2 * ausearch-match.c - Extract interesting fields and check for match
3 * Copyright (c) 2005-08, 2011 Red Hat Inc., Durham, North Carolina.
4 * Copyright (c) 2011 IBM Corp.
7 * This software may be freely redistributed and/or modified under the
8 * terms of the GNU General Public License as published by the Free
9 * Software Foundation; either version 2, or (at your option) any
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; see the file COPYING. If not, write to the
19 * Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 * Steve Grubb <sgrubb@redhat.com>
23 * Marcelo Henrique Cerri <mhcerri@br.ibm.com>
29 #include "ausearch-options.h"
30 #include "ausearch-parse.h"
// Forward declarations of the per-field matchers. The record matcher below
// calls these after its cheap integer comparisons; each returns 1 on a match
// and 0 otherwise (see the header comments on their definitions).
32 static int strmatch(const char *needle, const char *haystack);
33 static int user_match(llist *l);
34 static int group_match(llist *l);
35 static int context_match(llist *l);
38 * This function performs the matching of search params with the record.
39 * It returns 1 on a match, and 0 if no match. The way that this function
40 * works is that it will try to determine if there is not a match and exit
41 * as soon as possible. We can do this since all command line params form
42 * an 'and' statement. If anything does not match, no need to evaluate the
48 // Are we within time range?
49 if (start_time == 0 || l->e.sec >= start_time) {
50 if (end_time == 0 || l->e.sec <= end_time) {
51 if (event_id == -1 || event_id == l->e.serial) {
52 // OK - do the heavier checking
53 if (extract_search_items(l)) {
57 // perform additional tests for the field
58 if (event_node_list) {
61 slist *sptr = event_node_list;
63 if (l->e.node == NULL)
67 sn=slist_get_cur(sptr);
68 while (sn && !found) {
69 if (sn->str && (!strcmp(sn->str, l->e.node)))
77 if (user_match(l) == 0)
79 if (group_match(l) == 0)
81 if ((event_ppid != -1) &&
82 (event_ppid != l->s.ppid))
84 if ((event_pid != -1) &&
85 (event_pid != l->s.pid))
87 if (event_machine != -1 &&
89 audit_elf_to_machine(l->s.arch)))
91 if ((event_syscall != -1) &&
92 (event_syscall != l->s.syscall))
94 if ((event_session_id != -2) &&
95 (event_session_id != l->s.session_id))
97 if (event_exit_is_set) {
98 if (l->s.exit_is_set == 0)
100 if (event_exit != l->s.exit)
104 if ((event_success != S_UNSET) &&
105 (event_success != l->s.success))
107 // event_type requires looking at each item
108 if (event_type != NULL) {
116 ilist_first(event_type);
117 in = ilist_get_cur(event_type);
119 if (in->num == n->type){
124 ilist_next(event_type)));
127 } while ((n = list_next(l)));
132 // Done all the easy compares, now do the
134 if (event_filename) {
136 if (l->s.filename == NULL && l->s.cwd == NULL)
140 slist *sptr = l->s.filename;
143 sn=slist_get_cur(sptr);
153 } while ((sn=slist_next(sptr)));
155 if (!found && l->s.cwd == NULL)
158 if (l->s.cwd && !found) {
160 if (strmatch(event_filename,
165 if (event_hostname) {
166 if (l->s.hostname == NULL)
168 if (strmatch(event_hostname,
172 if (event_terminal) {
173 if (l->s.terminal == NULL)
175 if (strmatch(event_terminal,
180 if (l->s.exe == NULL)
182 if (strmatch(event_exe,
187 if (l->s.comm == NULL)
189 if (strmatch(event_comm,
194 if (l->s.key == NULL)
199 slist *sptr = l->s.key;
202 sn=slist_get_cur(sptr);
212 } while ((sn=slist_next(sptr)));
218 if (l->s.vmname == NULL)
220 if (strmatch(event_vmname,
225 if (l->s.uuid == NULL)
227 if (strmatch(event_uuid,
231 if (context_match(l) == 0)
241 * This function compares strings. It returns a 0 if no match and a 1 if
244 static int strmatch(const char *needle, const char *haystack)
// Shared helper for the string-valued search fields (filename, hostname,
// terminal, exe, comm, vmname, uuid, SELinux contexts). Every caller checks
// the record field for NULL before calling, so haystack is non-NULL here;
// needle is the value given on the command line.
246 if (event_exact_match) {
// Exact mode: the record field must equal the search string as a whole.
247 if (strcmp(haystack, needle) != 0)
// Default mode: a substring anywhere in the record field is a match.
250 if (strstr(haystack, needle) == NULL)
257 * This function compares user id's. It returns a 0 if no match and a 1 if
260 static int user_match(llist *l)
// Compares the requested uid/euid/loginuid with the record's. Two modes are
// visible: an "or" mode where any one equal id is a match, and an "and" mode
// where every id that was set on the command line must match. The condition
// selecting the mode is on a line omitted from this listing.
263 // This will "or" the user tests
// NOTE(review): no "unset" guard in this branch; it presumably relies on the
// caller having set all three ids to the same value — confirm against the
// option parsing.
264 if (event_uid == l->s.uid)
266 if (event_euid == l->s.euid)
268 if (event_loginuid == l->s.loginuid)
272 // This will "and" the user tests
// -1 is the "not requested" sentinel for uid and euid.
273 if ((event_uid != -1) && (event_uid != l->s.uid))
275 if ((event_euid != -1) &&(event_euid != l->s.euid))
// loginuid uses -2 as its sentinel, not -1. NOTE(review): presumably because
// -1 (unset auid) is a legitimate value in records and must stay searchable
// — confirm.
277 if ((event_loginuid != -2) &&
278 (event_loginuid != l->s.loginuid))
285 * This function compares group id's. It returns a 0 if no match and a 1 if
288 static int group_match(llist *l)
// Compares the requested gid/egid with the record's, mirroring user_match:
// an "or" mode where either equal id is a match, and an "and" mode where each
// id set on the command line must match. The mode-selecting condition is on
// a line omitted from this listing.
291 // This will "or" the group tests
// NOTE(review): as in user_match, this branch has no "unset" guard and
// presumably expects both ids to have been set by the caller — confirm.
292 if (event_gid == l->s.gid)
294 if (event_egid == l->s.egid)
298 // This will "and" the group tests
// -1 marks an id that was not requested on the command line.
299 if ((event_gid != -1) && (event_gid != l->s.gid))
301 if ((event_egid != -1) &&(event_egid != l->s.egid))
308 * This function compares contexts. It returns a 0 if no match and a 1 if
311 static int context_match(llist *l)
313 if (event_se) { /* This does the "or" check if -se test */
315 if (l->s.avc && alist_find_subj(l->s.avc)) {
317 if (strmatch(event_subject,
318 l->s.avc->cur->scontext))
320 } while(alist_next_subj(l->s.avc));
325 alist_first(l->s.avc);
326 if (alist_find_obj(l->s.avc)) {
328 if (strmatch(event_object,
329 l->s.avc->cur->tcontext))
331 } while(alist_next_obj(l->s.avc));
338 if (l->s.avc == NULL)
340 if (alist_find_subj(l->s.avc)) {
342 if (strmatch(event_subject,
343 l->s.avc->cur->scontext))
345 } while(alist_next_subj(l->s.avc));
350 if (l->s.avc == NULL)
352 if (alist_find_obj(l->s.avc)) {
354 if (strmatch(event_object,
355 l->s.avc->cur->tcontext))
357 } while(alist_next_obj(l->s.avc));