It is more helpful to show system call number than smack function.
For example, whichever file operation is denied, the smack function is just
"smack_inode_getattr", which does not help with analysis.
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Change-Id: Id74ec4583b30b82b229b49d27a46fbe254734ca0
return AUDIT_TRAIL_ERROR_NONE;
}
-int audit_trail_get_mac_action_function(audit_trail_mac_h handle, const char **func)
+int audit_trail_get_mac_action_syscall(audit_trail_mac_h handle, unsigned int *syscall)
{
RET_ON_FAILURE(handle, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
- RET_ON_FAILURE(func, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
+ RET_ON_FAILURE(syscall, AUDIT_TRAIL_ERROR_INVALID_PARAMETER);
const auto *pAudit = (MandatoryAccessControl::AuditTrail*)handle;
- *func = pAudit->action.function.c_str();
+ *syscall = pAudit->action.systemCall;
return AUDIT_TRAIL_ERROR_NONE;
}
* @details This API can be used to get the function that causes a MAC log.
* @since_tizen 5.0
* @param[in] handle The audit-trail MAC log handle
- * @param[out] func The fungtion name
+ * @param[out] syscall the system call number
* @return #AUDIT_TRAIL_ERROR_NONE on success, otherwise a negative value
* @retval #AUDIT_TRAIL_ERROR_NONE Successful
* @retval #AUDIT_TRAIL_ERROR_TIMED_OUT Time out
* @retval #AUDIT_TRAIL_ERROR_INVALID_PARAMETER Invalid parameter
* @post The function name must not be freed.
*/
-AUDIT_TRAIL_API int audit_trail_get_mac_action_function(audit_trail_mac_h handle, const char **func);
+AUDIT_TRAIL_API int audit_trail_get_mac_action_syscall(audit_trail_mac_h handle, unsigned int *syscall);
/**
* @brief Get what operation is requested by the function of the MAC log
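Review bot: The surrounding Doxygen text still describes the old string-returning API: `@details` says the call gets "the function that causes a MAC log", and `@post The function name must not be freed.` no longer applies because the new function writes an integer by value. I would change the details line to `* @details This API can be used to get the number of the system call that caused the MAC log.` and drop the `@post` line, or replace it with a remark that the value is only meaningful while the handle is valid if that is the intended contract. The new `@param[out]` text also starts in lowercase while the neighbouring parameter docs are capitalized; `* @param[out] syscall The system call number` keeps the style consistent. The `@brief` line of this comment block is outside the hunk, so it may need the same wording update.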
REFLECTABLE(label, name);
} object;
struct {
- std::string function;
+ unsigned int systemCall;
std::string request;
- REFLECTABLE(function, request);
+ REFLECTABLE(systemCall, request);
} action;
REFLECTABLE(time, subject, object, action);
};
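Review bot: `unsigned int systemCall;` has no initializer, and the parser visible elsewhere in this change starts from a default-constructed `MandatoryAccessControl::AuditTrail ret;` and only assigns the field when a `syscall` item is present, so a log with no such item would report an indeterminate number (the old `std::string function` was empty by default). `unsigned int systemCall = 0;` closes that gap, assuming the struct is not aggregate-initialized under a pre-C++14 standard anywhere else; if it is, initialize it in `convertLog` instead. The struct definition begins outside this hunk.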
std::vector<MandatoryAccessControl::AuditTrail> logs;
bool enabled;
+std::string logNoSyscall;
+
MandatoryAccessControl::AuditTrail convertLog(std::string &log)
{
MandatoryAccessControl::AuditTrail ret;
ret.object.label = value.substr(1, value.size() - 2);
} else if (item == "path") {
ret.object.name = value.substr(1, value.size() - 2);
- } else if (item == "fn") {
- ret.action.function = value;
- } else if (item == "requested") {
+ } else if (item == "syscall") {
+ ret.action.systemCall = std::stoi(value);
+ } else if (item == "requested") {
ret.action.request = value;
}
+
}
return ret;
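Review bot: `ret.action.systemCall = std::stoi(value);` on L59 throws `std::invalid_argument` or `std::out_of_range` when the `syscall=` value is not a well-formed decimal, and it returns a signed `int` that is silently narrowed into the `unsigned int` field; since this runs on text taken from the audit stream inside the audit callback, a malformed or unexpected record would propagate an exception out of the handler rather than being logged. A tolerant conversion such as `try { ret.action.systemCall = static_cast<unsigned int>(std::stoul(value)); } catch (const std::exception &) { ret.action.systemCall = 0; }` keeps the handler alive and records a recognizable sentinel; a `std::strtoul` with an end-pointer check would additionally reject trailing garbage. The added blank line at L63 before the closing brace looks accidental. `convertLog` begins outside this hunk.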
enabled = false;
context.setAuditHandler([&ctx] (int type, std::vector<char> &buf) {
- if (type == AUDIT_AVC && enabled) {
+ if (!enabled) {
+ return;
+ }
+
+ if (type == AUDIT_AVC) {
+ std::string log(buf.begin(), buf.end());
+ logNoSyscall = log;
+ } else if (type == AUDIT_SYSCALL && logNoSyscall.size() > 0) {
std::string log(buf.begin(), buf.end());
+ log += " " + logNoSyscall;
logs.push_back(convertLog(log));
ctx.notify("MandatoryAccessControl", logs.size() - 1);
+ logNoSyscall.clear();
}
});
}
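Review bot: The new pairing logic delivers an `AUDIT_AVC` record only when an `AUDIT_SYSCALL` record follows it (L73–L79), so an AVC record with no syscall record is never pushed to `logs` and instead sits in `logNoSyscall` until it is glued onto the next, unrelated syscall record, while a second AVC record arriving before any syscall record overwrites the first on L75; before this change every AVC record was logged. If, as is usual for kernel audit output, both records start with an `audit(<timestamp>:<serial>):` prefix — please confirm against the producer — the pending AVC should only be merged when the serials agree and otherwise be discarded (or emitted on its own), which needs a second file-scope string next to `logNoSyscall` to hold the pending serial. A sketch of the handler body:

```cpp
context.setAuditHandler([&ctx] (int type, std::vector<char> &buf) {
    if (!enabled) {
        return;
    }

    std::string log(buf.begin(), buf.end());
    // assumes every record begins with "audit(<ts>:<serial>):" — confirm against the audit source
    std::string serial = log.substr(0, log.find(')') + 1);

    if (type == AUDIT_AVC) {
        // only one AVC is kept pending; an earlier one that never matched a SYSCALL is replaced here
        logNoSyscall = log;
        pendingSerial = serial;
    } else if (type == AUDIT_SYSCALL && !logNoSyscall.empty()) {
        if (serial == pendingSerial) {
            log += " " + logNoSyscall;
            logs.push_back(convertLog(log));
            ctx.notify("MandatoryAccessControl", logs.size() - 1);
        }
        logNoSyscall.clear();
    }
});
```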
{
std::stringstream str;
const char *text;
+ unsigned int uint;
pid_t pid;
time_t time;
str << ",label=" << text;
str << "},action={";
- audit_trail_get_mac_action_function(log, &text);
- str << "function=" << text;
+ audit_trail_get_mac_action_syscall(log, &uint);
+ str << "syscall=" << uint;
audit_trail_get_mac_action_request(log, &text);
str << ",request=" << text;
str << "}";
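Review bot: `unsigned int uint;` on L88 is left uninitialized and the return value of `audit_trail_get_mac_action_syscall` on L95 is ignored, so if the call fails (invalid handle, or the error paths the header documents) an indeterminate number is written into the output; `unsigned int syscallNo = 0;` and `str << "syscall=" << syscallNo;` at least make the failure visible as a stable value. The name `uint` also shadows the `uint` typedef that glibc provides via `<sys/types.h>`, which compiles but reads as a type in the `<<` expression. The same ignored-return pattern applies to the pre-existing `text` calls, but the new line should not add to it. The enclosing function's signature and closing brace are outside this hunk.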