On Tue, Oct 29, 2013 at 5:52 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 10/29/2013 12:11 AM, William Roberts wrote: > > FYI This is a DRAFT patch. Just mostly to show how you can test the > kernel > > patches I have been > > putting out recently. You can toggle the false/true in auditd.c and then > > re-push the auditd daemon. > > I think you want to default-true but ignore errors or at least ones that > merely signify that the kernel doesn't support it. > Agree with you here, realized I had this on false from testing after I sent it. Once I get traction on the upstream kernel patches, I'll chnage this and get pull requests to you > > > > > > > On Mon, Oct 28, 2013 at 9:09 PM, William Roberts > > <bill.c.robe...@gmail.com>wrote: > > > >> Change-Id: I82f39aae8264707bdc8eae9e32cfbf650545a0fa > >> --- > >> auditd/auditd.c | 8 ++++++++ > >> auditd/libaudit.c | 25 +++++++++++++++++++++++++ > >> auditd/libaudit.h | 33 +++++++++++++++++++++++++++++++++ > >> 3 files changed, 66 insertions(+) > >> > >> diff --git a/auditd/auditd.c b/auditd/auditd.c > >> index 6a4ecae..beaff51 100644 > >> --- a/auditd/auditd.c > >> +++ b/auditd/auditd.c > >> @@ -19,6 +19,7 @@ > >> #define LOG_TAG "auditd" > >> > >> #include <stdio.h> > >> +#include <stdbool.h> > >> #include <stdlib.h> > >> > >> #include <errno.h> > >> @@ -188,6 +189,13 @@ int main(int argc, char *argv[]) > >> goto err; > >> } > >> > >> + if (audit_set_cmdline_output(audit_fd, false, WAIT_NO) < 0) { > >> + rc = errno; > >> + SLOGE("Failed on audit_set_cmdline_feature with error: %s", > >> strerror(errno)); > >> + goto err; > >> + } > >> + > >> + > >> pfds.fd = audit_fd; > >> pfds.events = POLLIN; > >> > >> diff --git a/auditd/libaudit.c b/auditd/libaudit.c > >> index 06e5557..2771d92 100644 > >> --- a/auditd/libaudit.c > >> +++ b/auditd/libaudit.c 
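Review bot: The error path after the added `audit_set_cmdline_output` call reads `errno`, but the new header comment says the function reports failure as a `-errno` return value, and its own SLOGE call in libaudit.c may clobber `errno` before main() sees it; the log line also names `audit_set_cmdline_feature`, a function that does not exist. Capture the return instead: `int ret = audit_set_cmdline_output(audit_fd, false, WAIT_NO);` / `if (ret < 0) { rc = -ret;` / `SLOGE("Failed on audit_set_cmdline_output with error: %s", strerror(rc));`. The second blank line added after the block is stray whitespace. main() begins and ends outside the hunk.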
> >> @@ -220,6 +220,31 @@ out: > >> return rc; > >> } > >> > >> +int audit_set_cmdline_output(int fd, bool val, rep_wait_t wmode) > >> +{ > >> + int rc; > >> + struct audit_reply rep; > >> + struct audit_features features; > >> + > >> + memset(&features, 0, sizeof(features)); > >> + > >> + features.vers = 1; > >> + features.mask = > AUDIT_FEATURE_TO_MASK(AUDIT_FEATURE_CMDLINE_OUTPUT); > >> + features.features |= (val == true) << AUDIT_FEATURE_CMDLINE_OUTPUT; > >> + > >> + rc = audit_send(fd, AUDIT_SET_FEATURE, &features, > sizeof(features)); > >> + if (rc < 0) { > >> + SLOGE("Could net set cmdline output for audit events, error: > %s", > >> strerror(-rc)); > >> + return rc; > >> + } > >> + > >> + if (wmode != WAIT_NO) { > >> + audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0); > >> + } > >> + > >> + return 0; > >> +} > >> + > >> int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode) > >> { > >> int rc; > >> diff --git a/auditd/libaudit.h b/auditd/libaudit.h > >> index fbaa7b9..7fc8138 100644 > >> --- a/auditd/libaudit.h > >> +++ b/auditd/libaudit.h > >> @@ -22,11 +22,30 @@ > >> #include <stdint.h> > >> #include <sys/socket.h> > >> #include <sys/types.h> > >> +#include <stdbool.h> > >> #include <linux/netlink.h> > >> #include <linux/audit.h> > >> > >> #define MAX_AUDIT_MESSAGE_LENGTH 8970 > >> > >> +#define AUDIT_SET_FEATURE 1018 > >> +#define AUDIT_GET_FEATURE 1019 > >> +#define AUDIT_FEATURE_CHANGE 1020 > >> + > >> +struct audit_features { > >> +#define AUDIT_FEATURE_VERSION 1 > >> + __u32 vers; > >> + __u32 mask; > >> + __u32 features; > >> + __u32 lock; > >> +}; > >> + > >> +#define AUDIT_FEATURE_CMDLINE_OUTPUT 0 > >> +#define AUDIT_LAST_FEATURE AUDIT_FEATURE_CMDLINE_OUTPUT > >> + > >> +#define audit_feature_valid(x) ((x) >= 0 && (x) <= > >> AUDIT_LAST_FEATURE) > >> +#define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) > >> + > >> typedef enum { > >> GET_REPLY_BLOCKING=0, > >> GET_REPLY_NONBLOCKING 
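Review bot: In `audit_set_cmdline_output` the reply read under `wmode != WAIT_NO` is thrown away — the return of `audit_get_reply` is ignored and `rep` is never inspected — so the function returns 0 even when the kernel answers the AUDIT_SET_FEATURE request with an error (for instance a kernel without the feature), and the caller cannot tell that the setting did not take. At minimum check the audit_get_reply return and, when the reply carries a netlink error, propagate it as `-errno` so the implementation matches the contract documented in libaudit.h; if audit_set_pid (declared just below, body outside the hunk) discards its reply the same way, that is worth stating in the commit message. Two smaller points: `(val == true) << AUDIT_FEATURE_CMDLINE_OUTPUT` reads more clearly as `(val ? 1u : 0u) << AUDIT_FEATURE_CMDLINE_OUTPUT`, and the log string has a typo, `Could net set`.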
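Review bot: `AUDIT_FEATURE_TO_MASK(x)` expands to `(1 << ((x) & 31))`, which for x == 31 left-shifts a signed int into the sign bit — undefined behaviour in C — even though the result lands in the `__u32` field `mask`; use an unsigned constant, `#define AUDIT_FEATURE_TO_MASK(x) (1U << ((x) & 31))`. The AUDIT_SET_FEATURE/AUDIT_GET_FEATURE/AUDIT_FEATURE_CHANGE constants and `struct audit_features` are local copies of kernel UAPI definitions placed right after `#include <linux/audit.h>`; once the kernel headers this tree builds against provide them, the copies become redefinition errors, so wrap the block in `#ifndef AUDIT_SET_FEATURE` … `#endif` with a comment saying it mirrors the kernel header until the UAPI catches up. The `#define AUDIT_FEATURE_VERSION 1` inside the struct body is legal but easy to overlook; it would read better above the struct.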
> >> @@ -108,4 +127,18 @@ extern int audit_get_reply(int fd, struct > >> audit_reply *rep, reply_t block, > >> */ > >> extern int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode); > >> > >> +/** > >> + * Turns on (true) or off (false) the cmdline autput of the audit > records. > >> + * @param fd > >> + * The fd returned by a call to audit_open() > >> + * @param val > >> + * True for on, flase for off. > >> + * @param wmode > >> + * Whether or not to block on the underlying socket io calls. > >> + * @return > >> + * This function returns 0 on success, -errno on error. > >> + */ > >> +extern int audit_set_cmdline_output(int fd, bool val, rep_wait_t > wmode); > >> + > >> + > >> #endif > >> -- > >> 1.7.9.5 > >> > >> > > > > > > -- Respectfully, William C Roberts
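Review bot: The new doc comment for `audit_set_cmdline_output` describes `wmode` as "Whether or not to block on the underlying socket io calls", but the libaudit.c implementation in this patch passes GET_REPLY_NONBLOCKING unconditionally and uses wmode only to decide whether a reply is read at all; suggest `Whether to read (and discard) the kernel reply; WAIT_NO skips the read.` so the header matches the code. The comment also has two typos, `autput` for `output` and `flase` for `false`. The two blank lines added before `#endif` are stray whitespace.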