summaryrefslogtreecommitdiffstats
path: root/include/linux/audit.h
diff options
context:
space:
mode:
authorAmy Griffis <amy.griffis@hp.com>2006-06-14 18:45:21 -0400
committerAl Viro <viro@zeniv.linux.org.uk>2006-07-01 05:43:06 -0400
commit5adc8a6adc91c4c85a64c75a70a619fffc924817 (patch)
treeace9af6bbc3cf711f43cfd88e834baeb6989ca3f /include/linux/audit.h
parent9262e9149f346a5443300f8c451b8e7631e81a42 (diff)
downloadlinux-5adc8a6adc91c4c85a64c75a70a619fffc924817.tar.gz
linux-5adc8a6adc91c4c85a64c75a70a619fffc924817.tar.bz2
linux-5adc8a6adc91c4c85a64c75a70a619fffc924817.zip
[PATCH] add rule filterkey
Add support for a rule key, which can be used to tie audit records to audit rules. This is useful when a watched file is accessed through a link or symlink, as well as for general audit log analysis. Because this patch uses a string key instead of an integer key, there is a bit of extra overhead to do the kstrdup() when a rule fires. However, we're also allocating memory for the audit record buffer, so it's probably not that significant. I went ahead with a string key because it seems more user-friendly. Note that the user must ensure that filterkeys are unique. The kernel only checks for duplicate rules. Signed-off-by: Amy Griffis <amy.griffis@hpd.com>
Diffstat (limited to 'include/linux/audit.h')
-rw-r--r--include/linux/audit.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index e051ff9c5b50..a489104ae3a4 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -122,6 +122,7 @@
/* Rule structure sizes -- if these change, different AUDIT_ADD and
* AUDIT_LIST commands must be implemented. */
#define AUDIT_MAX_FIELDS 64
+#define AUDIT_MAX_KEY_LEN 32
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_WORD(nr) ((__u32)((nr)/32))
#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
@@ -171,6 +172,8 @@
#define AUDIT_ARG2 (AUDIT_ARG0+2)
#define AUDIT_ARG3 (AUDIT_ARG0+3)
+#define AUDIT_FILTERKEY 210
+
#define AUDIT_NEGATE 0x80000000
/* These are the supported operators.