[PATCH] add rule filterkey Add support for a rule key, which can be used to tie audit records to audit rules. This is useful when a watched file is accessed through a link or symlink, as well as for general audit log analysis. Because this patch uses a string key instead of an integer key, there is a bit of extra overhead to do the kstrdup() when a rule fires. However, we're also allocating memory for the audit record buffer, so it's probably not that significant. I went ahead with a string key because it seems more user-friendly. Note that the user must ensure that filterkeys are unique. The kernel only checks for duplicate rules. Signed-off-by: Amy Griffis <amy.griffis@hpd.com>

commit: 5adc8a6adc91c4c85a64c75a70a619fffc924817 [log] [tgz]
author: Amy Griffis <amy.griffis@hp.com> Wed Jun 14 18:45:21 2006 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> Sat Jul 01 05:43:06 2006 -0400
tree: ace9af6bbc3cf711f43cfd88e834baeb6989ca3f
parent: 9262e9149f346a5443300f8c451b8e7631e81a42 [diff] [blame]
diff --git a/kernel/audit.h b/kernel/audit.h
index 8323e41..6aa33b8 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h

@@ -81,6 +81,7 @@
 	u32			mask[AUDIT_BITMASK_SIZE];
 	u32			buflen; /* for data alloc on list rules */
 	u32			field_count;
+	char			*filterkey; /* ties events to rules */
 	struct audit_field	*fields;
 	struct audit_field	*inode_f; /* quick access to an inode field */
 	struct audit_watch	*watch;	/* associated watch */
commit	5adc8a6adc91c4c85a64c75a70a619fffc924817	[log] [tgz]
author	Amy Griffis <amy.griffis@hp.com>	Wed Jun 14 18:45:21 2006 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	Sat Jul 01 05:43:06 2006 -0400
tree	ace9af6bbc3cf711f43cfd88e834baeb6989ca3f
parent	9262e9149f346a5443300f8c451b8e7631e81a42 [diff] [blame]