_callback(&selinux_audit_rule_update);

	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");

#ifdef CONFIG_AUDITSYSCALL

	audit_ih = inotify_init(&audit_inotify_ops);

	if (IS_ERR(audit_ih))

		audit_panic("cannot initialize inotify handle");

	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)

		INIT_LIST_HEAD(&audit_inode_hash[i]);

#endif

	return 0;

}

__initcall(audit_init);

 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

 */

#include <linux/mutex.h>

#include <linux/fs.h>

#include <linux/audit.h>

#include <linux/skbuff.h>

};

/* Rule lists */

struct audit_parent;

struct audit_watch {

	atomic_t		count;	/* reference count */

	char			*path;	/* insertion path */

	dev_t			dev;	/* associated superblock device */

	unsigned long		ino;	/* associated inode number */

	struct audit_parent	*parent; /* associated parent */

	struct list_head	wlist;	/* entry in parent->watches list */

	struct list_head	rules;	/* associated rules */

};

struct audit_field {

	u32				type;

	u32				val;

	u32			buflen; /* for data alloc on list rules */

	u32			field_count;

	struct audit_field	*fields;

	struct audit_field	*inode_f; /* quick access to an inode field */

	struct audit_watch	*watch;	/* associated watch */

	struct list_head	rlist;	/* entry in audit_watch.rules list */

};

struct audit_entry {

	struct audit_krule	rule;

};

extern int audit_pid;

extern int audit_comparator(const u32 left, const u32 op, const u32 right);

#define AUDIT_INODE_BUCKETS	32

extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];

static inline int audit_hash_ino(u32 ino)

{

	return (ino & (AUDIT_INODE_BUCKETS-1));

}

extern int audit_comparator(const u32 left, const u32 op, const u32 right);

extern int audit_compare_dname_path(const char *dname, const char *path);

extern struct sk_buff *	    audit_make_reply(int pid, int seq, int type,

					     int done, int multi,

					     void *payload, int size);

					     void *payload, int size);

extern void		    audit_log_lost(const char *message);

extern void		    audit_panic(const char *message);

extern struct mutex audit_netlink_mutex;

struct audit_netlink_list {

	int pid;

int audit_send_list(void *);

struct inotify_watch;

extern void audit_free_parent(struct inotify_watch *);

extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,

				const char *, struct inode *);

extern int selinux_audit_rule_update(void);

#ifdef CONFIG_AUDITSYSCALL

	if (unlikely(audit_pid && t->tgid == audit_pid))

		__audit_signal_info(sig, t);

}

extern enum audit_state audit_filter_inodes(struct task_struct *,

					    struct audit_context *);

extern void audit_set_auditable(struct audit_context *);

#else

#define audit_signal_info(s,t)

#define audit_filter_inodes(t,c) AUDIT_DISABLED

#define audit_set_auditable(c)

#endif