Add auparse_normalize_object_primary2 API

caidongyun · Sep 19, 2017 · 1d99c3a · 1d99c3a
1 parent 887b707
commit 1d99c3a
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,7 @@
 2.8
 - Add support for ambient capability fields (Richard Guy Briggs)
 - Update auparse-normalizer to support TTY events
+- Add auparse_normalize_object_primary2 API
 
 2.7.8
 - Add config option to auditd to not verify email addr domain (#1406887)

diff --git a/TODO b/TODO
@@ -2,7 +2,6 @@ Things that need to be done:
 ===========================
 2.8
 * Support FANOTIFY record
-* Add object2 API to auparse-normalize
 * ausearch text format, add 'to xxx' for file perm/owner, & uid/gid changes
 * ausearch text format, add 'to xxx' for mount operations
 * There are 3 kinds of mount: failed, fuser success, kernel success

diff --git a/auparse/auparse.h b/auparse/auparse.h
@@ -91,6 +91,7 @@ const char *auparse_normalize_get_action(auparse_state_t *au);
 // Object accessing functions
 int auparse_normalize_object_primary(auparse_state_t *au);
 int auparse_normalize_object_secondary(auparse_state_t *au);
+int auparse_normalize_object_primary2(auparse_state_t *au);
 int auparse_normalize_object_first_attribute(auparse_state_t *au);
 int auparse_normalize_object_next_attribute(auparse_state_t *au);
 const char *auparse_normalize_object_kind(auparse_state_t *au);

diff --git a/auparse/internal.h b/auparse/internal.h
@@ -120,12 +120,13 @@ typedef struct subj
 	value_t secondary;      // typically uid
 	cllist attr;            // List of attributes
 	const char *what;	// What the subject is
-}subject;
+} subject;
 
 typedef struct obj
 {
 	value_t primary;
 	value_t secondary;
+	value_t two;		// Sometimes we have a second e.g. rename/mount
 	cllist attr;            // List of attributes
 	unsigned int what;      // What the primary object is
 } object;

diff --git a/auparse/normalize.c b/auparse/normalize.c
@@ -63,6 +63,7 @@ void init_normalizer(normalize_data *d)
 	d->action = NULL;
 	d->thing.primary = set_record(0, UNSET);
 	d->thing.secondary = set_record(0, UNSET);
+	d->thing.two = set_record(0, UNSET);
 	cllist_create(&d->thing.attr, NULL);
 	d->thing.what = NORM_WHAT_UNKNOWN;
 	d->results = set_record(0, UNSET);
@@ -84,6 +85,7 @@ void clear_normalizer(normalize_data *d)
 	d->action = NULL;
 	d->thing.primary = set_record(0, UNSET);
 	d->thing.secondary = set_record(0, UNSET);
+	d->thing.two = set_record(0, UNSET);
 	cllist_clear(&d->thing.attr);
 	d->thing.what = NORM_WHAT_UNKNOWN;
 	d->results = set_record(0, UNSET);
@@ -1567,6 +1569,11 @@ int auparse_normalize_object_secondary(auparse_state_t *au)
 	return seek_field(au, D.thing.secondary);
 }
 
+int auparse_normalize_object_primary2(auparse_state_t *au)
+{
+	return seek_field(au, D.thing.two);
+}
+
 // Returns: -1 = error, 0 uninitialized, 1 == success
 int auparse_normalize_object_first_attribute(auparse_state_t *au)
 {

diff --git a/docs/auparse_normalize_functions.3 b/docs/auparse_normalize_functions.3
@@ -1,7 +1,7 @@
 .TH "AUPARSE_NORMALIZE_FUNCTIONS" "3" "March 2017" "Red Hat" "Linux Audit API"
 .SH NAME
 .nf
-auparse_normalize_get_event_kind, auparse_normalize_subject_kind, auparse_normalize_get_action, auparse_normalize_object_kind, auparse_normalize_how, auparse_normalize_session, auparse_normalize_subject_primary, auparse_normalize_subject_secondary, auparse_normalize_subject_first_attribute, auparse_normalize_subject_next_attribute, auparse_normalize_object_primary, auparse_normalize_object_secondary, auparse_normalize_object_first_attribute, auparse_normalize_object_next_attribute, auparse_normalize_get_results, auparse_normalize_key \- Access normalized fields
+auparse_normalize_get_event_kind, auparse_normalize_subject_kind, auparse_normalize_get_action, auparse_normalize_object_kind, auparse_normalize_how, auparse_normalize_session, auparse_normalize_subject_primary, auparse_normalize_subject_secondary, auparse_normalize_subject_first_attribute, auparse_normalize_subject_next_attribute, auparse_normalize_object_primary, auparse_normalize_object_secondary, auparse_normalize_object_primary2, auparse_normalize_object_first_attribute, auparse_normalize_object_next_attribute, auparse_normalize_get_results, auparse_normalize_key \- Access normalized fields
 .fi
 .SH "SYNOPSIS"
 .nf
@@ -22,6 +22,7 @@ Positioning Functions:
 .B int auparse_normalize_subject_next_attribute(auparse_state_t *au);
 .B int auparse_normalize_object_primary(auparse_state_t *au);
 .B int auparse_normalize_object_secondary(auparse_state_t *au);
+.B int auparse_normalize_object_primary2(auparse_state_t *au);
 .B int auparse_normalize_object_first_attribute(auparse_state_t *au);
 .B int auparse_normalize_object_next_attribute(auparse_state_t *au);
 .B int auparse_normalize_get_results(auparse_state_t *au);