journal: use audit event names instead of numbers

<audit-1400> is replaced by AVC, etc. A fallback mechanism is provided for unlisted event types. Occasionally new types are added to the kernel, but not too often. Add a simple "test", which simply prints the mapping.
2024-07-21 10:17:21 +00:00 · 2015-04-14 10:29:03 -04:00 · 2015-04-14 10:29:03 -04:00 · 8bb3626dac
parent 4733607eec
commit 8bb3626dac
6 changed files with 72 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@ -141,6 +141,7 @@
 /systemd-vconsole-setup
 /tags
 /test-architecture
+/test-audit-type
 /test-async
 /test-barrier
 /test-boot-timestamp
--- a/Makefile.am
+++ b/Makefile.am
@ -4533,6 +4533,12 @@ test_compress_benchmark_LDADD = \
 	libsystemd-journal-internal.la \
 	libsystemd-shared.la

+test_audit_type_SOURCES = \
+	src/journal/test-audit-type.c
+
+test_audit_type_LDADD = \
+	libsystemd-journal-core.la
+
 libsystemd_journal_core_la_SOURCES = \
 	src/journal/journald-kmsg.c \
 	src/journal/journald-kmsg.h \
@ -4615,7 +4621,8 @@ tests += \
 	test-journal-interleaving \
 	test-journal-flush \
 	test-mmap-cache \
-	test-catalog
+	test-catalog \
+	test-audit-type

 if HAVE_COMPRESSION
 tests += \
--- a/src/journal/audit-type.c
+++ b/src/journal/audit-type.c
@ -19,6 +19,7 @@
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/

+#include <stdio.h>
 #include <linux/audit.h>
 #ifdef HAVE_AUDIT
 #  include <libaudit.h>
--- a/src/journal/audit-type.h
+++ b/src/journal/audit-type.h
@ -21,6 +21,19 @@
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/

+#include "macro.h"

 const char *audit_type_to_string(int type);
 int audit_type_from_string(const char *s);
+
+/* This is inspired by DNS TYPEnnn formatting */
+#define audit_type_name_alloca(type)                                    \
+        ({                                                              \
+                const char *_s_;                                        \
+                _s_ = audit_type_to_string(type);                       \
+                if (!_s_) {                                             \
+                        _s_ = alloca(strlen("AUDIT") + DECIMAL_STR_MAX(int)); \
+                        sprintf((char*) _s_, "AUDIT%04i", type);        \
+                }                                                       \
+                _s_;                                                    \
+        })
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@ -21,6 +21,7 @@

 #include "missing.h"
 #include "journald-audit.h"
+#include "audit-type.h"

 typedef struct MapField {
        const char *audit_field;
@ -336,7 +337,7 @@ static void process_audit_string(Server *s, int type, const char *data, size_t s
        size_t n_iov_allocated = 0;
        unsigned n_iov = 0, k;
        uint64_t seconds, msec, id;
-        const char *p;
+        const char *p, *type_name;
        unsigned z;
        char id_field[sizeof("_AUDIT_ID=") + DECIMAL_STR_MAX(uint64_t)],
             type_field[sizeof("_AUDIT_TYPE=") + DECIMAL_STR_MAX(int)],
@ -396,8 +397,9 @@ static void process_audit_string(Server *s, int type, const char *data, size_t s
        IOVEC_SET_STRING(iov[n_iov++], "SYSLOG_FACILITY=32");
        IOVEC_SET_STRING(iov[n_iov++], "SYSLOG_IDENTIFIER=audit");

-        m = alloca(strlen("MESSAGE=<audit-") + DECIMAL_STR_MAX(int) + strlen("> ") + strlen(p) + 1);
-        sprintf(m, "MESSAGE=<audit-%i> %s", type, p);
+        type_name = audit_type_name_alloca(type);
+
+        m = strjoina("MESSAGE=", type_name, " ", p);
        IOVEC_SET_STRING(iov[n_iov++], m);

        z = n_iov;
--- a/src/journal/test-audit-type.c
+++ b/src/journal/test-audit-type.c
@ -0,0 +1,44 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+  This file is part of systemd.
+
+  Copyright 2015 Zbigniew Jędrzejewski-Szmek
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdio.h>
+#include <linux/audit.h>
+
+#include "audit-type.h"
+
+static void print_audit_label(int i) {
+        const char *name;
+
+        name = audit_type_name_alloca(i);
+        /* This is a separate function only because of alloca */
+        printf("%i → %s → %s\n", i, audit_type_to_string(i), name);
+}
+
+static void test_audit_type(void) {
+        int i;
+
+        for (i = 0; i <= AUDIT_KERNEL; i++)
+                print_audit_label(i);
+}
+
+int main(int argc, char **argv) {
+        test_audit_type();
+}