2 * interpret.c - Lookup values to something more readable
3 * Copyright (c) 2007-09,2011-14 Red Hat Inc., Durham, North Carolina.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 * Steve Grubb <sgrubb@redhat.com>
29 #include "interpret.h"
30 #include "auparse-idata.h"
41 #include <linux/net.h>
44 #include <linux/ax25.h>
45 #include <linux/atm.h>
46 #include <linux/x25.h>
47 #include <linux/if.h> // FIXME: remove when ipx.h is fixed
48 #include <linux/ipx.h>
49 #include <linux/capability.h>
50 #include <sys/personality.h>
51 #include <sys/prctl.h>
53 #include "auparse-defs.h"
54 #include "gen_tables.h"
56 #if !HAVE_DECL_ADDR_NO_RANDOMIZE
57 # define ADDR_NO_RANDOMIZE 0x0040000
60 /* This is from asm/ipc.h. Copying it for now as some platforms
61 * have broken headers. */
77 #include "clone-flagtabs.h"
78 #include "epoll_ctls.h"
80 #include "fcntl-cmdtabs.h"
83 #include "ipccmdtabs.h"
85 #include "mounttabs.h"
86 #include "open-flagtabs.h"
87 #include "persontabs.h"
89 #include "ptracetabs.h"
91 #include "rlimittabs.h"
94 #include "socktypetabs.h"
95 #include "signaltabs.h"
96 #include "clocktabs.h"
98 #include "nfprototabs.h"
99 #include "icmptypetabs.h"
100 #include "seccomptabs.h"
101 #include "accesstabs.h"
102 #include "prctl_opttabs.h"
103 #include "schedtabs.h"
104 #include "shm_modetabs.h"
105 #include "sockoptnametabs.h"
106 #include "sockleveltabs.h"
107 #include "ipoptnametabs.h"
108 #include "ip6optnametabs.h"
109 #include "tcpoptnametabs.h"
110 #include "pktoptnametabs.h"
111 #include "umounttabs.h"
112 #include "ioctlreqtabs.h"
114 typedef enum { AVC_UNSET, AVC_DENIED, AVC_GRANTED } avc_t;
115 typedef enum { S_UNSET=-1, S_FAILED, S_SUCCESS } success_t;
117 static const char *print_signals(const char *val, unsigned int base);
121 * This function will take a pointer to a 2 byte Ascii character buffer and
122 * return the actual hex value.
124 static unsigned char x2c(const unsigned char *buf)
126 static const char AsciiArray[17] = "0123456789ABCDEF";
128 unsigned char total=0;
130 ptr = strchr(AsciiArray, (char)toupper(buf[0]));
132 total = (unsigned char)(((ptr-AsciiArray) & 0x0F)<<4);
133 ptr = strchr(AsciiArray, (char)toupper(buf[1]));
135 total += (unsigned char)((ptr-AsciiArray) & 0x0F);
140 static int is_hex_string(const char *str)
150 /* returns a freshly malloc'ed and converted buffer */
151 char *au_unescape(char *buf)
154 char saved, *str, *ptr = buf;
156 /* Find the end of the name */
158 ptr = strchr(ptr, ')');
164 while (isxdigit(*ptr))
172 /* See if its '(null)' from the kernel */
176 /* We can get away with this since the buffer is 2 times
177 * bigger than what we are putting there.
185 for (i=0; i<len; i+=2) {
186 *ptr = x2c((unsigned char *)&str[i]);
193 static const char *success[3]= { "unset", "no", "yes" };
194 static const char *aulookup_success(int s)
210 static nvpair uid_nvl;
211 static int uid_list_created=0;
212 static const char *aulookup_uid(uid_t uid, char *buf, size_t size)
218 snprintf(buf, size, "unset");
222 // Check the cache first
223 if (uid_list_created == 0) {
224 nvpair_create(&uid_nvl);
225 nvpair_clear(&uid_nvl);
226 uid_list_created = 1;
228 rc = nvpair_find_val(&uid_nvl, uid);
230 name = uid_nvl.cur->name;
237 nv.name = strdup(pw->pw_name);
239 nvpair_append(&uid_nvl, &nv);
240 name = uid_nvl.cur->name;
244 snprintf(buf, size, "%s", name);
246 snprintf(buf, size, "unknown(%d)", uid);
250 void aulookup_destroy_uid_list(void)
252 if (uid_list_created == 0)
255 nvpair_clear(&uid_nvl);
256 uid_list_created = 0;
259 static nvpair gid_nvl;
260 static int gid_list_created=0;
261 static const char *aulookup_gid(gid_t gid, char *buf, size_t size)
267 snprintf(buf, size, "unset");
271 // Check the cache first
272 if (gid_list_created == 0) {
273 nvpair_create(&gid_nvl);
274 nvpair_clear(&gid_nvl);
275 gid_list_created = 1;
277 rc = nvpair_find_val(&gid_nvl, gid);
279 name = gid_nvl.cur->name;
286 nv.name = strdup(gr->gr_name);
288 nvpair_append(&gid_nvl, &nv);
289 name = gid_nvl.cur->name;
293 snprintf(buf, size, "%s", name);
295 snprintf(buf, size, "unknown(%d)", gid);
299 void aulookup_destroy_gid_list(void)
301 if (gid_list_created == 0)
304 nvpair_clear(&gid_nvl);
305 gid_list_created = 0;
308 static const char *print_uid(const char *val, unsigned int base)
314 uid = strtoul(val, NULL, base);
317 if (asprintf(&out, "conversion error(%s)", val) < 0)
322 return strdup(aulookup_uid(uid, name, sizeof(name)));
325 static const char *print_gid(const char *val, unsigned int base)
331 gid = strtoul(val, NULL, base);
334 if (asprintf(&out, "conversion error(%s)", val) < 0)
339 return strdup(aulookup_gid(gid, name, sizeof(name)));
342 static const char *print_arch(const char *val, unsigned int machine)
347 if (machine > MACH_AARCH64) {
351 ival = strtoul(val, NULL, 16);
353 if (asprintf(&out, "conversion error(%s) ", val) < 0)
357 machine = audit_elf_to_machine(ival);
359 if ((int)machine < 0) {
360 if (asprintf(&out, "unknown elf type(%s)", val) < 0)
364 ptr = audit_machine_to_name(machine);
368 if (asprintf(&out, "unknown machine type(%d)", machine) < 0)
374 static const char *print_ipccall(const char *val, unsigned int base)
378 const char *func = NULL;
381 a0 = strtol(val, NULL, base);
384 if (asprintf(&out, "conversion error(%s)", val) < 0)
392 if (asprintf(&out, "unknown ipccall(%s)", val) < 0)
398 static const char *print_socketcall(const char *val, unsigned int base)
402 const char *func = NULL;
405 a0 = strtol(val, NULL, base);
408 if (asprintf(&out, "conversion error(%s)", val) < 0)
416 if (asprintf(&out, "unknown socketcall(%s)", val) < 0)
422 static const char *print_syscall(const idata *id)
426 int machine = id->machine, syscall = id->syscall;
427 unsigned long long a0 = id->a0;
430 machine = audit_detect_machine();
432 out = strdup(id->val);
435 sys = audit_syscall_to_name(syscall, machine);
437 const char *func = NULL;
438 if (strcmp(sys, "socketcall") == 0) {
441 } else if (strcmp(sys, "ipc") == 0)
445 if (asprintf(&out, "%s(%s)", sys, func) < 0)
450 if (asprintf(&out, "unknown syscall(%d)", syscall) < 0)
457 static const char *print_exit(const char *val)
463 ival = strtoll(val, NULL, 10);
465 if (asprintf(&out, "conversion error(%s)", val) < 0)
471 if (asprintf(&out, "%lld(%s)", ival, strerror(-ival)) < 0)
478 static const char *print_escaped(const char *val)
485 term = strchr(val, '"');
492 // FIXME: working here...was trying to detect (null) and handle that
493 // differently. The other 2 should have " around the file names.
494 /* } else if (*val == '(') {
497 term = strchr(val, ' ');
501 printf("%s ", val); */
502 } else if (val[0] == '0' && val[1] == '0')
503 out = au_unescape((char *)&val[2]); // Abstract name af_unix
505 out = au_unescape((char *)val);
508 return strdup(val); // Something is wrong with string, just send as is
511 static const char *print_proctitle(const char *val)
513 char *out = (char *)print_escaped(val);
515 size_t len = strlen(val) / 2;
516 const char *end = out + len;
518 while ((ptr = rawmemchr(ptr, '\0'))) {
528 static const char *print_perm(const char *val)
534 ival = strtol(val, NULL, 10);
537 if (asprintf(&out, "conversion error(%s)", val) < 0)
544 /* The kernel treats nothing (0x00) as everything (0x0F) */
547 if (ival & AUDIT_PERM_READ) {
551 if (ival & AUDIT_PERM_WRITE) {
553 strcat(buf, ",write");
555 strcat(buf, "write");
558 if (ival & AUDIT_PERM_EXEC) {
560 strcat(buf, ",exec");
565 if (ival & AUDIT_PERM_ATTR) {
567 strcat(buf, ",attr");
574 static const char *print_mode(const char *val, unsigned int base)
581 ival = strtoul(val, NULL, base);
583 if (asprintf(&out, "conversion error(%s)", val) < 0)
588 // detect the file type
589 name = audit_ftype_to_name(ival & S_IFMT);
593 unsigned first_ifmt_bit;
595 // The lowest-valued "1" bit in S_IFMT
596 first_ifmt_bit = S_IFMT & ~(S_IFMT - 1);
597 sprintf(buf, "%03o", (ival & S_IFMT) / first_ifmt_bit);
600 // check on special bits
602 strcat(buf, ",suid");
604 strcat(buf, ",sgid");
606 strcat(buf, ",sticky");
608 // and the read, write, execute flags in octal
609 if (asprintf(&out, "%s,%03o", buf,
610 (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
615 static const char *print_mode_short_int(unsigned int ival)
619 // check on special bits
623 if (S_ISGID & ival) {
628 if (S_ISVTX & ival) {
631 strcat(buf, "sticky");
634 // and the read, write, execute flags in octal
636 if (asprintf(&out, "0%03o",
637 (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
640 if (asprintf(&out, "%s,0%03o", buf,
641 (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
646 static const char *print_mode_short(const char *val, int base)
652 ival = strtoul(val, NULL, base);
654 if (asprintf(&out, "conversion error(%s)", val) < 0)
658 return print_mode_short_int(ival);
661 static const char *print_socket_domain(const char *val)
668 i = strtoul(val, NULL, 16);
670 if (asprintf(&out, "conversion error(%s)", val) < 0)
676 if (asprintf(&out, "unknown family(0x%s)", val) < 0)
683 static const char *print_socket_type(const char *val)
690 type = 0xFF & strtoul(val, NULL, 16);
692 if (asprintf(&out, "conversion error(%s)", val) < 0)
696 str = sock_type_i2s(type);
698 if (asprintf(&out, "unknown type(%s)", val) < 0)
705 static const char *print_socket_proto(const char *val)
712 proto = strtoul(val, NULL, 16);
714 if (asprintf(&out, "conversion error(%s)", val) < 0)
718 p = getprotobynumber(proto);
720 if (asprintf(&out, "unknown proto(%s)", val) < 0)
724 return strdup(p->p_name);
727 static const char *print_sockaddr(const char *val)
730 const struct sockaddr *saddr;
731 char name[NI_MAXHOST], serv[NI_MAXSERV];
736 slen = strlen(val)/2;
737 host = au_unescape((char *)val);
739 if (asprintf(&out, "malformed host(%s)", val) < 0)
743 saddr = (struct sockaddr *)host;
746 str = fam_i2s(saddr->sa_family);
748 if (asprintf(&out, "unknown family(%d)", saddr->sa_family) < 0)
754 // Now print address for some families
755 switch (saddr->sa_family) {
758 const struct sockaddr_un *un =
759 (struct sockaddr_un *)saddr;
761 rc = asprintf(&out, "%s %s", str,
763 else // abstract name
764 rc = asprintf(&out, "%s %.108s", str,
769 if (slen < sizeof(struct sockaddr_in)) {
770 rc = asprintf(&out, "%s sockaddr len too short",
774 slen = sizeof(struct sockaddr_in);
775 if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv,
776 NI_MAXSERV, NI_NUMERICHOST |
777 NI_NUMERICSERV) == 0 ) {
778 rc = asprintf(&out, "%s host:%s serv:%s", str,
781 rc = asprintf(&out, "%s (error resolving addr)",
786 const struct sockaddr_ax25 *x =
787 (struct sockaddr_ax25 *)saddr;
788 rc = asprintf(&out, "%s call:%c%c%c%c%c%c%c",
790 x->sax25_call.ax25_call[0],
791 x->sax25_call.ax25_call[1],
792 x->sax25_call.ax25_call[2],
793 x->sax25_call.ax25_call[3],
794 x->sax25_call.ax25_call[4],
795 x->sax25_call.ax25_call[5],
796 x->sax25_call.ax25_call[6]);
801 const struct sockaddr_ipx *ip =
802 (struct sockaddr_ipx *)saddr;
803 rc = asprintf(&out, "%s port:%d net:%u", str,
804 ip->sipx_port, ip->sipx_network);
809 const struct sockaddr_atmpvc* at =
810 (struct sockaddr_atmpvc *)saddr;
811 rc = asprintf(&out, "%s int:%d", str,
817 const struct sockaddr_x25* x =
818 (struct sockaddr_x25 *)saddr;
819 rc = asprintf(&out, "%s addr:%.15s", str,
820 x->sx25_addr.x25_addr);
824 if (slen < sizeof(struct sockaddr_in6)) {
826 "%s sockaddr6 len too short",
830 slen = sizeof(struct sockaddr_in6);
831 if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv,
832 NI_MAXSERV, NI_NUMERICHOST |
833 NI_NUMERICSERV) == 0 ) {
834 rc = asprintf(&out, "%s host:%s serv:%s", str,
837 rc = asprintf(&out, "%s (error resolving addr)",
842 const struct sockaddr_nl *n =
843 (struct sockaddr_nl *)saddr;
844 rc = asprintf(&out, "%s pid:%u", str,
855 /* This is only used in the RHEL4 kernel */
856 static const char *print_flags(const char *val)
863 flags = strtoul(val, NULL, 16);
865 if (asprintf(&out, "conversion error(%s)", val) < 0)
870 if (asprintf(&out, "none") < 0)
875 for (i=0; i<FLAG_NUM_ENTRIES; i++) {
876 if (flag_table[i].value & flags) {
879 flag_strings + flag_table[i].offset);
884 flag_strings + flag_table[i].offset);
889 snprintf(buf, sizeof(buf), "0x%s", val);
893 static const char *print_promiscuous(const char *val)
898 ival = strtol(val, NULL, 10);
901 if (asprintf(&out, "conversion error(%s)", val) < 0)
909 return strdup("yes");
912 static const char *print_capabilities(const char *val, int base)
919 cap = strtoul(val, NULL, base);
921 if (asprintf(&out, "conversion error(%s)", val) < 0)
929 if (asprintf(&out, "unknown capability(%s%s)",
930 base == 16 ? "0x" : "", val) < 0)
935 static const char *print_cap_bitmap(const char *val)
937 #define MASK(x) (1U << (x))
938 unsigned long long temp;
941 char *p, buf[600]; // 17 per cap * 33
944 temp = strtoull(val, NULL, 16);
947 if (asprintf(&out, "conversion error(%s)", val) < 0)
952 caps[0] = temp & 0x00000000FFFFFFFFLL;
953 caps[1] = (temp & 0xFFFFFFFF00000000LL) >> 32;
955 for (i=0; i <= CAP_LAST_CAP; i++) {
956 if (MASK(i%32) & caps[i/32]) {
967 return strdup("none");
971 static const char *print_success(const char *val)
977 res = strtoul(val, NULL, 10);
980 if (asprintf(&out, "conversion error(%s)", val) < 0)
985 return strdup(aulookup_success(res));
990 static const char *print_open_flags(const char *val)
998 flags = strtoul(val, NULL, 16);
1000 if (asprintf(&out, "conversion error(%s)", val) < 0)
1006 if ((flags & O_ACCMODE) == 0) {
1007 // Handle O_RDONLY specially
1008 strcat(buf, "O_RDONLY");
1011 for (i=0; i<OPEN_FLAG_NUM_ENTRIES; i++) {
1012 if (open_flag_table[i].value & flags) {
1015 open_flag_strings + open_flag_table[i].offset);
1020 open_flag_strings + open_flag_table[i].offset);
1025 snprintf(buf, sizeof(buf), "0x%s", val);
1029 static const char *print_clone_flags(const char *val)
1031 unsigned int flags, i, clone_sig;
1033 char *out, buf[362]; // added 10 for signal name
1036 flags = strtoul(val, NULL, 16);
1038 if (asprintf(&out, "conversion error(%s)", val) < 0)
1044 for (i=0; i<CLONE_FLAG_NUM_ENTRIES; i++) {
1045 if (clone_flag_table[i].value & flags) {
1048 clone_flag_strings + clone_flag_table[i].offset);
1053 clone_flag_strings + clone_flag_table[i].offset);
1057 clone_sig = flags & 0xFF;
1058 if (clone_sig && (clone_sig < 32)) {
1059 const char *s = signal_i2s(clone_sig);
1068 snprintf(buf, sizeof(buf), "0x%x", flags);
1072 static const char *print_fcntl_cmd(const char *val)
1079 cmd = strtoul(val, NULL, 16);
1081 if (asprintf(&out, "conversion error(%s)", val) < 0)
1089 if (asprintf(&out, "unknown fcntl command(%d)", cmd) < 0)
1094 static const char *print_epoll_ctl(const char *val)
1101 cmd = strtoul(val, NULL, 16);
1103 if (asprintf(&out, "conversion error(%s)", val) < 0)
1108 s = epoll_ctl_i2s(cmd);
1111 if (asprintf(&out, "unknown epoll_ctl operation (%d)", cmd) < 0)
1116 static const char *print_clock_id(const char *val)
1122 i = strtoul(val, NULL, 16);
1124 if (asprintf(&out, "conversion error(%s)", val) < 0)
1129 const char *s = clock_i2s(i);
1133 if (asprintf(&out, "unknown clk_id (0x%s)", val) < 0)
1138 static const char *print_prot(const char *val, unsigned int is_mmap)
1140 unsigned int prot, i;
1146 prot = strtoul(val, NULL, 16);
1148 if (asprintf(&out, "conversion error(%s)", val) < 0)
1153 if ((prot & 0x07) == 0) {
1154 // Handle PROT_NONE specially
1155 strcat(buf, "PROT_NONE");
1162 for (i=0; i<limit; i++) {
1163 if (prot_table[i].value & prot) {
1166 prot_strings + prot_table[i].offset);
1171 prot_strings + prot_table[i].offset);
1176 snprintf(buf, sizeof(buf), "0x%s", val);
1180 static const char *print_mmap(const char *val)
1182 unsigned int maps, i;
1188 maps = strtoul(val, NULL, 16);
1190 if (asprintf(&out, "conversion error(%s)", val) < 0)
1195 if ((maps & 0x0F) == 0) {
1196 // Handle MAP_FILE specially
1197 strcat(buf, "MAP_FILE");
1200 for (i=0; i<MMAP_NUM_ENTRIES; i++) {
1201 if (mmap_table[i].value & maps) {
1204 mmap_strings + mmap_table[i].offset);
1209 mmap_strings + mmap_table[i].offset);
1214 snprintf(buf, sizeof(buf), "0x%s", val);
1218 static const char *print_personality(const char *val)
1225 pers = strtoul(val, NULL, 16);
1227 if (asprintf(&out, "conversion error(%s)", val) < 0)
1232 pers2 = pers & ~ADDR_NO_RANDOMIZE;
1233 s = person_i2s(pers2);
1235 if (pers & ADDR_NO_RANDOMIZE) {
1236 if (asprintf(&out, "%s|~ADDR_NO_RANDOMIZE", s) < 0)
1242 if (asprintf(&out, "unknown personality (0x%s)", val) < 0)
1247 static const char *print_ptrace(const char *val)
1254 trace = strtoul(val, NULL, 16);
1256 if (asprintf(&out, "conversion error(%s)", val) < 0)
1261 s = ptrace_i2s(trace);
1264 if (asprintf(&out, "unknown ptrace (0x%s)", val) < 0)
1269 static const char *print_prctl_opt(const char *val)
1276 opt = strtoul(val, NULL, 16);
1278 if (asprintf(&out, "conversion error(%s)", val) < 0)
1283 s = prctl_opt_i2s(opt);
1286 if (asprintf(&out, "unknown prctl option (0x%s)", val) < 0)
1291 static const char *print_mount(const char *val)
1293 unsigned int mounts, i;
1299 mounts = strtoul(val, NULL, 16);
1301 if (asprintf(&out, "conversion error(%s)", val) < 0)
1306 for (i=0; i<MOUNT_NUM_ENTRIES; i++) {
1307 if (mount_table[i].value & mounts) {
1310 mount_strings + mount_table[i].offset);
1315 mount_strings + mount_table[i].offset);
1320 snprintf(buf, sizeof(buf), "0x%s", val);
1324 static const char *print_rlimit(const char *val)
1330 i = strtoul(val, NULL, 16);
1332 if (asprintf(&out, "conversion error(%s)", val) < 0)
1337 const char *s = rlimit_i2s(i);
1341 if (asprintf(&out, "unknown rlimit (0x%s)", val) < 0)
1346 static const char *print_recv(const char *val)
1348 unsigned int rec, i;
1354 rec = strtoul(val, NULL, 16);
1356 if (asprintf(&out, "conversion error(%s)", val) < 0)
1361 for (i=0; i<RECV_NUM_ENTRIES; i++) {
1362 if (recv_table[i].value & rec) {
1365 recv_strings + recv_table[i].offset);
1370 recv_strings + recv_table[i].offset);
1375 snprintf(buf, sizeof(buf), "0x%s", val);
1379 static const char *print_access(const char *val)
1383 unsigned int i, cnt = 0;
1386 mode = strtoul(val, NULL, 16);
1389 if (asprintf(&out, "conversion error(%s)", val) < 0)
1394 if ((mode & 0xF) == 0)
1395 return strdup("F_OK");
1397 for (i=0; i<3; i++) {
1398 if (access_table[i].value & mode) {
1401 access_strings + access_table[i].offset);
1406 access_strings + access_table[i].offset);
1411 snprintf(buf, sizeof(buf), "0x%s", val);
1415 static char *print_dirfd(const char *val)
1419 if (strcmp(val, "-100") == 0) {
1420 if (asprintf(&out, "AT_FDCWD") < 0)
1423 if (asprintf(&out, "0x%s", val) < 0)
1429 #ifndef SCHED_RESET_ON_FORK
1430 #define SCHED_RESET_ON_FORK 0x40000000
1432 static const char *print_sched(const char *val)
1439 pol = strtoul(val, NULL, 16);
1441 if (asprintf(&out, "conversion error(%s)", val) < 0)
1446 s = sched_i2s(pol & 0x0F);
1451 if (pol & SCHED_RESET_ON_FORK )
1452 strcat(buf, "|SCHED_RESET_ON_FORK");
1455 if (asprintf(&out, "unknown scheduler policy (0x%s)", val) < 0)
1460 static const char *print_sock_opt_level(const char *val)
1466 lvl = strtoul(val, NULL, 16);
1468 if (asprintf(&out, "conversion error(%s)", val) < 0)
1472 if (lvl == SOL_SOCKET)
1473 return strdup("SOL_SOCKET");
1475 struct protoent *p = getprotobynumber(lvl);
1477 const char *s = socklevel_i2s(lvl);
1480 if (asprintf(&out, "unknown sockopt level (0x%s)", val) < 0)
1483 return strdup(p->p_name);
1489 static const char *print_sock_opt_name(const char *val, int machine)
1496 opt = strtoul(val, NULL, 16);
1498 if (asprintf(&out, "conversion error(%s)", val) < 0)
1502 // PPC's tables are different
1503 if ((machine == MACH_PPC64 || machine == MACH_PPC) &&
1504 opt >= 16 && opt <= 21)
1507 s = sockoptname_i2s(opt);
1510 if (asprintf(&out, "unknown sockopt name (0x%s)", val) < 0)
1515 static const char *print_ip_opt_name(const char *val)
1522 opt = strtoul(val, NULL, 16);
1524 if (asprintf(&out, "conversion error(%s)", val) < 0)
1529 s = ipoptname_i2s(opt);
1532 if (asprintf(&out, "unknown ipopt name (0x%s)", val) < 0)
1537 static const char *print_ip6_opt_name(const char *val)
1544 opt = strtoul(val, NULL, 16);
1546 if (asprintf(&out, "conversion error(%s)", val) < 0)
1551 s = ip6optname_i2s(opt);
1554 if (asprintf(&out, "unknown ip6opt name (0x%s)", val) < 0)
1559 static const char *print_tcp_opt_name(const char *val)
1566 opt = strtoul(val, NULL, 16);
1568 if (asprintf(&out, "conversion error(%s)", val) < 0)
1573 s = tcpoptname_i2s(opt);
1576 if (asprintf(&out, "unknown tcpopt name (0x%s)", val) < 0)
1581 static const char *print_udp_opt_name(const char *val)
1587 opt = strtoul(val, NULL, 16);
1589 if (asprintf(&out, "conversion error(%s)", val) < 0)
1595 out = strdup("UDP_CORK");
1596 else if (opt == 100)
1597 out = strdup("UDP_ENCAP");
1598 else if (asprintf(&out, "unknown udpopt name (0x%s)", val) < 0)
1603 static const char *print_pkt_opt_name(const char *val)
1610 opt = strtoul(val, NULL, 16);
1612 if (asprintf(&out, "conversion error(%s)", val) < 0)
1617 s = pktoptname_i2s(opt);
1620 if (asprintf(&out, "unknown pktopt name (0x%s)", val) < 0)
1625 static const char *print_shmflags(const char *val)
1627 unsigned int flags, partial, i;
1632 flags = strtoul(val, NULL, 16);
1634 if (asprintf(&out, "conversion error(%s)", val) < 0)
1639 partial = flags & 00003000;
1641 for (i=0; i<IPCCMD_NUM_ENTRIES; i++) {
1642 if (ipccmd_table[i].value & partial) {
1645 ipccmd_strings + ipccmd_table[i].offset);
1650 ipccmd_strings + ipccmd_table[i].offset);
1655 partial = flags & 00014000;
1656 for (i=0; i<SHM_MODE_NUM_ENTRIES; i++) {
1657 if (shm_mode_table[i].value & partial) {
1660 shm_mode_strings + shm_mode_table[i].offset);
1665 shm_mode_strings + shm_mode_table[i].offset);
1670 partial = flags & 000777;
1671 const char *tmode = print_mode_short_int(partial);
1676 free((void *)tmode);
1680 snprintf(buf, sizeof(buf), "0x%x", flags);
1684 static const char *print_seek(const char *val)
1686 unsigned int whence;
1691 whence = 0xFF & strtoul(val, NULL, 16);
1693 if (asprintf(&out, "conversion error(%s)", val) < 0)
1697 str = seek_i2s(whence);
1699 if (asprintf(&out, "unknown whence(%s)", val) < 0)
1706 static const char *print_umount(const char *val)
1708 unsigned int flags, i;
1714 flags = strtoul(val, NULL, 16);
1716 if (asprintf(&out, "conversion error(%s)", val) < 0)
1721 for (i=0; i<UMOUNT_NUM_ENTRIES; i++) {
1722 if (umount_table[i].value & flags) {
1725 umount_strings + umount_table[i].offset);
1730 umount_strings + umount_table[i].offset);
1735 snprintf(buf, sizeof(buf), "0x%s", val);
1739 static const char *print_ioctl_req(const char *val)
1746 req = strtoul(val, NULL, 16);
1748 if (asprintf(&out, "conversion error(%s)", val) < 0)
1753 r = ioctlreq_i2s(req);
1756 if (asprintf(&out, "0x%s", val) < 0)
1761 static const char *print_a0(const char *val, const idata *id)
1764 int machine = id->machine, syscall = id->syscall;
1765 const char *sys = audit_syscall_to_name(syscall, machine);
1768 if (strcmp(sys, "rt_sigaction") == 0)
1769 return print_signals(val, 16);
1770 else if (strcmp(sys, "renameat") == 0)
1771 return print_dirfd(val);
1772 else if (strcmp(sys, "readlinkat") == 0)
1773 return print_dirfd(val);
1774 } else if (*sys == 'c') {
1775 if (strcmp(sys, "clone") == 0)
1776 return print_clone_flags(val);
1777 else if (strcmp(sys, "clock_settime") == 0)
1778 return print_clock_id(val);
1779 } else if (*sys == 'p') {
1780 if (strcmp(sys, "personality") == 0)
1781 return print_personality(val);
1782 else if (strcmp(sys, "ptrace") == 0)
1783 return print_ptrace(val);
1784 else if (strcmp(sys, "prctl") == 0)
1785 return print_prctl_opt(val);
1786 } else if (*sys == 'm') {
1787 if (strcmp(sys, "mkdirat") == 0)
1788 return print_dirfd(val);
1789 else if (strcmp(sys, "mknodat") == 0)
1790 return print_dirfd(val);
1791 } else if (*sys == 'f') {
1792 if (strcmp(sys, "fchownat") == 0)
1793 return print_dirfd(val);
1794 else if (strcmp(sys, "futimesat") == 0)
1795 return print_dirfd(val);
1796 else if (strcmp(sys, "fchmodat") == 0)
1797 return print_dirfd(val);
1798 else if (strcmp(sys, "faccessat") == 0)
1799 return print_dirfd(val);
1800 else if (strcmp(sys, "futimensat") == 0)
1801 return print_dirfd(val);
1802 } else if (*sys == 'u') {
1803 if (strcmp(sys, "unshare") == 0)
1804 return print_clone_flags(val);
1805 else if (strcmp(sys, "unlinkat") == 0)
1806 return print_dirfd(val);
1807 else if (strcmp(sys, "utimensat") == 0)
1808 return print_dirfd(val);
1809 } else if (strcmp(sys+1, "etrlimit") == 0)
1810 return print_rlimit(val);
1811 else if (*sys == 's') {
1812 if (strcmp(sys, "setuid") == 0)
1813 return print_uid(val, 16);
1814 else if (strcmp(sys, "setreuid") == 0)
1815 return print_uid(val, 16);
1816 else if (strcmp(sys, "setresuid") == 0)
1817 return print_uid(val, 16);
1818 else if (strcmp(sys, "setfsuid") == 0)
1819 return print_uid(val, 16);
1820 else if (strcmp(sys, "setgid") == 0)
1821 return print_gid(val, 16);
1822 else if (strcmp(sys, "setregid") == 0)
1823 return print_gid(val, 16);
1824 else if (strcmp(sys, "setresgid") == 0)
1825 return print_gid(val, 16);
1826 else if (strcmp(sys, "socket") == 0)
1827 return print_socket_domain(val);
1828 else if (strcmp(sys, "setfsgid") == 0)
1829 return print_gid(val, 16);
1830 else if (strcmp(sys, "socketcall") == 0)
1831 return print_socketcall(val, 16);
1833 else if (strcmp(sys, "linkat") == 0)
1834 return print_dirfd(val);
1835 else if (strcmp(sys, "newfstatat") == 0)
1836 return print_dirfd(val);
1837 else if (strcmp(sys, "openat") == 0)
1838 return print_dirfd(val);
1839 else if (strcmp(sys, "ipccall") == 0)
1840 return print_ipccall(val, 16);
1842 if (asprintf(&out, "0x%s", val) < 0)
1847 static const char *print_a1(const char *val, const idata *id)
1850 int machine = id->machine, syscall = id->syscall;
1851 const char *sys = audit_syscall_to_name(syscall, machine);
1854 if (strcmp(sys, "fchmod") == 0)
1855 return print_mode_short(val, 16);
1856 else if (strncmp(sys, "fcntl", 5) == 0)
1857 return print_fcntl_cmd(val);
1858 } else if (*sys == 'c') {
1859 if (strcmp(sys, "chmod") == 0)
1860 return print_mode_short(val, 16);
1861 else if (strstr(sys, "chown"))
1862 return print_uid(val, 16);
1863 else if (strcmp(sys, "creat") == 0)
1864 return print_mode_short(val, 16);
1866 if (strcmp(sys+1, "etsockopt") == 0)
1867 return print_sock_opt_level(val);
1868 else if (*sys == 's') {
1869 if (strcmp(sys, "setreuid") == 0)
1870 return print_uid(val, 16);
1871 else if (strcmp(sys, "setresuid") == 0)
1872 return print_uid(val, 16);
1873 else if (strcmp(sys, "setregid") == 0)
1874 return print_gid(val, 16);
1875 else if (strcmp(sys, "setresgid") == 0)
1876 return print_gid(val, 16);
1877 else if (strcmp(sys, "socket") == 0)
1878 return print_socket_type(val);
1879 else if (strcmp(sys, "setns") == 0)
1880 return print_clone_flags(val);
1881 else if (strcmp(sys, "sched_setscheduler") == 0)
1882 return print_sched(val);
1883 } else if (*sys == 'm') {
1884 if (strcmp(sys, "mkdir") == 0)
1885 return print_mode_short(val, 16);
1886 else if (strcmp(sys, "mknod") == 0)
1887 return print_mode(val, 16);
1888 else if (strcmp(sys, "mq_open") == 0)
1889 return print_open_flags(val);
1891 else if (strcmp(sys, "open") == 0)
1892 return print_open_flags(val);
1893 else if (strcmp(sys, "access") == 0)
1894 return print_access(val);
1895 else if (strcmp(sys, "epoll_ctl") == 0)
1896 return print_epoll_ctl(val);
1897 else if (strcmp(sys, "kill") == 0)
1898 return print_signals(val, 16);
1899 else if (strcmp(sys, "prctl") == 0) {
1900 if (id->a0 == PR_CAPBSET_READ ||
1901 id->a0 == PR_CAPBSET_DROP)
1902 return print_capabilities(val, 16);
1903 else if (id->a0 == PR_SET_PDEATHSIG)
1904 return print_signals(val, 16);
1906 else if (strcmp(sys, "tkill") == 0)
1907 return print_signals(val, 16);
1908 else if (strcmp(sys, "umount2") == 0)
1909 return print_umount(val);
1910 else if (strcmp(sys, "ioctl") == 0)
1911 return print_ioctl_req(val);
1913 if (asprintf(&out, "0x%s", val) < 0)
1918 static const char *print_a2(const char *val, const idata *id)
1921 int machine = id->machine, syscall = id->syscall;
1922 const char *sys = audit_syscall_to_name(syscall, machine);
1924 if (strncmp(sys, "fcntl", 5) == 0) {
1928 ival = strtoul(val, NULL, 16);
1930 if (asprintf(&out, "conversion error(%s)",
1938 return print_uid(val, 16);
1940 if (ival == FD_CLOEXEC)
1941 return strdup("FD_CLOEXEC");
1942 /* Fall thru okay. */
1949 } else if (strcmp(sys+1, "etsockopt") == 0) {
1950 if (id->a1 == IPPROTO_IP)
1951 return print_ip_opt_name(val);
1952 else if (id->a1 == SOL_SOCKET)
1953 return print_sock_opt_name(val, machine);
1954 else if (id->a1 == IPPROTO_TCP)
1955 return print_tcp_opt_name(val);
1956 else if (id->a1 == IPPROTO_UDP)
1957 return print_udp_opt_name(val);
1958 else if (id->a1 == IPPROTO_IPV6)
1959 return print_ip6_opt_name(val);
1960 else if (id->a1 == SOL_PACKET)
1961 return print_pkt_opt_name(val);
1964 } else if (*sys == 'o') {
1965 if (strcmp(sys, "openat") == 0)
1966 return print_open_flags(val);
1967 if ((strcmp(sys, "open") == 0) && (id->a1 & O_CREAT))
1968 return print_mode_short(val, 16);
1969 } else if (*sys == 'f') {
1970 if (strcmp(sys, "fchmodat") == 0)
1971 return print_mode_short(val, 16);
1972 else if (strcmp(sys, "faccessat") == 0)
1973 return print_access(val);
1974 } else if (*sys == 's') {
1975 if (strcmp(sys, "setresuid") == 0)
1976 return print_uid(val, 16);
1977 else if (strcmp(sys, "setresgid") == 0)
1978 return print_gid(val, 16);
1979 else if (strcmp(sys, "socket") == 0)
1980 return print_socket_proto(val);
1981 else if (strcmp(sys, "sendmsg") == 0)
1982 return print_recv(val);
1983 else if (strcmp(sys, "shmget") == 0)
1984 return print_shmflags(val);
1985 } else if (*sys == 'm') {
1986 if (strcmp(sys, "mmap") == 0)
1987 return print_prot(val, 1);
1988 else if (strcmp(sys, "mkdirat") == 0)
1989 return print_mode_short(val, 16);
1990 else if (strcmp(sys, "mknodat") == 0)
1991 return print_mode_short(val, 16);
1992 else if (strcmp(sys, "mprotect") == 0)
1993 return print_prot(val, 0);
1994 else if ((strcmp(sys, "mq_open") == 0) &&
1996 return print_mode_short(val, 16);
1997 } else if (*sys == 'r') {
1998 if (strcmp(sys, "recvmsg") == 0)
1999 return print_recv(val);
2000 else if (strcmp(sys, "readlinkat") == 0)
2001 return print_dirfd(val);
2002 } else if (*sys == 'l') {
2003 if (strcmp(sys, "linkat") == 0)
2004 return print_dirfd(val);
2005 else if (strcmp(sys, "lseek") == 0)
2006 return print_seek(val);
2008 else if (strstr(sys, "chown"))
2009 return print_gid(val, 16);
2010 else if (strcmp(sys, "tgkill") == 0)
2011 return print_signals(val, 16);
2014 if (asprintf(&out, "0x%s", val) < 0)
2019 static const char *print_a3(const char *val, const idata *id)
2022 int machine = id->machine, syscall = id->syscall;
2023 const char *sys = audit_syscall_to_name(syscall, machine);
2026 if (strcmp(sys, "mmap") == 0)
2027 return print_mmap(val);
2028 else if (strcmp(sys, "mount") == 0)
2029 return print_mount(val);
2030 } else if (*sys == 'r') {
2031 if (strcmp(sys, "recv") == 0)
2032 return print_recv(val);
2033 else if (strcmp(sys, "recvfrom") == 0)
2034 return print_recv(val);
2035 else if (strcmp(sys, "recvmmsg") == 0)
2036 return print_recv(val);
2037 } else if (*sys == 's') {
2038 if (strcmp(sys, "send") == 0)
2039 return print_recv(val);
2040 else if (strcmp(sys, "sendto") == 0)
2041 return print_recv(val);
2042 else if (strcmp(sys, "sendmmsg") == 0)
2043 return print_recv(val);
2046 if (asprintf(&out, "0x%s", val) < 0)
2051 static const char *print_signals(const char *val, unsigned int base)
2057 i = strtoul(val, NULL, base);
2059 if (asprintf(&out, "conversion error(%s)", val) < 0)
2064 const char *s = signal_i2s(i);
2068 if (asprintf(&out, "unknown signal (%s%s)",
2069 base == 16 ? "0x" : "", val) < 0)
2074 static const char *print_nfproto(const char *val)
2081 proto = strtoul(val, NULL, 10);
2083 if (asprintf(&out, "conversion error(%s)", val) < 0)
2088 s = nfproto_i2s(proto);
2091 if (asprintf(&out, "unknown netfilter protocol (%s)", val) < 0)
2096 static const char *print_icmptype(const char *val)
2103 icmptype = strtoul(val, NULL, 10);
2105 if (asprintf(&out, "conversion error(%s)", val) < 0)
2110 s = icmptype_i2s(icmptype);
2113 if (asprintf(&out, "unknown icmp type (%s)", val) < 0)
2118 static const char *print_protocol(const char *val)
2124 i = strtoul(val, NULL, 10);
2126 if (asprintf(&out, "conversion error(%s)", val) < 0)
2129 struct protoent *p = getprotobynumber(i);
2131 out = strdup(p->p_name);
2133 out = strdup("undefined protocol");
2138 static const char *print_addr(const char *val)
2140 char *out = strdup(val);
2144 static const char *print_list(const char *val)
2150 i = strtoul(val, NULL, 10);
2152 if (asprintf(&out, "conversion error(%s)", val) < 0)
2155 out = strdup(audit_flag_to_name(i));
2160 char *buf; /* NULL if was ever out of memory */
2165 /* Append c to buf. */
2166 static void append_char(struct string_buf *buf, char c)
2168 if (buf->buf == NULL)
2170 if (buf->pos == buf->allocated) {
2173 buf->allocated *= 2;
2174 p = realloc(buf->buf, buf->allocated);
2182 buf->buf[buf->pos] = c;
2186 /* Represent c as a character within a quoted string, and append it to buf. */
2187 static void tty_append_printable_char(struct string_buf *buf, unsigned char c)
2189 if (c < 0x20 || c > 0x7E) {
2190 append_char(buf, '\\');
2191 append_char(buf, '0' + ((c >> 6) & 07));
2192 append_char(buf, '0' + ((c >> 3) & 07));
2193 append_char(buf, '0' + (c & 07));
2195 if (c == '\\' || c == '"')
2196 append_char(buf, '\\');
2197 append_char(buf, c);
2201 /* Search for a name of a sequence of TTY bytes.
2202 If found, return the name and advance *INPUT. Return NULL otherwise. */
2203 static const char *tty_find_named_key(unsigned char **input, size_t input_len)
2205 /* NUL-terminated list of (sequence, NUL, name, NUL) entries.
2206 First match wins, even if a longer match were possible later */
2207 static const unsigned char named_keys[] =
2208 #define E(SEQ, NAME) SEQ "\0" NAME "\0"
2209 #include "tty_named_keys.h"
2214 const unsigned char *nk;
2217 if (*src >= ' ' && (*src < 0x7F || *src >= 0xA0))
2218 return NULL; /* Fast path */
2221 const unsigned char *p;
2224 p = strchr(nk, '\0');
2226 if (nk_len <= input_len && memcmp(src, nk, nk_len) == 0) {
2230 nk = strchr(p + 1, '\0') + 1;
2231 } while (*nk != '\0');
2235 static const char *print_tty_data(const char *raw_data)
2237 struct string_buf buf;
2239 unsigned char *data, *data_pos, *data_end;
2241 if (!is_hex_string(raw_data))
2242 return strdup(raw_data);
2243 data = au_unescape((char *)raw_data);
2246 data_end = data + strlen(raw_data) / 2;
2249 buf.buf = malloc(buf.allocated); /* NULL handled in append_char() */
2253 while (data_pos < data_end) {
2254 /* FIXME: Unicode */
2257 desc = tty_find_named_key(&data_pos, data_end - data_pos);
2259 if (in_printable != 0) {
2260 append_char(&buf, '"');
2264 append_char(&buf, ',');
2265 append_char(&buf, '<');
2266 while (*desc != '\0') {
2267 append_char(&buf, *desc);
2270 append_char(&buf, '>');
2272 if (in_printable == 0) {
2274 append_char(&buf, ',');
2275 append_char(&buf, '"');
2278 tty_append_printable_char(&buf, *data_pos);
2282 if (in_printable != 0)
2283 append_char(&buf, '"');
2284 append_char(&buf, '\0');
2289 static const char *print_session(const char *val)
2291 if (strcmp(val, "4294967295") == 0)
2292 return strdup("unset");
2297 #define SECCOMP_RET_ACTION 0x7fff0000U
2298 static const char *print_seccomp_code(const char *val)
2305 code = strtoul(val, NULL, 16);
2307 if (asprintf(&out, "conversion error(%s)", val) < 0)
2311 s = seccomp_i2s(code & SECCOMP_RET_ACTION);
2314 if (asprintf(&out, "unknown seccomp code (%s)", val) < 0)
2319 int lookup_type(const char *name)
2323 if (type_s2i(name, &i) != 0)
2325 return AUPARSE_TYPE_UNCLASSIFIED;
2328 const char *interpret(const rnode *r)
2330 const nvlist *nv = &r->nv;
2336 id.machine = r->machine;
2337 id.syscall = r->syscall;
2340 id.name = nvlist_get_cur_name(nv);
2341 id.val = nvlist_get_cur_val(nv);
2342 type = auparse_interp_adjust_type(r->type, id.name, id.val);
2344 out = auparse_do_interpretation(type, &id);
2345 n = nvlist_get_cur(nv);
2346 n->interp_val = (char *)out;
2352 * rtype: the record type
2353 * name: the current field name
2354 * value: the current field value
2355 * Returns: field's internal type is returned
2357 int auparse_interp_adjust_type(int rtype, const char *name, const char *val)
2361 /* This set of statements overrides or corrects the detection.
2362 * In almost all cases its a double use of a field. */
2363 if (rtype == AUDIT_EXECVE && *name == 'a' && strcmp(name, "argc") &&
2364 !strstr(name, "_len"))
2365 type = AUPARSE_TYPE_ESCAPED;
2366 else if (rtype == AUDIT_AVC && strcmp(name, "saddr") == 0)
2367 type = AUPARSE_TYPE_UNCLASSIFIED;
2368 else if (rtype == AUDIT_USER_TTY && strcmp(name, "msg") == 0)
2369 type = AUPARSE_TYPE_ESCAPED;
2370 else if (rtype == AUDIT_NETFILTER_PKT && strcmp(name, "saddr") == 0)
2371 type = AUPARSE_TYPE_ADDR;
2372 else if (strcmp(name, "acct") == 0) {
2374 type = AUPARSE_TYPE_ESCAPED;
2375 else if (is_hex_string(val))
2376 type = AUPARSE_TYPE_ESCAPED;
2378 type = AUPARSE_TYPE_UNCLASSIFIED;
2379 } else if (rtype == AUDIT_PATH && *name =='f' &&
2380 strcmp(name, "flags") == 0)
2381 type = AUPARSE_TYPE_FLAGS;
2382 else if (rtype == AUDIT_MQ_OPEN && strcmp(name, "mode") == 0)
2383 type = AUPARSE_TYPE_MODE_SHORT;
2384 else if (rtype == AUDIT_CRYPTO_KEY_USER && strcmp(name, "fp") == 0)
2385 type = AUPARSE_TYPE_UNCLASSIFIED;
2386 else if ((strcmp(name, "id") == 0) &&
2387 (rtype == AUDIT_ADD_GROUP || rtype == AUDIT_GRP_MGMT ||
2388 rtype == AUDIT_DEL_GROUP))
2389 type = AUPARSE_TYPE_GID;
2391 type = lookup_type(name);
2395 hidden_def(auparse_interp_adjust_type)
2397 const char *auparse_do_interpretation(int type, const idata *id)
2401 case AUPARSE_TYPE_UID:
2402 out = print_uid(id->val, 10);
2404 case AUPARSE_TYPE_GID:
2405 out = print_gid(id->val, 10);
2407 case AUPARSE_TYPE_SYSCALL:
2408 out = print_syscall(id);
2410 case AUPARSE_TYPE_ARCH:
2411 out = print_arch(id->val, id->machine);
2413 case AUPARSE_TYPE_EXIT:
2414 out = print_exit(id->val);
2416 case AUPARSE_TYPE_ESCAPED:
2417 out = print_escaped(id->val);
2419 case AUPARSE_TYPE_PERM:
2420 out = print_perm(id->val);
2422 case AUPARSE_TYPE_MODE:
2423 out = print_mode(id->val,8);
2425 case AUPARSE_TYPE_MODE_SHORT:
2426 out = print_mode_short(id->val,8);
2428 case AUPARSE_TYPE_SOCKADDR:
2429 out = print_sockaddr(id->val);
2431 case AUPARSE_TYPE_FLAGS:
2432 out = print_flags(id->val);
2434 case AUPARSE_TYPE_PROMISC:
2435 out = print_promiscuous(id->val);
2437 case AUPARSE_TYPE_CAPABILITY:
2438 out = print_capabilities(id->val, 10);
2440 case AUPARSE_TYPE_SUCCESS:
2441 out = print_success(id->val);
2443 case AUPARSE_TYPE_A0:
2444 out = print_a0(id->val, id);
2446 case AUPARSE_TYPE_A1:
2447 out = print_a1(id->val, id);
2449 case AUPARSE_TYPE_A2:
2450 out = print_a2(id->val, id);
2452 case AUPARSE_TYPE_A3:
2453 out = print_a3(id->val, id);
2455 case AUPARSE_TYPE_SIGNAL:
2456 out = print_signals(id->val, 10);
2458 case AUPARSE_TYPE_LIST:
2459 out = print_list(id->val);
2461 case AUPARSE_TYPE_TTY_DATA:
2462 out = print_tty_data(id->val);
2464 case AUPARSE_TYPE_SESSION:
2465 out = print_session(id->val);
2467 case AUPARSE_TYPE_CAP_BITMAP:
2468 out = print_cap_bitmap(id->val);
2470 case AUPARSE_TYPE_NFPROTO:
2471 out = print_nfproto(id->val);
2473 case AUPARSE_TYPE_ICMPTYPE:
2474 out = print_icmptype(id->val);
2476 case AUPARSE_TYPE_PROTOCOL:
2477 out = print_protocol(id->val);
2479 case AUPARSE_TYPE_ADDR:
2480 out = print_addr(id->val);
2482 case AUPARSE_TYPE_PERSONALITY:
2483 out = print_personality(id->val);
2485 case AUPARSE_TYPE_SECCOMP:
2486 out = print_seccomp_code(id->val);
2488 case AUPARSE_TYPE_OFLAG:
2489 out = print_open_flags(id->val);
2491 case AUPARSE_TYPE_MMAP:
2492 out = print_mmap(id->val);
2494 case AUPARSE_TYPE_PROCTITLE:
2495 out = print_proctitle(id->val);
2497 case AUPARSE_TYPE_MAC_LABEL:
2498 case AUPARSE_TYPE_UNCLASSIFIED:
2500 out = strdup(id->val);
2506 hidden_def(auparse_do_interpretation)