From 6dabe8de1c502b4bcd0ad945f6d7636d5aeb9fed Mon Sep 17 00:00:00 2001
|
|
From: Steve Grubb <sgrubb@redhat.com>
|
|
Date: Sat, 26 Aug 2023 08:52:25 -0400
|
|
Subject: [PATCH] Consolidate end of event detection to a common function
|
|
|
|
Reference:https://github.com/linux-audit/audit-userspace/commit/6dabe8de1c502b4bcd0ad945f6d7636d5aeb9fed
|
|
Conflict:ChangeLog
|
|
|
|
---
|
|
auparse/auparse.c | 9 +--------
|
|
common/Makefile.am | 2 +-
|
|
common/common.c | 43 +++++++++++++++++++++++++++++++++++++++++++
|
|
common/common.h | 3 ++-
|
|
src/ausearch-lol.c | 9 ++-------
|
|
5 files changed, 49 insertions(+), 17 deletions(-)
|
|
create mode 100644 common/common.c
|
|
|
|
diff --git a/auparse/auparse.c b/auparse/auparse.c
|
|
index 6f3fb945..359b1875 100644
|
|
--- a/auparse/auparse.c
|
|
+++ b/auparse/auparse.c
|
|
@@ -309,14 +309,7 @@ static void au_check_events(auparse_state_t *au, time_t sec)
|
|
if (cur->l->e.sec + eoe_timeout <= sec) {
|
|
cur->status = EBS_COMPLETE;
|
|
au->au_ready++;
|
|
- } else if ( // FIXME: Check this v remains true
|
|
- r->type == AUDIT_PROCTITLE ||
|
|
- r->type == AUDIT_EOE ||
|
|
- r->type < AUDIT_FIRST_EVENT ||
|
|
- r->type >= AUDIT_FIRST_ANOM_MSG ||
|
|
- r->type == AUDIT_KERNEL ||
|
|
- (r->type >= AUDIT_MAC_UNLBL_ALLOW &&
|
|
- r->type <= AUDIT_MAC_CALIPSO_DEL)) {
|
|
+ } else if (audit_is_last_record(r->type)) {
|
|
// If known to be 1 record event, we are done
|
|
cur->status = EBS_COMPLETE;
|
|
au->au_ready++;
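Review bot: The `// FIXME: Check this v remains true` caveat is removed from this `else if` along with the open-coded type list, and nothing on the new side carries it forward. The list still decides when an event is marked `EBS_COMPLETE`, so a reader of this call site no longer sees that the classification is a heuristic needing periodic re-checking. I would keep a short pointer here, for example `// type list lives in common/common.c; re-check it when record types change`. The hunk shows no `#include "common.h"` and the diffstat lists no auparse build change, so please confirm the prototype and libaucommon are already visible to auparse.c. au_check_events starts and ends outside this hunk.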
|
|
diff --git a/common/Makefile.am b/common/Makefile.am
|
|
index dbf0f76c..9738ee87 100644
|
|
--- a/common/Makefile.am
|
|
+++ b/common/Makefile.am
|
|
@@ -27,6 +27,6 @@ AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib
|
|
|
|
noinst_HEADERS = common.h
|
|
libaucommon_la_DEPENDENCIES = ../config.h
|
|
-libaucommon_la_SOURCES = audit-fgets.c strsplit.c
|
|
+libaucommon_la_SOURCES = audit-fgets.c strsplit.c common.c
|
|
noinst_LTLIBRARIES = libaucommon.la
|
|
|
|
diff --git a/common/common.c b/common/common.c
|
|
new file mode 100644
|
|
index 00000000..cbfa46cb
|
|
--- /dev/null
|
|
+++ b/common/common.c
|
|
@@ -0,0 +1,43 @@
|
|
+/* common.c --
|
|
+ * Copyright 2023 Red Hat Inc.
|
|
+ * All Rights Reserved.
|
|
+ *
|
|
+ * This library is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU Lesser General Public
|
|
+ * License as published by the Free Software Foundation; either
|
|
+ * version 2.1 of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This library is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ * Lesser General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU Lesser General Public
|
|
+ * License along with this library; if not, write to the Free Software
|
|
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
+ *
|
|
+ * Authors:
|
|
+ * Steve Grubb <sgrubb@redhat.com>
|
|
+ */
|
|
+
|
|
+#include "libaudit.h"
|
|
+#include "common.h"
|
|
+
|
|
+/*
|
|
+ * This function returns 1 if it is the last record in an event.
|
|
+ * It returns 0 otherwise.
|
|
+ */
|
|
+int audit_is_last_record(int type)
|
|
+{
|
|
+ if (type == AUDIT_PROCTITLE ||
|
|
+ type == AUDIT_EOE ||
|
|
+ type < AUDIT_FIRST_EVENT ||
|
|
+ type >= AUDIT_FIRST_ANOM_MSG ||
|
|
+ type == AUDIT_KERNEL ||
|
|
+ (type >= AUDIT_MAC_UNLBL_ALLOW &&
|
|
+ type <= AUDIT_MAC_CALIPSO_DEL)) {
|
|
+ return 1;
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
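Review bot: The comment above `audit_is_last_record` says it returns 1 for "the last record in an event", but the test looks only at the record type, and both callers describe a match as "known to be 1 record event". Since auparse and ausearch now both complete events on this one predicate, a type wrongly matched here would presumably close an event early in both tools, which the comment should make clear to whoever edits the list next. I would reword it along the lines of `/* Returns 1 when the record type alone shows the event is complete (AUDIT_EOE, AUDIT_PROCTITLE, or a type treated as a single-record event), 0 otherwise. */` and add a sentence that the ranges must be re-checked when record types change.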
|
|
diff --git a/common/common.h b/common/common.h
|
|
index 6a5437e9..1db80d4b 100644
|
|
--- a/common/common.h
|
|
+++ b/common/common.h
|
|
@@ -1,5 +1,5 @@
|
|
/* audit-fgets.h -- a replacement for glibc's fgets
|
|
- * Copyright 2018,2022 Red Hat Inc.
|
|
+ * Copyright 2018-23 Red Hat Inc.
|
|
* All Rights Reserved.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
@@ -38,6 +38,7 @@ int audit_fgets(char *buf, size_t blen, int fd)
|
|
|
|
char *audit_strsplit_r(char *s, char **savedpp);
|
|
char *audit_strsplit(char *s);
|
|
+int audit_is_last_record(int type);
|
|
|
|
AUDIT_HIDDEN_END
|
|
#endif
|
|
diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
|
|
index 4a7e5fdf..9ed39d4f 100644
|
|
--- a/src/ausearch-lol.c
|
|
+++ b/src/ausearch-lol.c
|
|
@@ -252,16 +252,11 @@ static void check_events(lol *lo, time_t sec)
|
|
if (cur->l->e.sec + eoe_timeout <= sec) {
|
|
cur->status = L_COMPLETE;
|
|
ready++;
|
|
- } else if (cur->l->e.type == AUDIT_PROCTITLE ||
|
|
- cur->l->e.type < AUDIT_FIRST_EVENT ||
|
|
- cur->l->e.type >= AUDIT_FIRST_ANOM_MSG ||
|
|
- cur->l->e.type == AUDIT_KERNEL ||
|
|
- (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
|
|
- cur->l->e.type <= AUDIT_MAC_CALIPSO_DEL)) {
|
|
+ } else if (audit_is_last_record(cur->l->e.type)) {
|
|
// If known to be 1 record event, we are done
|
|
cur->status = L_COMPLETE;
|
|
ready++;
|
|
- }
|
|
+ }
|
|
}
|
|
}
|
|
}
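Review bot: Switching this branch to `audit_is_last_record(cur->l->e.type)` is not a pure refactor for ausearch. The removed condition had no `AUDIT_EOE` term, whereas the shared helper returns 1 for `AUDIT_EOE`, so check_events can now set `L_COMPLETE` on a type it did not test before. That may well be harmless if EOE is already handled elsewhere in this file, but the commit message describes only a consolidation. I would record the change in the description or at the call site, for example `// helper also matches AUDIT_EOE, which this path did not test before`. check_events begins outside this hunk, so the surrounding loop and any earlier EOE handling are not visible here.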
|
|
--
|
|
2.33.0
|
|
|