authorAshlee Young <ashlee@wildernessvoice.com>2015-11-29 08:22:13 -0800
committerAshlee Young <ashlee@wildernessvoice.com>2015-11-29 08:22:13 -0800
commitdf5afa4fcd9725380f94ca6476248d4cc24f889a (patch)
tree65456f62397305febf7f40778c5a413a35d094ef /framework/src/audit/auparse
parent76f6bf922552c00546e6e85ca471eab28f56986c (diff)
v2.4.4 audit sources
Change-Id: I9315a7408817db51edf084fb4d27fbb492785084 Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
Diffstat (limited to 'framework/src/audit/auparse')
-rw-r--r--framework/src/audit/auparse/Makefile.am491
-rw-r--r--framework/src/audit/auparse/accesstab.h27
-rw-r--r--framework/src/audit/auparse/auditd-config.c445
-rw-r--r--framework/src/audit/auparse/auparse-defs.h98
-rw-r--r--framework/src/audit/auparse/auparse-idata.h49
-rw-r--r--framework/src/audit/auparse/auparse.c1377
-rw-r--r--framework/src/audit/auparse/auparse.h112
-rw-r--r--framework/src/audit/auparse/auparse.pc.in11
-rw-r--r--framework/src/audit/auparse/captab.h62
-rw-r--r--framework/src/audit/auparse/clocktab.h36
-rw-r--r--framework/src/audit/auparse/clone-flagtab.h47
-rw-r--r--framework/src/audit/auparse/data_buf.c394
-rw-r--r--framework/src/audit/auparse/data_buf.h80
-rw-r--r--framework/src/audit/auparse/ellist.c428
-rw-r--r--framework/src/audit/auparse/ellist.h66
-rw-r--r--framework/src/audit/auparse/epoll_ctl.h27
-rw-r--r--framework/src/audit/auparse/expression.c1111
-rw-r--r--framework/src/audit/auparse/expression.h133
-rw-r--r--framework/src/audit/auparse/famtab.h62
-rw-r--r--framework/src/audit/auparse/fcntl-cmdtab.h52
-rw-r--r--framework/src/audit/auparse/flagtab.h33
-rw-r--r--framework/src/audit/auparse/icmptypetab.h37
-rw-r--r--framework/src/audit/auparse/internal.h86
-rw-r--r--framework/src/audit/auparse/interpret.c2651
-rw-r--r--framework/src/audit/auparse/interpret.h54
-rw-r--r--framework/src/audit/auparse/ioctlreqtab.h54
-rw-r--r--framework/src/audit/auparse/ip6optnametab.h87
-rw-r--r--framework/src/audit/auparse/ipccmdtab.h28
-rw-r--r--framework/src/audit/auparse/ipctab.h37
-rw-r--r--framework/src/audit/auparse/ipoptnametab.h70
-rw-r--r--framework/src/audit/auparse/message.c58
-rw-r--r--framework/src/audit/auparse/mmaptab.h40
-rw-r--r--framework/src/audit/auparse/mounttab.h53
-rw-r--r--framework/src/audit/auparse/nfprototab.h31
-rw-r--r--framework/src/audit/auparse/nvlist.c137
-rw-r--r--framework/src/audit/auparse/nvlist.h51
-rw-r--r--framework/src/audit/auparse/nvpair.c89
-rw-r--r--framework/src/audit/auparse/nvpair.h56
-rw-r--r--framework/src/audit/auparse/open-flagtab.h44
-rw-r--r--framework/src/audit/auparse/persontab.h45
-rw-r--r--framework/src/audit/auparse/pktoptnametab.h43
-rw-r--r--framework/src/audit/auparse/prctl-opt-tab.h68
-rw-r--r--framework/src/audit/auparse/private.h54
-rw-r--r--framework/src/audit/auparse/prottab.h28
-rw-r--r--framework/src/audit/auparse/ptracetab.h55
-rw-r--r--framework/src/audit/auparse/recvtab.h46
-rw-r--r--framework/src/audit/auparse/rlimittab.h40
-rw-r--r--framework/src/audit/auparse/rnode.h63
-rw-r--r--framework/src/audit/auparse/schedtab.h31
-rw-r--r--framework/src/audit/auparse/seccomptab.h30
-rw-r--r--framework/src/audit/auparse/seektab.h29
-rw-r--r--framework/src/audit/auparse/shm_modetab.h29
-rw-r--r--framework/src/audit/auparse/signaltab.h56
-rw-r--r--framework/src/audit/auparse/sockleveltab.h56
-rw-r--r--framework/src/audit/auparse/sockoptnametab.h84
-rw-r--r--framework/src/audit/auparse/socktab.h44
-rw-r--r--framework/src/audit/auparse/socktypetab.h31
-rw-r--r--framework/src/audit/auparse/tcpoptnametab.h49
-rw-r--r--framework/src/audit/auparse/test/Makefile.am91
-rw-r--r--framework/src/audit/auparse/test/auparse_test.c469
-rwxr-xr-xframework/src/audit/auparse/test/auparse_test.py262
-rw-r--r--framework/src/audit/auparse/test/auparse_test.ref803
-rw-r--r--framework/src/audit/auparse/test/auparse_test.ref.py793
-rw-r--r--framework/src/audit/auparse/test/test.log10
-rw-r--r--framework/src/audit/auparse/test/test2.log10
-rw-r--r--framework/src/audit/auparse/tty_named_keys.h409
-rw-r--r--framework/src/audit/auparse/typetab.h127
-rw-r--r--framework/src/audit/auparse/umounttab.h30
68 files changed, 12689 insertions, 0 deletions
diff --git a/framework/src/audit/auparse/Makefile.am b/framework/src/audit/auparse/Makefile.am
new file mode 100644
index 00000000..4b864d7c
--- /dev/null
+++ b/framework/src/audit/auparse/Makefile.am
@@ -0,0 +1,491 @@
+# Makefile.am --
+# Copyright 2006-08,2011-15 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Authors:
+# Steve Grubb <sgrubb@redhat.com>
+#
+
+SUBDIRS = test
+CLEANFILES = $(BUILT_SOURCES)
+CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE -g ${DEBUG}
+AM_CPPFLAGS = -I. -I${top_srcdir} -I${top_srcdir}/src -I${top_srcdir}/lib
+LIBS =
+
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = auparse.pc
+DISTCLEANFILES = $(pkgconfig_DATA)
+
+lib_LTLIBRARIES = libauparse.la
+include_HEADERS = auparse.h auparse-defs.h
+libauparse_la_SOURCES = nvpair.c interpret.c nvlist.c ellist.c \
+ auparse.c auditd-config.c message.c data_buf.c strsplit.c \
+ auparse-defs.h auparse-idata.h data_buf.h \
+ nvlist.h auparse.h ellist.h \
+ internal.h nvpair.h rnode.h interpret.h \
+ private.h expression.c expression.h tty_named_keys.h
+nodist_libauparse_la_SOURCES = $(BUILT_SOURCES)
+
+libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la
+libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h
+libauparse_la_LDFLAGS = -Wl,-z,relro
+
+message.c:
+ cp ${top_srcdir}/lib/message.c .
+
+strsplit.c:
+ cp ${top_srcdir}/lib/strsplit.c .
+
+BUILT_SOURCES = accesstabs.h captabs.h clocktabs.h clone-flagtabs.h \
+ epoll_ctls.h famtabs.h fcntl-cmdtabs.h \
+ flagtabs.h icmptypetabs.h ipctabs.h ipccmdtabs.h\
+ ioctlreqtabs.h ipoptnametabs.h ip6optnametabs.h \
+ mmaptabs.h mounttabs.h nfprototabs.h open-flagtabs.h \
+ persontabs.h prctl_opttabs.h pktoptnametabs.h \
+ prottabs.h ptracetabs.h \
+ rlimittabs.h recvtabs.h schedtabs.h seccomptabs.h \
+ seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
+ socktabs.h sockleveltabs.h socktypetabs.h \
+ tcpoptnametabs.h typetabs.h umounttabs.h
+noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
+ gen_clone-flagtabs_h \
+ gen_epoll_ctls_h gen_famtabs_h \
+ gen_fcntl-cmdtabs_h gen_flagtabs_h gen_ioctlreqtabs_h \
+ gen_icmptypetabs_h gen_ipctabs_h gen_ipccmdtabs_h\
+ gen_ipoptnametabs_h gen_ip6optnametabs_h gen_nfprototabs_h \
+ gen_mmaptabs_h gen_mounttabs_h \
+ gen_open-flagtabs_h gen_persontabs_h \
+ gen_prctl_opttabs_h gen_pktoptnametabs_h gen_prottabs_h \
+ gen_recvtabs_h gen_rlimit_h gen_ptracetabs_h \
+ gen_schedtabs_h gen_seccomptabs_h \
+ gen_seektabs_h gen_shm_modetabs_h gen_signals_h \
+ gen_sockoptnametabs_h gen_socktabs_h gen_sockleveltabs_h \
+ gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
+ gen_umounttabs_h
+
+gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
+gen_accesstabs_h_CFLAGS = '-DTABLE_H="accesstab.h"'
+$(gen_accesstabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_accesstabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_accesstabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_accesstabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_accesstabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_accesstabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+accesstabs.h: gen_accesstabs_h Makefile
+ ./gen_accesstabs_h --i2s-transtab access > $@
+
+gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
+gen_captabs_h_CFLAGS = '-DTABLE_H="captab.h"'
+$(gen_captabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_captabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_captabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_captabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_captabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_captabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+captabs.h: gen_captabs_h Makefile
+ ./gen_captabs_h --i2s cap > $@
+
+gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
+gen_clock_h_CFLAGS = '-DTABLE_H="clocktab.h"'
+$(gen_clock_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_clock_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_clock_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_clock_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_clock_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_clock_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+clocktabs.h: gen_clock_h Makefile
+ ./gen_clock_h --i2s clock > $@
+
+gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+ clone-flagtab.h
+gen_clone_flagtabs_h_CFLAGS = '-DTABLE_H="clone-flagtab.h"'
+$(gen_clone_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_clone_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_clone_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_clone-flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_clone-flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_clone-flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+clone-flagtabs.h: gen_clone-flagtabs_h Makefile
+ ./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
+
+gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
+gen_epoll_ctls_h_CFLAGS = '-DTABLE_H="epoll_ctl.h"'
+$(gen_epoll_ctls_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_epoll_ctls_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_epoll_ctls_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_epoll_ctls_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_epoll_ctls_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_epoll_ctls_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+epoll_ctls.h: gen_epoll_ctls_h Makefile
+ ./gen_epoll_ctls_h --i2s epoll_ctl > $@
+
+gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
+gen_famtabs_h_CFLAGS = '-DTABLE_H="famtab.h"'
+$(gen_famtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_famtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_famtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_famtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_famtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_famtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+famtabs.h: gen_famtabs_h Makefile
+ ./gen_famtabs_h --i2s fam > $@
+
+gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
+# ../auparse/ is used to avoid using ../lib/flagtab.h
+gen_flagtabs_h_CFLAGS = '-DTABLE_H="../auparse/flagtab.h"'
+$(gen_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+flagtabs.h: gen_flagtabs_h Makefile
+ ./gen_flagtabs_h --i2s-transtab flag > $@
+
+gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+ fcntl-cmdtab.h
+gen_fcntl_cmdtabs_h_CFLAGS = '-DTABLE_H="fcntl-cmdtab.h"'
+$(gen_fcntl_cmdtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_fcntl_cmdtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_fcntl_cmdtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
+ ./gen_fcntl-cmdtabs_h --i2s fcntl > $@
+
+gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
+gen_icmptypetabs_h_CFLAGS = '-DTABLE_H="icmptypetab.h"'
+$(gen_icmptypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_icmptypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_icmptypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_icmptypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_icmptypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_icmptypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+icmptypetabs.h: gen_icmptypetabs_h Makefile
+ ./gen_icmptypetabs_h --i2s icmptype > $@
+
+gen_ioctlreqtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ioctlreqtab.h
+gen_ioctlreqtabs_h_CFLAGS = '-DTABLE_H="ioctlreqtab.h"'
+$(gen_ioctlreqtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ioctlreqtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ioctlreqtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ioctlreqtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ioctlreqtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ioctlreqtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ioctlreqtabs.h: gen_ioctlreqtabs_h Makefile
+ ./gen_ioctlreqtabs_h --i2s ioctlreq > $@
+
+gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
+gen_ipctabs_h_CFLAGS = '-DTABLE_H="ipctab.h"'
+$(gen_ipctabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ipctabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ipctabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ipctabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ipctabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ipctabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ipctabs.h: gen_ipctabs_h Makefile
+ ./gen_ipctabs_h --i2s ipc > $@
+
+gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
+gen_ipccmdtabs_h_CFLAGS = '-DTABLE_H="ipccmdtab.h"'
+$(gen_ipccmdtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ipccmdtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ipccmdtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ipccmdtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ipccmdtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ipccmdtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ipccmdtabs.h: gen_ipccmdtabs_h Makefile
+ ./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
+
+gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
+gen_ipoptnametabs_h_CFLAGS = '-DTABLE_H="ipoptnametab.h"'
+$(gen_ipoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ipoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ipoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ipoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ipoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ipoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ipoptnametabs.h: gen_ipoptnametabs_h Makefile
+ ./gen_ipoptnametabs_h --i2s ipoptname > $@
+
+gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
+gen_ip6optnametabs_h_CFLAGS = '-DTABLE_H="ip6optnametab.h"'
+$(gen_ip6optnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ip6optnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ip6optnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ip6optnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ip6optnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ip6optnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ip6optnametabs.h: gen_ip6optnametabs_h Makefile
+ ./gen_ip6optnametabs_h --i2s ip6optname > $@
+
+gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
+gen_mmaptabs_h_CFLAGS = '-DTABLE_H="mmaptab.h"'
+$(gen_mmaptabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_mmaptabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_mmaptabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_mmaptabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_mmaptabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_mmaptabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+mmaptabs.h: gen_mmaptabs_h Makefile
+ ./gen_mmaptabs_h --i2s-transtab mmap > $@
+
+gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
+gen_mounttabs_h_CFLAGS = '-DTABLE_H="mounttab.h"'
+$(gen_mounttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_mounttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_mounttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_mounttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_mounttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_mounttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+mounttabs.h: gen_mounttabs_h Makefile
+ ./gen_mounttabs_h --i2s-transtab mount > $@
+
+gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
+gen_nfprototabs_h_CFLAGS = '-DTABLE_H="nfprototab.h"'
+$(gen_nfprototabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_nfprototabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_nfprototabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_nfprototabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_nfprototabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_nfprototabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+nfprototabs.h: gen_nfprototabs_h Makefile
+ ./gen_nfprototabs_h --i2s nfproto > $@
+
+gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+ open-flagtab.h
+gen_open_flagtabs_h_CFLAGS = '-DTABLE_H="open-flagtab.h"'
+$(gen_open_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_open_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_open_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_open-flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_open-flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_open-flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+open-flagtabs.h: gen_open-flagtabs_h Makefile
+ ./gen_open-flagtabs_h --i2s-transtab open_flag > $@
+
+gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
+gen_persontabs_h_CFLAGS = '-DTABLE_H="persontab.h"'
+$(gen_persontabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_persontabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_persontabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_persontabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_persontabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_persontabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+persontabs.h: gen_persontabs_h Makefile
+ ./gen_persontabs_h --i2s person > $@
+
+gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
+gen_ptracetabs_h_CFLAGS = '-DTABLE_H="ptracetab.h"'
+$(gen_ptracetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ptracetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ptracetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ptracetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ptracetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ptracetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ptracetabs.h: gen_ptracetabs_h Makefile
+ ./gen_ptracetabs_h --i2s ptrace > $@
+
+gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
+gen_prctl_opttabs_h_CFLAGS = '-DTABLE_H="prctl-opt-tab.h"'
+$(gen_prctl_opttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_prctl_opttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_prctl_opttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_prctl_opttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_prctl_opttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_prctl_opttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+prctl_opttabs.h: gen_prctl_opttabs_h Makefile
+ ./gen_prctl_opttabs_h --i2s prctl_opt > $@
+
+gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
+gen_pktoptnametabs_h_CFLAGS = '-DTABLE_H="pktoptnametab.h"'
+$(gen_pktoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_pktoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_pktoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_pktoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_pktoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_pktoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+pktoptnametabs.h: gen_pktoptnametabs_h Makefile
+ ./gen_pktoptnametabs_h --i2s pktoptname > $@
+
+gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
+gen_prottabs_h_CFLAGS = '-DTABLE_H="prottab.h"'
+$(gen_prottabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_prottabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_prottabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_prottabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_prottabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_prottabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+prottabs.h: gen_prottabs_h Makefile
+ ./gen_prottabs_h --i2s-transtab prot > $@
+
+gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
+gen_recvtabs_h_CFLAGS = '-DTABLE_H="recvtab.h"'
+$(gen_recvtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_recvtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_recvtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_recvtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_recvtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_recvtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+recvtabs.h: gen_recvtabs_h Makefile
+ ./gen_recvtabs_h --i2s-transtab recv > $@
+
+gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
+gen_rlimit_h_CFLAGS = '-DTABLE_H="rlimittab.h"'
+$(gen_rlimit_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_rlimit_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_rlimit_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_rlimit_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_rlimit_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_rlimit_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+rlimittabs.h: gen_rlimit_h Makefile
+ ./gen_rlimit_h --i2s rlimit > $@
+
+gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
+gen_schedtabs_h_CFLAGS = '-DTABLE_H="schedtab.h"'
+$(gen_schedtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_schedtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_schedtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_schedtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_schedtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_schedtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+schedtabs.h: gen_schedtabs_h Makefile
+ ./gen_schedtabs_h --i2s sched > $@
+
+gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
+gen_seccomptabs_h_CFLAGS = '-DTABLE_H="seccomptab.h"'
+$(gen_seccomptabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_seccomptabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_seccomptabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_seccomptabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_seccomptabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_seccomptabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+seccomptabs.h: gen_seccomptabs_h Makefile
+ ./gen_seccomptabs_h --i2s seccomp > $@
+
+gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
+gen_seektabs_h_CFLAGS = '-DTABLE_H="seektab.h"'
+$(gen_seektabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_seektabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_seektabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_seektabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_seektabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_seektabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+seektabs.h: gen_seektabs_h Makefile
+ ./gen_seektabs_h --i2s seek > $@
+
+gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
+gen_shm_modetabs_h_CFLAGS = '-DTABLE_H="shm_modetab.h"'
+$(gen_shm_modetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_shm_modetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_shm_modetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_shm_modetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_shm_modetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_shm_modetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+shm_modetabs.h: gen_shm_modetabs_h Makefile
+ ./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
+
+gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
+gen_signals_h_CFLAGS = '-DTABLE_H="signaltab.h"'
+$(gen_signals_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_signals_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_signals_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_signals_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_signals_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_signals_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+signaltabs.h: gen_signals_h Makefile
+ ./gen_signals_h --i2s signal > $@
+
+gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
+gen_sockleveltabs_h_CFLAGS = '-DTABLE_H="sockleveltab.h"'
+$(gen_sockleveltabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_sockleveltabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_sockleveltabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_sockleveltabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_sockleveltabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_sockleveltabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+sockleveltabs.h: gen_sockleveltabs_h Makefile
+ ./gen_sockleveltabs_h --i2s socklevel > $@
+
+gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
+gen_sockoptnametabs_h_CFLAGS = '-DTABLE_H="sockoptnametab.h"'
+$(gen_sockoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_sockoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_sockoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_sockoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_sockoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_sockoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+sockoptnametabs.h: gen_sockoptnametabs_h Makefile
+ ./gen_sockoptnametabs_h --i2s sockoptname > $@
+
+gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
+gen_socktabs_h_CFLAGS = '-DTABLE_H="socktab.h"'
+$(gen_socktabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_socktabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_socktabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_socktabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_socktabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_socktabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+socktabs.h: gen_socktabs_h Makefile
+ ./gen_socktabs_h --i2s sock > $@
+
+gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
+gen_socktypetabs_h_CFLAGS = '-DTABLE_H="socktypetab.h"'
+$(gen_socktypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_socktypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_socktypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_socktypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_socktypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_socktypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+socktypetabs.h: gen_socktypetabs_h Makefile
+ ./gen_socktypetabs_h --i2s sock_type > $@
+
+gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
+gen_tcpoptnametabs_h_CFLAGS = '-DTABLE_H="tcpoptnametab.h"'
+$(gen_tcpoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_tcpoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_tcpoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_tcpoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_tcpoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_tcpoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
+ ./gen_tcpoptnametabs_h --i2s tcpoptname > $@
+
+gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
+gen_typetabs_h_CFLAGS = '-DTABLE_H="typetab.h"'
+$(gen_typetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_typetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_typetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_typetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_typetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_typetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+typetabs.h: gen_typetabs_h Makefile
+ ./gen_typetabs_h --s2i type > $@
+
+gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
+gen_umounttabs_h_CFLAGS = '-DTABLE_H="umounttab.h"'
+$(gen_umounttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_umounttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_umounttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_umounttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_umounttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_umounttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+umounttabs.h: gen_umounttabs_h Makefile
+ ./gen_umounttabs_h --i2s-transtab umount > $@
+
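Review bot: The `message.c:` and `strsplit.c:` rules near the top of the hunk have no prerequisites, so the copy from `${top_srcdir}/lib` happens once and a later edit to lib/message.c or lib/strsplit.c never reaches libauparse until someone deletes the local copy by hand; the two copies are also missing from CLEANFILES, so `make clean` leaves them behind. Naming the source as a prerequisite and writing the target explicitly fixes both the staleness and the untracked output: `message.c: ${top_srcdir}/lib/message.c` followed by the recipe `cp $< $@`, the same shape for strsplit.c, and `CLEANFILES = $(BUILT_SOURCES) message.c strsplit.c`. Separately, `-Wl,-z,relro` in libauparse_la_LDFLAGS gives only partial RELRO; adding `-z,now` to that flag would make the GOT read-only after load, which is the usual hardening for a library that parses externally produced input.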
diff --git a/framework/src/audit/auparse/accesstab.h b/framework/src/audit/auparse/accesstab.h
new file mode 100644
index 00000000..439c26d0
--- /dev/null
+++ b/framework/src/audit/auparse/accesstab.h
@@ -0,0 +1,27 @@
+/* accesstab.h --
+ * Copyright 2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+
+_S(0x1U, "X_OK" )
+_S(0x2U, "W_OK" )
+_S(0x4U, "R_OK" )
+
diff --git a/framework/src/audit/auparse/auditd-config.c b/framework/src/audit/auparse/auditd-config.c
new file mode 100644
index 00000000..5964538f
--- /dev/null
+++ b/framework/src/audit/auparse/auditd-config.c
@@ -0,0 +1,445 @@
+/* auditd-config.c --
+ * Copyright 2007,2014 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ *
+ */
+
+#include "config.h"
+#include "internal.h"
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <libgen.h>
+#include <dirent.h>
+#include <ctype.h>
+
+/* Local prototypes */
+struct _pair
+{
+ const char *name;
+ const char *value;
+};
+
+struct kw_pair
+{
+ const char *name;
+ int (*parser)(const char *, int, struct daemon_conf *);
+};
+
+struct nv_list
+{
+ const char *name;
+ int option;
+};
+
+static char *get_line(FILE *f, char *buf, unsigned size, int *lineno,
+ const char *file);
+static int nv_split(char *buf, struct _pair *nv);
+static const struct kw_pair *kw_lookup(const char *val);
+static int log_file_parser(const char *val, int line,
+ struct daemon_conf *config);
+static int num_logs_parser(const char *val, int line,
+ struct daemon_conf *config);
+static int log_format_parser(const char *val, int line,
+ struct daemon_conf *config);
+
+static const struct kw_pair keywords[] =
+{
+ {"log_file", log_file_parser },
+ {"log_format", log_format_parser },
+ {"num_logs", num_logs_parser },
+ { NULL, NULL }
+};
+
+static const struct nv_list log_formats[] =
+{
+ {"raw", LF_RAW },
+ {"nolog", LF_NOLOG },
+ { NULL, 0 }
+};
+
+
+/*
+ * Set everything to its default value
+*/
+void clear_config(struct daemon_conf *config)
+{
+ config->qos = QOS_NON_BLOCKING;
+ config->sender_uid = 0;
+ config->sender_pid = 0;
+ config->sender_ctx = NULL;
+ config->log_file = strdup("/var/log/audit/audit.log");
+ config->log_format = LF_RAW;
+ config->log_group = 0;
+ config->priority_boost = 3;
+ config->flush = FT_NONE;
+ config->freq = 0;
+ config->num_logs = 0L;
+ config->dispatcher = NULL;
+ config->node_name_format = N_NONE;
+ config->node_name = NULL;
+ config->max_log_size = 0L;
+ config->max_log_size_action = SZ_IGNORE;
+ config->space_left = 0L;
+ config->space_left_action = FA_IGNORE;
+ config->space_left_exe = NULL;
+ config->action_mail_acct = strdup("root");
+ config->admin_space_left= 0L;
+ config->admin_space_left_action = FA_IGNORE;
+ config->admin_space_left_exe = NULL;
+ config->disk_full_action = FA_IGNORE;
+ config->disk_full_exe = NULL;
+ config->disk_error_action = FA_SYSLOG;
+ config->disk_error_exe = NULL;
+}
+
+int load_config(struct daemon_conf *config, log_test_t lt)
+{
+ int fd, rc, lineno = 1;
+ struct stat st;
+ FILE *f;
+ char buf[160];
+
+ clear_config(config);
+ lt = lt;
+
+ /* open the file */
+ rc = open(CONFIG_FILE, O_RDONLY|O_NOFOLLOW);
+ if (rc < 0) {
+ if (errno != ENOENT) {
+ audit_msg(LOG_ERR, "Error opening config file (%s)",
+ strerror(errno));
+ return 1;
+ }
+ audit_msg(LOG_WARNING,
+ "Config file %s doesn't exist, skipping", CONFIG_FILE);
+ return 0;
+ }
+ fd = rc;
+
+ /* check the file's permissions: owned by root, not world writable,
+ * not symlink.
+ */
+ if (fstat(fd, &st) < 0) {
+ audit_msg(LOG_ERR, "Error fstat'ing config file (%s)",
+ strerror(errno));
+ close(fd);
+ return 1;
+ }
+ if (st.st_uid != 0) {
+ audit_msg(LOG_ERR, "Error - %s isn't owned by root",
+ CONFIG_FILE);
+ close(fd);
+ return 1;
+ }
+ if (!S_ISREG(st.st_mode)) {
+ audit_msg(LOG_ERR, "Error - %s is not a regular file",
+ CONFIG_FILE);
+ close(fd);
+ return 1;
+ }
+
+ /* it's ok, read line by line */
+ f = fdopen(fd, "rm");
+ if (f == NULL) {
+ audit_msg(LOG_ERR, "Error - fdopen failed (%s)",
+ strerror(errno));
+ close(fd);
+ return 1;
+ }
+
+ while (get_line(f, buf, sizeof(buf), &lineno, CONFIG_FILE)) {
+ // convert line into name-value pair
+ const struct kw_pair *kw;
+ struct _pair nv;
+ rc = nv_split(buf, &nv);
+ switch (rc) {
+ case 0: // fine
+ break;
+ case 1: // not the right number of tokens.
+ audit_msg(LOG_ERR,
+ "Wrong number of arguments for line %d in %s",
+ lineno, CONFIG_FILE);
+ break;
+ case 2: // no '=' sign
+ audit_msg(LOG_ERR,
+ "Missing equal sign for line %d in %s",
+ lineno, CONFIG_FILE);
+ break;
+ default: // something else went wrong...
+ audit_msg(LOG_ERR,
+ "Unknown error for line %d in %s",
+ lineno, CONFIG_FILE);
+ break;
+ }
+ if (nv.name == NULL) {
+ lineno++;
+ continue;
+ }
+ if (nv.value == NULL) {
+ fclose(f);
+ audit_msg(LOG_ERR,
+ "Not processing any more lines in %s",
+ CONFIG_FILE);
+ return 1;
+ }
+
+ /* identify keyword or error */
+ kw = kw_lookup(nv.name);
+ if (kw->name) {
+ /* dispatch to keyword's local parser */
+ rc = kw->parser(nv.value, lineno, config);
+ if (rc != 0) {
+ fclose(f);
+ return 1; // local parser puts message out
+ }
+ }
+
+ lineno++;
+ }
+
+ fclose(f);
+ return 0;
+}
+
+static char *get_line(FILE *f, char *buf, unsigned size, int *lineno,
+ const char *file)
+{
+ int too_long = 0;
+
+ while (fgets_unlocked(buf, size, f)) {
+ /* remove newline */
+ char *ptr = strchr(buf, 0x0a);
+ if (ptr) {
+ if (!too_long) {
+ *ptr = 0;
+ return buf;
+ }
+ // Reset and start with the next line
+ too_long = 0;
+ *lineno = *lineno + 1;
+ } else {
+ // If a line is too long skip it.
+ // Only output 1 warning
+ if (!too_long)
+ audit_msg(LOG_ERR,
+ "Skipping line %d in %s: too long",
+ *lineno, file);
+ too_long = 1;
+ }
+ }
+ return NULL;
+}
+
+static int nv_split(char *buf, struct _pair *nv)
+{
+ /* Get the name part */
+ char *ptr;
+
+ nv->name = NULL;
+ nv->value = NULL;
+ ptr = audit_strsplit(buf);
+ if (ptr == NULL)
+ return 0; /* If there's nothing, go to next line */
+ if (ptr[0] == '#')
+ return 0; /* If there's a comment, go to next line */
+ nv->name = ptr;
+
+ /* Check for a '=' */
+ ptr = audit_strsplit(NULL);
+ if (ptr == NULL)
+ return 1;
+ if (strcmp(ptr, "=") != 0)
+ return 2;
+
+ /* get the value */
+ ptr = audit_strsplit(NULL);
+ if (ptr == NULL)
+ return 1;
+ nv->value = ptr;
+
+ /* Make sure there's nothing else */
+ ptr = audit_strsplit(NULL);
+ if (ptr) {
+ /* Allow one option, but check that there's not 2 */
+ ptr = audit_strsplit(NULL);
+ if (ptr)
+ return 1;
+ }
+
+ /* Everything is OK */
+ return 0;
+}
+
+static const struct kw_pair *kw_lookup(const char *val)
+{
+ int i = 0;
+ while (keywords[i].name != NULL) {
+ if (strcasecmp(keywords[i].name, val) == 0)
+ break;
+ i++;
+ }
+ return &keywords[i];
+}
+
+static int log_file_parser(const char *val, int line,struct daemon_conf *config)
+{
+ char *dir = NULL, *tdir, *base;
+ DIR *d;
+ int fd, mode;
+ struct stat buf;
+
+ /* split name into dir and basename. */
+ tdir = strdup(val);
+ if (tdir)
+ dir = dirname(tdir);
+ if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname
+ audit_msg(LOG_ERR,
+ "The directory name: %s is too short - line %d",
+ dir, line);
+ free((void *)tdir);
+ return 1;
+ }
+
+ base = basename((char *)val);
+ if (base == 0 || strlen(base) == 0) {
+ audit_msg(LOG_ERR, "The file name: %s is too short - line %d",
+ base, line);
+ free((void *)tdir);
+ return 1;
+ }
+
+ /* verify the directory path exists */
+ d = opendir(dir);
+ if (d == NULL) {
+ audit_msg(LOG_ERR, "Could not open dir %s (%s)", dir,
+ strerror(errno));
+ free((void *)tdir);
+ return 1;
+ }
+ free((void *)tdir);
+ closedir(d);
+
+ /* if the file exists, see that its regular, owned by root,
+ * and not world anything */
+ mode = O_RDONLY;
+
+ fd = open(val, mode);
+ if (fd < 0) {
+ audit_msg(LOG_ERR, "Unable to open %s (%s)", val,
+ strerror(errno));
+ return 1;
+ }
+ if (fstat(fd, &buf) < 0) {
+ audit_msg(LOG_ERR, "Unable to stat %s (%s)",
+ val, strerror(errno));
+ close(fd);
+ return 1;
+ }
+ close(fd);
+ if (!S_ISREG(buf.st_mode)) {
+ audit_msg(LOG_ERR, "%s is not a regular file", val);
+ return 1;
+ }
+ if (buf.st_uid != 0) {
+ audit_msg(LOG_ERR, "%s is not owned by root", val);
+ return 1;
+ }
+ if ( (buf.st_mode & (S_IXUSR|S_IWGRP|S_IXGRP|S_IRWXO)) ) {
+ audit_msg(LOG_ERR, "%s permissions should be 0600 or 0640",
+ val);
+ return 1;
+ }
+ if ( !(buf.st_mode & S_IWUSR) ) {
+ audit_msg(LOG_ERR, "audit log is not writable by owner");
+ return 1;
+ }
+
+ free((void *)config->log_file);
+ config->log_file = strdup(val);
+ if (config->log_file == NULL)
+ return 1;
+ return 0;
+}
+
+static int num_logs_parser(const char *val, int line,
+ struct daemon_conf *config)
+{
+ const char *ptr = val;
+ unsigned long i;
+
+ /* check that all chars are numbers */
+ for (i=0; ptr[i]; i++) {
+ if (!isdigit(ptr[i])) {
+ audit_msg(LOG_ERR,
+ "Value %s should only be numbers - line %d",
+ val, line);
+ return 1;
+ }
+ }
+
+ /* convert to unsigned long */
+ errno = 0;
+ i = strtoul(val, NULL, 10);
+ if (errno) {
+ audit_msg(LOG_ERR,
+ "Error converting string to a number (%s) - line %d",
+ strerror(errno), line);
+ return 1;
+ }
+ if (i > 99) {
+ audit_msg(LOG_ERR, "num_logs must be 99 or less");
+ return 1;
+ }
+ config->num_logs = i;
+ return 0;
+}
+
+static int log_format_parser(const char *val, int line,
+ struct daemon_conf *config)
+{
+ int i;
+
+ for (i=0; log_formats[i].name != NULL; i++) {
+ if (strcasecmp(val, log_formats[i].name) == 0) {
+ config->log_format = log_formats[i].option;
+ return 0;
+ }
+ }
+ audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+ return 1;
+}
+
+void free_config(struct daemon_conf *config)
+{
+ free((void*)config->sender_ctx);
+ free((void*)config->log_file);
+ free((void*)config->dispatcher);
+ free((void *)config->node_name);
+ free((void *)config->action_mail_acct);
+ free((void *)config->space_left_exe);
+ free((void *)config->admin_space_left_exe);
+ free((void *)config->disk_full_exe);
+ free((void *)config->disk_error_exe);
+}
+
diff --git a/framework/src/audit/auparse/auparse-defs.h b/framework/src/audit/auparse/auparse-defs.h
new file mode 100644
index 00000000..fd7ed85d
--- /dev/null
+++ b/framework/src/audit/auparse/auparse-defs.h
@@ -0,0 +1,98 @@
+/* auparse-defs.h --
+ * Copyright 2006-07,09,2011-12,2014-15 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+#ifndef AUPARSE_DEFS_HEADER
+#define AUPARSE_DEFS_HEADER
+
+#include <time.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/* Library type definitions */
+
+/* This tells the library where the data source is located */
+typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_FILE_ARRAY,
+ AUSOURCE_BUFFER, AUSOURCE_BUFFER_ARRAY,
+ AUSOURCE_DESCRIPTOR, AUSOURCE_FILE_POINTER, AUSOURCE_FEED } ausource_t;
+
+/* This used to define the types of searches that can be done. It is not used
+ any more. */
+typedef enum {
+ AUSEARCH_UNSET,
+ AUSEARCH_EXISTS,
+ AUSEARCH_EQUAL, AUSEARCH_NOT_EQUAL,
+ AUSEARCH_TIME_LT, AUSEARCH_TIME_LE, AUSEARCH_TIME_GE, AUSEARCH_TIME_GT,
+ AUSEARCH_TIME_EQ,
+ AUSEARCH_INTERPRETED = 0x40000000
+} ausearch_op_t;
+
+/* This determines where to position the cursor when a search completes */
+typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD,
+ AUSEARCH_STOP_FIELD } austop_t;
+
+/* This defines how search rule pieces are treated to decide when
+ * to stop a search */
+typedef enum { AUSEARCH_RULE_CLEAR, AUSEARCH_RULE_OR,
+ AUSEARCH_RULE_AND, AUSEARCH_RULE_REGEX } ausearch_rule_t;
+
+
+typedef struct
+{
+ time_t sec; // Event seconds
+ unsigned int milli; // millisecond of the timestamp
+ unsigned long serial; // Serial number of the event
+ const char *host; // Machine's name
+} au_event_t;
+
+
+/* This indicates why the user supplied callback was invoked */
+typedef enum {AUPARSE_CB_EVENT_READY} auparse_cb_event_t;
+
+/* This determines the type of field at current cursor location
+ * ONLY APPEND - DO NOT DELETE or it will break ABI */
+typedef enum { AUPARSE_TYPE_UNCLASSIFIED, AUPARSE_TYPE_UID, AUPARSE_TYPE_GID,
+ AUPARSE_TYPE_SYSCALL, AUPARSE_TYPE_ARCH, AUPARSE_TYPE_EXIT,
+ AUPARSE_TYPE_ESCAPED, AUPARSE_TYPE_PERM, AUPARSE_TYPE_MODE,
+ AUPARSE_TYPE_SOCKADDR, AUPARSE_TYPE_FLAGS, AUPARSE_TYPE_PROMISC,
+ AUPARSE_TYPE_CAPABILITY, AUPARSE_TYPE_SUCCESS, AUPARSE_TYPE_A0,
+ AUPARSE_TYPE_A1, AUPARSE_TYPE_A2, AUPARSE_TYPE_A3, AUPARSE_TYPE_SIGNAL,
+ AUPARSE_TYPE_LIST, AUPARSE_TYPE_TTY_DATA,
+ AUPARSE_TYPE_SESSION, AUPARSE_TYPE_CAP_BITMAP, AUPARSE_TYPE_NFPROTO,
+ AUPARSE_TYPE_ICMPTYPE, AUPARSE_TYPE_PROTOCOL,
+ AUPARSE_TYPE_ADDR, AUPARSE_TYPE_PERSONALITY,
+ AUPARSE_TYPE_SECCOMP, AUPARSE_TYPE_OFLAG,
+ AUPARSE_TYPE_MMAP, AUPARSE_TYPE_MODE_SHORT, AUPARSE_TYPE_MAC_LABEL,
+ AUPARSE_TYPE_PROCTITLE } auparse_type_t;
+
+/* This type determines what escaping if any gets applied to interpreted fields */
+typedef enum { AUPARSE_ESC_RAW, AUPARSE_ESC_TTY, AUPARSE_ESC_SHELL,
+ AUPARSE_ESC_SHELL_QUOTE } auparse_esc_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/framework/src/audit/auparse/auparse-idata.h b/framework/src/audit/auparse/auparse-idata.h
new file mode 100644
index 00000000..d1995538
--- /dev/null
+++ b/framework/src/audit/auparse/auparse-idata.h
@@ -0,0 +1,49 @@
+/*
+* idata.h - Header file for ausearch-lookup.c
+* Copyright (c) 2013 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#ifndef IDATA_HEADER
+#define IDATA_HEADER
+
+#include "config.h"
+#include "dso.h"
+#include "auparse-defs.h"
+
+typedef struct _idata {
+ unsigned int machine; // The machine type for the event
+ int syscall; // The syscall for the event
+ unsigned long long a0; // arg 0 to the syscall
+ unsigned long long a1; // arg 1 to the syscall
+ const char *name; // name of field being interpretted
+ const char *val; // value of field being interpretted
+} idata;
+
+int auparse_interp_adjust_type(int rtype, const char *name, const char *val);
+const char *auparse_do_interpretation(int type, const idata *id);
+int set_escape_mode(auparse_esc_t mode);
+
+hidden_proto(auparse_interp_adjust_type)
+hidden_proto(auparse_do_interpretation)
+hidden_proto(set_escape_mode)
+
+#endif
+
diff --git a/framework/src/audit/auparse/auparse.c b/framework/src/audit/auparse/auparse.c
new file mode 100644
index 00000000..cd3f1180
--- /dev/null
+++ b/framework/src/audit/auparse/auparse.c
@@ -0,0 +1,1377 @@
+/* auparse.c --
+ * Copyright 2006-08,2012-15 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+#include "config.h"
+#include "expression.h"
+#include "internal.h"
+#include "auparse.h"
+#include "interpret.h"
+#include "auparse-idata.h"
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdio_ext.h>
+
+static int debug = 0;
+
+/* like strchr except string is delimited by length, not null byte */
+static char *strnchr(const char *s, int c, size_t n)
+{
+ char *p_char;
+ const char *p_end = s + n;
+
+ for (p_char = (char *)s; p_char < p_end && *p_char != c; p_char++);
+ if (p_char == p_end) return NULL;
+ return p_char;
+}
+
+static int setup_log_file_array(auparse_state_t *au)
+{
+ struct daemon_conf config;
+ char *filename, **tmp;
+ int len, num = 0, i = 0;
+
+ /* Load config so we know where logs are */
+ set_aumessage_mode(MSG_STDERR, DBG_NO);
+ load_config(&config, TEST_SEARCH);
+
+ /* for each file */
+ len = strlen(config.log_file) + 16;
+ filename = malloc(len);
+ if (!filename) {
+ fprintf(stderr, "No memory\n");
+ free_config(&config);
+ return 1;
+ }
+ /* Find oldest log file */
+ snprintf(filename, len, "%s", config.log_file);
+ do {
+ if (access(filename, R_OK) != 0)
+ break;
+ num++;
+ snprintf(filename, len, "%s.%d", config.log_file, num);
+ } while (1);
+
+ if (num == 0) {
+ fprintf(stderr, "No log file\n");
+ free_config(&config);
+ free(filename);
+ return 1;
+ }
+ num--;
+ tmp = malloc((num+2)*sizeof(char *));
+
+ /* Got it, now process logs from last to first */
+ if (num > 0)
+ snprintf(filename, len, "%s.%d", config.log_file, num);
+ else
+ snprintf(filename, len, "%s", config.log_file);
+ do {
+ tmp[i++] = strdup(filename);
+
+ /* Get next log file */
+ num--;
+ if (num > 0)
+ snprintf(filename, len, "%s.%d", config.log_file, num);
+ else if (num == 0)
+ snprintf(filename, len, "%s", config.log_file);
+ else
+ break;
+ } while (1);
+ free_config(&config);
+ free(filename);
+
+ // Terminate the list
+ tmp[i] = NULL;
+ au->source_list = tmp;
+ return 0;
+}
+
+/* General functions that affect operation of the library */
+auparse_state_t *auparse_init(ausource_t source, const void *b)
+{
+ char **tmp, **bb = (char **)b, *buf = (char *)b;
+ int n, i;
+ size_t size, len;
+
+ auparse_state_t *au = malloc(sizeof(auparse_state_t));
+ if (au == NULL) {
+ errno = ENOMEM;
+ return NULL;
+ }
+
+ au->in = NULL;
+ au->source_list = NULL;
+ databuf_init(&au->databuf, 0, 0);
+ au->callback = NULL;
+ au->callback_user_data = NULL;
+ au->callback_user_data_destroy = NULL;
+ switch (source)
+ {
+ case AUSOURCE_LOGS:
+ if (geteuid()) {
+ errno = EPERM;
+ goto bad_exit;
+ }
+ setup_log_file_array(au);
+ break;
+ case AUSOURCE_FILE:
+ if (access(b, R_OK))
+ goto bad_exit;
+ tmp = malloc(2*sizeof(char *));
+ tmp[0] = strdup(b);
+ tmp[1] = NULL;
+ au->source_list = tmp;
+ break;
+ case AUSOURCE_FILE_ARRAY:
+ n = 0;
+ while (bb[n]) {
+ if (access(bb[n], R_OK))
+ goto bad_exit;
+ n++;
+ }
+ tmp = malloc((n+1)*sizeof(char *));
+ for (i=0; i<n; i++)
+ tmp[i] = strdup(bb[i]);
+ tmp[n] = NULL;
+ au->source_list = tmp;
+ break;
+ case AUSOURCE_BUFFER:
+ buf = buf;
+ len = strlen(buf);
+ if (databuf_init(&au->databuf, len,
+ DATABUF_FLAG_PRESERVE_HEAD) < 0)
+ goto bad_exit;
+ if (databuf_append(&au->databuf, buf, len) < 0)
+ goto bad_exit;
+ break;
+ case AUSOURCE_BUFFER_ARRAY:
+ size = 0;
+ for (n = 0; (buf = bb[n]); n++) {
+ len = strlen(bb[n]);
+ if (bb[n][len-1] != '\n') {
+ size += len + 1;
+ } else {
+ size += len;
+ }
+ }
+ if (databuf_init(&au->databuf, size,
+ DATABUF_FLAG_PRESERVE_HEAD) < 0)
+ goto bad_exit;
+ for (n = 0; (buf = bb[n]); n++) {
+ len = strlen(buf);
+ if (databuf_append(&au->databuf, buf, len) < 0)
+ goto bad_exit;
+ }
+ break;
+ case AUSOURCE_DESCRIPTOR:
+ n = (long)b;
+ au->in = fdopen(n, "rm");
+ break;
+ case AUSOURCE_FILE_POINTER:
+ au->in = (FILE *)b;
+ break;
+ case AUSOURCE_FEED:
+ if (databuf_init(&au->databuf, 0, 0) < 0) goto bad_exit;
+ break;
+ default:
+ errno = EINVAL;
+ goto bad_exit;
+ break;
+ }
+ au->source = source;
+ au->list_idx = 0;
+ au->line_number = 0;
+ au->next_buf = NULL;
+ au->off = 0;
+ au->cur_buf = NULL;
+ au->line_pushed = 0;
+ aup_list_create(&au->le);
+ au->parse_state = EVENT_EMPTY;
+ au->expr = NULL;
+ au->find_field = NULL;
+ au->search_where = AUSEARCH_STOP_EVENT;
+
+ return au;
+bad_exit:
+ databuf_free(&au->databuf);
+ free(au);
+ return NULL;
+}
+
+
+void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback,
+ void *user_data, user_destroy user_destroy_func)
+{
+ if (au == NULL) {
+ errno = EINVAL;
+ return;
+ }
+
+ if (au->callback_user_data_destroy) {
+ (*au->callback_user_data_destroy)(au->callback_user_data);
+ au->callback_user_data = NULL;
+ }
+
+ au->callback = callback;
+ au->callback_user_data = user_data;
+ au->callback_user_data_destroy = user_destroy_func;
+}
+
+static void consume_feed(auparse_state_t *au, int flush)
+{
+ while (auparse_next_event(au) > 0) {
+ if (au->callback) {
+ (*au->callback)(au, AUPARSE_CB_EVENT_READY,
+ au->callback_user_data);
+ }
+ }
+ if (flush) {
+ // FIXME: might need a call here to force auparse_next_event()
+ // to consume any partial data not fully consumed.
+ if (au->parse_state == EVENT_ACCUMULATING) {
+ // Emit the event, set event cursors to initial position
+ aup_list_first(&au->le);
+ aup_list_first_field(&au->le);
+ au->parse_state = EVENT_EMITTED;
+ if (au->callback) {
+ (*au->callback)(au, AUPARSE_CB_EVENT_READY,
+ au->callback_user_data);
+ }
+ }
+ }
+}
+
+int auparse_feed(auparse_state_t *au, const char *data, size_t data_len)
+{
+ if (databuf_append(&au->databuf, data, data_len) < 0)
+ return -1;
+ consume_feed(au, 0);
+ return 0;
+}
+
+int auparse_flush_feed(auparse_state_t *au)
+{
+ consume_feed(au, 1);
+ return 0;
+}
+
+// If there is data in the state machine, return 1
+// Otherwise return 0 to indicate its empty
+int auparse_feed_has_data(const auparse_state_t *au)
+{
+ if (au->parse_state == EVENT_ACCUMULATING)
+ return 1;
+ return 0;
+}
+
+void auparse_set_escape_mode(auparse_esc_t mode)
+{
+ set_escape_mode(mode);
+}
+
+int auparse_reset(auparse_state_t *au)
+{
+ if (au == NULL) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ aup_list_clear(&au->le);
+ au->parse_state = EVENT_EMPTY;
+ switch (au->source)
+ {
+ case AUSOURCE_LOGS:
+ case AUSOURCE_FILE:
+ case AUSOURCE_FILE_ARRAY:
+ if (au->in) {
+ fclose(au->in);
+ au->in = NULL;
+ }
+ /* Fall through */
+ case AUSOURCE_DESCRIPTOR:
+ case AUSOURCE_FILE_POINTER:
+ if (au->in)
+ rewind(au->in);
+ /* Fall through */
+ case AUSOURCE_BUFFER:
+ case AUSOURCE_BUFFER_ARRAY:
+ au->list_idx = 0;
+ au->line_number = 0;
+ au->off = 0;
+ databuf_reset(&au->databuf);
+ break;
+ default:
+ return -1;
+ }
+ return 0;
+}
+
+
+/* Add EXPR to AU, using HOW to select the combining operator.
+ On success, return 0.
+ On error, free EXPR set errno and return -1.
+ NOTE: EXPR is freed on error! */
+static int add_expr(auparse_state_t *au, struct expr *expr, ausearch_rule_t how)
+{
+ if (au->expr == NULL)
+ au->expr = expr;
+ else if (how == AUSEARCH_RULE_CLEAR) {
+ expr_free(au->expr);
+ au->expr = expr;
+ } else {
+ struct expr *e;
+
+ e = expr_create_binary(how == AUSEARCH_RULE_OR ? EO_OR : EO_AND,
+ au->expr, expr);
+ if (e == NULL) {
+ int err;
+
+ err = errno;
+ expr_free(expr);
+ errno = err;
+ return -1;
+ }
+ au->expr = e;
+ }
+ return 0;
+}
+
+static int ausearch_add_item_internal(auparse_state_t *au, const char *field,
+ const char *op, const char *value, ausearch_rule_t how, unsigned op_eq,
+ unsigned op_ne)
+{
+ struct expr *expr;
+
+ // Make sure there's a field
+ if (field == NULL)
+ goto err_out;
+
+ // Make sure how is within range
+ if (how < AUSEARCH_RULE_CLEAR || how > AUSEARCH_RULE_AND)
+ goto err_out;
+
+ // All pre-checks are done, build a rule
+ if (strcmp(op, "exists") == 0)
+ expr = expr_create_field_exists(field);
+ else {
+ unsigned t_op;
+
+ if (strcmp(op, "=") == 0)
+ t_op = op_eq;
+ else if (strcmp(op, "!=") == 0)
+ t_op = op_ne;
+ else
+ goto err_out;
+ if (value == NULL)
+ goto err_out;
+ expr = expr_create_comparison(field, t_op, value);
+ }
+ if (expr == NULL)
+ return -1;
+ if (add_expr(au, expr, how) != 0)
+ return -1; /* expr is freed by add_expr() */
+ return 0;
+
+err_out:
+ errno = EINVAL;
+ return -1;
+}
+
+int ausearch_add_item(auparse_state_t *au, const char *field, const char *op,
+ const char *value, ausearch_rule_t how)
+{
+ return ausearch_add_item_internal(au, field, op, value, how, EO_RAW_EQ,
+ EO_RAW_NE);
+}
+
+int ausearch_add_interpreted_item(auparse_state_t *au, const char *field,
+ const char *op, const char *value, ausearch_rule_t how)
+{
+ return ausearch_add_item_internal(au, field, op, value, how,
+ EO_INTERPRETED_EQ, EO_INTERPRETED_NE);
+}
+
+int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op,
+ time_t sec, unsigned milli, unsigned serial, ausearch_rule_t how)
+{
+ static const struct {
+ unsigned value;
+ const char name[3];
+ } ts_tab[] = {
+ {EO_VALUE_LT, "<"},
+ {EO_VALUE_LE, "<="},
+ {EO_VALUE_GE, ">="},
+ {EO_VALUE_GT, ">"},
+ {EO_VALUE_EQ, "="},
+ };
+
+ struct expr *expr;
+ size_t i;
+ unsigned t_op;
+
+ for (i = 0; i < sizeof(ts_tab) / sizeof(*ts_tab); i++) {
+ if (strcmp(ts_tab[i].name, op) == 0)
+ goto found_op;
+ }
+ goto err_out;
+found_op:
+ t_op = ts_tab[i].value;
+
+ if (milli >= 1000)
+ goto err_out;
+
+ // Make sure how is within range
+ if (how < AUSEARCH_RULE_CLEAR || how > AUSEARCH_RULE_AND)
+ goto err_out;
+
+ // All pre-checks are done, build a rule
+ expr = expr_create_timestamp_comparison_ex(t_op, sec, milli, serial);
+ if (expr == NULL)
+ return -1;
+ if (add_expr(au, expr, how) != 0)
+ return -1; /* expr is freed by add_expr() */
+ return 0;
+
+err_out:
+ errno = EINVAL;
+ return -1;
+}
+
+int ausearch_add_timestamp_item(auparse_state_t *au, const char *op, time_t sec,
+ unsigned milli, ausearch_rule_t how)
+{
+ return ausearch_add_timestamp_item_ex(au, op, sec, milli, 0, how);
+}
+
+int ausearch_add_expression(auparse_state_t *au, const char *expression,
+ char **error, ausearch_rule_t how)
+{
+ struct expr *expr;
+
+ if (how < AUSEARCH_RULE_CLEAR || how > AUSEARCH_RULE_AND)
+ goto err_einval;
+
+ expr = expr_parse(expression, error);
+ if (expr == NULL) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (add_expr(au, expr, how) != 0)
+ goto err; /* expr is freed by add_expr() */
+ return 0;
+
+err_einval:
+ errno = EINVAL;
+err:
+ *error = NULL;
+ return -1;
+}
+
+int ausearch_add_regex(auparse_state_t *au, const char *regexp)
+{
+ struct expr *expr;
+
+ // Make sure there's an expression
+ if (regexp == NULL)
+ goto err_out;
+
+ expr = expr_create_regexp_expression(regexp);
+ if (expr == NULL)
+ return -1;
+ if (add_expr(au, expr, AUSEARCH_RULE_AND) != 0)
+ return -1; /* expr is freed by add_expr() */
+ return 0;
+
+err_out:
+ errno = EINVAL;
+ return -1;
+}
+
+int ausearch_set_stop(auparse_state_t *au, austop_t where)
+{
+ if (where < AUSEARCH_STOP_EVENT || where > AUSEARCH_STOP_FIELD) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ au->search_where = where;
+ return 0;
+}
+
+void ausearch_clear(auparse_state_t *au)
+{
+ if (au->expr != NULL) {
+ expr_free(au->expr);
+ au->expr = NULL;
+ }
+ au->search_where = AUSEARCH_STOP_EVENT;
+}
+
+void auparse_destroy(auparse_state_t *au)
+{
+ aulookup_destroy_uid_list();
+ aulookup_destroy_gid_list();
+ if (au == NULL)
+ return;
+
+ if (au->source_list) {
+ int n = 0;
+ while (au->source_list[n])
+ free(au->source_list[n++]);
+ free(au->source_list);
+ au->source_list = NULL;
+ }
+
+ au->next_buf = NULL;
+ free(au->cur_buf);
+ au->cur_buf = NULL;
+ aup_list_clear(&au->le);
+ au->parse_state = EVENT_EMPTY;
+ free(au->find_field);
+ au->find_field = NULL;
+ ausearch_clear(au);
+ databuf_free(&au->databuf);
+ if (au->callback_user_data_destroy) {
+ (*au->callback_user_data_destroy)(au->callback_user_data);
+ au->callback_user_data = NULL;
+ }
+ if (au->in) {
+ fclose(au->in);
+ au->in = NULL;
+ }
+ free(au);
+}
+
+/* alloc a new buffer, cur_buf which contains a null terminated line
+ * without a newline (note, this implies the line may be empty (strlen == 0)) if
+ * successfully read a blank line (e.g. containing only a single newline).
+ * cur_buf will have been newly allocated with malloc.
+ *
+ * Note: cur_buf will be freed the next time this routine is called if
+ * cur_buf is not NULL, callers who retain a reference to the cur_buf
+ * pointer will need to set cur_buf to NULL to cause the previous cur_buf
+ * allocation to persist.
+ *
+ * Returns:
+ * 1 if successful (errno == 0)
+ * 0 if non-blocking input unavailable (errno == 0)
+ * -1 if error (errno contains non-zero error code)
+ * -2 if EOF (errno == 0)
+ */
+
+static int readline_file(auparse_state_t *au)
+{
+ ssize_t rc;
+ char *p_last_char;
+ size_t n = 0;
+
+ if (au->cur_buf != NULL) {
+ free(au->cur_buf);
+ au->cur_buf = NULL;
+ }
+ if (au->in == NULL) {
+ errno = EBADF;
+ return -1;
+ }
+ if ((rc = getline(&au->cur_buf, &n, au->in)) <= 0) {
+ // Note: getline always malloc's if lineptr==NULL or n==0,
+ // on failure malloc'ed memory is left uninitialized,
+ // caller must free it.
+ free(au->cur_buf);
+ au->cur_buf = NULL;
+
+ // Note: feof() does not set errno
+ if (feof(au->in)) {
+ // return EOF condition
+ errno = 0;
+ return -2;
+ }
+ // return error condition, error code in errno
+ return -1;
+ }
+ p_last_char = au->cur_buf + (rc-1);
+ if (*p_last_char == '\n') { /* nuke newline */
+ *p_last_char = 0;
+ }
+ // return success
+ errno = 0;
+ return 1;
+}
+
+
+/* malloc & copy a line into cur_buf from the internal buffer,
+ * next_buf. cur_buf will contain a null terminated line without a
+ * newline (note, this implies the line may be empty (strlen == 0)) if
+ * successfully read a blank line (e.g. containing only a single
+ * newline).
+ *
+ * Note: cur_buf will be freed the next time this routine is called if
+ * cur_buf is not NULL, callers who retain a reference to the cur_buf
+ * pointer will need to set cur_buf to NULL to cause the previous cur_buf
+ * allocation to persist.
+ *
+ * Returns:
+ * 1 if successful (errno == 0)
+ * 0 if non-blocking input unavailable (errno == 0)
+ * -1 if error (errno contains non-zero error code)
+ * -2 if EOF (errno == 0)
+ */
+
+static int readline_buf(auparse_state_t *au)
+{
+ char *p_newline=NULL;
+ size_t line_len;
+
+ if (au->cur_buf != NULL) {
+ free(au->cur_buf);
+ au->cur_buf = NULL;
+ }
+
+ //if (debug) databuf_print(&au->databuf, 1, "readline_buf");
+ if (au->databuf.len == 0) {
+ // return EOF condition
+ errno = 0;
+ return -2;
+ }
+
+ if ((p_newline = strnchr(databuf_beg(&au->databuf), '\n',
+ au->databuf.len)) != NULL) {
+ line_len = p_newline - databuf_beg(&au->databuf);
+
+ /* dup the line */
+ au->cur_buf = malloc(line_len+1); // +1 for null terminator
+ if (au->cur_buf == NULL)
+ return -1; // return error condition, errno set
+ strncpy(au->cur_buf, databuf_beg(&au->databuf), line_len);
+ au->cur_buf[line_len] = 0;
+
+ if (databuf_advance(&au->databuf, line_len+1) < 0)
+ return -1;
+ // return success
+ errno = 0;
+ return 1;
+
+ } else {
+ // return no data available
+ errno = 0;
+ return 0;
+ }
+}
+
+static int str2event(char *s, au_event_t *e)
+{
+ char *ptr;
+
+ errno = 0;
+ ptr = strchr(s+10, ':');
+ if (ptr) {
+ e->serial = strtoul(ptr+1, NULL, 10);
+ *ptr = 0;
+ if (errno)
+ return -1;
+ } else
+ e->serial = 0;
+ ptr = strchr(s, '.');
+ if (ptr) {
+ e->milli = strtoul(ptr+1, NULL, 10);
+ *ptr = 0;
+ if (errno)
+ return -1;
+ } else
+ e->milli = 0;
+ e->sec = strtoul(s, NULL, 10);
+ if (errno)
+ return -1;
+ return 0;
+}
+
+/* Returns 0 on success and 1 on error */
+static int extract_timestamp(const char *b, au_event_t *e)
+{
+ char *ptr, *tmp;
+ int rc = 1;
+
+ e->host = NULL;
+ if (*b == 'n')
+ tmp = strndupa(b, 340);
+ else
+ tmp = strndupa(b, 80);
+ ptr = audit_strsplit(tmp);
+ if (ptr) {
+ // Optionally grab the node - may or may not be included
+ if (*ptr == 'n') {
+ e->host = strdup(ptr+5);
+ (void)audit_strsplit(NULL); // Bump along to the next one
+ }
+ // at this point we have type=
+ ptr = audit_strsplit(NULL);
+ if (ptr) {
+ if (*(ptr+9) == '(')
+ ptr+=9;
+ else
+ ptr = strchr(ptr, '(');
+ if (ptr) {
+ // now we should be pointed at the timestamp
+ char *eptr;
+ ptr++;
+ eptr = strchr(ptr, ')');
+ if (eptr)
+ *eptr = 0;
+
+ if (str2event(ptr, e) == 0)
+ rc = 0;
+// else {
+// audit_msg(LOG_ERROR,
+// "Error extracting time stamp (%s)\n",
+// ptr);
+// }
+ }
+ // else we have a bad line
+ }
+ // else we have a bad line
+ }
+ // else we have a bad line
+ return rc;
+}
+
+static int inline events_are_equal(au_event_t *e1, au_event_t *e2)
+{
+ // Check time & serial first since its most likely way
+ // to spot 2 different events
+ if (!(e1->serial == e2->serial && e1->milli == e2->milli &&
+ e1->sec == e2->sec))
+ return 0;
+ // Hmm...same so far, check if both have a host, only a string
+ // compare can tell if they are the same. Otherwise, if only one
+ // of them have a host, they are definitely not the same. Its
+ // a boundary on daemon config.
+ if (e1->host && e2->host) {
+ if (strcmp(e1->host, e2->host))
+ return 0;
+ } else if (e1->host || e2->host)
+ return 0;
+ return 1;
+}
+
+/* This function will figure out how to get the next line of input.
+ * storing it cur_buf. cur_buf will be NULL terminated but will not
+ * contain a trailing newline. This implies a successful read
+ * (result == 1) may result in a zero length cur_buf if a blank line
+ * was read.
+ *
+ * cur_buf will have been allocated with malloc. The next time this
+ * routine is called if cur_buf is non-NULL cur_buf will be freed,
+ * thus if the caller wishes to retain a reference to malloc'ed
+ * cur_buf data it should copy the cur_buf pointer and set cur_buf to
+ * NULL.
+ *
+ * Returns:
+ * 1 if successful (errno == 0)
+ * 0 if non-blocking input unavailable (errno == 0)
+ * -1 if error (errno contains non-zero error code)
+ * -2 if EOF (errno == 0)
+ */
+
+static int retrieve_next_line(auparse_state_t *au)
+{
+ int rc;
+
+ // If line was pushed back for re-reading return that
+ if (au->line_pushed) {
+ // Starting new event, clear previous event data,
+ // previous line is returned again for new parsing
+ au->line_pushed = 0;
+ au->line_number++;
+ return 1;
+ }
+
+ switch (au->source)
+ {
+ case AUSOURCE_DESCRIPTOR:
+ case AUSOURCE_FILE_POINTER:
+ rc = readline_file(au);
+ if (rc > 0) au->line_number++;
+ return rc;
+ case AUSOURCE_LOGS:
+ case AUSOURCE_FILE:
+ case AUSOURCE_FILE_ARRAY:
+ // if the first time through, open file
+ if (au->list_idx == 0 && au->in == NULL &&
+ au->source_list != NULL) {
+ if (au->source_list[au->list_idx] == NULL) {
+ errno = 0;
+ return -2;
+ }
+ au->line_number = 0;
+ au->in = fopen(au->source_list[au->list_idx],
+ "rm");
+ if (au->in == NULL)
+ return -1;
+ __fsetlocking(au->in, FSETLOCKING_BYCALLER);
+ }
+
+ // loop reading lines from a file
+ while (au->in) {
+ if ((rc = readline_file(au)) == -2) {
+ // end of file, open next file,
+ // try readline again
+ fclose(au->in);
+ au->in = NULL;
+ au->list_idx++;
+ au->line_number = 0;
+ if (au->source_list[au->list_idx]) {
+ au->in = fopen(
+ au->source_list[au->list_idx],
+ "rm");
+ if (au->in == NULL)
+ return -1;
+ __fsetlocking(au->in,
+ FSETLOCKING_BYCALLER);
+ }
+ } else {
+ if (rc > 0)
+ au->line_number++;
+ return rc;
+ }
+ }
+ return -2; // return EOF
+ case AUSOURCE_BUFFER:
+ case AUSOURCE_BUFFER_ARRAY:
+ rc = readline_buf(au);
+ if (rc > 0)
+ au->line_number++;
+ return rc;
+ case AUSOURCE_FEED:
+ rc = readline_buf(au);
+ // No such thing as EOF for feed, translate EOF
+ // to data not available
+ if (rc == -2)
+ return 0;
+ else
+ if (rc > 0)
+ au->line_number++;
+ return rc;
+ default:
+ return -1;
+ }
+ return -1; /* should never reach here */
+}
+
+static void push_line(auparse_state_t *au)
+{
+ au->line_number--;
+ au->line_pushed = 1;
+}
+
+/*******
+* Functions that traverse events.
+********/
+static int ausearch_reposition_cursors(auparse_state_t *au)
+{
+ int rc = 0;
+
+ switch (au->search_where)
+ {
+ case AUSEARCH_STOP_EVENT:
+ aup_list_first(&au->le);
+ aup_list_first_field(&au->le);
+ break;
+ case AUSEARCH_STOP_RECORD:
+ aup_list_first_field(&au->le);
+ break;
+ case AUSEARCH_STOP_FIELD:
+ // do nothing - this is the normal stopping point
+ break;
+ default:
+ rc = -1;
+ break;
+ }
+ return rc;
+}
+
+/* This is called during search once per each record. It walks the list
+ * of nvpairs and decides if a field matches. */
+static int ausearch_compare(auparse_state_t *au)
+{
+ rnode *r;
+
+ r = aup_list_get_cur(&au->le);
+ if (r)
+ return expr_eval(au, r, au->expr);
+
+ return 0;
+}
+
+// Returns < 0 on error, 0 no data, > 0 success
+int ausearch_next_event(auparse_state_t *au)
+{
+ int rc;
+
+ if (au->expr == NULL) {
+ errno = EINVAL;
+ return -1;
+ }
+ if ((rc = auparse_first_record(au)) <= 0)
+ return rc;
+ do {
+ do {
+ if ((rc = ausearch_compare(au)) > 0) {
+ ausearch_reposition_cursors(au);
+ return 1;
+ } else if (rc < 0)
+ return rc;
+ } while ((rc = auparse_next_record(au)) > 0);
+ if (rc < 0)
+ return rc;
+ } while ((rc = auparse_next_event(au)) > 0);
+ if (rc < 0)
+ return rc;
+
+ return 0;
+}
+
+// Brute force go to next event. Returns < 0 on error, 0 no data, > 0 success
+int auparse_next_event(auparse_state_t *au)
+{
+ int rc;
+ au_event_t event;
+
+ if (au->parse_state == EVENT_EMITTED) {
+ // If the last call resulted in emitting event data then
+ // clear previous event data in preparation to accumulate
+ // new event data
+ aup_list_clear(&au->le);
+ au->parse_state = EVENT_EMPTY;
+ }
+
+ // accumulate new event data
+ while (1) {
+ rc = retrieve_next_line(au);
+ if (debug) printf("next_line(%d) '%s'\n", rc, au->cur_buf);
+ if (rc == 0) return 0; // No data now
+ if (rc == -2) {
+ // We're at EOF, did we read any data previously?
+ // If so return data available, else return no data
+ // available
+ if (au->parse_state == EVENT_ACCUMULATING) {
+ if (debug) printf("EOF, EVENT_EMITTED\n");
+ au->parse_state = EVENT_EMITTED;
+ return 1; // data is available
+ }
+ return 0;
+ }
+ if (rc > 0) { // Input available
+ rnode *r;
+ if (extract_timestamp(au->cur_buf, &event)) {
+ if (debug)
+ printf("Malformed line:%s\n",
+ au->cur_buf);
+ continue;
+ }
+ if (au->parse_state == EVENT_EMPTY) {
+ // First record in new event, initialize event
+ if (debug)
+ printf(
+ "First record in new event, initialize event\n");
+ aup_list_set_event(&au->le, &event);
+ aup_list_append(&au->le, au->cur_buf,
+ au->list_idx, au->line_number);
+ au->parse_state = EVENT_ACCUMULATING;
+ au->cur_buf = NULL;
+ } else if (events_are_equal(&au->le.e, &event)) {
+ // Accumulate data into existing event
+ if (debug)
+ printf(
+ "Accumulate data into existing event\n");
+ aup_list_append(&au->le, au->cur_buf,
+ au->list_idx, au->line_number);
+ au->parse_state = EVENT_ACCUMULATING;
+ au->cur_buf = NULL;
+ } else {
+ // New event, save input for next invocation
+ if (debug)
+ printf(
+ "New event, save current input for next invocation, EVENT_EMITTED\n");
+ push_line(au);
+ // Emit the event, set event cursors to
+ // initial position
+ aup_list_first(&au->le);
+ aup_list_first_field(&au->le);
+ au->parse_state = EVENT_EMITTED;
+ free((char *)event.host);
+ return 1; // data is available
+ }
+ free((char *)event.host);
+ // Check to see if the event can be emitted due to EOE
+ // or something we know is a single record event. At
+ // this point, new record should be pointed at 'cur'
+ if ((r = aup_list_get_cur(&au->le)) == NULL)
+ continue;
+ if ( r->type == AUDIT_EOE ||
+ r->type < AUDIT_FIRST_EVENT ||
+ r->type >= AUDIT_FIRST_ANOM_MSG) {
+ // Emit the event, set event cursors to
+ // initial position
+ aup_list_first(&au->le);
+ aup_list_first_field(&au->le);
+ au->parse_state = EVENT_EMITTED;
+ return 1; // data is available
+ }
+ } else { // Read error
+ return -1;
+ }
+ }
+}
+
+/* Accessors to event data */
+const au_event_t *auparse_get_timestamp(auparse_state_t *au)
+{
+ if (au && au->le.e.sec != 0)
+ return &au->le.e;
+ else
+ return NULL;
+}
+
+
+time_t auparse_get_time(auparse_state_t *au)
+{
+ if (au)
+ return au->le.e.sec;
+ else
+ return 0;
+}
+
+
+unsigned int auparse_get_milli(auparse_state_t *au)
+{
+ if (au)
+ return au->le.e.milli;
+ else
+ return 0;
+}
+
+
+unsigned long auparse_get_serial(auparse_state_t *au)
+{
+ if (au)
+ return au->le.e.serial;
+ else
+ return 0;
+}
+
+
+// Gets the machine node name
+const char *auparse_get_node(auparse_state_t *au)
+{
+ if (au && au->le.e.host != NULL)
+ return strdup(au->le.e.host);
+ else
+ return NULL;
+}
+
+
+int auparse_node_compare(au_event_t *e1, au_event_t *e2)
+{
+ // If both have a host, only a string compare can tell if they
+ // are the same. Otherwise, if only one of them have a host, they
+ // are definitely not the same. Its a boundary on daemon config.
+ if (e1->host && e2->host)
+ return strcmp(e1->host, e2->host);
+ else if (e1->host)
+ return 1;
+ else if (e2->host)
+ return -1;
+
+ return 0;
+}
+
+
+int auparse_timestamp_compare(au_event_t *e1, au_event_t *e2)
+{
+ if (e1->sec > e2->sec)
+ return 1;
+ if (e1->sec < e2->sec)
+ return -1;
+
+ if (e1->milli > e2->milli)
+ return 1;
+ if (e1->milli < e2->milli)
+ return -1;
+
+ if (e1->serial > e2->serial)
+ return 1;
+ if (e1->serial < e2->serial)
+ return -1;
+
+ return 0;
+}
+
+unsigned int auparse_get_num_records(auparse_state_t *au)
+{
+ return aup_list_get_cnt(&au->le);
+}
+
+
+/* Functions that traverse records in the same event */
+int auparse_first_record(auparse_state_t *au)
+{
+ int rc;
+
+ if (aup_list_get_cnt(&au->le) == 0) {
+ rc = auparse_next_event(au);
+ if (rc <= 0)
+ return rc;
+ }
+ aup_list_first(&au->le);
+ aup_list_first_field(&au->le);
+
+ return 1;
+}
+
+
+int auparse_next_record(auparse_state_t *au)
+{
+ if (aup_list_get_cnt(&au->le) == 0) {
+ int rc = auparse_first_record(au);
+ if (rc <= 0)
+ return rc;
+ }
+ if (aup_list_next(&au->le))
+ return 1;
+ else
+ return 0;
+}
+
+
+int auparse_goto_record_num(auparse_state_t *au, unsigned int num)
+{
+ /* Check if a request is out of range */
+ if (num >= aup_list_get_cnt(&au->le))
+ return 0;
+
+ if (aup_list_goto_rec(&au->le, num) != NULL)
+ return 1;
+ else
+ return 0;
+}
+
+
+/* Accessors to record data */
+int auparse_get_type(auparse_state_t *au)
+{
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r)
+ return r->type;
+ else
+ return 0;
+}
+
+
+const char *auparse_get_type_name(auparse_state_t *au)
+{
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r)
+ return audit_msg_type_to_name(r->type);
+ else
+ return NULL;
+}
+
+
+unsigned int auparse_get_line_number(auparse_state_t *au)
+{
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r)
+ return r->line_number;
+ else
+ return 0;
+}
+
+
+const char *auparse_get_filename(auparse_state_t *au)
+{
+ switch (au->source)
+ {
+ case AUSOURCE_FILE:
+ case AUSOURCE_FILE_ARRAY:
+ break;
+ default:
+ return NULL;
+ }
+
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r) {
+ if (r->list_idx < 0) return NULL;
+ return au->source_list[r->list_idx];
+ } else {
+ return NULL;
+ }
+}
+
+
+int auparse_first_field(auparse_state_t *au)
+{
+ return aup_list_first_field(&au->le);
+}
+
+
+int auparse_next_field(auparse_state_t *au)
+{
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r) {
+ if (nvlist_next(&r->nv))
+ return 1;
+ else
+ return 0;
+ }
+ return 0;
+}
+
+
+unsigned int auparse_get_num_fields(auparse_state_t *au)
+{
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r)
+ return nvlist_get_cnt(&r->nv);
+ else
+ return 0;
+}
+
+const char *auparse_get_record_text(auparse_state_t *au)
+{
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r)
+ return r->record;
+ else
+ return NULL;
+}
+
+
+/* scan from current location to end of event */
+const char *auparse_find_field(auparse_state_t *au, const char *name)
+{
+ free(au->find_field);
+ au->find_field = strdup(name);
+
+ if (au->le.e.sec) {
+ const char *cur_name;
+ rnode *r;
+
+ // look at current record before moving
+ r = aup_list_get_cur(&au->le);
+ if (r == NULL)
+ return NULL;
+ cur_name = nvlist_get_cur_name(&r->nv);
+ if (cur_name && strcmp(cur_name, name) == 0)
+ return nvlist_get_cur_val(&r->nv);
+
+ return auparse_find_field_next(au);
+ }
+ return NULL;
+}
+
+/* Increment 1 location and then scan for next field */
+const char *auparse_find_field_next(auparse_state_t *au)
+{
+ if (au->find_field == NULL) {
+ errno = EINVAL;
+ return NULL;
+ }
+ if (au->le.e.sec) {
+ int moved = 0;
+
+ rnode *r = aup_list_get_cur(&au->le);
+ while (r) { // For each record in the event...
+ if (!moved) {
+ nvlist_next(&r->nv);
+ moved=1;
+ }
+ if (nvlist_find_name(&r->nv, au->find_field))
+ return nvlist_get_cur_val(&r->nv);
+ r = aup_list_next(&au->le);
+ if (r)
+ aup_list_first_field(&au->le);
+ }
+ }
+ return NULL;
+}
+
+
+/* Accessors to field data */
+const char *auparse_get_field_name(auparse_state_t *au)
+{
+ if (au->le.e.sec) {
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r)
+ return nvlist_get_cur_name(&r->nv);
+ }
+ return NULL;
+}
+
+
+const char *auparse_get_field_str(auparse_state_t *au)
+{
+ if (au->le.e.sec) {
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r)
+ return nvlist_get_cur_val(&r->nv);
+ }
+ return NULL;
+}
+
+int auparse_get_field_type(auparse_state_t *au)
+{
+ if (au->le.e.sec) {
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r)
+ return nvlist_get_cur_type(r);
+ }
+ return AUPARSE_TYPE_UNCLASSIFIED;
+}
+
+int auparse_get_field_int(auparse_state_t *au)
+{
+ const char *v = auparse_get_field_str(au);
+ if (v) {
+ int val;
+
+ errno = 0;
+ val = strtol(v, NULL, 10);
+ if (errno == 0)
+ return val;
+ } else
+ errno = ENODATA;
+ return -1;
+}
+
+const char *auparse_interpret_field(auparse_state_t *au)
+{
+ if (au->le.e.sec) {
+ rnode *r = aup_list_get_cur(&au->le);
+ if (r)
+ return nvlist_interp_cur_val(r);
+ }
+ return NULL;
+}
+
diff --git a/framework/src/audit/auparse/auparse.h b/framework/src/audit/auparse/auparse.h
new file mode 100644
index 00000000..78504ffe
--- /dev/null
+++ b/framework/src/audit/auparse/auparse.h
@@ -0,0 +1,112 @@
+/* auparse.h --
+ * Copyright 2006-08,2012,2014,2015 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+#ifndef AUPARSE_HEADER
+#define AUPARSE_HEADER
+
+#include "auparse-defs.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/* Library type definitions */
+
+/* opaque data type used for maintaining library state */
+typedef struct opaque auparse_state_t;
+
+typedef void (*user_destroy)(void *user_data);
+typedef void (*auparse_callback_ptr)(auparse_state_t *au,
+ auparse_cb_event_t cb_event_type, void *user_data);
+
+/* General functions that affect operation of the library */
+auparse_state_t *auparse_init(ausource_t source, const void *b);
+int auparse_feed(auparse_state_t *au, const char *data, size_t data_len);
+int auparse_flush_feed(auparse_state_t *au);
+int auparse_feed_has_data(const auparse_state_t *au);
+void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback,
+ void *user_data, user_destroy user_destroy_func);
+void auparse_set_escape_mode(auparse_esc_t mode);
+int auparse_reset(auparse_state_t *au);
+void auparse_destroy(auparse_state_t *au);
+
+/* Functions that are part of the search interface */
+int ausearch_add_expression(auparse_state_t *au, const char *expression,
+ char **error, ausearch_rule_t how);
+int ausearch_add_item(auparse_state_t *au, const char *field, const char *op,
+ const char *value, ausearch_rule_t how);
+int ausearch_add_interpreted_item(auparse_state_t *au, const char *field,
+ const char *op, const char *value, ausearch_rule_t how);
+int ausearch_add_timestamp_item(auparse_state_t *au, const char *op, time_t sec,
+ unsigned milli, ausearch_rule_t how);
+int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op,
+ time_t sec, unsigned milli, unsigned serial, ausearch_rule_t how);
+int ausearch_add_regex(auparse_state_t *au, const char *expr);
+int ausearch_set_stop(auparse_state_t *au, austop_t where);
+void ausearch_clear(auparse_state_t *au);
+
+/* Functions that traverse events */
+int ausearch_next_event(auparse_state_t *au);
+int auparse_next_event(auparse_state_t *au);
+
+/* Accessors to event data */
+const au_event_t *auparse_get_timestamp(auparse_state_t *au);
+time_t auparse_get_time(auparse_state_t *au);
+unsigned int auparse_get_milli(auparse_state_t *au);
+unsigned long auparse_get_serial(auparse_state_t *au);
+const char *auparse_get_node(auparse_state_t *au);
+int auparse_node_compare(au_event_t *e1, au_event_t *e2);
+int auparse_timestamp_compare(au_event_t *e1, au_event_t *e2);
+unsigned int auparse_get_num_records(auparse_state_t *au);
+
+/* Functions that traverse records in the same event */
+int auparse_first_record(auparse_state_t *au);
+int auparse_next_record(auparse_state_t *au);
+int auparse_goto_record_num(auparse_state_t *au, unsigned int num);
+
+/* Accessors to record data */
+int auparse_get_type(auparse_state_t *au);
+const char *auparse_get_type_name(auparse_state_t *au);
+unsigned int auparse_get_line_number(auparse_state_t *au);
+const char *auparse_get_filename(auparse_state_t *au);
+int auparse_first_field(auparse_state_t *au);
+int auparse_next_field(auparse_state_t *au);
+unsigned int auparse_get_num_fields(auparse_state_t *au);
+const char *auparse_get_record_text(auparse_state_t *au);
+const char *auparse_find_field(auparse_state_t *au, const char *name);
+const char *auparse_find_field_next(auparse_state_t *au);
+
+/* Accessors to field data */
+const char *auparse_get_field_name(auparse_state_t *au);
+const char *auparse_get_field_str(auparse_state_t *au);
+int auparse_get_field_type(auparse_state_t *au);
+int auparse_get_field_int(auparse_state_t *au);
+const char *auparse_interpret_field(auparse_state_t *au);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
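Review bot: The `auparse_get_node` declaration in this header returns `const char *`, but the implementation added by this commit in auparse.c hands back `strdup(au->le.e.host)`, a fresh heap allocation the caller owns; nothing in the header or the implementation's "Gets the machine node name" comment says so. The other `const char *` accessors declared alongside it (`auparse_get_field_str`, `auparse_get_record_text`, `auparse_get_type_name`) return pointers into library-owned data, so a caller that treats them uniformly will leak one string per call. Document the ownership above the declaration: `/* Returns a malloc'ed copy of the node name, or NULL; the caller must free() it. */`. Changing the return type to `char *` would express this in the type itself, but that alters the public API, so the comment is the minimal fix.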
diff --git a/framework/src/audit/auparse/auparse.pc.in b/framework/src/audit/auparse/auparse.pc.in
new file mode 100644
index 00000000..581287e8
--- /dev/null
+++ b/framework/src/audit/auparse/auparse.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: libauparse
+Description: Library for apps that want to parse and interpret audit logs
+Version: @VERSION@
+Libs: -L${libdir} -lauparse
+Libs.private: -laudit
+Cflags: -I${includedir}
diff --git a/framework/src/audit/auparse/captab.h b/framework/src/audit/auparse/captab.h
new file mode 100644
index 00000000..409fdb4e
--- /dev/null
+++ b/framework/src/audit/auparse/captab.h
@@ -0,0 +1,62 @@
+/* captab.h --
+ * Copyright 2007,2008,2012-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/capability.h
+ */
+
+
+_S(0, "chown" )
+_S(1, "dac_override" )
+_S(2, "dac_read_search" )
+_S(3, "fowner" )
+_S(4, "fsetid" )
+_S(5, "kill" )
+_S(6, "setgid" )
+_S(7, "setuid" )
+_S(8, "setpcap" )
+_S(9, "linux_immutable" )
+_S(10, "net_bind_service" )
+_S(11, "net_broadcast" )
+_S(12, "net_admin" )
+_S(13, "net_raw" )
+_S(14, "ipc_lock" )
+_S(15, "ipc_owner" )
+_S(16, "sys_module" )
+_S(17, "sys_rawio" )
+_S(18, "sys_chroot" )
+_S(19, "sys_ptrace" )
+_S(20, "sys_pacct" )
+_S(21, "sys_admin" )
+_S(22, "sys_boot" )
+_S(23, "sys_nice" )
+_S(24, "sys_resource" )
+_S(25, "sys_time" )
+_S(26, "sys_tty_config" )
+_S(27, "mknod" )
+_S(28, "lease" )
+_S(29, "audit_write" )
+_S(30, "audit_control" )
+_S(31, "setfcap" )
+_S(32, "mac_override" )
+_S(33, "mac_admin" )
+_S(34, "syslog" )
+_S(35, "wake_alarm" )
+_S(36, "block_suspend" )
+_S(37, "audit_read" )
diff --git a/framework/src/audit/auparse/clocktab.h b/framework/src/audit/auparse/clocktab.h
new file mode 100644
index 00000000..bcb396fe
--- /dev/null
+++ b/framework/src/audit/auparse/clocktab.h
@@ -0,0 +1,36 @@
+/* clocktab.h --
+ * Copyright 2012,2014 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/time.h
+ */
+
+_S(0, "CLOCK_REALTIME" )
+_S(1, "CLOCK_MONOTONIC" )
+_S(2, "CLOCK_PROCESS_CPUTIME_ID" )
+_S(3, "CLOCK_THREAD_CPUTIME_ID" )
+_S(4, "CLOCK_MONOTONIC_RAW" )
+_S(5, "CLOCK_REALTIME_COARSE" )
+_S(6, "CLOCK_MONOTONIC_COARSE" )
+_S(7, "CLOCK_BOOTTIME" )
+_S(8, "CLOCK_REALTIME_ALARM" )
+_S(9, "CLOCK_BOOTTIME_ALARM" )
+_S(10, "CLOCK_SGI_CYCLE" )
+_S(11, "CLOCK_TAI" )
+
diff --git a/framework/src/audit/auparse/clone-flagtab.h b/framework/src/audit/auparse/clone-flagtab.h
new file mode 100644
index 00000000..503e84bc
--- /dev/null
+++ b/framework/src/audit/auparse/clone-flagtab.h
@@ -0,0 +1,47 @@
+/* clone-flagtab.h --
+ * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/sched.h
+ */
+
+_S(0x00000100, "CLONE_VM" )
+_S(0x00000200, "CLONE_FS" )
+_S(0x00000400, "CLONE_FILES" )
+_S(0x00000800, "CLONE_SIGHAND" )
+_S(0x00002000, "CLONE_PTRACE" )
+_S(0x00004000, "CLONE_VFORK" )
+_S(0x00008000, "CLONE_PARENT" )
+_S(0x00010000, "CLONE_THREAD" )
+_S(0x00020000, "CLONE_NEWNS" )
+_S(0x00040000, "CLONE_SYSVSEM" )
+_S(0x00080000, "CLONE_SETTLS" )
+_S(0x00100000, "CLONE_PARENT_SETTID" )
+_S(0x00200000, "CLONE_CHILD_CLEARTID" )
+_S(0x00400000, "CLONE_DETACHED" )
+_S(0x00800000, "CLONE_UNTRACED" )
+_S(0x01000000, "CLONE_CHILD_SETTID" )
+_S(0x02000000, "CLONE_STOPPED" )
+_S(0x04000000, "CLONE_NEWUTS" )
+_S(0x08000000, "CLONE_NEWIPC" )
+_S(0x10000000, "CLONE_NEWUSER" )
+_S(0x20000000, "CLONE_NEWPID" )
+_S(0x40000000, "CLONE_NEWNET" )
+_S(0x80000000, "CLONE_IO" )
+
diff --git a/framework/src/audit/auparse/data_buf.c b/framework/src/audit/auparse/data_buf.c
new file mode 100644
index 00000000..43b5999e
--- /dev/null
+++ b/framework/src/audit/auparse/data_buf.c
@@ -0,0 +1,394 @@
+/* data_buf.c --
+ * Copyright 2007,2011 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * John Dennis <jdennis@redhat.com>
+ */
+
+/*
+ * gcc -DTEST -g data_buf.c -o data_buf
+ * gcc -DTEST -g data_buf.c -o data_buf && valgrind --leak-check=yes ./data_buf
+ */
+
+/*****************************************************************************/
+/******************************** Documentation ******************************/
+/*****************************************************************************/
+
+/*****************************************************************************/
+/******************************* Include Files *******************************/
+/*****************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <stdarg.h>
+#include <errno.h>
+#include "data_buf.h"
+
+/*****************************************************************************/
+/****************************** Internal Defines *****************************/
+/*****************************************************************************/
+
+#ifndef MIN
+#define MIN(a,b) (((a)<=(b))?(a):(b))
+#endif
+
+#ifndef MAX
+#define MAX(a,b) (((a)>=(b))?(a):(b))
+#endif
+
+//#define DEBUG 1
+
+#ifdef DEBUG
+#define DATABUF_VALIDATE(db) \
+{ \
+ if (db->alloc_ptr == NULL || db->alloc_size == 0) { \
+ assert(db->alloc_ptr == NULL); \
+ assert(db->alloc_size == 0); \
+ assert(db->len == 0); \
+ } else { \
+ assert(db->offset <= db->alloc_size); \
+ assert(db->len <= db->alloc_size); \
+ assert(db->offset+db->len <= db->alloc_size); \
+ } \
+}
+#else
+#define DATABUF_VALIDATE(db)
+#endif
+
+/*****************************************************************************/
+/************************** Internal Type Definitions ************************/
+/*****************************************************************************/
+
+/*****************************************************************************/
+/********************** External Function Declarations *********************/
+/*****************************************************************************/
+
+/*****************************************************************************/
+/********************** Internal Function Declarations *********************/
+/*****************************************************************************/
+
+static int databuf_shift_data_to_beginning(DataBuf *db);
+static int databuf_strcat(DataBuf *db, const char *str);
+
+/*****************************************************************************/
+/************************* External Global Variables ***********************/
+/*****************************************************************************/
+
+/*****************************************************************************/
+/************************* Internal Global Variables ***********************/
+/*****************************************************************************/
+
+#ifdef DEBUG
+static int debug = 0;
+#endif
+
+/*****************************************************************************/
+/**************************** Inline Functions *****************************/
+/*****************************************************************************/
+static inline char *databuf_end(DataBuf *db)
+{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->offset+db->len;}
+
+static inline char *databuf_alloc_end(DataBuf *db)
+{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->alloc_size;}
+
+static inline int databuf_tail_size(DataBuf *db)
+{return db->alloc_size - (db->offset+db->len);}
+
+static inline int databuf_tail_available(DataBuf *db, size_t append_len)
+{return append_len <= databuf_tail_size(db);}
+
+static inline size_t databuf_free_size(DataBuf *db)
+{return db->alloc_size-db->len;}
+
+/*****************************************************************************/
+/*************************** Internal Functions ****************************/
+/*****************************************************************************/
+
+static int databuf_shift_data_to_beginning(DataBuf *db)
+{
+ DATABUF_VALIDATE(db);
+ if (db->flags & DATABUF_FLAG_PRESERVE_HEAD) return -1;
+ if (databuf_beg(db) == NULL) return 1;
+ if (db->offset) {
+ memmove(db->alloc_ptr, databuf_beg(db), db->len);
+ db->offset = 0;
+ }
+ DATABUF_VALIDATE(db);
+ return 1;
+}
+
+/*****************************************************************************/
+/**************************** Exported Functions ***************************/
+/*****************************************************************************/
+
+void databuf_print(DataBuf *db, int print_data, char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ if (fmt) {
+ vprintf(fmt, ap);
+ }
+ printf("%salloc_size=%zu alloc_ptr=%p offset=%zu beg=%p len=%zu max_len=%zu flags=[",
+ fmt?" ":"", db->alloc_size, db->alloc_ptr, db->offset, databuf_beg(db), db->len, db->max_len);
+
+ if (db->flags & DATABUF_FLAG_PRESERVE_HEAD) printf("PRESERVE_HEAD ");
+ if (db->flags & DATABUF_FLAG_STRING) printf("STRING ");
+ printf("]");
+
+ if (print_data) {
+ printf(" [");
+ fwrite(databuf_beg(db), 1, db->len, stdout);
+ printf("]");
+ }
+ printf("\n");
+ va_end(ap);
+}
+
+int databuf_init(DataBuf *db, size_t size, unsigned flags)
+{
+ db->alloc_ptr = NULL;
+ db->alloc_size = 0;
+ db->offset = 0;
+ db->len = 0;
+ db->max_len = 0;
+ db->flags = flags;
+
+ if (size) {
+ if ((db->alloc_ptr = malloc(size))) {
+ db->alloc_size = size;
+ return 1;
+ } else {
+ return -1;
+ }
+ }
+
+ // For strings intialize with initial NULL terminator
+ if (flags & DATABUF_FLAG_STRING) databuf_strcat(db, "");
+
+ return 1;
+}
+
+void databuf_free(DataBuf *db)
+{
+ DATABUF_VALIDATE(db);
+
+ if (db->alloc_ptr != NULL) {
+ free(db->alloc_ptr);
+ }
+
+ db->alloc_ptr = NULL;
+ db->alloc_size = 0;
+ db->offset = 0;
+ db->len = 0;
+ db->max_len = 0;
+
+ DATABUF_VALIDATE(db);
+}
+
+int databuf_append(DataBuf *db, const char *src, size_t src_size)
+{
+ size_t new_size;
+
+ DATABUF_VALIDATE(db);
+
+ if (src == NULL || src_size == 0) return 0;
+
+ new_size = db->len+src_size;
+
+#ifdef DEBUG
+ if (debug) databuf_print(db, 1, "databuf_append() size=%zd", src_size);
+#endif
+ if ((new_size > db->alloc_size) ||
+ ((db->flags & DATABUF_FLAG_PRESERVE_HEAD) && !databuf_tail_available(db, src_size))) {
+ /* not enough room, we must realloc */
+ void *new_alloc;
+
+ databuf_shift_data_to_beginning(db);
+ if ((new_alloc = realloc(db->alloc_ptr, new_size))) {
+ db->alloc_ptr = new_alloc;
+ db->alloc_size = new_size;
+ } else {
+ return -1; /* realloc failed */
+ }
+ } else {
+ /* we can fit within current allocation, but can we append? */
+ if (!databuf_tail_available(db, src_size)) {
+ /* we can't append in place, must create room at tail by shifting
+ data forward to the beginning of the allocation block */
+ databuf_shift_data_to_beginning(db);
+ }
+ }
+#ifdef DEBUG
+ if (debug) databuf_print(db, 1, "databuf_append() about to memmove()");
+#endif
+ /* pointers all set up and room availble, move the data and update */
+ memmove(databuf_end(db), src, src_size);
+ db->len = new_size;
+ db->max_len = MAX(db->max_len, new_size);
+#ifdef DEBUG
+ if (debug) databuf_print(db, 1, "databuf_append() conclusion");
+#endif
+ DATABUF_VALIDATE(db);
+ return 1;
+}
+
+static int databuf_strcat(DataBuf *db, const char *str)
+{
+ size_t str_len;
+
+ DATABUF_VALIDATE(db);
+
+ if (str == NULL) return 0;
+
+ // +1 so the data append also copies the NULL terminator
+ str_len = strlen(str) + 1;
+
+ // If there is a NULL terminator exclude it so the subsequent
+ // data append produces a proper string concatenation
+ if (db->len > 0) {
+ char *last_char = databuf_end(db) - 1;
+ if (*last_char == 0) {
+ db->len--; // backup over NULL terminator
+ }
+ }
+
+ // Copy string and NULL terminator
+ databuf_append(db, str, str_len);
+
+ DATABUF_VALIDATE(db);
+ return 1;
+}
+
+int databuf_advance(DataBuf *db, size_t advance)
+{
+ size_t actual_advance;
+ DATABUF_VALIDATE(db);
+
+#ifdef DEBUG
+ if (debug) databuf_print(db, 1, "databuf_advance() enter, advance=%zd", advance);
+#endif
+ actual_advance = MIN(advance, db->len);
+ db->offset += actual_advance;
+ db->len -= actual_advance;
+
+#ifdef DEBUG
+ if (debug) databuf_print(db, 1, "databuf_advance() leave, actual_advance=%zd", actual_advance);
+#endif
+ DATABUF_VALIDATE(db);
+ if (advance == actual_advance) {
+ return 1;
+ } else {
+ errno = ESPIPE; // Illegal seek
+ return -1;
+ }
+}
+
+int databuf_reset(DataBuf *db)
+{
+#ifdef DEBUG
+ if (debug) databuf_print(db, 1, "databuf_reset() entry");
+#endif
+ if (!(db->flags & DATABUF_FLAG_PRESERVE_HEAD)) return -1;
+ db->offset = 0;
+ db->len = MIN(db->alloc_size, db->max_len);
+#ifdef DEBUG
+ if (debug) databuf_print(db, 1, "databuf_reset() exit");
+#endif
+ return 1;
+}
+
+/*****************************************************************************/
+/******************************* Test Program ******************************/
+/*****************************************************************************/
+
+#ifdef TEST
+static char *make_data(size_t size, const char *fill) {
+ int n=0;
+ char *data = malloc(size);
+
+ if (data == NULL) {
+ fprintf(stderr, "ERROR: make_data malloc failed\n");
+ exit(1);
+ }
+
+ n += snprintf(data, size, "%d", size);
+ while (n < size) {
+ n += snprintf(data+n, size-n, "%s", fill);
+ }
+ return data;
+}
+
+int main(int argc, char **argv)
+{
+ size_t size = 0;
+ DataBuf buf;
+ char *data;
+
+ assert(databuf_init(&buf, size, DATABUF_FLAG_STRING));
+ databuf_print(&buf, 1, "after init size=%d", size);
+
+#if 1
+ data = "a";
+ assert(databuf_strcat(&buf, data));
+ databuf_print(&buf, 1, "after strcat(%s)", data);
+
+ data = "bb";
+ assert(databuf_strcat(&buf, data));
+ databuf_print(&buf, 1, "after strcat(%s)", data);
+
+ data = "ccc";
+ assert(databuf_strcat(&buf, data));
+ databuf_print(&buf, 1, "after strcat(%s)", data);
+
+#endif
+
+ databuf_free(&buf);
+
+#if 0
+ assert(databuf_init(&buf, size, 0));
+ databuf_print(&buf, 1, "after init size=%d", size);
+
+ size = 8;
+ data = make_data(size, "a");
+ assert(databuf_append(&buf, data, size));
+ databuf_print(&buf, 1, "after append size=%d", size);
+ assert(databuf_append(&buf, data, size));
+ free(data);
+ databuf_print(&buf, 1, "after append size=%d", size);
+
+ assert(databuf_advance(&buf, 4));
+ databuf_print(&buf, 1, "after databuf_advance(%d", 4);
+
+ size = 5;
+ data = make_data(size, "b");
+ assert(databuf_append(&buf, data, size));
+ free(data);
+ databuf_print(&buf, 1, "after append size=%d", size);
+ size = 7;
+ data = make_data(size, "c");
+ assert(databuf_append(&buf, data, size));
+ free(data);
+ databuf_print(&buf, 1, "after append size=%d", size);
+
+ databuf_free(&buf);
+#endif
+ exit(0);
+}
+#endif
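Review bot: databuf_append sizes its realloc from `new_size = db->len+src_size`, but the shift it relies on is refused when DATABUF_FLAG_PRESERVE_HEAD is set — databuf_shift_data_to_beginning returns -1 and that result is discarded — so the data stays at db->offset and the following `memmove(databuf_end(db), src, src_size)` ends offset bytes past the reallocated block whenever offset is non-zero. The allocation size has to include the preserved head when the shift does not happen; the rewrite below keeps new_size as the new db->len and introduces a separate allocation size driven by the shift's return value. A secondary point: databuf_init returns as soon as it has allocated a non-zero size, so a DATABUF_FLAG_STRING buffer created with an initial size never gets the NUL terminator that the size==0 path adds through databuf_strcat, and the TEST main() only exercises size 0.
```c
int databuf_append(DataBuf *db, const char *src, size_t src_size)
{
	size_t new_size, new_alloc_size;
	/* … unchanged: DATABUF_VALIDATE, early return on empty src, debug print … */
	new_size = db->len+src_size;
	if ((new_size > db->alloc_size) ||
	    ((db->flags & DATABUF_FLAG_PRESERVE_HEAD) && !databuf_tail_available(db, src_size))) {
		void *new_alloc;

		/* Under PRESERVE_HEAD the shift is refused and the data stays at
		 * db->offset, so the block must hold offset+len+src_size bytes. */
		if (databuf_shift_data_to_beginning(db) < 0)
			new_alloc_size = db->offset + new_size;
		else
			new_alloc_size = new_size;
		if ((new_alloc = realloc(db->alloc_ptr, new_alloc_size))) {
			db->alloc_ptr = new_alloc;
			db->alloc_size = new_alloc_size;
		} else {
			return -1; /* realloc failed */
		}
	} else {
		/* … unchanged: in-place shift when the tail is too small … */
	}
	/* … unchanged: memmove, len/max_len update, return 1 … */
}
```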
diff --git a/framework/src/audit/auparse/data_buf.h b/framework/src/audit/auparse/data_buf.h
new file mode 100644
index 00000000..66323fb7
--- /dev/null
+++ b/framework/src/audit/auparse/data_buf.h
@@ -0,0 +1,80 @@
+/* data_buf.h --
+ * Copyright 2007 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * John Dennis <jdennis@redhat.com>
+ */
+
+#ifndef DATA_BUF_HEADER
+#define DATA_BUF_HEADER
+
+/*****************************************************************************/
+/******************************* Include Files *******************************/
+/*****************************************************************************/
+#include "config.h"
+#include "private.h"
+
+/*****************************************************************************/
+/*********************************** Defines *********************************/
+/*****************************************************************************/
+
+#define DATABUF_FLAG_PRESERVE_HEAD (1 << 0)
+#define DATABUF_FLAG_STRING (2 << 0)
+
+
+/*****************************************************************************/
+/******************************* Type Definitions ****************************/
+/*****************************************************************************/
+
+typedef struct Databuf {
+ unsigned flags;
+ size_t alloc_size;
+ char *alloc_ptr;
+ size_t offset;
+ size_t len;
+ size_t max_len;
+} DataBuf;
+
+/*****************************************************************************/
+/************************* External Global Variables ***********************/
+/*****************************************************************************/
+
+/*****************************************************************************/
+/***************************** Inline Functions ****************************/
+/*****************************************************************************/
+
+static inline char *databuf_beg(DataBuf *db)
+{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->offset;}
+
+/*****************************************************************************/
+/**************************** Exported Functions ***************************/
+/*****************************************************************************/
+
+void databuf_print(DataBuf *db, int print_data, char *fmt, ...) hidden
+#ifdef __GNUC__
+ __attribute__ ((format (printf, 3, 4)));
+#else
+ ;
+#endif
+int databuf_init(DataBuf *db, size_t size, unsigned flags) hidden;
+void databuf_free(DataBuf *db) hidden;
+int databuf_append(DataBuf *db, const char *src, size_t src_size) hidden;
+int databuf_advance(DataBuf *db, size_t advance) hidden;
+int databuf_reset(DataBuf *db) hidden;
+
+#endif
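Review bot: `#define DATABUF_FLAG_STRING (2 << 0)` encodes bit 1 as a shift of 2 by zero, which reads like a typo next to `DATABUF_FLAG_PRESERVE_HEAD (1 << 0)`; writing it `#define DATABUF_FLAG_STRING (1 << 1)` makes the bit position explicit and keeps the two flag definitions parallel. The value is the same either way, so this is a style point only.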
diff --git a/framework/src/audit/auparse/ellist.c b/framework/src/audit/auparse/ellist.c
new file mode 100644
index 00000000..e5b60264
--- /dev/null
+++ b/framework/src/audit/auparse/ellist.c
@@ -0,0 +1,428 @@
+/*
+* ellist.c - Minimal linked list library
+* Copyright (c) 2006-08,2014 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <libaudit.h>
+#include "ellist.h"
+#include "interpret.h"
+
+static const char key_sep[2] = { AUDIT_KEY_SEPARATOR, 0 };
+
+void aup_list_create(event_list_t *l)
+{
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+ l->e.milli = 0L;
+ l->e.sec = 0L;
+ l->e.serial = 0L;
+ l->e.host = NULL;
+}
+
+static void aup_list_last(event_list_t *l)
+{
+ register rnode* window;
+
+ if (l->head == NULL)
+ return;
+
+ window = l->head;
+ while (window->next)
+ window = window->next;
+ l->cur = window;
+}
+
+rnode *aup_list_next(event_list_t *l)
+{
+ if (l->cur)
+ l->cur = l->cur->next;
+ return l->cur;
+}
+
+/*
+ * * This function does encoding of "untrusted" names just like the kernel
+ * */
+static char *_audit_c2x(char *final, const char *buf, unsigned int size)
+{
+ unsigned int i;
+ char *ptr = final;
+ const char *hex = "0123456789ABCDEF";
+
+ for (i=0; i<size; i++) {
+ *ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */
+ *ptr++ = hex[buf[i] & 0x0F]; /* Lower nibble */
+ }
+ *ptr = 0;
+ return final;
+}
+
+static char *escape(const char *tmp)
+{
+ char *name;
+ const unsigned char *p = (unsigned char *)tmp;
+ while (*p) {
+ if (*p == '"' || *p < 0x21 || *p > 0x7e) {
+ int len = strlen(tmp);
+ name = malloc((2*len)+1);
+ return _audit_c2x(name, tmp, len);
+ }
+ p++;
+ }
+ if (asprintf(&name, "\"%s\"", tmp) < 0)
+ name = NULL;
+ return name;
+}
+
+/* This funtion does the heavy duty work of splitting a record into
+ * its little tiny pieces */
+static int parse_up_record(rnode* r)
+{
+ char *ptr, *buf, *saved=NULL;
+ int offset = 0;
+
+ buf = strdup(r->record);
+ ptr = audit_strsplit_r(buf, &saved);
+ if (ptr == NULL) {
+ free(buf);
+ return -1;
+ }
+
+ do { // If there's an '=' sign, its a keeper
+ nvnode n;
+ char *val = strchr(ptr, '=');
+ if (val) {
+ int len;
+
+ // If name is 'msg=audit' throw it away
+ if (*ptr == 'm' && strncmp(ptr, "msg=", 4) == 0) {
+ if (ptr[4] == 'a')
+ continue;
+
+ // If name is 'msg='' chop off and see
+ // if there is still a = in the string.
+ else if (ptr[4] == '\'') {
+ ptr += 5;
+ val = strchr(ptr, '=');
+ if (val == NULL)
+ continue;
+ }
+ }
+
+ // Split the string
+ *val = 0;
+ val++;
+
+ // Remove beginning cruft of name
+ if (*ptr == '(')
+ ptr++;
+ n.name = strdup(ptr);
+ n.val = strdup(val);
+ // Remove trailing punctuation
+ len = strlen(n.val);
+ if (len && n.val[len-1] == ':') {
+ n.val[len-1] = 0;
+ len--;
+ }
+ if (len && n.val[len-1] == ',') {
+ n.val[len-1] = 0;
+ len--;
+ }
+ if (len && n.val[len-1] == '\'') {
+ n.val[len-1] = 0;
+ len--;
+ }
+ if (len && n.val[len-1] == ')') {
+ if (strcmp(n.val, "(none)") &&
+ strcmp(n.val, "(null)")) {
+ n.val[len-1] = 0;
+ len--;
+ }
+ }
+ // Make virtual keys or just store it
+ if (strcmp(n.name, "key") == 0 && *n.val != '(') {
+ if (*n.val == '"')
+ nvlist_append(&r->nv, &n);
+ else {
+ char *key, *ptr, *saved2;
+
+ key = (char *)au_unescape(n.val);
+ if (key == NULL) {
+ // Malformed key - save as is
+ nvlist_append(&r->nv, &n);
+ continue;
+ }
+ ptr = strtok_r(key, key_sep, &saved2);
+ free(n.name);
+ free(n.val);
+ while (ptr) {
+ n.name = strdup("key");
+ n.val = escape(ptr);
+ nvlist_append(&r->nv, &n);
+ ptr = strtok_r(NULL,
+ key_sep, &saved2);
+ }
+ free(key);
+ }
+ continue;
+ } else
+ nvlist_append(&r->nv, &n);
+
+ // Do some info gathering for use later
+ if (r->nv.cnt == 1 && strcmp(n.name, "node") == 0)
+ offset = 1; // if node, some positions changes
+ else if (r->nv.cnt == (1 + offset) &&
+ strcmp(n.name, "type") == 0) {
+ r->type = audit_name_to_msg_type(n.val);
+ } else if (r->nv.cnt == (2 + offset) &&
+ strcmp(n.name, "arch")== 0){
+ unsigned int ival;
+ errno = 0;
+ ival = strtoul(n.val, NULL, 16);
+ if (errno)
+ r->machine = -2;
+ else
+ r->machine = audit_elf_to_machine(ival);
+ } else if (r->nv.cnt == (3 + offset) &&
+ strcmp(n.name, "syscall") == 0){
+ errno = 0;
+ r->syscall = strtoul(n.val, NULL, 10);
+ if (errno)
+ r->syscall = -1;
+ } else if (r->nv.cnt == (6 + offset) &&
+ strcmp(n.name, "a0") == 0){
+ errno = 0;
+ r->a0 = strtoull(n.val, NULL, 16);
+ if (errno)
+ r->a0 = -1LL;
+ } else if (r->nv.cnt == (7 + offset) &&
+ strcmp(n.name, "a1") == 0){
+ errno = 0;
+ r->a1 = strtoull(n.val, NULL, 16);
+ if (errno)
+ r->a1 = -1LL;
+ }
+ } else if (r->type == AUDIT_AVC || r->type == AUDIT_USER_AVC) {
+ // We special case these 2 fields because selinux
+ // avc messages do not label these fields.
+ n.name = NULL;
+ if (nvlist_get_cnt(&r->nv) == (1 + offset)) {
+ // skip over 'avc:'
+ if (strncmp(ptr, "avc", 3) == 0)
+ continue;
+ n.name = strdup("seresult");
+ } else if (nvlist_get_cnt(&r->nv) == (2 + offset)) {
+ // skip over open brace
+ if (*ptr == '{') {
+ int total = 0, len;
+ char tmpctx[256], *to;
+ tmpctx[0] = 0;
+ to = tmpctx;
+ ptr = audit_strsplit_r(NULL, &saved);
+ while (ptr && *ptr != '}') {
+ len = strlen(ptr);
+ if ((len+1) >= (256-total)) {
+ free(buf);
+ return -1;
+ }
+ if (tmpctx[0]) {
+ to = stpcpy(to, ",");
+ total++;
+ }
+ to = stpcpy(to, ptr);
+ total += len;
+ ptr = audit_strsplit_r(NULL,
+ &saved);
+ }
+ n.name = strdup("seperms");
+ n.val = strdup(tmpctx);
+ nvlist_append(&r->nv, &n);
+ continue;
+ }
+ } else
+ continue;
+ n.val = strdup(ptr);
+ nvlist_append(&r->nv, &n);
+ }
+ // FIXME: There should be an else here to catch ancillary data
+ } while((ptr = audit_strsplit_r(NULL, &saved)));
+
+ free(buf);
+ r->nv.cur = r->nv.head; // reset to beginning
+ return 0;
+}
+
+int aup_list_append(event_list_t *l, char *record, int list_idx,
+ unsigned int line_number)
+{
+ rnode* r;
+
+ if (record == NULL)
+ return -1;
+
+ // First step is build rnode
+ r = malloc(sizeof(rnode));
+ if (r == NULL)
+ return -1;
+
+ r->record = record;
+ r->type = 0;
+ r->a0 = 0LL;
+ r->a1 = 0LL;
+ r->machine = -1;
+ r->syscall = -1;
+ r->item = l->cnt;
+ r->list_idx = list_idx;
+ r->line_number = line_number;
+ r->next = NULL;
+ nvlist_create(&r->nv);
+
+ // if we are at top, fix this up
+ if (l->head == NULL)
+ l->head = r;
+ else { // Otherwise add pointer to newnode
+ aup_list_last(l);
+ l->cur->next = r;
+ }
+
+ // make newnode current
+ l->cur = r;
+ l->cnt++;
+
+ // Then parse the record up into nvlist
+ return parse_up_record(r);
+}
+
+void aup_list_clear(event_list_t* l)
+{
+ rnode* nextnode;
+ register rnode* current;
+
+ if (l == NULL)
+ return;
+
+ current = l->head;
+ while (current) {
+ nextnode=current->next;
+ nvlist_clear(&current->nv);
+ free(current->record);
+ free(current);
+ current=nextnode;
+ }
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+ l->e.milli = 0L;
+ l->e.sec = 0L;
+ l->e.serial = 0L;
+ free((char *)l->e.host);
+ l->e.host = NULL;
+}
+
+/*int aup_list_get_event(event_list_t* l, au_event_t *e)
+{
+ if (l == NULL || e == NULL)
+ return 0;
+
+ e->sec = l->e.sec;
+ e->milli = l->e.milli;
+ e->serial = l->e.serial;
+ if (l->e.host)
+ e->host = strdup(l->e.host);
+ else
+ e->host = NULL;
+ return 1;
+} */
+
+int aup_list_set_event(event_list_t* l, au_event_t *e)
+{
+ if (l == NULL || e == NULL)
+ return 0;
+
+ l->e.sec = e->sec;
+ l->e.milli = e->milli;
+ l->e.serial = e->serial;
+ l->e.host = e->host; // Take custody of the memory
+ e->host = NULL;
+ return 1;
+}
+
+rnode *aup_list_find_rec(event_list_t *l, int i)
+{
+ register rnode* window;
+
+ window = l->head; /* start at the beginning */
+ while (window) {
+ if (window->type == i) {
+ l->cur = window;
+ return window;
+ } else
+ window = window->next;
+ }
+ return NULL;
+}
+
+rnode *aup_list_goto_rec(event_list_t *l, int i)
+{
+ register rnode* window;
+
+ window = l->head; /* start at the beginning */
+ while (window) {
+ if (window->item == i) {
+ l->cur = window;
+ return window;
+ } else
+ window = window->next;
+ }
+ return NULL;
+}
+
+rnode *aup_list_find_rec_range(event_list_t *l, int low, int high)
+{
+ register rnode* window;
+
+ if (high <= low)
+ return NULL;
+
+ window = l->head; /* Start at the beginning */
+ while (window) {
+ if (window->type >= low && window->type <= high) {
+ l->cur = window;
+ return window;
+ } else
+ window = window->next;
+ }
+ return NULL;
+}
+
+int aup_list_first_field(event_list_t *l)
+{
+ if (l->cur) {
+ nvlist_first(&l->cur->nv);
+ return 1;
+ } else
+ return 0;
+}
+
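Review bot: escape() does not check the `malloc((2*len)+1)` result before passing it to _audit_c2x, which writes through the pointer for every input byte; on allocation failure that is a NULL dereference rather than an error return, and `if (name == NULL) return NULL;` after the malloc would match the asprintf failure path below it. parse_up_record has the same gap with `buf = strdup(r->record)` and `n.name = strdup(ptr); n.val = strdup(val);`, where `strlen(n.val)` follows immediately; the function already returns -1 on other failures and could do so here too. Separately, the commented-out aup_list_get_event body near the end of this file and its commented-out prototype in ellist.h are dead code and would be better removed.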
diff --git a/framework/src/audit/auparse/ellist.h b/framework/src/audit/auparse/ellist.h
new file mode 100644
index 00000000..2b43a68d
--- /dev/null
+++ b/framework/src/audit/auparse/ellist.h
@@ -0,0 +1,66 @@
+/*
+* ellist.h - Header file for ellist.c
+* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#ifndef ELLIST_HEADER
+#define ELLIST_HEADER
+
+#include "config.h"
+#include "private.h"
+#include "auparse-defs.h"
+#include <sys/types.h>
+#include "nvlist.h"
+
+/* This is the linked list head. Only data elements that are 1 per
+ * event goes here. */
+typedef struct {
+ rnode *head; // List head
+ rnode *cur; // Pointer to current node
+ unsigned int cnt; // How many items in this list
+
+ // Data we add as 1 per event
+ au_event_t e; // event - time & serial number
+} event_list_t;
+
+void aup_list_create(event_list_t *l) hidden;
+void aup_list_clear(event_list_t* l) hidden;
+static inline unsigned int aup_list_get_cnt(event_list_t *l) { return l->cnt; }
+static inline void aup_list_first(event_list_t *l) { l->cur = l->head; }
+static inline rnode *aup_list_get_cur(event_list_t *l) { return l->cur; }
+rnode *aup_list_next(event_list_t *l) hidden;
+int aup_list_append(event_list_t *l, char *record, int list_idx, unsigned int line_number) hidden;
+//int aup_list_get_event(event_list_t* l, au_event_t *e) hidden;
+int aup_list_set_event(event_list_t* l, au_event_t *e) hidden;
+
+/* Given a message type, find the matching node */
+rnode *aup_list_find_rec(event_list_t *l, int i) hidden;
+
+/* Seek to a specific record number */
+rnode *aup_list_goto_rec(event_list_t *l, int i) hidden;
+
+/* Given two message types, find the first matching node */
+rnode *aup_list_find_rec_range(event_list_t *l, int low, int high) hidden;
+
+int aup_list_first_field(event_list_t *l) hidden;
+
+#endif
+
diff --git a/framework/src/audit/auparse/epoll_ctl.h b/framework/src/audit/auparse/epoll_ctl.h
new file mode 100644
index 00000000..3d58a2bf
--- /dev/null
+++ b/framework/src/audit/auparse/epoll_ctl.h
@@ -0,0 +1,27 @@
+/* epoll_ctl.h --
+ * Copyright 2008,2012,2014 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/eventpoll.h
+ */
+
+_S(1, "EPOLL_CTL_ADD" )
+_S(2, "EPOLL_CTL_DEL" )
+_S(3, "EPOLL_CTL_MOD" )
+
diff --git a/framework/src/audit/auparse/expression.c b/framework/src/audit/auparse/expression.c
new file mode 100644
index 00000000..6bed45ba
--- /dev/null
+++ b/framework/src/audit/auparse/expression.c
@@ -0,0 +1,1111 @@
+/*
+* expression.c - Expression parsing and handling
+* Copyright (C) 2008,2014 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Miloslav Trmač <mitr@redhat.com>
+* Steve Grubb <sgrubb@redhat.com> extended timestamp
+*/
+
+#include <assert.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "expression.h"
+
+ /* Utilities */
+
+/* Free EXPR and all its subexpressions. */
+void
+expr_free(struct expr *expr)
+{
+ switch (expr->op) {
+ case EO_NOT:
+ expr_free(expr->v.sub[0]);
+ break;
+
+ case EO_AND: case EO_OR:
+ expr_free(expr->v.sub[0]);
+ expr_free(expr->v.sub[1]);
+ break;
+
+ case EO_RAW_EQ: case EO_RAW_NE: case EO_INTERPRETED_EQ:
+ case EO_INTERPRETED_NE: case EO_VALUE_EQ: case EO_VALUE_NE:
+ case EO_VALUE_LT: case EO_VALUE_LE: case EO_VALUE_GT: case EO_VALUE_GE:
+ if (expr->virtual_field == 0)
+ free(expr->v.p.field.name);
+ if (expr->precomputed_value == 0)
+ free(expr->v.p.value.string);
+ break;
+
+ case EO_FIELD_EXISTS:
+ assert(expr->virtual_field == 0);
+ free(expr->v.p.field.name);
+ break;
+
+ case EO_REGEXP_MATCHES:
+ regfree(expr->v.regexp);
+ free(expr->v.regexp);
+ break;
+
+ default:
+ abort();
+ }
+ free(expr);
+}
+
+ /* Expression parsing. */
+
+/* The formal grammar:
+
+ start: or-expression
+
+ or-expression: and-expression
+ or-expression: or-expression || and-expression
+
+ and-expression: primary-expression
+ and-expression: and-expression && primary-expression
+
+ primary-expression: ! primary-expression
+ primary-expression: ( or-expression )
+ primary-expression: comparison-expression
+
+ comparison-expression: field op value
+ comparison-expression: field-escape "regexp" regexp-value
+ field: string
+ field: field-escape string
+ value: string
+ regexp-value: string
+ regexp-value: regexp */
+
+/* Token types */
+enum token_type {
+ /* EO_* */
+ T_LEFT_PAREN = NUM_EO_VALUES, T_RIGHT_PAREN, T_STRING, T_REGEXP,
+ T_FIELD_ESCAPE, T_UNKNOWN, T_EOF
+};
+
+/* Expression parsing status */
+struct parsing {
+ char **error; /* Error message destination. */
+ enum token_type token;
+ const char *token_start; /* Original "src" value */
+ int token_len; /* int because it must be usable in %.*s */
+ char *token_value; /* Non-NULL only for T_STRING, until used */
+ const char *src; /* Expression source, after the current token */
+};
+
+static struct expr *parse_or(struct parsing *p);
+
+/* Allocate SIZE bytes.
+ On error, return NULL and try to set *P->ERROR. */
+static void *
+parser_malloc(struct parsing *p, size_t size)
+{
+ void *res;
+
+ res = malloc(size);
+ if (res != NULL || size == 0)
+ return res;
+ *p->error = strdup("Out of memory");
+ return NULL;
+}
+
+/* Reallocate PTR to SIZE bytes.
+ On error, free(PTR), return NULL and try to set *P->ERROR.
+ NOTE: realloc() does not free(PTR), this function does. */
+static void *
+parser_realloc(struct parsing *p, void *ptr, size_t size)
+{
+ void *res;
+
+ res = realloc(ptr, size);
+ if (res != NULL || size == 0)
+ return res;
+ free(ptr);
+ *p->error = strdup("Out of memory");
+ return NULL;
+}
+
+/* Discard P->token_value, if any, and parse the next token in P->src.
+ On success, return 0.
+ On error, set *P->ERROR to an error string (for free()) or NULL, and return
+ -1. */
+static int
+lex(struct parsing *p)
+{
+ free(p->token_value);
+ p->token_value = NULL;
+ while (*p->src == ' ' || *p->src == '\t' || *p->src == '\n')
+ p->src++;
+ p->token_start = p->src;
+ switch (*p->src) {
+ case '\0':
+ p->token = T_EOF;
+ break;
+
+ case '!':
+ p->src++;
+ if (*p->src == '=' && p->src[1] == '=') {
+ p->src += 2;
+ p->token = EO_VALUE_NE;
+ break;
+ }
+ p->token = EO_NOT;
+ break;
+
+ case '"': case '/': {
+ char *buf, delimiter;
+ size_t dest, buf_size;
+
+ delimiter = *p->src;
+ buf_size = 8;
+ buf = parser_malloc(p, buf_size);
+ if (buf == NULL)
+ return -1;
+ p->src++;
+ dest = 0;
+ while (*p->src != delimiter) {
+ if (*p->src == '\0') {
+ *p->error = strdup("Terminating delimiter "
+ "missing");
+ free(buf);
+ return -1;
+ }
+ if (*p->src == '\\') {
+ p->src++;
+ if (*p->src != '\\' && *p->src != delimiter) {
+ if (asprintf(p->error, "Unknown escape "
+ "sequence ``\\%c''",
+ *p->src) < 0)
+ *p->error = NULL;
+ free(buf);
+ return -1;
+ }
+ }
+ /* +1: make sure there is space for the terminating
+ NUL. */
+ if (dest + 1 >= buf_size) {
+ if (buf_size > SIZE_MAX / 2) {
+ *p->error = strdup("Delimited string "
+ "too long");
+ free(buf);
+ return -1;
+ }
+ buf_size *= 2;
+ buf = parser_realloc(p, buf, buf_size);
+ if (buf == NULL) {
+ *p->error = strdup("Out of memory");
+ return -1;
+ }
+ }
+ buf[dest] = *p->src;
+ dest++;
+ p->src++;
+ }
+ p->src++;
+ buf[dest] = '\0';
+ p->token_value = parser_realloc(p, buf, dest + 1);
+ if (p->token_value == NULL)
+ return -1;
+ p->token = delimiter == '/' ? T_REGEXP : T_STRING;
+ break;
+ }
+
+ case '&':
+ p->src++;
+ if (*p->src == '&') {
+ p->src++;
+ p->token = EO_AND;
+ break;
+ }
+ p->token = T_UNKNOWN;
+ break;
+
+ case '(':
+ p->src++;
+ p->token = T_LEFT_PAREN;
+ break;
+
+ case ')':
+ p->src++;
+ p->token = T_RIGHT_PAREN;
+ break;
+
+ case '<':
+ p->src++;
+ if (*p->src == '=') {
+ p->src++;
+ p->token = EO_VALUE_LE;
+ break;
+ }
+ p->token = EO_VALUE_LT;
+ break;
+
+ case '=':
+ p->src++;
+ if (*p->src == '=') {
+ p->src++;
+ p->token = EO_VALUE_EQ;
+ break;
+ }
+ p->token = T_UNKNOWN;
+ break;
+
+ case '>':
+ p->src++;
+ if (*p->src == '=') {
+ p->src++;
+ p->token = EO_VALUE_GE;
+ break;
+ }
+ p->token = EO_VALUE_GT;
+ break;
+
+ case '\\':
+ p->src++;
+ p->token = T_FIELD_ESCAPE;
+ break;
+
+ case '|':
+ p->src++;
+ if (*p->src == '|') {
+ p->src++;
+ p->token = EO_OR;
+ break;
+ }
+ p->token = T_UNKNOWN;
+ break;
+
+ case 'i':
+ if (p->src[1] == '=') {
+ p->src += 2;
+ p->token = EO_INTERPRETED_EQ;
+ break;
+ } else if (p->src[1] == '!' && p->src[2] == '=') {
+ p->src += 3;
+ p->token = EO_INTERPRETED_NE;
+ break;
+ }
+ goto unquoted_string;
+
+ case 'r':
+ if (p->src[1] == '=') {
+ p->src += 2;
+ p->token = EO_RAW_EQ;
+ break;
+ } else if (p->src[1] == '!' && p->src[2] == '=') {
+ p->src += 3;
+ p->token = EO_RAW_NE;
+ break;
+ }
+ goto unquoted_string;
+
+ default:
+ /* This assumes ASCII */
+ assert ('Z' == 'A' + 25 && 'z' == 'a' + 25);
+#define IS_UNQUOTED_STRING_CHAR(C) \
+ (((C) >= 'a' && (C) <= 'z') \
+ || ((C) >= 'A' && (C) <= 'Z') \
+ || ((C) >= '0' && (C) <= '9') \
+ || (C) == '_')
+ if (IS_UNQUOTED_STRING_CHAR(*p->src)) {
+ size_t len;
+
+ unquoted_string:
+ do
+ p->src++;
+ while (IS_UNQUOTED_STRING_CHAR(*p->src));
+ len = p->src - p->token_start;
+ p->token_value = parser_malloc(p, len + 1);
+ if (p->token_value == NULL)
+ return -1;
+ memcpy(p->token_value, p->token_start, len);
+ p->token_value[len] = '\0';
+ p->token = T_STRING;
+ break;
+ }
+ p->src++;
+ p->token = T_UNKNOWN;
+ break;
+ }
+ if (p->src - p->token_start > INT_MAX) {
+ *p->error = strdup("Token too long");
+ return -1;
+ }
+ p->token_len = p->src - p->token_start;
+ return 0;
+}
+
+/* Parse an escaped field NAME to DEST.
+ Return 0 on success, -1 if NAME is unknown. */
+static int
+parse_escaped_field_name(enum field_id *dest, const char *name)
+{
+ if (strcmp(name, "timestamp") == 0)
+ *dest = EF_TIMESTAMP;
+ else if (strcmp(name, "record_type") == 0)
+ *dest = EF_RECORD_TYPE;
+ else if (strcmp(name, "timestamp_ex") == 0)
+ *dest = EF_TIMESTAMP_EX;
+ else
+ return -1;
+ return 0;
+}
+
+/* Parse a \timestamp field value in P->token_value to DEST.
+ On success, return 0.
+ On error, set *P->ERROR to an error string (for free()) or NULL, and return
+ -1. */
+static int
+parse_timestamp_value(struct expr *dest, struct parsing *p)
+{
+ intmax_t sec;
+
+ assert(p->token == T_STRING);
+ /* FIXME: other formats? */
+ if (sscanf(p->token_value, "ts:%jd.%u:%u", &sec,
+ &dest->v.p.value.timestamp_ex.milli,
+ &dest->v.p.value.timestamp_ex.serial) != 3) {
+ if (sscanf(p->token_value, "ts:%jd.%u", &sec,
+ &dest->v.p.value.timestamp.milli) != 2) {
+ if (asprintf(p->error, "Invalid timestamp value `%.*s'",
+ p->token_len, p->token_start) < 0)
+ *p->error = NULL;
+ return -1;
+ }
+ }
+ /* FIXME: validate milli */
+ dest->v.p.value.timestamp.sec = sec;
+ if (dest->v.p.value.timestamp.sec != sec) {
+ if (asprintf(p->error, "Timestamp overflow in `%.*s'",
+ p->token_len, p->token_start) < 0)
+ *p->error = NULL;
+ return -1;
+ }
+ dest->precomputed_value = 1;
+ return 0;
+}
+
+/* Parse a \record_type field value in P->token_value to DEST.
+ On success, return 0.
+ On error, set *P->ERROR to an error string (for free()) or NULL, and return
+ -1. */
+static int
+parse_record_type_value(struct expr *dest, struct parsing *p)
+{
+ int type;
+
+ assert(p->token == T_STRING);
+ type = audit_name_to_msg_type(p->token_value);
+ if (type < 0) {
+ if (asprintf(p->error, "Invalid record type `%.*s'",
+ p->token_len, p->token_start) < 0)
+ *p->error = NULL;
+ return -1;
+ }
+ dest->v.p.value.int_value = type;
+ dest->precomputed_value = 1;
+ return 0;
+}
+
+/* Parse a virtual field value in P->token_value to DEST.
+ On success, return 0.
+ On error, set *P->ERROR to an error string (for free()) or NULL, and return
+ NULL. */
+static int
+parse_virtual_field_value(struct expr *dest, struct parsing *p)
+{
+ switch (dest->v.p.field.id) {
+ case EF_TIMESTAMP:
+ return parse_timestamp_value(dest, p);
+
+ case EF_RECORD_TYPE:
+ return parse_record_type_value(dest, p);
+
+ case EF_TIMESTAMP_EX:
+ return parse_timestamp_value(dest, p);
+
+ default:
+ abort();
+ }
+}
+
+/* Parse a \regexp comparison-expression string in *P, with \regexp parsed.
+ Use or free EXPR.
+ On success, return the parsed comparison-expression.
+ On error, set *P->ERROR to an error string (for free()) or NULL, and return
+ NULL. */
+static struct expr *
+parse_comparison_regexp(struct parsing *p, struct expr *res)
+{
+ int err;
+
+ if (lex(p) != 0)
+ goto err_res;
+ if (p->token != T_STRING && p->token != T_REGEXP) {
+ if (asprintf(p->error, "Regexp expected, got `%.*s'",
+ p->token_len, p->token_start) < 0)
+ *p->error = NULL;
+ goto err_res;
+ }
+ res->v.regexp = parser_malloc(p, sizeof(*res->v.regexp));
+ if (res->v.regexp == NULL)
+ goto err_res;
+ err = regcomp(res->v.regexp, p->token_value, REG_EXTENDED | REG_NOSUB);
+ if (err != 0) {
+ size_t err_size;
+ char *err_msg;
+
+ err_size = regerror(err, res->v.regexp, NULL, 0);
+ err_msg = parser_malloc(p, err_size);
+ if (err_msg == NULL)
+ goto err_res_regexp;
+ regerror(err, res->v.regexp, err_msg, err_size);
+ if (asprintf(p->error, "Invalid regexp: %s", err_msg) < 0)
+ *p->error = NULL;
+ free(err_msg);
+ goto err_res_regexp;
+ }
+ res->op = EO_REGEXP_MATCHES;
+ if (lex(p) != 0) {
+ expr_free(res);
+ return NULL;
+ }
+ return res;
+
+err_res_regexp:
+ free(res->v.regexp);
+err_res:
+ free(res);
+ return NULL;
+}
+
+/* Parse a comparison-expression string in *P.
+ On success, return the parsed comparison-expression.
+ On error, set *P->ERROR to an error string (for free()) or NULL, and return
+ NULL. */
+static struct expr *
+parse_comparison(struct parsing *p)
+{
+ struct expr *res;
+
+ res = parser_malloc(p, sizeof(*res));
+ if (res == NULL)
+ return NULL;
+ if (p->token == T_FIELD_ESCAPE) {
+ if (lex(p) != 0)
+ goto err_res;
+ if (p->token != T_STRING) {
+ *p->error = strdup("Field name expected after field "
+ "escape");
+ goto err_res;
+ }
+ if (strcmp(p->token_value, "regexp") == 0)
+ return parse_comparison_regexp(p, res);
+ res->virtual_field = 1;
+ if (parse_escaped_field_name(&res->v.p.field.id, p->token_value)
+ != 0) {
+ if (asprintf(p->error,
+ "Unknown escaped field name `%.*s'",
+ p->token_len, p->token_start) < 0)
+ *p->error = NULL;
+ goto err_res;
+ }
+ } else {
+ assert(p->token == T_STRING);
+ res->virtual_field = 0;
+ res->v.p.field.name = p->token_value;
+ p->token_value = NULL;
+ }
+ if (lex(p) != 0)
+ goto err_field;
+ switch (p->token) {
+ case EO_RAW_EQ: case EO_RAW_NE: case EO_INTERPRETED_EQ:
+ case EO_INTERPRETED_NE:
+ res->op = p->token;
+ if (lex(p) != 0)
+ goto err_field;
+ if (p->token != T_STRING) {
+ if (asprintf(p->error, "Value expected, got `%.*s'",
+ p->token_len, p->token_start) < 0)
+ *p->error = NULL;
+ goto err_field;
+ }
+ res->precomputed_value = 0;
+ res->v.p.value.string = p->token_value;
+ p->token_value = NULL;
+ if (lex(p) != 0) {
+ expr_free(res);
+ return NULL;
+ }
+ break;
+
+ case EO_VALUE_EQ: case EO_VALUE_NE: case EO_VALUE_LT: case EO_VALUE_LE:
+ case EO_VALUE_GT: case EO_VALUE_GE:
+ res->op = p->token;
+ if (lex(p) != 0)
+ goto err_field;
+ if (p->token != T_STRING) {
+ if (asprintf(p->error, "Value expected, got `%.*s'",
+ p->token_len, p->token_start) < 0)
+ *p->error = NULL;
+ goto err_field;
+ }
+ if (res->virtual_field == 0) {
+ if (asprintf(p->error, "Field `%s' does not support "
+ "value comparison",
+ res->v.p.field.name) < 0)
+ *p->error = NULL;
+ goto err_field;
+ } else {
+ if (parse_virtual_field_value(res, p) != 0)
+ goto err_field;
+ }
+ if (lex(p) != 0) {
+ expr_free(res);
+ return NULL;
+ }
+ break;
+
+ default:
+ if (asprintf(p->error, "Operator expected, got `%.*s'",
+ p->token_len, p->token_start) < 0)
+ *p->error = NULL;
+ goto err_field;
+ }
+ return res;
+
+err_field:
+ if (res->virtual_field == 0)
+ free(res->v.p.field.name);
+err_res:
+ free(res);
+ return NULL;
+}
+
+/* Parse a primary-expression string in *P.
+ On success, return the parsed primary-expression.
+ On error, set *P->ERROR to an error string (for free()) or NULL, and return
+ NULL. */
+static struct expr *
+parse_primary(struct parsing *p)
+{
+ struct expr *e;
+
+ switch (p->token) {
+ case EO_NOT: {
+ struct expr *res;
+
+ if (lex(p) != 0)
+ return NULL;
+ e = parse_primary(p);
+ if (e == NULL)
+ return NULL;
+ res = parser_malloc(p, sizeof(*res));
+ if (res == NULL)
+ goto err_e;
+ res->op = EO_NOT;
+ res->v.sub[0] = e;
+ return res;
+ }
+
+ case T_LEFT_PAREN: {
+ if (lex(p) != 0)
+ return NULL;
+ e = parse_or(p);
+ if (e == NULL)
+ return NULL;
+ if (p->token != T_RIGHT_PAREN) {
+ if (asprintf(p->error,
+ "Right paren expected, got `%.*s'",
+ p->token_len, p->token_start) < 0)
+ *p->error = NULL;
+ goto err_e;
+ }
+ if (lex(p) != 0)
+ goto err_e;
+ return e;
+ }
+
+ case T_FIELD_ESCAPE: case T_STRING:
+ return parse_comparison(p);
+
+ default:
+ if (asprintf(p->error, "Unexpected token `%.*s'", p->token_len,
+ p->token_start) < 0)
+ *p->error = NULL;
+ return NULL;
+ }
+err_e:
+ expr_free(e);
+ return NULL;
+}
+
+/* Parse an and-expression string in *P.
+ On success, return the parsed and-expression.
+ On error, set *P->ERROR to an error string (for free()) or NULL, and return
+ NULL. */
+static struct expr *
+parse_and(struct parsing *p)
+{
+ struct expr *res;
+
+ res = parse_primary(p);
+ if (res == NULL)
+ return NULL;
+ while (p->token == EO_AND) {
+ struct expr *e2, *e;
+
+ if (lex(p) != 0)
+ goto err_res;
+ e2 = parse_primary(p);
+ if (e2 == NULL)
+ goto err_res;
+ e = parser_malloc(p, sizeof(*e));
+ if (e == NULL) {
+ expr_free(e2);
+ goto err_res;
+ }
+ e->op = EO_AND;
+ e->v.sub[0] = res;
+ e->v.sub[1] = e2;
+ res = e;
+ }
+ return res;
+
+err_res:
+ expr_free(res);
+ return NULL;
+}
+
+/* Parse an or-expression string in *P.
+ On success, return the parsed or-expression.
+ On error, set *P->ERROR to an error string (for free()) or NULL, and return
+ NULL. */
+static struct expr *
+parse_or(struct parsing *p)
+{
+ struct expr *res;
+
+ res = parse_and(p);
+ if (res == NULL)
+ return NULL;
+ while (p->token == EO_OR) {
+ struct expr *e2, *e;
+
+ if (lex(p) != 0)
+ goto err_res;
+ e2 = parse_and(p);
+ if (e2 == NULL)
+ goto err_res;
+ e = parser_malloc(p, sizeof(*e));
+ if (e == NULL) {
+ expr_free(e2);
+ goto err_res;
+ }
+ e->op = EO_OR;
+ e->v.sub[0] = res;
+ e->v.sub[1] = e2;
+ res = e;
+ }
+ return res;
+
+err_res:
+ expr_free(res);
+ return NULL;
+}
+
+/* Parse STRING.
+ On success, return the parsed expression tree.
+ On error, set *ERROR to an error string (for free()) or NULL, and return
+ NULL. (*ERROR == NULL is allowed to handle out-of-memory errors) */
+struct expr *
+expr_parse(const char *string, char **error)
+{
+ struct parsing p;
+ struct expr *res;
+
+ p.error = error;
+ p.token_value = NULL;
+ p.src = string;
+ if (lex(&p) != 0)
+ goto err;
+ if (p.token == T_EOF) {
+ *error = strdup("Empty expression");
+ goto err;
+ }
+ res = parse_or(&p);
+ if (res != NULL && p.token != T_EOF) {
+ expr_free(res);
+ if (asprintf(error, "Unexpected trailing token `%.*s'",
+ p.token_len, p.token_start) < 0)
+ *error = NULL;
+ goto err;
+ }
+ free(p.token_value);
+ return res;
+
+err:
+ free(p.token_value);
+ return NULL;
+}
+
+ /* Manual expression creation */
+
+/* Create a comparison-expression for FIELD, OP and VALUE.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *
+expr_create_comparison(const char *field, unsigned op, const char *value)
+{
+ struct expr *res;
+
+ res = malloc(sizeof(*res));
+ if (res == NULL)
+ goto err;
+ assert(op == EO_RAW_EQ || op == EO_RAW_NE || op == EO_INTERPRETED_EQ
+ || op == EO_INTERPRETED_NE);
+ res->op = op;
+ res->virtual_field = 0;
+ res->precomputed_value = 0;
+ res->v.p.field.name = strdup(field);
+ if (res->v.p.field.name == NULL)
+ goto err_res;
+ res->v.p.value.string = strdup(value);
+ if (res->v.p.value.string == NULL)
+ goto err_field;
+ return res;
+
+err_field:
+ free(res->v.p.field.name);
+err_res:
+ free(res);
+err:
+ return NULL;
+}
+
+/* Create an extended timestamp comparison-expression for with OP, SEC,
+ MILLI, and SERIAL.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *
+expr_create_timestamp_comparison_ex(unsigned op, time_t sec, unsigned milli,
+ unsigned serial)
+{
+ struct expr *res;
+
+ res = malloc(sizeof(*res));
+ if (res == NULL)
+ return NULL;
+ assert(op == EO_VALUE_EQ || op == EO_VALUE_NE || op == EO_VALUE_LT
+ || op == EO_VALUE_LE || op == EO_VALUE_GT || op == EO_VALUE_GE);
+ res->op = op;
+ res->virtual_field = 1;
+ res->v.p.field.id = EF_TIMESTAMP_EX;
+ res->precomputed_value = 1;
+ res->v.p.value.timestamp_ex.sec = sec;
+ assert(milli < 1000);
+ res->v.p.value.timestamp_ex.milli = milli;
+ res->v.p.value.timestamp_ex.serial = serial;
+ return res;
+}
+
+/* Create a timestamp comparison-expression for with OP, SEC, MILLI.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *
+expr_create_timestamp_comparison(unsigned op, time_t sec, unsigned milli)
+{
+ return expr_create_timestamp_comparison_ex(op, sec, milli, 0);
+}
+
+/* Create an EO_FIELD_EXISTS-expression for FIELD.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *
+expr_create_field_exists(const char *field)
+{
+ struct expr *res;
+
+ res = malloc(sizeof(*res));
+ if (res == NULL)
+ goto err;
+ res->op = EO_FIELD_EXISTS;
+ res->virtual_field = 0;
+ res->v.p.field.name = strdup(field);
+ if (res->v.p.field.name == NULL)
+ goto err_res;
+ return res;
+
+err_res:
+ free(res);
+err:
+ return NULL;
+}
+
+/* Create a \regexp expression for regexp comparison.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *
+expr_create_regexp_expression(const char *regexp)
+{
+ struct expr *res;
+
+ res = malloc(sizeof(*res));
+ if (res == NULL)
+ goto err;
+ res->v.regexp = malloc(sizeof(*res->v.regexp));
+ if (res->v.regexp == NULL)
+ goto err_res;
+ if (regcomp(res->v.regexp, regexp, REG_EXTENDED | REG_NOSUB) != 0) {
+ errno = EINVAL;
+ goto err_res_regexp;
+ }
+ res->op = EO_REGEXP_MATCHES;
+ return res;
+
+err_res_regexp:
+ free(res->v.regexp);
+err_res:
+ free(res);
+err:
+ return NULL;
+}
+
+/* Create a binary expresion for OP and subexpressions E1 and E2.
+ On success, return the created expresion.
+ On error, set errno and return NULL. */
+struct expr *
+expr_create_binary(unsigned op, struct expr *e1, struct expr *e2)
+{
+ struct expr *res;
+
+ res = malloc(sizeof(*res));
+ if (res == NULL)
+ return NULL;
+ assert(op == EO_AND || op ==EO_OR);
+ res->op = op;
+ res->v.sub[0] = e1;
+ res->v.sub[1] = e2;
+ return res;
+}
+
+ /* Expression evaluation */
+
+/* Return the "raw" value of the field in EXPR for RECORD in AU->le. Set
+ *FREE_IT to 1 if the return value should free()'d.
+ Return NULL on error. */
+static char *
+eval_raw_value(auparse_state_t *au, rnode *record, const struct expr *expr,
+ int *free_it)
+{
+ if (expr->virtual_field == 0) {
+ nvlist_first(&record->nv);
+ if (nvlist_find_name(&record->nv, expr->v.p.field.name) == 0)
+ return NULL;
+ *free_it = 0;
+ return (char *)nvlist_get_cur_val(&record->nv);
+ }
+ switch (expr->v.p.field.id) {
+ case EF_TIMESTAMP: case EF_RECORD_TYPE: case EF_TIMESTAMP_EX:
+ return NULL;
+
+ default:
+ abort();
+ }
+}
+
+/* Return the "interpreted" value of the field in EXPR for RECORD in AU->le.
+ Set *FREE_IT to 1 if the return value should free()'d.
+ Return NULL on *error. */
+static char *
+eval_interpreted_value(auparse_state_t *au, rnode *record,
+ const struct expr *expr, int *free_it)
+{
+ if (expr->virtual_field == 0) {
+ const char *res;
+
+ nvlist_first(&record->nv);
+ if (nvlist_find_name(&record->nv, expr->v.p.field.name) == 0)
+ return NULL;
+ *free_it = 0;
+ res = nvlist_interp_cur_val(record);
+ if (res == NULL)
+ res = nvlist_get_cur_val(&record->nv);
+ return (char *)res;
+ }
+ switch (expr->v.p.field.id) {
+ case EF_TIMESTAMP: case EF_RECORD_TYPE: case EF_TIMESTAMP_EX:
+ return NULL;
+
+ default:
+ abort();
+ }
+}
+
+/* Return -1, 0, 1 depending on comparing the field in EXPR with RECORD in AU.
+ Set *ERROR to 0 if OK, non-zero otherwise. */
+static int
+compare_values(auparse_state_t *au, rnode *record, const struct expr *expr,
+ int *error)
+{
+ int res;
+ if (expr->virtual_field == 0) {
+ *error = 1;
+ return 0;
+ }
+ switch (expr->v.p.field.id) {
+ case EF_TIMESTAMP:
+ if (au->le.e.sec < expr->v.p.value.timestamp.sec)
+ res = -1;
+ else if (au->le.e.sec > expr->v.p.value.timestamp.sec)
+ res = 1;
+ else if (au->le.e.milli < expr->v.p.value.timestamp.milli)
+ res = -1;
+ else if (au->le.e.milli > expr->v.p.value.timestamp.milli)
+ res = 1;
+ else
+ res = 0;
+ break;
+
+ case EF_RECORD_TYPE:
+ if (record->type < expr->v.p.value.int_value)
+ res = -1;
+ else if (record->type > expr->v.p.value.int_value)
+ res = 1;
+ else
+ res = 0;
+ break;
+
+ case EF_TIMESTAMP_EX:
+ if (au->le.e.sec < expr->v.p.value.timestamp.sec)
+ res = -1;
+ else if (au->le.e.sec > expr->v.p.value.timestamp.sec)
+ res = 1;
+ else if (au->le.e.milli < expr->v.p.value.timestamp.milli)
+ res = -1;
+ else if (au->le.e.milli > expr->v.p.value.timestamp.milli)
+ res = 1;
+ else if (au->le.e.serial < expr->v.p.value.timestamp_ex.serial)
+ res = -1;
+ else if (au->le.e.serial > expr->v.p.value.timestamp_ex.serial)
+ res = 1;
+ else
+ res = 0;
+ break;
+
+ default:
+ abort();
+ }
+ *error = 0;
+ return res;
+}
+
+/* Evaluate EXPR on RECORD in AU->le.
+ Return 1 if EXPR is true, 0 if it false or if it fails.
+ (No error reporting facility is provided; an invalid term is considered to
+ be false; e.g. !invalid is true.) */
+int
+expr_eval(auparse_state_t *au, rnode *record, const struct expr *expr)
+{
+ switch (expr->op) {
+ case EO_NOT:
+ return !expr_eval(au, record, expr->v.sub[0]);
+
+ case EO_AND:
+ return (expr_eval(au, record, expr->v.sub[0])
+ && expr_eval(au, record, expr->v.sub[1]));
+
+ case EO_OR:
+ return (expr_eval(au, record, expr->v.sub[0])
+ || expr_eval(au, record, expr->v.sub[1]));
+
+ case EO_RAW_EQ: case EO_RAW_NE: {
+ int free_it, ne;
+ char *value;
+
+ value = eval_raw_value(au, record, expr, &free_it);
+ if (value == NULL)
+ return 0;
+ assert(expr->precomputed_value == 0);
+ ne = strcmp(expr->v.p.value.string, value);
+ if (free_it != 0)
+ free(value);
+ return expr->op == EO_RAW_EQ ? ne == 0 : ne != 0;
+ }
+
+ case EO_INTERPRETED_EQ: case EO_INTERPRETED_NE: {
+ int free_it, ne;
+ char *value;
+
+ value = eval_interpreted_value(au, record, expr, &free_it);
+ if (value == NULL)
+ return 0;
+ assert(expr->precomputed_value == 0);
+ ne = strcmp(expr->v.p.value.string, value);
+ if (free_it != 0)
+ free(value);
+ return expr->op == EO_INTERPRETED_EQ ? ne == 0 : ne != 0;
+ }
+
+ case EO_VALUE_EQ: case EO_VALUE_NE: case EO_VALUE_LT: case EO_VALUE_LE:
+ case EO_VALUE_GT: case EO_VALUE_GE: {
+ int err, cmp;
+
+ cmp = compare_values(au, record, expr, &err);
+ if (err != 0)
+ return 0;
+ switch (expr->op) {
+ case EO_VALUE_EQ:
+ return cmp == 0;
+
+ case EO_VALUE_NE:
+ return cmp != 0;
+
+ case EO_VALUE_LT:
+ return cmp < 0;
+
+ case EO_VALUE_LE:
+ return cmp <= 0;
+
+ case EO_VALUE_GT:
+ return cmp > 0;
+
+ case EO_VALUE_GE:
+ return cmp >= 0;
+
+ default:
+ abort();
+ }
+ }
+
+ case EO_FIELD_EXISTS:
+ assert(expr->virtual_field == 0);
+ nvlist_first(&record->nv);
+ return nvlist_find_name(&record->nv, expr->v.p.field.name) != 0;
+
+ case EO_REGEXP_MATCHES:
+ return regexec(expr->v.regexp, record->record, 0, NULL, 0) == 0;
+
+ default:
+ abort();
+ }
+}
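Review bot: parse_timestamp_value leaves `timestamp_ex.serial` uninitialized when the value only matches the two-field `ts:%jd.%u` form, yet a `\timestamp_ex` comparison still reaches compare_values, which reads `expr->v.p.value.timestamp_ex.serial` from a struct that parse_comparison obtained via plain malloc, so the outcome of such a comparison is indeterminate; adding `dest->v.p.value.timestamp_ex.serial = 0;` once the inner sscanf succeeds closes that. The `/* FIXME: validate milli */` could become a real check mirroring the `assert(milli < 1000)` in expr_create_timestamp_comparison_ex, e.g. `if (dest->v.p.value.timestamp.milli >= 1000) { *p->error = strdup("Invalid timestamp milliseconds"); return -1; }`. Separately, in lex the `*p->error = strdup("Out of memory");` after a failed parser_realloc overwrites the string parser_realloc has already stored in `*p->error` and leaks it; that line can simply be dropped. compare_values also reads `timestamp.sec`/`timestamp.milli` in the EF_TIMESTAMP_EX case, which only works because both union members share the same leading layout — either switch to the `timestamp_ex` members there or add a comment stating the dependency.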
diff --git a/framework/src/audit/auparse/expression.h b/framework/src/audit/auparse/expression.h
new file mode 100644
index 00000000..b4af66f0
--- /dev/null
+++ b/framework/src/audit/auparse/expression.h
@@ -0,0 +1,133 @@
+/*
+* expression.h - Expression parsing and handling
+* Copyright (C) 2008,2014 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Miloslav Trmač <mitr@redhat.com>
+* Steve Grubb <sgrubb@redhat.com> extended timestamp
+*/
+
+#ifndef EXPRESSION_H__
+#define EXPRESSION_H__
+
+#include <regex.h>
+#include <sys/types.h>
+
+#include "internal.h"
+
+enum {
+ EO_NOT, /* Uses v.sub[0] */
+ EO_AND, EO_OR, /* Uses v.sub[0] and v.sub[1] */
+ /* All of the following use v.p */
+ EO_RAW_EQ, EO_RAW_NE, EO_INTERPRETED_EQ, EO_INTERPRETED_NE,
+ EO_VALUE_EQ, EO_VALUE_NE, EO_VALUE_LT, EO_VALUE_LE, EO_VALUE_GT,
+ EO_VALUE_GE,
+ /* Uses v.p.field. Cannot be specified by an expression. */
+ EO_FIELD_EXISTS,
+ EO_REGEXP_MATCHES, /* Uses v.regexp */
+ NUM_EO_VALUES,
+};
+
+enum field_id {
+ EF_TIMESTAMP, EF_RECORD_TYPE, EF_TIMESTAMP_EX
+};
+
+struct expr {
+ unsigned op : 8; /* EO_* */
+ unsigned virtual_field : 1;
+ /* Can be non-zero only if virtual_field != 0 */
+ unsigned precomputed_value : 1;
+ union {
+ struct expr *sub[2];
+ struct {
+ union {
+ char *name;
+ enum field_id id; /* If virtual_field != 0 */
+ } field;
+ union {
+ char *string;
+ /* A member from the following is selected
+ implicitly by field.id. */
+ struct {
+ time_t sec;
+ unsigned int milli;
+ } timestamp; /* EF_TIMESTAMP */
+ struct {
+ time_t sec;
+ unsigned milli;
+ unsigned serial;
+ } timestamp_ex; /* EF_TIMESTAMP_EX */
+ int int_value; /* EF_RECORD_TYPE */
+ } value;
+ } p;
+ regex_t *regexp;
+ } v;
+};
+
+/* Free EXPR and all its subexpressions. */
+void expr_free(struct expr *expr) hidden;
+
+/* Parse STRING.
+ On success, return the parsed expression tree.
+ On error, set *ERROR to an error string (for free()) or NULL, and return
+ NULL. (*ERROR == NULL is allowed to handle out-of-memory errors) */
+struct expr *expr_parse(const char *string, char **error) hidden;
+
+/* Create a comparison-expression for FIELD, OP and VALUE.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *expr_create_comparison(const char *field, unsigned op,
+ const char *value) hidden;
+
+/* Create a timestamp comparison-expression for with OP, SEC, MILLI.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *expr_create_timestamp_comparison(unsigned op, time_t sec,
+ unsigned milli) hidden;
+
+/* Create an extended timestamp comparison-expression for with OP, SEC,
+ MILLI, and SERIAL.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *expr_create_timestamp_comparison_ex(unsigned op, time_t sec,
+ unsigned milli, unsigned serial) hidden;
+
+/* Create an EO_FIELD_EXISTS-expression for FIELD.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *expr_create_field_exists(const char *field) hidden;
+
+/* Create a \regexp expression for regexp comparison.
+ On success, return the created expression.
+ On error, set errno and return NULL. */
+struct expr *expr_create_regexp_expression(const char *regexp) hidden;
+
+/* Create a binary expresion for OP and subexpressions E1 and E2.
+ On success, return the created expresion.
+ On error, set errno and return NULL. */
+struct expr *expr_create_binary(unsigned op, struct expr *e1, struct expr *e2)
+ hidden;
+
+/* Evaluate EXPR on RECORD in AU->le.
+ Return 1 if EXPR is true, 0 if it false or if it fails.
+ (No error reporting facility is provided; an invalid term is considered to
+ be false; e.g. !invalid is true.) */
+int expr_eval(auparse_state_t *au, rnode *record, const struct expr *expr)
+ hidden;
+
+#endif
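Review bot: The `timestamp` and `timestamp_ex` members of the value union carry no note about their required layout relationship, but expression.c's compare_values reads `timestamp.sec` and `timestamp.milli` even for EF_TIMESTAMP_EX, so `timestamp_ex` must keep `sec` and `milli` as its first two members with the same types and order. Suggest a comment above `timestamp_ex`: `/* Must stay a prefix-compatible extension of timestamp: expression.c reads sec/milli through timestamp for EF_TIMESTAMP_EX as well. */`. The `precomputed_value` comment is also worth extending to say that neither `virtual_field` nor `precomputed_value` is initialized for EO_NOT, EO_AND/EO_OR and EO_REGEXP_MATCHES expressions (expression.c sets only `op` and the matching `v` member for those), so they must not be read for those ops.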
diff --git a/framework/src/audit/auparse/famtab.h b/framework/src/audit/auparse/famtab.h
new file mode 100644
index 00000000..31d63079
--- /dev/null
+++ b/framework/src/audit/auparse/famtab.h
@@ -0,0 +1,62 @@
+/* famtab.h --
+ * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/socket.h
+ */
+
+_S(AF_LOCAL, "local" )
+_S(AF_INET, "inet" )
+_S(AF_AX25, "ax25" )
+_S(AF_IPX, "ipx" )
+_S(AF_APPLETALK, "appletalk" )
+_S(AF_NETROM, "netrom" )
+_S(AF_BRIDGE, "bridge" )
+_S(AF_ATMPVC, "atmpvc" )
+_S(AF_X25, "x25" )
+_S(AF_INET6, "inet6" )
+_S(AF_ROSE, "rose" )
+_S(AF_DECnet, "decnet" )
+_S(AF_NETBEUI, "netbeui" )
+_S(AF_SECURITY, "security" )
+_S(AF_KEY, "key" )
+_S(AF_NETLINK, "netlink" )
+_S(AF_PACKET, "packet" )
+_S(AF_ASH, "ash" )
+_S(AF_ECONET, "econet" )
+_S(AF_ATMSVC, "atmsvc" )
+_S(AF_RDS, "rds" )
+_S(AF_SNA, "sna" )
+_S(AF_IRDA, "irda" )
+_S(AF_PPPOX, "pppox" )
+_S(AF_WANPIPE, "wanpipe" )
+_S(AF_LLC, "llc" )
+_S(AF_CAN, "can" )
+_S(AF_TIPC, "tipc" )
+_S(AF_BLUETOOTH, "bluetooth" )
+_S(AF_IUCV, "iucv" )
+_S(AF_RXRPC, "rxrpc" )
+_S(AF_ISDN, "isdn" )
+_S(AF_PHONET, "phonet" )
+_S(AF_IEEE802154, "ieee802154" )
+_S(37, "caif" )
+_S(38, "alg" )
+_S(39, "nfc" )
+_S(40, "vsock" )
+
diff --git a/framework/src/audit/auparse/fcntl-cmdtab.h b/framework/src/audit/auparse/fcntl-cmdtab.h
new file mode 100644
index 00000000..7e20f92b
--- /dev/null
+++ b/framework/src/audit/auparse/fcntl-cmdtab.h
@@ -0,0 +1,52 @@
+/* fcntl-cmdtab.h --
+ * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/asm-generic/fcntl.h <17
+ * include/uapi/linux/fcntl.h >= 1024
+ */
+
+_S(0, "F_DUPFD" )
+_S(1, "F_GETFD" )
+_S(2, "F_SETFD" )
+_S(3, "F_GETFL" )
+_S(4, "F_SETFL" )
+_S(5, "F_GETLK" )
+_S(6, "F_SETLK" )
+_S(7, "F_SETLKW" )
+_S(8, "F_SETOWN" )
+_S(9, "F_GETOWN" )
+_S(10, "F_SETSIG" )
+_S(11, "F_GETSIG" )
+_S(12, "F_GETLK64" )
+_S(13, "F_SETLK64" )
+_S(14, "F_SETLKW64" )
+_S(15, "F_SETOWN_EX" )
+_S(16, "F_GETOWN_EX" )
+_S(17, "F_GETOWNER_UIDS" )
+_S(1024, "F_SETLEASE" )
+_S(1025, "F_GETLEASE" )
+_S(1026, "F_NOTIFY" )
+_S(1029, "F_CANCELLK" )
+_S(1030, "F_DUPFD_CLOEXEC" )
+_S(1031, "F_SETPIPE_SZ" )
+_S(1032, "F_GETPIPE_SZ" )
+_S(1033, "F_ADD_SEALS" )
+_S(1034, "F_GET_SEALS" )
+
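Review bot: The Location comment's range `<17` contradicts the table itself, which ends the asm-generic block with `_S(17, "F_GETOWNER_UIDS" )` before jumping to the linux/fcntl.h block at 1024; it reads as a typo for `<= 17`. Suggest `* Location: include/uapi/asm-generic/fcntl.h <= 17`. A second point worth a comment: the numbers below 1024 are the asm-generic values, and a few architectures (alpha, sparc and parisc ship their own fcntl.h) assign different numbers to F_GETLK/F_SETLK/F_SETOWN and friends, so a log parsed on one of those hosts would be labelled with the wrong command name; if the asm-generic assumption is intended, a one-line note such as `* NOTE: asm-generic numbering; not valid for arches with their own fcntl.h` makes that explicit.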
diff --git a/framework/src/audit/auparse/flagtab.h b/framework/src/audit/auparse/flagtab.h
new file mode 100644
index 00000000..7e1146d6
--- /dev/null
+++ b/framework/src/audit/auparse/flagtab.h
@@ -0,0 +1,33 @@
+/* flagtab.h --
+ * Copyright 2007,2012 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: these are only for the RHEL4 kernel
+ */
+
+_S(0x0001, "follow" )
+_S(0x0002, "directory" )
+_S(0x0004, "continue" )
+_S(0x0010, "parent" )
+_S(0x0020, "noalt" )
+_S(0x0040, "atomic" )
+_S(0x0100, "open" )
+_S(0x0200, "create" )
+_S(0x0400, "access" )
+
diff --git a/framework/src/audit/auparse/icmptypetab.h b/framework/src/audit/auparse/icmptypetab.h
new file mode 100644
index 00000000..a9ee3eef
--- /dev/null
+++ b/framework/src/audit/auparse/icmptypetab.h
@@ -0,0 +1,37 @@
+/* icmptypetab.h --
+ * Copyright 2011-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/icmp.h
+ */
+
+_S(0, "echo-reply" )
+_S(3, "destination-unreachable" )
+_S(4, "source-quench" )
+_S(5, "redirect" )
+_S(8, "echo" )
+_S(11, "time-exceeded" )
+_S(12, "parameter-problem" )
+_S(13, "timestamp-request" )
+_S(14, "timestamp-reply" )
+_S(15, "info-request" )
+_S(16, "info-reply" )
+_S(17, "address-mask-request" )
+_S(18, "address-mask-reply" )
+
diff --git a/framework/src/audit/auparse/internal.h b/framework/src/audit/auparse/internal.h
new file mode 100644
index 00000000..56c0bf9f
--- /dev/null
+++ b/framework/src/audit/auparse/internal.h
@@ -0,0 +1,86 @@
+/* internal.h --
+ * Copyright 2006-07,2013-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+#ifndef AUPARSE_INTERNAL_HEADER
+#define AUPARSE_INTERNAL_HEADER
+
+#include "auparse-defs.h"
+#include "ellist.h"
+#include "auditd-config.h"
+#include "data_buf.h"
+#include "dso.h"
+#include <stdio.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* This is what state the parser is in */
+typedef enum { EVENT_EMPTY, EVENT_ACCUMULATING, EVENT_EMITTED } auparser_state_t;
+
+/* This is the name/value pair used by search tables */
+struct nv_pair {
+ int value;
+ const char *name;
+};
+
+struct opaque
+{
+ ausource_t source; // Source type
+ char **source_list; // Array of buffers, or array of
+ // file names
+ int list_idx; // The index into the source list
+ FILE *in; // If source is file, this is the fd
+ unsigned int line_number; // line number of current file, zero
+ // if invalid
+ char *next_buf; // The current buffer being broken down
+ unsigned int off; // The current offset into next_buf
+ char *cur_buf; // The current buffer being parsed
+ int line_pushed; // True if retrieve_next_line()
+ // returns same input
+ event_list_t le; // Linked list of record in same event
+ struct expr *expr; // Search expression or NULL
+ char *find_field; // Used to store field name when
+ // searching
+ austop_t search_where; // Where to put the cursors on a match
+ auparser_state_t parse_state; // parsing state
+ DataBuf databuf; // input data
+
+ // function to call to notify user of parsing changes
+ void (*callback)(struct opaque *au, auparse_cb_event_t cb_event_type, void *user_data);
+
+ void *callback_user_data; // user data supplied to callback
+
+ // function to call when user_data is destroyed
+ void (*callback_user_data_destroy)(void *user_data);
+};
+
+// auditd-config.c
+void clear_config(struct daemon_conf *config) hidden;
+int load_config(struct daemon_conf *config, log_test_t lt) hidden;
+void free_config(struct daemon_conf *config) hidden;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
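Review bot: The comment on `FILE *in` in struct opaque describes it as an fd, but the member is a stdio stream, which matters the moment someone reaches for close() or fstat() on it instead of fclose()/fileno(); suggest `FILE *in; // If source is file, this is the open stdio stream`. `source_list` is only described as an array of buffers or file names, with nothing on who owns the strings or how the array is terminated, and since allocation happens outside this header that should be stated as a hedged ownership note rather than guessed by the next reader. The same applies to `next_buf`/`cur_buf`, where it is not visible here whether they alias `source_list` entries or are separately allocated.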
diff --git a/framework/src/audit/auparse/interpret.c b/framework/src/audit/auparse/interpret.c
new file mode 100644
index 00000000..e8f82f92
--- /dev/null
+++ b/framework/src/audit/auparse/interpret.c
@@ -0,0 +1,2651 @@
+/*
+* interpret.c - Lookup values to something more readable
+* Copyright (c) 2007-09,2011-15 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#include "config.h"
+#include "nvlist.h"
+#include "nvpair.h"
+#include "libaudit.h"
+#include "internal.h"
+#include "interpret.h"
+#include "auparse-idata.h"
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <errno.h>
+#include <string.h>
+#include <pwd.h>
+#include <grp.h>
+#include <sys/stat.h>
+#include <linux/net.h>
+#include <netdb.h>
+#include <sys/un.h>
+#include <linux/ax25.h>
+#include <linux/atm.h>
+#include <linux/x25.h>
+#include <linux/if.h> // FIXME: remove when ipx.h is fixed
+#include <linux/ipx.h>
+#include <linux/capability.h>
+#include <sys/personality.h>
+#include <sys/prctl.h>
+#include <sched.h>
+#include "auparse-defs.h"
+#include "gen_tables.h"
+
+#if !HAVE_DECL_ADDR_NO_RANDOMIZE
+# define ADDR_NO_RANDOMIZE 0x0040000
+#endif
+
+/* This is from asm/ipc.h. Copying it for now as some platforms
+ * have broken headers. */
+#define SEMOP 1
+#define SEMGET 2
+#define SEMCTL 3
+#define SEMTIMEDOP 4
+#define MSGSND 11
+#define MSGRCV 12
+#define MSGGET 13
+#define MSGCTL 14
+#define SHMAT 21
+#define SHMDT 22
+#define SHMGET 23
+#define SHMCTL 24
+#define DIPC 25
+
+#include "captabs.h"
+#include "clone-flagtabs.h"
+#include "epoll_ctls.h"
+#include "famtabs.h"
+#include "fcntl-cmdtabs.h"
+#include "flagtabs.h"
+#include "ipctabs.h"
+#include "ipccmdtabs.h"
+#include "mmaptabs.h"
+#include "mounttabs.h"
+#include "open-flagtabs.h"
+#include "persontabs.h"
+#include "prottabs.h"
+#include "ptracetabs.h"
+#include "recvtabs.h"
+#include "rlimittabs.h"
+#include "seektabs.h"
+#include "socktabs.h"
+#include "socktypetabs.h"
+#include "signaltabs.h"
+#include "clocktabs.h"
+#include "typetabs.h"
+#include "nfprototabs.h"
+#include "icmptypetabs.h"
+#include "seccomptabs.h"
+#include "accesstabs.h"
+#include "prctl_opttabs.h"
+#include "schedtabs.h"
+#include "shm_modetabs.h"
+#include "sockoptnametabs.h"
+#include "sockleveltabs.h"
+#include "ipoptnametabs.h"
+#include "ip6optnametabs.h"
+#include "tcpoptnametabs.h"
+#include "pktoptnametabs.h"
+#include "umounttabs.h"
+#include "ioctlreqtabs.h"
+
+typedef enum { AVC_UNSET, AVC_DENIED, AVC_GRANTED } avc_t;
+typedef enum { S_UNSET=-1, S_FAILED, S_SUCCESS } success_t;
+
+static const char *print_signals(const char *val, unsigned int base);
+static auparse_esc_t escape_mode = AUPARSE_ESC_TTY;
+
+/*
+ * This function will take a pointer to a 2 byte Ascii character buffer and
+ * return the actual hex value.
+ */
+static unsigned char x2c(const unsigned char *buf)
+{
+ static const char AsciiArray[17] = "0123456789ABCDEF";
+ char *ptr;
+ unsigned char total=0;
+
+ ptr = strchr(AsciiArray, (char)toupper(buf[0]));
+ if (ptr)
+ total = (unsigned char)(((ptr-AsciiArray) & 0x0F)<<4);
+ ptr = strchr(AsciiArray, (char)toupper(buf[1]));
+ if (ptr)
+ total += (unsigned char)((ptr-AsciiArray) & 0x0F);
+
+ return total;
+}
+
+// Check if any characters need tty escaping. Returns how many found.
+static unsigned int need_tty_escape(const unsigned char *s, unsigned int len)
+{
+ unsigned int i = 0, cnt = 0;
+ while (i < len) {
+ if (s[i] < 32)
+ cnt++;
+ i++;
+ }
+ return cnt;
+}
+
+// TTY escaping s string into dest.
+static void tty_escape(const char *s, char *dest, unsigned int len)
+{
+ unsigned int i = 0, j = 0;
+ while (i < len) {
+ if ((unsigned char)s[i] < 32) {
+ dest[j++] = ('\\');
+ dest[j++] = ('0' + ((s[i] & 0300) >> 6));
+ dest[j++] = ('0' + ((s[i] & 0070) >> 3));
+ dest[j++] = ('0' + (s[i] & 0007));
+ } else
+ dest[j++] = s[i];
+ i++;
+ }
+}
+
+static const char sh_set[] = "\"'`$\\";
+static unsigned int need_shell_escape(const char *s, unsigned int len)
+{
+ unsigned int i = 0, cnt = 0;
+ while (i < len) {
+ if (s[i] < 32)
+ cnt++;
+ else if (strchr(sh_set, s[i]))
+ cnt++;
+ i++;
+ }
+ return cnt;
+}
+
+static void shell_escape(const char *s, char *dest, unsigned int len)
+{
+ unsigned int i = 0, j = 0;
+ while (i < len) {
+ if ((unsigned char)s[i] < 32) {
+ dest[j++] = ('\\');
+ dest[j++] = ('0' + ((s[i] & 0300) >> 6));
+ dest[j++] = ('0' + ((s[i] & 0070) >> 3));
+ dest[j++] = ('0' + (s[i] & 0007));
+ } else if (strchr(sh_set, s[i])) {
+ dest[j++] = ('\\');
+ dest[j++] = s[i];
+ } else
+ dest[j++] = s[i];
+ i++;
+ }
+}
+
+static const char quote_set[] = ";'\"`#$&*?[]<>{}\\";
+static unsigned int need_shell_quote_escape(const unsigned char *s, unsigned int len)
+{
+ unsigned int i = 0, cnt = 0;
+ while (i < len) {
+ if (s[i] < 32)
+ cnt++;
+ else if (strchr(quote_set, s[i]))
+ cnt++;
+ i++;
+ }
+ return cnt;
+}
+
+static void shell_quote_escape(const char *s, char *dest, unsigned int len)
+{
+ unsigned int i = 0, j = 0;
+ while (i < len) {
+ if ((unsigned char)s[i] < 32) {
+ dest[j++] = ('\\');
+ dest[j++] = ('0' + ((s[i] & 0300) >> 6));
+ dest[j++] = ('0' + ((s[i] & 0070) >> 3));
+ dest[j++] = ('0' + (s[i] & 0007));
+ } else if (strchr(quote_set, s[i])) {
+ dest[j++] = ('\\');
+ dest[j++] = s[i];
+ } else
+ dest[j++] = s[i];
+ i++;
+ }
+}
+
+/* This should return the count of what needs escaping */
+static unsigned int need_escaping(const char *s, unsigned int len)
+{
+ switch (escape_mode)
+ {
+ case AUPARSE_ESC_RAW:
+ break;
+ case AUPARSE_ESC_TTY:
+ return need_tty_escape(s, len);
+ case AUPARSE_ESC_SHELL:
+ return need_shell_escape(s, len);
+ case AUPARSE_ESC_SHELL_QUOTE:
+ return need_shell_quote_escape(s, len);;
+ }
+ return 0;
+}
+
+static void escape(const char *s, char *dest, unsigned int len)
+{
+ switch (escape_mode)
+ {
+ case AUPARSE_ESC_RAW:
+ return;
+ case AUPARSE_ESC_TTY:
+ return tty_escape(s, dest, len);
+ case AUPARSE_ESC_SHELL:
+ return shell_escape(s, dest, len);
+ case AUPARSE_ESC_SHELL_QUOTE:
+ return shell_quote_escape(s, dest, len);
+ }
+}
+
+int set_escape_mode(auparse_esc_t mode)
+{
+ if (mode < 0 || mode > AUPARSE_ESC_SHELL_QUOTE)
+ return 1;
+ escape_mode = mode;
+ return 0;
+}
+hidden_def(set_escape_mode)
+
+static int is_hex_string(const char *str)
+{
+ while (*str) {
+ if (!isxdigit(*str))
+ return 0;
+ str++;
+ }
+ return 1;
+}
+
+/* returns a freshly malloc'ed and converted buffer */
+char *au_unescape(char *buf)
+{
+ int len, i;
+ char saved, *str, *ptr = buf;
+
+ /* Find the end of the name */
+ if (*ptr == '(') {
+ ptr = strchr(ptr, ')');
+ if (ptr == NULL)
+ return NULL;
+ else
+ ptr++;
+ } else {
+ while (isxdigit(*ptr))
+ ptr++;
+ }
+ saved = *ptr;
+ *ptr = 0;
+ str = strdup(buf);
+ *ptr = saved;
+
+ /* See if its '(null)' from the kernel */
+ if (*buf == '(')
+ return str;
+
+ /* We can get away with this since the buffer is 2 times
+ * bigger than what we are putting there.
+ */
+ len = strlen(str);
+ if (len < 2) {
+ free(str);
+ return NULL;
+ }
+ ptr = str;
+ for (i=0; i<len; i+=2) {
+ *ptr = x2c((unsigned char *)&str[i]);
+ ptr++;
+ }
+ *ptr = 0;
+ return str;
+}
+
+static const char *success[3]= { "unset", "no", "yes" };
+static const char *aulookup_success(int s)
+{
+ switch (s)
+ {
+ default:
+ return success[0];
+ break;
+ case S_FAILED:
+ return success[1];
+ break;
+ case S_SUCCESS:
+ return success[2];
+ break;
+ }
+}
+
+static nvpair uid_nvl;
+static int uid_list_created=0;
+static const char *aulookup_uid(uid_t uid, char *buf, size_t size)
+{
+ char *name = NULL;
+ int rc;
+
+ if (uid == -1) {
+ snprintf(buf, size, "unset");
+ return buf;
+ }
+
+ // Check the cache first
+ if (uid_list_created == 0) {
+ nvpair_create(&uid_nvl);
+ nvpair_clear(&uid_nvl);
+ uid_list_created = 1;
+ }
+ rc = nvpair_find_val(&uid_nvl, uid);
+ if (rc) {
+ name = uid_nvl.cur->name;
+ } else {
+ // Add it to cache
+ struct passwd *pw;
+ pw = getpwuid(uid);
+ if (pw) {
+ nvpnode nv;
+ nv.name = strdup(pw->pw_name);
+ nv.val = uid;
+ nvpair_append(&uid_nvl, &nv);
+ name = uid_nvl.cur->name;
+ }
+ }
+ if (name != NULL)
+ snprintf(buf, size, "%s", name);
+ else
+ snprintf(buf, size, "unknown(%d)", uid);
+ return buf;
+}
+
+void aulookup_destroy_uid_list(void)
+{
+ if (uid_list_created == 0)
+ return;
+
+ nvpair_clear(&uid_nvl);
+ uid_list_created = 0;
+}
+
+static nvpair gid_nvl;
+static int gid_list_created=0;
+static const char *aulookup_gid(gid_t gid, char *buf, size_t size)
+{
+ char *name = NULL;
+ int rc;
+
+ if (gid == -1) {
+ snprintf(buf, size, "unset");
+ return buf;
+ }
+
+ // Check the cache first
+ if (gid_list_created == 0) {
+ nvpair_create(&gid_nvl);
+ nvpair_clear(&gid_nvl);
+ gid_list_created = 1;
+ }
+ rc = nvpair_find_val(&gid_nvl, gid);
+ if (rc) {
+ name = gid_nvl.cur->name;
+ } else {
+ // Add it to cache
+ struct group *gr;
+ gr = getgrgid(gid);
+ if (gr) {
+ nvpnode nv;
+ nv.name = strdup(gr->gr_name);
+ nv.val = gid;
+ nvpair_append(&gid_nvl, &nv);
+ name = gid_nvl.cur->name;
+ }
+ }
+ if (name != NULL)
+ snprintf(buf, size, "%s", name);
+ else
+ snprintf(buf, size, "unknown(%d)", gid);
+ return buf;
+}
+
+void aulookup_destroy_gid_list(void)
+{
+ if (gid_list_created == 0)
+ return;
+
+ nvpair_clear(&gid_nvl);
+ gid_list_created = 0;
+}
+
+static const char *print_uid(const char *val, unsigned int base)
+{
+ int uid;
+ char name[64];
+
+ errno = 0;
+ uid = strtoul(val, NULL, base);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ return strdup(aulookup_uid(uid, name, sizeof(name)));
+}
+
+static const char *print_gid(const char *val, unsigned int base)
+{
+ int gid;
+ char name[64];
+
+ errno = 0;
+ gid = strtoul(val, NULL, base);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ return strdup(aulookup_gid(gid, name, sizeof(name)));
+}
+
+static const char *print_arch(const char *val, unsigned int machine)
+{
+ const char *ptr;
+ char *out;
+
+ if (machine > MACH_AARCH64) {
+ unsigned int ival;
+
+ errno = 0;
+ ival = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s) ", val) < 0)
+ out = NULL;
+ return out;
+ }
+ machine = audit_elf_to_machine(ival);
+ }
+ if ((int)machine < 0) {
+ if (asprintf(&out, "unknown elf type(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ ptr = audit_machine_to_name(machine);
+ if (ptr)
+ return strdup(ptr);
+ else {
+ if (asprintf(&out, "unknown machine type(%d)", machine) < 0)
+ out = NULL;
+ return out;
+ }
+}
+
+static const char *print_ipccall(const char *val, unsigned int base)
+{
+ int a0;
+ char *out;
+ const char *func = NULL;
+
+ errno = 0;
+ a0 = strtol(val, NULL, base);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ func = ipc_i2s(a0);
+ if (func)
+ return strdup(func);
+ else {
+ if (asprintf(&out, "unknown ipccall(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+}
+
+static const char *print_socketcall(const char *val, unsigned int base)
+{
+ int a0;
+ char *out;
+ const char *func = NULL;
+
+ errno = 0;
+ a0 = strtol(val, NULL, base);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ func = sock_i2s(a0);
+ if (func)
+ return strdup(func);
+ else {
+ if (asprintf(&out, "unknown socketcall(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+}
+
+static const char *print_syscall(const idata *id)
+{
+ const char *sys;
+ char *out;
+ int machine = id->machine, syscall = id->syscall;
+ unsigned long long a0 = id->a0;
+
+ if (machine < 0)
+ machine = audit_detect_machine();
+ if (machine < 0) {
+ out = strdup(id->val);
+ return out;
+ }
+ sys = audit_syscall_to_name(syscall, machine);
+ if (sys) {
+ const char *func = NULL;
+ if (strcmp(sys, "socketcall") == 0) {
+ if ((int)a0 == a0)
+ func = sock_i2s(a0);
+ } else if (strcmp(sys, "ipc") == 0)
+ if ((int)a0 == a0)
+ func = ipc_i2s(a0);
+ if (func) {
+ if (asprintf(&out, "%s(%s)", sys, func) < 0)
+ out = NULL;
+ } else
+ return strdup(sys);
+ } else {
+ if (asprintf(&out, "unknown syscall(%d)", syscall) < 0)
+ out = NULL;
+ }
+
+ return out;
+}
+
+static const char *print_exit(const char *val)
+{
+ long long ival;
+ char *out;
+
+ errno = 0;
+ ival = strtoll(val, NULL, 10);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ if (ival < 0) {
+ if (asprintf(&out, "%lld(%s)", ival, strerror(-ival)) < 0)
+ out = NULL;
+ return out;
+ }
+ return strdup(val);
+}
+
+static const char *print_escaped(const char *val)
+{
+ const char *out;
+
+ if (*val == '"') {
+ char *term;
+ val++;
+ term = strchr(val, '"');
+ if (term == NULL)
+ return strdup(" ");
+ *term = 0;
+ out = strdup(val);
+ *term = '"';
+ return out;
+// FIXME: working here...was trying to detect (null) and handle that
+// differently. The other 2 should have " around the file names.
+/* } else if (*val == '(') {
+ char *term;
+ val++;
+ term = strchr(val, ' ');
+ if (term == NULL)
+ return;
+ *term = 0;
+ printf("%s ", val); */
+ } else if (val[0] == '0' && val[1] == '0')
+ out = au_unescape((char *)&val[2]); // Abstract name af_unix
+ else
+ out = au_unescape((char *)val);
+ if (out)
+ return out;
+ return strdup(val); // Something is wrong with string, just send as is
+}
+
+static const char *print_proctitle(const char *val)
+{
+ char *out = (char *)print_escaped(val);
+ if (*val != '"') {
+ size_t len = strlen(val) / 2;
+ const char *end = out + len;
+ char *ptr = out;
+ while ((ptr = rawmemchr(ptr, '\0'))) {
+ if (ptr >= end)
+ break;
+ *ptr = ' ';
+ ptr++;
+ }
+ }
+ return out;
+}
+
+static const char *print_perm(const char *val)
+{
+ int ival, printed=0;
+ char buf[32];
+
+ errno = 0;
+ ival = strtol(val, NULL, 10);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ buf[0] = 0;
+
+ /* The kernel treats nothing (0x00) as everything (0x0F) */
+ if (ival == 0)
+ ival = 0x0F;
+ if (ival & AUDIT_PERM_READ) {
+ strcat(buf, "read");
+ printed = 1;
+ }
+ if (ival & AUDIT_PERM_WRITE) {
+ if (printed)
+ strcat(buf, ",write");
+ else
+ strcat(buf, "write");
+ printed = 1;
+ }
+ if (ival & AUDIT_PERM_EXEC) {
+ if (printed)
+ strcat(buf, ",exec");
+ else
+ strcat(buf, "exec");
+ printed = 1;
+ }
+ if (ival & AUDIT_PERM_ATTR) {
+ if (printed)
+ strcat(buf, ",attr");
+ else
+ strcat(buf, "attr");
+ }
+ return strdup(buf);
+}
+
+static const char *print_mode(const char *val, unsigned int base)
+{
+ unsigned int ival;
+ char *out, buf[48];
+ const char *name;
+
+ errno = 0;
+ ival = strtoul(val, NULL, base);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ // detect the file type
+ name = audit_ftype_to_name(ival & S_IFMT);
+ if (name != NULL)
+ strcpy(buf, name);
+ else {
+ unsigned first_ifmt_bit;
+
+ // The lowest-valued "1" bit in S_IFMT
+ first_ifmt_bit = S_IFMT & ~(S_IFMT - 1);
+ sprintf(buf, "%03o", (ival & S_IFMT) / first_ifmt_bit);
+ }
+
+ // check on special bits
+ if (S_ISUID & ival)
+ strcat(buf, ",suid");
+ if (S_ISGID & ival)
+ strcat(buf, ",sgid");
+ if (S_ISVTX & ival)
+ strcat(buf, ",sticky");
+
+ // and the read, write, execute flags in octal
+ if (asprintf(&out, "%s,%03o", buf,
+ (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_mode_short_int(unsigned int ival)
+{
+ char *out, buf[48];
+
+ // check on special bits
+ buf[0] = 0;
+ if (S_ISUID & ival)
+ strcat(buf, "suid");
+ if (S_ISGID & ival) {
+ if (buf[0])
+ strcat(buf, ",");
+ strcat(buf, "sgid");
+ }
+ if (S_ISVTX & ival) {
+ if (buf[0])
+ strcat(buf, ",");
+ strcat(buf, "sticky");
+ }
+
+ // and the read, write, execute flags in octal
+ if (buf[0] == 0) {
+ if (asprintf(&out, "0%03o",
+ (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
+ out = NULL;
+ } else
+ if (asprintf(&out, "%s,0%03o", buf,
+ (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_mode_short(const char *val, int base)
+{
+ unsigned int ival;
+ char *out;
+
+ errno = 0;
+ ival = strtoul(val, NULL, base);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ return print_mode_short_int(ival);
+}
+
+static const char *print_socket_domain(const char *val)
+{
+ int i;
+ char *out;
+ const char *str;
+
+ errno = 0;
+ i = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ str = fam_i2s(i);
+ if (str == NULL) {
+ if (asprintf(&out, "unknown family(0x%s)", val) < 0)
+ out = NULL;
+ return out;
+ } else
+ return strdup(str);
+}
+
+static const char *print_socket_type(const char *val)
+{
+ unsigned int type;
+ char *out;
+ const char *str;
+
+ errno = 0;
+ type = 0xFF & strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ str = sock_type_i2s(type);
+ if (str == NULL) {
+ if (asprintf(&out, "unknown type(%s)", val) < 0)
+ out = NULL;
+ return out;
+ } else
+ return strdup(str);
+}
+
+static const char *print_socket_proto(const char *val)
+{
+ unsigned int proto;
+ char *out;
+ struct protoent *p;
+
+ errno = 0;
+ proto = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ p = getprotobynumber(proto);
+ if (p == NULL) {
+ if (asprintf(&out, "unknown proto(%s)", val) < 0)
+ out = NULL;
+ return out;
+ } else
+ return strdup(p->p_name);
+}
+
+static const char *print_sockaddr(const char *val)
+{
+ int slen, rc = 0;
+ const struct sockaddr *saddr;
+ char name[NI_MAXHOST], serv[NI_MAXSERV];
+ const char *host;
+ char *out = NULL;
+ const char *str;
+
+ slen = strlen(val)/2;
+ host = au_unescape((char *)val);
+ if (host == NULL) {
+ if (asprintf(&out, "malformed host(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ saddr = (struct sockaddr *)host;
+
+
+ str = fam_i2s(saddr->sa_family);
+ if (str == NULL) {
+ if (asprintf(&out, "unknown family(%d)", saddr->sa_family) < 0)
+ out = NULL;
+ free((char *)host);
+ return out;
+ }
+
+ // Now print address for some families
+ switch (saddr->sa_family) {
+ case AF_LOCAL:
+ {
+ const struct sockaddr_un *un =
+ (struct sockaddr_un *)saddr;
+ if (un->sun_path[0])
+ rc = asprintf(&out, "%s %s", str,
+ un->sun_path);
+ else // abstract name
+ rc = asprintf(&out, "%s %.108s", str,
+ &un->sun_path[1]);
+ }
+ break;
+ case AF_INET:
+ if (slen < sizeof(struct sockaddr_in)) {
+ rc = asprintf(&out, "%s sockaddr len too short",
+ str);
+ break;
+ }
+ slen = sizeof(struct sockaddr_in);
+ if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv,
+ NI_MAXSERV, NI_NUMERICHOST |
+ NI_NUMERICSERV) == 0 ) {
+ rc = asprintf(&out, "%s host:%s serv:%s", str,
+ name, serv);
+ } else
+ rc = asprintf(&out, "%s (error resolving addr)",
+ str);
+ break;
+ case AF_AX25:
+ {
+ const struct sockaddr_ax25 *x =
+ (struct sockaddr_ax25 *)saddr;
+ rc = asprintf(&out, "%s call:%c%c%c%c%c%c%c",
+ str,
+ x->sax25_call.ax25_call[0],
+ x->sax25_call.ax25_call[1],
+ x->sax25_call.ax25_call[2],
+ x->sax25_call.ax25_call[3],
+ x->sax25_call.ax25_call[4],
+ x->sax25_call.ax25_call[5],
+ x->sax25_call.ax25_call[6]);
+ }
+ break;
+ case AF_IPX:
+ {
+ const struct sockaddr_ipx *ip =
+ (struct sockaddr_ipx *)saddr;
+ rc = asprintf(&out, "%s port:%d net:%u", str,
+ ip->sipx_port, ip->sipx_network);
+ }
+ break;
+ case AF_ATMPVC:
+ {
+ const struct sockaddr_atmpvc* at =
+ (struct sockaddr_atmpvc *)saddr;
+ rc = asprintf(&out, "%s int:%d", str,
+ at->sap_addr.itf);
+ }
+ break;
+ case AF_X25:
+ {
+ const struct sockaddr_x25* x =
+ (struct sockaddr_x25 *)saddr;
+ rc = asprintf(&out, "%s addr:%.15s", str,
+ x->sx25_addr.x25_addr);
+ }
+ break;
+ case AF_INET6:
+ if (slen < sizeof(struct sockaddr_in6)) {
+ rc = asprintf(&out,
+ "%s sockaddr6 len too short",
+ str);
+ break;
+ }
+ slen = sizeof(struct sockaddr_in6);
+ if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv,
+ NI_MAXSERV, NI_NUMERICHOST |
+ NI_NUMERICSERV) == 0 ) {
+ rc = asprintf(&out, "%s host:%s serv:%s", str,
+ name, serv);
+ } else
+ rc = asprintf(&out, "%s (error resolving addr)",
+ str);
+ break;
+ case AF_NETLINK:
+ {
+ const struct sockaddr_nl *n =
+ (struct sockaddr_nl *)saddr;
+ rc = asprintf(&out, "%s pid:%u", str,
+ n->nl_pid);
+ }
+ break;
+ }
+ if (rc < 0)
+ out = NULL;
+ free((char *)host);
+ return out;
+}
+
+/* This is only used in the RHEL4 kernel */
+static const char *print_flags(const char *val)
+{
+ int flags, cnt = 0;
+ size_t i;
+ char *out, buf[80];
+
+ errno = 0;
+ flags = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ if (flags == 0) {
+ if (asprintf(&out, "none") < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ for (i=0; i<FLAG_NUM_ENTRIES; i++) {
+ if (flag_table[i].value & flags) {
+ if (!cnt) {
+ strcat(buf,
+ flag_strings + flag_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, ",");
+ strcat(buf,
+ flag_strings + flag_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_promiscuous(const char *val)
+{
+ int ival;
+
+ errno = 0;
+ ival = strtol(val, NULL, 10);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ if (ival == 0)
+ return strdup("no");
+ else
+ return strdup("yes");
+}
+
+static const char *print_capabilities(const char *val, int base)
+{
+ int cap;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ cap = strtoul(val, NULL, base);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = cap_i2s(cap);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown capability(%s%s)",
+ base == 16 ? "0x" : "", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_cap_bitmap(const char *val)
+{
+#define MASK(x) (1U << (x))
+ unsigned long long temp;
+ __u32 caps[2];
+ int i, found=0;
+ char *p, buf[600]; // 17 per cap * 33
+
+ errno = 0;
+ temp = strtoull(val, NULL, 16);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ caps[0] = temp & 0x00000000FFFFFFFFLL;
+ caps[1] = (temp & 0xFFFFFFFF00000000LL) >> 32;
+ p = buf;
+ for (i=0; i <= CAP_LAST_CAP; i++) {
+ if (MASK(i%32) & caps[i/32]) {
+ const char *s;
+ if (found)
+ p = stpcpy(p, ",");
+ s = cap_i2s(i);
+ if (s != NULL)
+ p = stpcpy(p, s);
+ found = 1;
+ }
+ }
+ if (found == 0)
+ return strdup("none");
+ return strdup(buf);
+}
+
+static const char *print_success(const char *val)
+{
+ int res;
+
+ if (isdigit(*val)) {
+ errno = 0;
+ res = strtoul(val, NULL, 10);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ return strdup(aulookup_success(res));
+ } else
+ return strdup(val);
+}
+
+static const char *print_open_flags(const char *val)
+{
+ size_t i;
+ unsigned int flags;
+ int cnt = 0;
+ char *out, buf[178];
+
+ errno = 0;
+ flags = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ buf[0] = 0;
+ if ((flags & O_ACCMODE) == 0) {
+ // Handle O_RDONLY specially
+ strcat(buf, "O_RDONLY");
+ cnt++;
+ }
+ for (i=0; i<OPEN_FLAG_NUM_ENTRIES; i++) {
+ if (open_flag_table[i].value & flags) {
+ if (!cnt) {
+ strcat(buf,
+ open_flag_strings + open_flag_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ open_flag_strings + open_flag_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_clone_flags(const char *val)
+{
+ unsigned int flags, i, clone_sig;
+ int cnt = 0;
+ char *out, buf[362]; // added 10 for signal name
+
+ errno = 0;
+ flags = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ buf[0] = 0;
+ for (i=0; i<CLONE_FLAG_NUM_ENTRIES; i++) {
+ if (clone_flag_table[i].value & flags) {
+ if (!cnt) {
+ strcat(buf,
+ clone_flag_strings + clone_flag_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ clone_flag_strings + clone_flag_table[i].offset);
+ }
+ }
+ }
+ clone_sig = flags & 0xFF;
+ if (clone_sig && (clone_sig < 32)) {
+ const char *s = signal_i2s(clone_sig);
+ if (s != NULL) {
+ if (buf[0] != 0)
+ strcat(buf, "|");
+ strcat(buf, s);
+ }
+ }
+
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%x", flags);
+ return strdup(buf);
+}
+
+static const char *print_fcntl_cmd(const char *val)
+{
+ char *out;
+ const char *s;
+ int cmd;
+
+ errno = 0;
+ cmd = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = fcntl_i2s(cmd);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown fcntl command(%d)", cmd) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_epoll_ctl(const char *val)
+{
+ char *out;
+ const char *s;
+ int cmd;
+
+ errno = 0;
+ cmd = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = epoll_ctl_i2s(cmd);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown epoll_ctl operation (%d)", cmd) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_clock_id(const char *val)
+{
+ int i;
+ char *out;
+
+ errno = 0;
+ i = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ else if (i < 7) {
+ const char *s = clock_i2s(i);
+ if (s != NULL)
+ return strdup(s);
+ }
+ if (asprintf(&out, "unknown clk_id (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_prot(const char *val, unsigned int is_mmap)
+{
+ unsigned int prot, i;
+ int cnt = 0, limit;
+ char buf[144];
+ char *out;
+
+ errno = 0;
+ prot = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ if ((prot & 0x07) == 0) {
+ // Handle PROT_NONE specially
+ strcat(buf, "PROT_NONE");
+ return strdup(buf);
+ }
+ if (is_mmap)
+ limit = 4;
+ else
+ limit = 3;
+ for (i=0; i<limit; i++) {
+ if (prot_table[i].value & prot) {
+ if (!cnt) {
+ strcat(buf,
+ prot_strings + prot_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ prot_strings + prot_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_mmap(const char *val)
+{
+ unsigned int maps, i;
+ int cnt = 0;
+ char buf[176];
+ char *out;
+
+ errno = 0;
+ maps = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ if ((maps & 0x0F) == 0) {
+ // Handle MAP_FILE specially
+ strcat(buf, "MAP_FILE");
+ cnt++;
+ }
+ for (i=0; i<MMAP_NUM_ENTRIES; i++) {
+ if (mmap_table[i].value & maps) {
+ if (!cnt) {
+ strcat(buf,
+ mmap_strings + mmap_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ mmap_strings + mmap_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_personality(const char *val)
+{
+ int pers, pers2;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ pers = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ pers2 = pers & ~ADDR_NO_RANDOMIZE;
+ s = person_i2s(pers2);
+ if (s != NULL) {
+ if (pers & ADDR_NO_RANDOMIZE) {
+ if (asprintf(&out, "%s|~ADDR_NO_RANDOMIZE", s) < 0)
+ out = NULL;
+ return out;
+ } else
+ return strdup(s);
+ }
+ if (asprintf(&out, "unknown personality (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_ptrace(const char *val)
+{
+ int trace;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ trace = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = ptrace_i2s(trace);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown ptrace (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_prctl_opt(const char *val)
+{
+ int opt;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ opt = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = prctl_opt_i2s(opt);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown prctl option (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_mount(const char *val)
+{
+ unsigned int mounts, i;
+ int cnt = 0;
+ char buf[334];
+ char *out;
+
+ errno = 0;
+ mounts = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ for (i=0; i<MOUNT_NUM_ENTRIES; i++) {
+ if (mount_table[i].value & mounts) {
+ if (!cnt) {
+ strcat(buf,
+ mount_strings + mount_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ mount_strings + mount_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_rlimit(const char *val)
+{
+ int i;
+ char *out;
+
+ errno = 0;
+ i = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ else if (i < 17) {
+ const char *s = rlimit_i2s(i);
+ if (s != NULL)
+ return strdup(s);
+ }
+ if (asprintf(&out, "unknown rlimit (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_recv(const char *val)
+{
+ unsigned int rec, i;
+ int cnt = 0;
+ char buf[234];
+ char *out;
+
+ errno = 0;
+ rec = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ for (i=0; i<RECV_NUM_ENTRIES; i++) {
+ if (recv_table[i].value & rec) {
+ if (!cnt) {
+ strcat(buf,
+ recv_strings + recv_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ recv_strings + recv_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_access(const char *val)
+{
+ unsigned long mode;
+ char buf[16];
+ unsigned int i, cnt = 0;
+
+ errno = 0;
+ mode = strtoul(val, NULL, 16);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ if ((mode & 0xF) == 0)
+ return strdup("F_OK");
+ buf[0] = 0;
+ for (i=0; i<3; i++) {
+ if (access_table[i].value & mode) {
+ if (!cnt) {
+ strcat(buf,
+ access_strings + access_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ access_strings + access_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static char *print_dirfd(const char *val)
+{
+ char *out;
+
+ if (strcmp(val, "-100") == 0) {
+ if (asprintf(&out, "AT_FDCWD") < 0)
+ out = NULL;
+ } else {
+ if (asprintf(&out, "0x%s", val) < 0)
+ out = NULL;
+ }
+ return out;
+}
+
+#ifndef SCHED_RESET_ON_FORK
+#define SCHED_RESET_ON_FORK 0x40000000
+#endif
+static const char *print_sched(const char *val)
+{
+ unsigned int pol;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ pol = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = sched_i2s(pol & 0x0F);
+ if (s != NULL) {
+ char buf[48];
+
+ strcpy(buf, s);
+ if (pol & SCHED_RESET_ON_FORK )
+ strcat(buf, "|SCHED_RESET_ON_FORK");
+ return strdup(buf);
+ }
+ if (asprintf(&out, "unknown scheduler policy (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_sock_opt_level(const char *val)
+{
+ int lvl;
+ char *out;
+
+ errno = 0;
+ lvl = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ if (lvl == SOL_SOCKET)
+ return strdup("SOL_SOCKET");
+ else {
+ struct protoent *p = getprotobynumber(lvl);
+ if (p == NULL) {
+ const char *s = socklevel_i2s(lvl);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown sockopt level (0x%s)", val) < 0)
+ out = NULL;
+ } else
+ return strdup(p->p_name);
+ }
+
+ return out;
+}
+
+static const char *print_sock_opt_name(const char *val, int machine)
+{
+ int opt;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ opt = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ // PPC's tables are different
+ if ((machine == MACH_PPC64 || machine == MACH_PPC) &&
+ opt >= 16 && opt <= 21)
+ opt+=100;
+
+ s = sockoptname_i2s(opt);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown sockopt name (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_ip_opt_name(const char *val)
+{
+ int opt;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ opt = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = ipoptname_i2s(opt);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown ipopt name (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_ip6_opt_name(const char *val)
+{
+ int opt;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ opt = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = ip6optname_i2s(opt);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown ip6opt name (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_tcp_opt_name(const char *val)
+{
+ int opt;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ opt = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = tcpoptname_i2s(opt);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown tcpopt name (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_udp_opt_name(const char *val)
+{
+ int opt;
+ char *out;
+
+ errno = 0;
+ opt = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ if (opt == 1)
+ out = strdup("UDP_CORK");
+ else if (opt == 100)
+ out = strdup("UDP_ENCAP");
+ else if (asprintf(&out, "unknown udpopt name (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_pkt_opt_name(const char *val)
+{
+ int opt;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ opt = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = pktoptname_i2s(opt);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown pktopt name (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_shmflags(const char *val)
+{
+ unsigned int flags, partial, i;
+ int cnt = 0;
+ char *out, buf[32];
+
+ errno = 0;
+ flags = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ partial = flags & 00003000;
+ buf[0] = 0;
+ for (i=0; i<IPCCMD_NUM_ENTRIES; i++) {
+ if (ipccmd_table[i].value & partial) {
+ if (!cnt) {
+ strcat(buf,
+ ipccmd_strings + ipccmd_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ ipccmd_strings + ipccmd_table[i].offset);
+ }
+ }
+ }
+
+ partial = flags & 00014000;
+ for (i=0; i<SHM_MODE_NUM_ENTRIES; i++) {
+ if (shm_mode_table[i].value & partial) {
+ if (!cnt) {
+ strcat(buf,
+ shm_mode_strings + shm_mode_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ shm_mode_strings + shm_mode_table[i].offset);
+ }
+ }
+ }
+
+ partial = flags & 000777;
+ const char *tmode = print_mode_short_int(partial);
+ if (tmode) {
+ if (buf[0] != 0)
+ strcat(buf, "|");
+ strcat(buf, tmode);
+ free((void *)tmode);
+ }
+
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%x", flags);
+ return strdup(buf);
+}
+
+static const char *print_seek(const char *val)
+{
+ unsigned int whence;
+ char *out;
+ const char *str;
+
+ errno = 0;
+ whence = 0xFF & strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ str = seek_i2s(whence);
+ if (str == NULL) {
+ if (asprintf(&out, "unknown whence(%s)", val) < 0)
+ out = NULL;
+ return out;
+ } else
+ return strdup(str);
+}
+
+static const char *print_umount(const char *val)
+{
+ unsigned int flags, i;
+ int cnt = 0;
+ char buf[64];
+ char *out;
+
+ errno = 0;
+ flags = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ for (i=0; i<UMOUNT_NUM_ENTRIES; i++) {
+ if (umount_table[i].value & flags) {
+ if (!cnt) {
+ strcat(buf,
+ umount_strings + umount_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ umount_strings + umount_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_ioctl_req(const char *val)
+{
+ int req;
+ char *out;
+ const char *r;
+
+ errno = 0;
+ req = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ r = ioctlreq_i2s(req);
+ if (r != NULL)
+ return strdup(r);
+ if (asprintf(&out, "0x%s", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_a0(const char *val, const idata *id)
+{
+ char *out;
+ int machine = id->machine, syscall = id->syscall;
+ const char *sys = audit_syscall_to_name(syscall, machine);
+ if (sys) {
+ if (*sys == 'r') {
+ if (strcmp(sys, "rt_sigaction") == 0)
+ return print_signals(val, 16);
+ else if (strcmp(sys, "renameat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "readlinkat") == 0)
+ return print_dirfd(val);
+ } else if (*sys == 'c') {
+ if (strcmp(sys, "clone") == 0)
+ return print_clone_flags(val);
+ else if (strcmp(sys, "clock_settime") == 0)
+ return print_clock_id(val);
+ } else if (*sys == 'p') {
+ if (strcmp(sys, "personality") == 0)
+ return print_personality(val);
+ else if (strcmp(sys, "ptrace") == 0)
+ return print_ptrace(val);
+ else if (strcmp(sys, "prctl") == 0)
+ return print_prctl_opt(val);
+ } else if (*sys == 'm') {
+ if (strcmp(sys, "mkdirat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "mknodat") == 0)
+ return print_dirfd(val);
+ } else if (*sys == 'f') {
+ if (strcmp(sys, "fchownat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "futimesat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "fchmodat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "faccessat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "futimensat") == 0)
+ return print_dirfd(val);
+ } else if (*sys == 'u') {
+ if (strcmp(sys, "unshare") == 0)
+ return print_clone_flags(val);
+ else if (strcmp(sys, "unlinkat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "utimensat") == 0)
+ return print_dirfd(val);
+ } else if (strcmp(sys+1, "etrlimit") == 0)
+ return print_rlimit(val);
+ else if (*sys == 's') {
+ if (strcmp(sys, "setuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setreuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setresuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setfsuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setgid") == 0)
+ return print_gid(val, 16);
+ else if (strcmp(sys, "setregid") == 0)
+ return print_gid(val, 16);
+ else if (strcmp(sys, "setresgid") == 0)
+ return print_gid(val, 16);
+ else if (strcmp(sys, "socket") == 0)
+ return print_socket_domain(val);
+ else if (strcmp(sys, "setfsgid") == 0)
+ return print_gid(val, 16);
+ else if (strcmp(sys, "socketcall") == 0)
+ return print_socketcall(val, 16);
+ }
+ else if (strcmp(sys, "linkat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "newfstatat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "openat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "ipccall") == 0)
+ return print_ipccall(val, 16);
+ }
+ if (asprintf(&out, "0x%s", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_a1(const char *val, const idata *id)
+{
+ char *out;
+ int machine = id->machine, syscall = id->syscall;
+ const char *sys = audit_syscall_to_name(syscall, machine);
+ if (sys) {
+ if (*sys == 'f') {
+ if (strcmp(sys, "fchmod") == 0)
+ return print_mode_short(val, 16);
+ else if (strncmp(sys, "fcntl", 5) == 0)
+ return print_fcntl_cmd(val);
+ } else if (*sys == 'c') {
+ if (strcmp(sys, "chmod") == 0)
+ return print_mode_short(val, 16);
+ else if (strstr(sys, "chown"))
+ return print_uid(val, 16);
+ else if (strcmp(sys, "creat") == 0)
+ return print_mode_short(val, 16);
+ }
+ if (strcmp(sys+1, "etsockopt") == 0)
+ return print_sock_opt_level(val);
+ else if (*sys == 's') {
+ if (strcmp(sys, "setreuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setresuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setregid") == 0)
+ return print_gid(val, 16);
+ else if (strcmp(sys, "setresgid") == 0)
+ return print_gid(val, 16);
+ else if (strcmp(sys, "socket") == 0)
+ return print_socket_type(val);
+ else if (strcmp(sys, "setns") == 0)
+ return print_clone_flags(val);
+ else if (strcmp(sys, "sched_setscheduler") == 0)
+ return print_sched(val);
+ } else if (*sys == 'm') {
+ if (strcmp(sys, "mkdir") == 0)
+ return print_mode_short(val, 16);
+ else if (strcmp(sys, "mknod") == 0)
+ return print_mode(val, 16);
+ else if (strcmp(sys, "mq_open") == 0)
+ return print_open_flags(val);
+ }
+ else if (strcmp(sys, "open") == 0)
+ return print_open_flags(val);
+ else if (strcmp(sys, "access") == 0)
+ return print_access(val);
+ else if (strcmp(sys, "epoll_ctl") == 0)
+ return print_epoll_ctl(val);
+ else if (strcmp(sys, "kill") == 0)
+ return print_signals(val, 16);
+ else if (strcmp(sys, "prctl") == 0) {
+ if (id->a0 == PR_CAPBSET_READ ||
+ id->a0 == PR_CAPBSET_DROP)
+ return print_capabilities(val, 16);
+ else if (id->a0 == PR_SET_PDEATHSIG)
+ return print_signals(val, 16);
+ }
+ else if (strcmp(sys, "tkill") == 0)
+ return print_signals(val, 16);
+ else if (strcmp(sys, "umount2") == 0)
+ return print_umount(val);
+ else if (strcmp(sys, "ioctl") == 0)
+ return print_ioctl_req(val);
+ }
+ if (asprintf(&out, "0x%s", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_a2(const char *val, const idata *id)
+{
+ char *out;
+ int machine = id->machine, syscall = id->syscall;
+ const char *sys = audit_syscall_to_name(syscall, machine);
+ if (sys) {
+ if (strncmp(sys, "fcntl", 5) == 0) {
+ int ival;
+
+ errno = 0;
+ ival = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)",
+ val) < 0)
+ out = NULL;
+ return out;
+ }
+ switch (id->a1)
+ {
+ case F_SETOWN:
+ return print_uid(val, 16);
+ case F_SETFD:
+ if (ival == FD_CLOEXEC)
+ return strdup("FD_CLOEXEC");
+ /* Fall thru okay. */
+ case F_SETFL:
+ case F_SETLEASE:
+ case F_GETLEASE:
+ case F_NOTIFY:
+ break;
+ }
+ } else if (strcmp(sys+1, "etsockopt") == 0) {
+ if (id->a1 == IPPROTO_IP)
+ return print_ip_opt_name(val);
+ else if (id->a1 == SOL_SOCKET)
+ return print_sock_opt_name(val, machine);
+ else if (id->a1 == IPPROTO_TCP)
+ return print_tcp_opt_name(val);
+ else if (id->a1 == IPPROTO_UDP)
+ return print_udp_opt_name(val);
+ else if (id->a1 == IPPROTO_IPV6)
+ return print_ip6_opt_name(val);
+ else if (id->a1 == SOL_PACKET)
+ return print_pkt_opt_name(val);
+ else
+ goto normal;
+ } else if (*sys == 'o') {
+ if (strcmp(sys, "openat") == 0)
+ return print_open_flags(val);
+ if ((strcmp(sys, "open") == 0) && (id->a1 & O_CREAT))
+ return print_mode_short(val, 16);
+ } else if (*sys == 'f') {
+ if (strcmp(sys, "fchmodat") == 0)
+ return print_mode_short(val, 16);
+ else if (strcmp(sys, "faccessat") == 0)
+ return print_access(val);
+ } else if (*sys == 's') {
+ if (strcmp(sys, "setresuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setresgid") == 0)
+ return print_gid(val, 16);
+ else if (strcmp(sys, "socket") == 0)
+ return print_socket_proto(val);
+ else if (strcmp(sys, "sendmsg") == 0)
+ return print_recv(val);
+ else if (strcmp(sys, "shmget") == 0)
+ return print_shmflags(val);
+ } else if (*sys == 'm') {
+ if (strcmp(sys, "mmap") == 0)
+ return print_prot(val, 1);
+ else if (strcmp(sys, "mkdirat") == 0)
+ return print_mode_short(val, 16);
+ else if (strcmp(sys, "mknodat") == 0)
+ return print_mode_short(val, 16);
+ else if (strcmp(sys, "mprotect") == 0)
+ return print_prot(val, 0);
+ else if ((strcmp(sys, "mq_open") == 0) &&
+ (id->a1 & O_CREAT))
+ return print_mode_short(val, 16);
+ } else if (*sys == 'r') {
+ if (strcmp(sys, "recvmsg") == 0)
+ return print_recv(val);
+ else if (strcmp(sys, "readlinkat") == 0)
+ return print_dirfd(val);
+ } else if (*sys == 'l') {
+ if (strcmp(sys, "linkat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "lseek") == 0)
+ return print_seek(val);
+ }
+ else if (strstr(sys, "chown"))
+ return print_gid(val, 16);
+ else if (strcmp(sys, "tgkill") == 0)
+ return print_signals(val, 16);
+ }
+normal:
+ if (asprintf(&out, "0x%s", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_a3(const char *val, const idata *id)
+{
+ char *out;
+ int machine = id->machine, syscall = id->syscall;
+ const char *sys = audit_syscall_to_name(syscall, machine);
+ if (sys) {
+ if (*sys == 'm') {
+ if (strcmp(sys, "mmap") == 0)
+ return print_mmap(val);
+ else if (strcmp(sys, "mount") == 0)
+ return print_mount(val);
+ } else if (*sys == 'r') {
+ if (strcmp(sys, "recv") == 0)
+ return print_recv(val);
+ else if (strcmp(sys, "recvfrom") == 0)
+ return print_recv(val);
+ else if (strcmp(sys, "recvmmsg") == 0)
+ return print_recv(val);
+ } else if (*sys == 's') {
+ if (strcmp(sys, "send") == 0)
+ return print_recv(val);
+ else if (strcmp(sys, "sendto") == 0)
+ return print_recv(val);
+ else if (strcmp(sys, "sendmmsg") == 0)
+ return print_recv(val);
+ }
+ }
+ if (asprintf(&out, "0x%s", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_signals(const char *val, unsigned int base)
+{
+ int i;
+ char *out;
+
+ errno = 0;
+ i = strtoul(val, NULL, base);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ else if (i < 32) {
+ const char *s = signal_i2s(i);
+ if (s != NULL)
+ return strdup(s);
+ }
+ if (asprintf(&out, "unknown signal (%s%s)",
+ base == 16 ? "0x" : "", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_nfproto(const char *val)
+{
+ int proto;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ proto = strtoul(val, NULL, 10);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = nfproto_i2s(proto);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown netfilter protocol (%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_icmptype(const char *val)
+{
+ int icmptype;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ icmptype = strtoul(val, NULL, 10);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = icmptype_i2s(icmptype);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown icmp type (%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_protocol(const char *val)
+{
+ int i;
+ char *out;
+
+ errno = 0;
+ i = strtoul(val, NULL, 10);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ } else {
+ struct protoent *p = getprotobynumber(i);
+ if (p)
+ out = strdup(p->p_name);
+ else
+ out = strdup("undefined protocol");
+ }
+ return out;
+}
+
+static const char *print_addr(const char *val)
+{
+ char *out = strdup(val);
+ return out;
+}
+
+static const char *print_list(const char *val)
+{
+ int i;
+ char *out;
+
+ errno = 0;
+ i = strtoul(val, NULL, 10);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ } else
+ out = strdup(audit_flag_to_name(i));
+ return out;
+}
+
+struct string_buf {
+ char *buf; /* NULL if was ever out of memory */
+ size_t allocated;
+ size_t pos;
+};
+
+/* Append c to buf. */
+static void append_char(struct string_buf *buf, char c)
+{
+ if (buf->buf == NULL)
+ return;
+ if (buf->pos == buf->allocated) {
+ char *p;
+
+ buf->allocated *= 2;
+ p = realloc(buf->buf, buf->allocated);
+ if (p == NULL) {
+ free(buf->buf);
+ buf->buf = NULL;
+ return;
+ }
+ buf->buf = p;
+ }
+ buf->buf[buf->pos] = c;
+ buf->pos++;
+}
+
+/* Represent c as a character within a quoted string, and append it to buf. */
+static void tty_append_printable_char(struct string_buf *buf, unsigned char c)
+{
+ if (c < 0x20 || c > 0x7E) {
+ append_char(buf, '\\');
+ append_char(buf, '0' + ((c >> 6) & 07));
+ append_char(buf, '0' + ((c >> 3) & 07));
+ append_char(buf, '0' + (c & 07));
+ } else {
+ if (c == '\\' || c == '"')
+ append_char(buf, '\\');
+ append_char(buf, c);
+ }
+}
+
+/* Search for a name of a sequence of TTY bytes.
+ If found, return the name and advance *INPUT. Return NULL otherwise. */
+static const char *tty_find_named_key(unsigned char **input, size_t input_len)
+{
+ /* NUL-terminated list of (sequence, NUL, name, NUL) entries.
+ First match wins, even if a longer match were possible later */
+ static const unsigned char named_keys[] =
+#define E(SEQ, NAME) SEQ "\0" NAME "\0"
+#include "tty_named_keys.h"
+#undef E
+ "\0";
+
+ unsigned char *src;
+ const unsigned char *nk;
+
+ src = *input;
+ if (*src >= ' ' && (*src < 0x7F || *src >= 0xA0))
+ return NULL; /* Fast path */
+ nk = named_keys;
+ do {
+ const unsigned char *p;
+ size_t nk_len;
+
+ p = strchr(nk, '\0');
+ nk_len = p - nk;
+ if (nk_len <= input_len && memcmp(src, nk, nk_len) == 0) {
+ *input += nk_len;
+ return p + 1;
+ }
+ nk = strchr(p + 1, '\0') + 1;
+ } while (*nk != '\0');
+ return NULL;
+}
+
+static const char *print_tty_data(const char *raw_data)
+{
+ struct string_buf buf;
+ int in_printable;
+ unsigned char *data, *data_pos, *data_end;
+
+ if (!is_hex_string(raw_data))
+ return strdup(raw_data);
+ data = au_unescape((char *)raw_data);
+ if (data == NULL)
+ return NULL;
+ data_end = data + strlen(raw_data) / 2;
+
+ buf.allocated = 10;
+ buf.buf = malloc(buf.allocated); /* NULL handled in append_char() */
+ buf.pos = 0;
+ in_printable = 0;
+ data_pos = data;
+ while (data_pos < data_end) {
+ /* FIXME: Unicode */
+ const char *desc;
+
+ desc = tty_find_named_key(&data_pos, data_end - data_pos);
+ if (desc != NULL) {
+ if (in_printable != 0) {
+ append_char(&buf, '"');
+ in_printable = 0;
+ }
+ if (buf.pos != 0)
+ append_char(&buf, ',');
+ append_char(&buf, '<');
+ while (*desc != '\0') {
+ append_char(&buf, *desc);
+ desc++;
+ }
+ append_char(&buf, '>');
+ } else {
+ if (in_printable == 0) {
+ if (buf.pos != 0)
+ append_char(&buf, ',');
+ append_char(&buf, '"');
+ in_printable = 1;
+ }
+ tty_append_printable_char(&buf, *data_pos);
+ data_pos++;
+ }
+ }
+ if (in_printable != 0)
+ append_char(&buf, '"');
+ append_char(&buf, '\0');
+ free(data);
+ return buf.buf;
+}
+
+static const char *print_session(const char *val)
+{
+ if (strcmp(val, "4294967295") == 0)
+ return strdup("unset");
+ else
+ return strdup(val);
+}
+
+#define SECCOMP_RET_ACTION 0x7fff0000U
+static const char *print_seccomp_code(const char *val)
+{
+ unsigned long code;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ code = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ s = seccomp_i2s(code & SECCOMP_RET_ACTION);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown seccomp code (%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+int lookup_type(const char *name)
+{
+ int i;
+
+ if (type_s2i(name, &i) != 0)
+ return i;
+ return AUPARSE_TYPE_UNCLASSIFIED;
+}
+
+const char *interpret(const rnode *r)
+{
+ const nvlist *nv = &r->nv;
+ int type;
+ idata id;
+ nvnode *n;
+ const char *out;
+
+ id.machine = r->machine;
+ id.syscall = r->syscall;
+ id.a0 = r->a0;
+ id.a1 = r->a1;
+ id.name = nvlist_get_cur_name(nv);
+ id.val = nvlist_get_cur_val(nv);
+ type = auparse_interp_adjust_type(r->type, id.name, id.val);
+
+ out = auparse_do_interpretation(type, &id);
+ n = nvlist_get_cur(nv);
+ n->interp_val = (char *)out;
+
+ return out;
+}
+
+/*
+ * rtype: the record type
+ * name: the current field name
+ * value: the current field value
+ * Returns: field's internal type is returned
+ */
+int auparse_interp_adjust_type(int rtype, const char *name, const char *val)
+{
+ int type;
+
+ /* This set of statements overrides or corrects the detection.
+ * In almost all cases its a double use of a field. */
+ if (rtype == AUDIT_EXECVE && *name == 'a' && strcmp(name, "argc") &&
+ !strstr(name, "_len"))
+ type = AUPARSE_TYPE_ESCAPED;
+ else if (rtype == AUDIT_AVC && strcmp(name, "saddr") == 0)
+ type = AUPARSE_TYPE_UNCLASSIFIED;
+ else if (rtype == AUDIT_USER_TTY && strcmp(name, "msg") == 0)
+ type = AUPARSE_TYPE_ESCAPED;
+ else if (rtype == AUDIT_NETFILTER_PKT && strcmp(name, "saddr") == 0)
+ type = AUPARSE_TYPE_ADDR;
+ else if (strcmp(name, "acct") == 0) {
+ if (val[0] == '"')
+ type = AUPARSE_TYPE_ESCAPED;
+ else if (is_hex_string(val))
+ type = AUPARSE_TYPE_ESCAPED;
+ else
+ type = AUPARSE_TYPE_UNCLASSIFIED;
+ } else if (rtype == AUDIT_PATH && *name =='f' &&
+ strcmp(name, "flags") == 0)
+ type = AUPARSE_TYPE_FLAGS;
+ else if (rtype == AUDIT_MQ_OPEN && strcmp(name, "mode") == 0)
+ type = AUPARSE_TYPE_MODE_SHORT;
+ else if (rtype == AUDIT_CRYPTO_KEY_USER && strcmp(name, "fp") == 0)
+ type = AUPARSE_TYPE_UNCLASSIFIED;
+ else if ((strcmp(name, "id") == 0) &&
+ (rtype == AUDIT_ADD_GROUP || rtype == AUDIT_GRP_MGMT ||
+ rtype == AUDIT_DEL_GROUP))
+ type = AUPARSE_TYPE_GID;
+ else
+ type = lookup_type(name);
+
+ return type;
+}
+hidden_def(auparse_interp_adjust_type)
+
+const char *auparse_do_interpretation(int type, const idata *id)
+{
+ const char *out;
+ switch(type) {
+ case AUPARSE_TYPE_UID:
+ out = print_uid(id->val, 10);
+ break;
+ case AUPARSE_TYPE_GID:
+ out = print_gid(id->val, 10);
+ break;
+ case AUPARSE_TYPE_SYSCALL:
+ out = print_syscall(id);
+ break;
+ case AUPARSE_TYPE_ARCH:
+ out = print_arch(id->val, id->machine);
+ break;
+ case AUPARSE_TYPE_EXIT:
+ out = print_exit(id->val);
+ break;
+ case AUPARSE_TYPE_ESCAPED:
+ out = print_escaped(id->val);
+ break;
+ case AUPARSE_TYPE_PERM:
+ out = print_perm(id->val);
+ break;
+ case AUPARSE_TYPE_MODE:
+ out = print_mode(id->val,8);
+ break;
+ case AUPARSE_TYPE_MODE_SHORT:
+ out = print_mode_short(id->val,8);
+ break;
+ case AUPARSE_TYPE_SOCKADDR:
+ out = print_sockaddr(id->val);
+ break;
+ case AUPARSE_TYPE_FLAGS:
+ out = print_flags(id->val);
+ break;
+ case AUPARSE_TYPE_PROMISC:
+ out = print_promiscuous(id->val);
+ break;
+ case AUPARSE_TYPE_CAPABILITY:
+ out = print_capabilities(id->val, 10);
+ break;
+ case AUPARSE_TYPE_SUCCESS:
+ out = print_success(id->val);
+ break;
+ case AUPARSE_TYPE_A0:
+ out = print_a0(id->val, id);
+ break;
+ case AUPARSE_TYPE_A1:
+ out = print_a1(id->val, id);
+ break;
+ case AUPARSE_TYPE_A2:
+ out = print_a2(id->val, id);
+ break;
+ case AUPARSE_TYPE_A3:
+ out = print_a3(id->val, id);
+ break;
+ case AUPARSE_TYPE_SIGNAL:
+ out = print_signals(id->val, 10);
+ break;
+ case AUPARSE_TYPE_LIST:
+ out = print_list(id->val);
+ break;
+ case AUPARSE_TYPE_TTY_DATA:
+ out = print_tty_data(id->val);
+ break;
+ case AUPARSE_TYPE_SESSION:
+ out = print_session(id->val);
+ break;
+ case AUPARSE_TYPE_CAP_BITMAP:
+ out = print_cap_bitmap(id->val);
+ break;
+ case AUPARSE_TYPE_NFPROTO:
+ out = print_nfproto(id->val);
+ break;
+ case AUPARSE_TYPE_ICMPTYPE:
+ out = print_icmptype(id->val);
+ break;
+ case AUPARSE_TYPE_PROTOCOL:
+ out = print_protocol(id->val);
+ break;
+ case AUPARSE_TYPE_ADDR:
+ out = print_addr(id->val);
+ break;
+ case AUPARSE_TYPE_PERSONALITY:
+ out = print_personality(id->val);
+ break;
+ case AUPARSE_TYPE_SECCOMP:
+ out = print_seccomp_code(id->val);
+ break;
+ case AUPARSE_TYPE_OFLAG:
+ out = print_open_flags(id->val);
+ break;
+ case AUPARSE_TYPE_MMAP:
+ out = print_mmap(id->val);
+ break;
+ case AUPARSE_TYPE_PROCTITLE:
+ out = print_proctitle(id->val);
+ break;
+ case AUPARSE_TYPE_MAC_LABEL:
+ case AUPARSE_TYPE_UNCLASSIFIED:
+ default:
+ out = strdup(id->val);
+ break;
+ }
+
+ if (escape_mode != AUPARSE_ESC_RAW) {
+ unsigned int len = strlen(out);
+ unsigned int cnt = need_escaping(out, len);
+ if (cnt) {
+ char *dest = malloc(len + 1 + (3*cnt));
+ if (dest)
+ escape(out, dest, len);
+ free((void *)out);
+ out = dest;
+ }
+ }
+ return out;
+}
+hidden_def(auparse_do_interpretation)
+
diff --git a/framework/src/audit/auparse/interpret.h b/framework/src/audit/auparse/interpret.h
new file mode 100644
index 00000000..e546452e
--- /dev/null
+++ b/framework/src/audit/auparse/interpret.h
@@ -0,0 +1,54 @@
+/* interpret.h --
+ * Copyright 2007,08 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+#ifndef INTERPRET_HEADER
+#define INTERPRET_HEADER
+
+#include "config.h"
+#include "private.h"
+#include "rnode.h"
+#include <time.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+int lookup_type(const char *name);
+const char *interpret(const rnode *r);
+void aulookup_destroy_uid_list(void);
+void aulookup_destroy_gid_list(void);
+char *au_unescape(char *buf);
+
+/* Make these hidden to prevent conflicts */
+hidden_proto(lookup_type);
+hidden_proto(interpret);
+hidden_proto(aulookup_destroy_uid_list);
+hidden_proto(aulookup_destroy_gid_list);
+hidden_proto(au_unescape);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/framework/src/audit/auparse/ioctlreqtab.h b/framework/src/audit/auparse/ioctlreqtab.h
new file mode 100644
index 00000000..a3301e3e
--- /dev/null
+++ b/framework/src/audit/auparse/ioctlreqtab.h
@@ -0,0 +1,54 @@
+/* ioctlreqtab.h --
+ * Copyright 2014 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+_S(0x4B3A, "KDSETMODE" )
+_S(0x4B3B, "KDGETMODE" )
+_S(0x5309, "CDROMEJECT" )
+_S(0x530F, "CDROMEJECT_SW" )
+_S(0x5311, "CDROM_GET_UPC" )
+_S(0x5316, "CDROMSEEK" )
+_S(0x5401, "TCGETS" )
+_S(0x5402, "TCSETS" )
+_S(0x5403, "TCSETSW" )
+_S(0x5404, "TCSETSF" )
+_S(0x5409, "TCSBRK" )
+_S(0x540B, "TCFLSH" )
+_S(0x540E, "TIOCSCTTY" )
+_S(0x540F, "TIOCGPGRP" )
+_S(0x5410, "TIOCSPGRP" )
+_S(0x5413, "TIOCGWINSZ" )
+_S(0x5414, "TIOCSWINSZ" )
+_S(0x541B, "TIOCINQ" )
+_S(0x5421, "FIONBIO" )
+_S(0x8901, "FIOSETOWN" )
+_S(0x8903, "FIOGETOWN" )
+_S(0x8910, "SIOCGIFNAME" )
+_S(0x8927, "SIOCGIFHWADDR" )
+_S(0x8933, "SIOCGIFINDEX" )
+_S(0x89a2, "SIOCBRADDIF" )
+_S(0x40045431, "TIOCSPTLCK" ) // Need a better fix for these
+_S(0x80045430, "TIOCGPTN" )
+_S(0x80045431, "TIOCSPTLCK" )
+_S(0xC01C64A3, "DRM_IOCTL_MODE_CURSOR" )
+_S(0xC01864B0, "DRM_IOCTL_MODE_PAGE_FLIP" )
+_S(0xC01864B1, "DRM_IOCTL_MODE_DIRTYFB" )
+
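Review bot: Two entries in this table carry the same name "TIOCSPTLCK" with different request codes (0x40045431 on the line marked `// Need a better fix for these`, and 0x80045431 two lines later), so whichever code is looked up prints the same name and a reader cannot tell which one is the real encoding. If the second value is meant to be a different request its name is wrong; if it is a leftover it is dead data. Worth confirming both values against the kernel's ioctl definitions and either correcting the name or extending the comment to say why both encodings are listed, e.g. `// 0x4004xxxx / 0x8004xxxx are the _IOW / _IOR encodings; both kept because the audit record reports the raw value`.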
diff --git a/framework/src/audit/auparse/ip6optnametab.h b/framework/src/audit/auparse/ip6optnametab.h
new file mode 100644
index 00000000..16452af0
--- /dev/null
+++ b/framework/src/audit/auparse/ip6optnametab.h
@@ -0,0 +1,87 @@
+/* ip6optnametab.h --
+ * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/in6.h
+ * include/uapi/linux/netfilter_ipv6/ip6_tables.h
+ */
+
+_S(1, "IPV6_ADDRFORM")
+_S(2, "IPV6_2292PKTINFO")
+_S(3, "IPV6_2292HOPOPTS")
+_S(4, "IPV6_2292DSTOPTS")
+_S(5, "IPV6_2292RTHDR")
+_S(6, "IPV6_2292PKTOPTIONS")
+_S(7, "IPV6_CHECKSUM")
+_S(8, "IPV6_2292HOPLIMIT")
+_S(9, "IPV6_NEXTHOP")
+_S(10, "IPV6_AUTHHDR")
+_S(11, "IPV6_FLOWINFO")
+_S(16, "IPV6_UNICAST_HOPS")
+_S(17, "IPV6_MULTICAST_IF")
+_S(18, "IPV6_MULTICAST_HOPS")
+_S(19, "IPV6_MULTICAST_LOOP")
+_S(20, "IPV6_ADD_MEMBERSHIP")
+_S(21, "IPV6_DROP_MEMBERSHIP")
+_S(22, "IPV6_ROUTER_ALERT")
+_S(23, "IPV6_MTU_DISCOVER")
+_S(24, "IPV6_MTU")
+_S(25, "IPV6_RECVERR")
+_S(26, "IPV6_V6ONLY")
+_S(27, "IPV6_JOIN_ANYCAST")
+_S(28, "IPV6_LEAVE_ANYCAST")
+_S(32, "IPV6_FLOWLABEL_MGR")
+_S(33, "IPV6_FLOWINFO_SEND")
+_S(34, "IPV6_IPSEC_POLICY")
+_S(35, "IPV6_XFRM_POLICY")
+_S(42, "MCAST_JOIN_GROUP")
+_S(43, "MCAST_BLOCK_SOURCE")
+_S(44, "MCAST_UNBLOCK_SOURCE")
+_S(45, "MCAST_LEAVE_GROUP")
+_S(46, "MCAST_JOIN_SOURCE_GROUP")
+_S(47, "MCAST_LEAVE_SOURCE_GROUP")
+_S(48, "MCAST_MSFILTER")
+_S(49, "IPV6_RECVPKTINFO")
+_S(50, "IPV6_PKTINFO")
+_S(51, "IPV6_RECVHOPLIMIT")
+_S(52, "IPV6_HOPLIMIT")
+_S(53, "IPV6_RECVHOPOPTS")
+_S(54, "IPV6_HOPOPTS")
+_S(55, "IPV6_RTHDRDSTOPTS")
+_S(56, "IPV6_RECVRTHDR")
+_S(57, "IPV6_RTHDR")
+_S(58, "IPV6_RECVDSTOPTS")
+_S(59, "IPV6_DSTOPTS")
+_S(60, "IPV6_RECVPATHMTU")
+_S(61, "IPV6_PATHMTU")
+_S(62, "IPV6_DONTFRAG")
+_S(63, "IPV6_USE_MIN_MTU")
+_S(64, "IP6T_SO_SET_REPLACE")
+_S(65, "IP6T_SO_SET_ADD_COUNTERS")
+_S(66, "IPV6_RECVTCLASS")
+_S(67, "IPV6_TCLASS")
+_S(68, "IP6T_SO_GET_REVISION_MATCH")
+_S(69, "IP6T_SO_GET_REVISION_TARGET")
+_S(72, "IPV6_ADDR_PREFERENCES")
+_S(73, "IPV6_MINHOPCOUNT")
+_S(74, "IPV6_ORIGDSTADDR")
+_S(75, "IPV6_TRANSPARENT")
+_S(76, "IPV6_UNICAST_IF")
+_S(80, "IP6T_SO_ORIGINAL_DST")
+
diff --git a/framework/src/audit/auparse/ipccmdtab.h b/framework/src/audit/auparse/ipccmdtab.h
new file mode 100644
index 00000000..97c6bc30
--- /dev/null
+++ b/framework/src/audit/auparse/ipccmdtab.h
@@ -0,0 +1,28 @@
+/* ipccmdtab.h --
+ * Copyright 2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/ipc.h
+ */
+
+
+_S(00001000, "IPC_CREAT" )
+_S(00002000, "IPC_EXCL" )
+_S(00004000, "IPC_NOWAIT" )
+
diff --git a/framework/src/audit/auparse/ipctab.h b/framework/src/audit/auparse/ipctab.h
new file mode 100644
index 00000000..c30eb20c
--- /dev/null
+++ b/framework/src/audit/auparse/ipctab.h
@@ -0,0 +1,37 @@
+/* ipctab.h --
+ * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/ipc.h
+ */
+
+
+_S(SEMOP, "semop" )
+_S(SEMGET, "semget" )
+_S(SEMCTL, "semctl" )
+_S(4, "semtimedop" )
+_S(MSGSND, "msgsnd" )
+_S(MSGRCV, "msgrcv" )
+_S(MSGGET, "msgget" )
+_S(MSGCTL, "msgctl" )
+_S(SHMAT, "shmat" )
+_S(SHMDT, "shmdt" )
+_S(SHMGET, "shmget" )
+_S(SHMCTL, "shmctl" )
+
diff --git a/framework/src/audit/auparse/ipoptnametab.h b/framework/src/audit/auparse/ipoptnametab.h
new file mode 100644
index 00000000..38a9fb80
--- /dev/null
+++ b/framework/src/audit/auparse/ipoptnametab.h
@@ -0,0 +1,70 @@
+/* ipoptnametab.h --
+ * Copyright 2013,2015 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/in.h
+ * include/uapi/linux/netfilter_ipv4/ip_tables.h
+ */
+
+
+_S(1, "IP_TOS")
+_S(2, "IP_TTL")
+_S(3, "IP_HDRINCL")
+_S(4, "IP_OPTIONS")
+_S(5, "IP_ROUTER_ALERT")
+_S(6, "IP_RECVOPTS")
+_S(7, "IP_RETOPTS")
+_S(8, "IP_PKTINFO")
+_S(9, "IP_PKTOPTIONS")
+_S(10, "IP_MTU_DISCOVER")
+_S(11, "IP_RECVERR")
+_S(12, "IP_RECVTTL")
+_S(14, "IP_MTU")
+_S(15, "IP_FREEBIND")
+_S(16, "IP_IPSEC_POLICY")
+_S(17, "IP_XFRM_POLICY")
+_S(18, "IP_PASSSEC")
+_S(19, "IP_TRANSPARENT")
+_S(20, "IP_ORIGDSTADDR")
+_S(21, "IP_MINTTL")
+_S(22, "IP_NODEFRAG")
+_S(23, "IP_CHECKSUM")
+_S(32, "IP_MULTICAST_IF")
+_S(33, "IP_MULTICAST_TTL")
+_S(34, "IP_MULTICAST_LOOP")
+_S(35, "IP_ADD_MEMBERSHIP")
+_S(36, "IP_DROP_MEMBERSHIP")
+_S(37, "IP_UNBLOCK_SOURCE")
+_S(38, "IP_BLOCK_SOURCE")
+_S(39, "IP_ADD_SOURCE_MEMBERSHIP")
+_S(40, "IP_DROP_SOURCE_MEMBERSHIP")
+_S(41, "IP_MSFILTER")
+_S(42, "MCAST_JOIN_GROUP")
+_S(43, "MCAST_BLOCK_SOURCE")
+_S(44, "MCAST_UNBLOCK_SOURCE")
+_S(45, "MCAST_LEAVE_GROUP")
+_S(46, "MCAST_JOIN_SOURCE_GROUP")
+_S(47, "MCAST_LEAVE_SOURCE_GROUP")
+_S(48, "MCAST_MSFILTER")
+_S(49, "IP_MULTICAST_ALL")
+_S(50, "IP_UNICAST_IF")
+_S(64, "IPT_SO_SET_REPLACE")
+_S(65, "IPT_SO_SET_ADD_COUNTERS")
+_S(66, "IPT_SO_GET_REVISION_TARGET")
+
diff --git a/framework/src/audit/auparse/message.c b/framework/src/audit/auparse/message.c
new file mode 100644
index 00000000..45b33c0f
--- /dev/null
+++ b/framework/src/audit/auparse/message.c
@@ -0,0 +1,58 @@
+/* message.c --
+ * Copyright 2004, 2005 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+#include "config.h"
+#include <stdio.h>
+#include <stdarg.h>
+#include "libaudit.h"
+#include "private.h"
+
+/* The message mode refers to where informational messages go
+ 0 - stderr, 1 - syslog, 2 - quiet. The default is quiet. */
+static message_t message_mode = MSG_QUIET;
+static debug_message_t debug_message = DBG_NO;
+
+void set_aumessage_mode(message_t mode, debug_message_t debug)
+{
+ message_mode = mode;
+ debug_message = debug;
+}
+
+void audit_msg(int priority, const char *fmt, ...)
+{
+ va_list ap;
+
+ if (message_mode == MSG_QUIET)
+ return;
+
+ if (priority == LOG_DEBUG && debug_message == DBG_NO)
+ return;
+
+ va_start(ap, fmt);
+ if (message_mode == MSG_SYSLOG)
+ vsyslog(priority, fmt, ap);
+ else {
+ vfprintf(stderr, fmt, ap);
+ fputc('\n', stderr);
+ }
+ va_end( ap );
+}
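Review bot: `audit_msg` hands the caller-supplied `fmt` straight to `vsyslog` and `vfprintf` without any compile-time format checking in this file; unless the prototype in private.h already carries it, the declaration should have `__attribute__((format(printf, 2, 3)))` so mismatched or non-literal format strings from callers are diagnosed rather than silently passed to the logger. Separately, `vsyslog` and `LOG_DEBUG` are used but `<syslog.h>` is not included here; presumably it arrives via libaudit.h or private.h, but an explicit `#include <syslog.h>` would make the dependency visible. The header comment "0 - stderr, 1 - syslog, 2 - quiet" describes numeric values while the code uses the `message_t` enumerators, so it would read better as `/* Where informational messages go: MSG_STDERR, MSG_SYSLOG or MSG_QUIET (the default). */`.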
diff --git a/framework/src/audit/auparse/mmaptab.h b/framework/src/audit/auparse/mmaptab.h
new file mode 100644
index 00000000..9bd5ef5a
--- /dev/null
+++ b/framework/src/audit/auparse/mmaptab.h
@@ -0,0 +1,40 @@
+/* mmaptab.h --
+ * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/asm-generic/mman.h >0x100
+ * include/uapi/asm-generic/mman-common.h < 0x100
+ * NOTE: If this is updated, also update interpret.c:print_mmap()
+ */
+
+_S(0x00001, "MAP_SHARED" )
+_S(0x00002, "MAP_PRIVATE" )
+_S(0x00010, "MAP_FIXED" )
+_S(0x00020, "MAP_ANONYMOUS" )
+_S(0x00040, "MAP_32BIT" )
+_S(0x00100, "MAP_GROWSDOWN" )
+_S(0x00800, "MAP_DENYWRITE" )
+_S(0x01000, "MAP_EXECUTABLE" )
+_S(0x02000, "MAP_LOCKED" )
+_S(0x04000, "MAP_NORESERVE" )
+_S(0x08000, "MAP_POPULATE" )
+_S(0x10000, "MAP_NONBLOCK" )
+_S(0x20000, "MAP_STACK" )
+_S(0x40000, "MAP_HUGETLB" )
+
diff --git a/framework/src/audit/auparse/mounttab.h b/framework/src/audit/auparse/mounttab.h
new file mode 100644
index 00000000..ce98a998
--- /dev/null
+++ b/framework/src/audit/auparse/mounttab.h
@@ -0,0 +1,53 @@
+/* mounttab.h --
+ * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/fs.h
+ * NOTE: When updating this table, update interpret.c:print_mount()
+ */
+
+_S(MS_RDONLY, "MS_RDONLY")
+_S(MS_NOSUID, "MS_NOSUID")
+_S(MS_NODEV, "MS_NODEV" )
+_S(MS_NOEXEC, "MS_NOEXEC")
+_S(MS_SYNCHRONOUS, "MS_SYNCHRONOUS")
+_S(MS_REMOUNT, "MS_REMOUNT")
+_S(MS_MANDLOCK, "MS_MANDLOCK")
+_S(MS_DIRSYNC, "MS_DIRSYNC")
+_S(MS_NOATIME, "MS_NOATIME")
+_S(MS_NODIRATIME, "MS_NODIRATIME")
+_S(MS_BIND, "MS_BIND")
+_S(MS_MOVE, "MS_MOVE")
+_S(MS_REC, "MS_REC")
+_S(MS_SILENT, "MS_SILENT")
+_S(MS_POSIXACL, "MS_POSIXACL")
+_S(MS_UNBINDABLE, "MS_UNBINDABLE")
+_S(MS_PRIVATE, "MS_PRIVATE")
+_S(MS_SLAVE, "MS_SLAVE")
+_S(MS_SHARED, "MS_SHARED")
+_S(MS_RELATIME, "MS_RELATIME")
+_S(MS_KERNMOUNT, "MS_KERNMOUNT")
+_S(MS_I_VERSION, "MS_I_VERSION")
+_S((1<<24), "MS_STRICTATIME")
+_S((1<<27), "MS_SNAP_STABLE")
+_S((1<<28), "MS_NOSEC")
+_S((1<<29), "MS_BORN")
+_S(MS_ACTIVE, "MS_ACTIVE")
+_S(MS_NOUSER, "MS_NOUSER")
+
diff --git a/framework/src/audit/auparse/nfprototab.h b/framework/src/audit/auparse/nfprototab.h
new file mode 100644
index 00000000..eab43370
--- /dev/null
+++ b/framework/src/audit/auparse/nfprototab.h
@@ -0,0 +1,31 @@
+/* nfprototab.h --
+ * Copyright 2011-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/netfilter.h
+ */
+
+_S(0, "unspecified" )
+_S(1, "inet" )
+_S(2, "ipv4" )
+_S(3, "arp" )
+_S(7, "bridge" )
+_S(10, "ipv6" )
+_S(12, "decnet" )
+
diff --git a/framework/src/audit/auparse/nvlist.c b/framework/src/audit/auparse/nvlist.c
new file mode 100644
index 00000000..66e7ff8c
--- /dev/null
+++ b/framework/src/audit/auparse/nvlist.c
@@ -0,0 +1,137 @@
+/*
+* nvlist.c - Minimal linked list library for name-value pairs
+* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#include "config.h"
+#include <stdlib.h>
+#include <string.h>
+#include "nvlist.h"
+#include "interpret.h"
+#include "auparse-idata.h"
+
+
+void nvlist_create(nvlist *l)
+{
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+}
+
+static void nvlist_last(nvlist *l)
+{
+ register nvnode* window;
+
+ if (l->head == NULL)
+ return;
+
+ window = l->head;
+ while (window->next)
+ window = window->next;
+ l->cur = window;
+}
+
+nvnode *nvlist_next(nvlist *l)
+{
+ if (l->cur)
+ l->cur = l->cur->next;
+ return l->cur;
+}
+
+void nvlist_append(nvlist *l, nvnode *node)
+{
+ nvnode* newnode = malloc(sizeof(nvnode));
+
+ newnode->name = node->name;
+ newnode->val = node->val;
+ newnode->interp_val = NULL;
+ newnode->item = l->cnt;
+ newnode->next = NULL;
+
+ // if we are at top, fix this up
+ if (l->head == NULL)
+ l->head = newnode;
+ else { // Otherwise add pointer to newnode
+ if (l->cnt == (l->cur->item+1)) {
+ l->cur->next = newnode;
+ }
+ else {
+ nvlist_last(l);
+ l->cur->next = newnode;
+ }
+ }
+
+ // make newnode current
+ l->cur = newnode;
+ l->cnt++;
+}
+
+/*
+ * This function will start at current index and scan for a name
+ */
+int nvlist_find_name(nvlist *l, const char *name)
+{
+ register nvnode* window = l->cur;
+
+ while (window) {
+ if (strcmp(window->name, name) == 0) {
+ l->cur = window;
+ return 1;
+ }
+ else
+ window = window->next;
+ }
+ return 0;
+}
+
+extern int interp_adjust_type(int rtype, const char *name, const char *val);
+int nvlist_get_cur_type(const rnode *r)
+{
+ const nvlist *l = &r->nv;
+ return auparse_interp_adjust_type(r->type, l->cur->name, l->cur->val);
+}
+
+const char *nvlist_interp_cur_val(const rnode *r)
+{
+ const nvlist *l = &r->nv;
+ if (l->cur->interp_val)
+ return l->cur->interp_val;
+ return interpret(r);
+}
+
+void nvlist_clear(nvlist* l)
+{
+ nvnode* nextnode;
+ register nvnode* current;
+
+ current = l->head;
+ while (current) {
+ nextnode=current->next;
+ free(current->name);
+ free(current->val);
+ free(current->interp_val);
+ free(current);
+ current=nextnode;
+ }
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+}
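Review bot: `nvlist_append` dereferences `l->cur` on the `l->cnt == (l->cur->item+1)` line whenever the list is non-empty, but `nvlist_next` sets `cur` to NULL once iteration runs past the last node, so appending after a full traversal crashes; guard it as `if (l->cur && l->cnt == (l->cur->item+1))` so the `nvlist_last` fallback is taken instead. The `malloc` in the same function is also unchecked before `newnode->name` is written, so an allocation failure becomes a NULL write; at minimum `if (newnode == NULL) return;` keeps the list intact. The `extern int interp_adjust_type(...)` line above `nvlist_get_cur_type` declares a function that is never called (the body calls `auparse_interp_adjust_type`), so it is stale and should be removed or replaced by the real prototype from the header that provides it.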
diff --git a/framework/src/audit/auparse/nvlist.h b/framework/src/audit/auparse/nvlist.h
new file mode 100644
index 00000000..2924ddc6
--- /dev/null
+++ b/framework/src/audit/auparse/nvlist.h
@@ -0,0 +1,51 @@
+/*
+* nvlist.h - Header file for nvlist.c
+* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#ifndef NVLIST_HEADER
+#define NVLIST_HEADER
+
+#include "config.h"
+#include "private.h"
+#include <sys/types.h>
+#include "rnode.h"
+#include "ellist.h"
+
+
+void nvlist_create(nvlist *l) hidden;
+void nvlist_clear(nvlist* l) hidden;
+static inline unsigned int nvlist_get_cnt(nvlist *l) { return l->cnt; }
+static inline void nvlist_first(nvlist *l) { l->cur = l->head; }
+static inline nvnode *nvlist_get_cur(const nvlist *l) { return l->cur; }
+nvnode *nvlist_next(nvlist *l) hidden;
+static inline const char *nvlist_get_cur_name(const nvlist *l) {if (l->cur) return l->cur->name; else return NULL;}
+static inline const char *nvlist_get_cur_val(const nvlist *l) {if (l->cur) return l->cur->val; else return NULL;}
+static inline const char *nvlist_get_cur_val_interp(const nvlist *l) {if (l->cur) return l->cur->interp_val; else return NULL;}
+int nvlist_get_cur_type(const rnode *r) hidden;
+const char *nvlist_interp_cur_val(const rnode *r) hidden;
+void nvlist_append(nvlist *l, nvnode *node) hidden;
+
+/* Given a numeric index, find that record. */
+int nvlist_find_name(nvlist *l, const char *name) hidden;
+
+#endif
+
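Review bot: The comment above `nvlist_find_name` says "Given a numeric index, find that record." but the function takes a name, not an index, and the implementation in nvlist.c scans forward from the current node rather than from the head; the comment should say so, e.g. `/* Starting at the current node, scan forward for the first node whose name matches; on success cur is moved to it and 1 is returned, otherwise 0. */`. The inline getters that return NULL when `cur` is unset would also benefit from a one-line note that `nvlist_get_cnt` and `nvlist_first` do not guard against a NULL list pointer, since the rest of the API is written defensively.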
diff --git a/framework/src/audit/auparse/nvpair.c b/framework/src/audit/auparse/nvpair.c
new file mode 100644
index 00000000..467d1546
--- /dev/null
+++ b/framework/src/audit/auparse/nvpair.c
@@ -0,0 +1,89 @@
+/*
+* nvpair.c - Minimal linked list library for name-value pairs
+* Copyright (c) 2007-08 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#include "config.h"
+#include <stdlib.h>
+#include "nvpair.h"
+
+
+void nvpair_create(nvpair *l)
+{
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+}
+
+void nvpair_append(nvpair *l, nvpnode *node)
+{
+ nvpnode* newnode = malloc(sizeof(nvpnode));
+
+ newnode->name = node->name;
+ newnode->val = node->val;
+ newnode->next = NULL;
+
+ // if we are at top, fix this up
+ if (l->head == NULL)
+ l->head = newnode;
+ else { // Otherwise add pointer to newnode
+ while (l->cur->next)
+ l->cur = l->cur->next;
+ l->cur->next = newnode;
+ }
+
+ // make newnode current
+ l->cur = newnode;
+ l->cnt++;
+}
+
+int nvpair_find_val(nvpair *l, long val)
+{
+ register nvpnode* window = l->head;
+
+ while (window) {
+ if (window->val == val) {
+ l->cur = window;
+ return 1;
+ }
+ else
+ window = window->next;
+ }
+ return 0;
+}
+
+void nvpair_clear(nvpair *l)
+{
+ nvpnode* nextnode;
+ register nvpnode* current;
+
+ current = l->head;
+ while (current) {
+ nextnode=current->next;
+ free(current->name);
+ free(current);
+ current=nextnode;
+ }
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+}
+
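Review bot: `nvpair_append` writes `newnode->name` immediately after `malloc` without checking for NULL, so an allocation failure is a NULL-pointer write rather than a reported error; add `if (newnode == NULL) return;` before the field assignments (the same pattern appears in nvlist.c). The function also takes ownership of `node->name` by pointer, which `nvpair_clear` later frees, so a short comment on the append, e.g. `// Takes ownership of node->name; it is freed by nvpair_clear`, would make the contract visible to callers. The walk `while (l->cur->next)` relies on `cur` being non-NULL whenever `head` is, which holds for the functions in this file but is not enforced.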
diff --git a/framework/src/audit/auparse/nvpair.h b/framework/src/audit/auparse/nvpair.h
new file mode 100644
index 00000000..2ea7f635
--- /dev/null
+++ b/framework/src/audit/auparse/nvpair.h
@@ -0,0 +1,56 @@
+/*
+* nvpair.h - Header file for nvpair.c
+* Copyright (c) 2007-08 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#ifndef NVPAIR_HEADER
+#define NVPAIR_HEADER
+
+#include "config.h"
+#include "private.h"
+#include <sys/types.h>
+
+/* This is the node of the linked list. Any data elements that are
+ * per item goes here. */
+typedef struct _nvpnode{
+ char *name; // The name string
+ long val; // The value field
+ struct _nvpnode* next; // Next nvpair node pointer
+} nvpnode;
+
+/* This is the linked list head. Only data elements that are 1 per
+ * event goes here. */
+typedef struct {
+ nvpnode *head; // List head
+ nvpnode *cur; // Pointer to current node
+ unsigned int cnt; // How many items in this list
+} nvpair;
+
+void nvpair_create(nvpair *l) hidden;
+static inline void nvpair_first(nvpair *l) { l->cur = l->head; }
+static inline nvpnode *nvpair_get_cur(nvpair *l) { return l->cur; }
+void nvpair_append(nvpair *l, nvpnode *node) hidden;
+void nvpair_clear(nvpair *l) hidden;
+int nvpair_find_val(nvpair *l, long val) hidden;
+
+
+#endif
+
diff --git a/framework/src/audit/auparse/open-flagtab.h b/framework/src/audit/auparse/open-flagtab.h
new file mode 100644
index 00000000..42bc9950
--- /dev/null
+++ b/framework/src/audit/auparse/open-flagtab.h
@@ -0,0 +1,44 @@
+/* open-flagtab.h --
+ * Copyright 2007,2012-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/asm-generic/fcntl.h
+ * NOTE: When updating this table, update interpret.c:print_open_flags()
+ */
+
+// Handled in the code: _S(00, "O_RDONLY" )
+_S(01, "O_WRONLY" )
+_S(02, "O_RDWR" )
+_S(0100, "O_CREAT")
+_S(0200, "O_EXCL" )
+_S(0400, "O_NOCTTY" )
+_S(01000, "O_TRUNC" )
+_S(02000, "O_APPEND" )
+_S(04000, "O_NONBLOCK" )
+_S(010000, "O_DSYNC" )
+_S(020000, "O_ASYNC" )
+_S(040000, "O_DIRECT" )
+_S(0200000, "O_DIRECTORY" )
+_S(0400000, "O_NOFOLLOW" )
+_S(01000000, "O_NOATIME" )
+_S(02000000, "O_CLOEXEC")
+_S(04000000, "__O_SYNC")
+_S(010000000, "O_PATH")
+_S(020000000, "__O_TMPFILE")
+
diff --git a/framework/src/audit/auparse/persontab.h b/framework/src/audit/auparse/persontab.h
new file mode 100644
index 00000000..a1957653
--- /dev/null
+++ b/framework/src/audit/auparse/persontab.h
@@ -0,0 +1,45 @@
+/* persontab.h --
+ * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/personality.h
+ */
+
+_S(0x0000, "PER_LINUX")
+_S(0x0000 | ADDR_LIMIT_32BIT, "PER_LINUX_32BIT")
+_S(0x0001 | STICKY_TIMEOUTS | MMAP_PAGE_ZERO, "PER_SVR4")
+_S(0x0002 | STICKY_TIMEOUTS | SHORT_INODE, "PER_SVR3")
+_S(0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS | SHORT_INODE, "PER_SCOSVR3")
+_S(0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS, "PER_OSR5")
+_S(0x0004 | STICKY_TIMEOUTS | SHORT_INODE, "PER_WYSEV386")
+_S(0x0005 | STICKY_TIMEOUTS, "PER_ISCR4")
+_S(0x0006, "PER_BSD")
+_S(0x0006 | STICKY_TIMEOUTS, "PER_SUNOS")
+_S(0x0007 | STICKY_TIMEOUTS | SHORT_INODE, "PER_XENIX")
+_S(0x0008, "PER_LINUX32")
+_S(0x0008 | ADDR_LIMIT_3GB, "PER_LINUX32_3GB")
+_S(0x0009 | STICKY_TIMEOUTS, "PER_IRIX32")
+_S(0x000a | STICKY_TIMEOUTS, "PER_IRIXN32")
+_S(0x000b | STICKY_TIMEOUTS, "PER_IRIX64")
+_S(0x000c, "PER_RISCOS")
+_S(0x000d | STICKY_TIMEOUTS, "PER_SOLARIS")
+_S(0x000e | STICKY_TIMEOUTS | MMAP_PAGE_ZERO, "PER_UW7")
+_S(0x000f, "PER_OSF4")
+_S(0x0010, "PER_HPUX")
+
diff --git a/framework/src/audit/auparse/pktoptnametab.h b/framework/src/audit/auparse/pktoptnametab.h
new file mode 100644
index 00000000..d532a59d
--- /dev/null
+++ b/framework/src/audit/auparse/pktoptnametab.h
@@ -0,0 +1,43 @@
+/* pktoptnametab.h --
+ * Copyright 2013-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/if_packet.h
+ */
+
+_S(1, "PACKET_ADD_MEMBERSHIP")
+_S(2, "PACKET_DROP_MEMBERSHIP")
+_S(3, "PACKET_RECV_OUTPUT")
+_S(5, "PACKET_RX_RING")
+_S(6, "PACKET_STATISTICS")
+_S(7, "PACKET_COPY_THRESH")
+_S(8, "PACKET_AUXDATA")
+_S(9, "PACKET_ORIGDEV")
+_S(10, "PACKET_VERSION")
+_S(11, "PACKET_HDRLEN")
+_S(12, "PACKET_RESERVE")
+_S(13, "PACKET_TX_RING")
+_S(14, "PACKET_LOSS")
+_S(15, "PACKET_VNET_HDR")
+_S(16, "PACKET_TX_TIMESTAMP")
+_S(17, "PACKET_TIMESTAMP")
+_S(18, "PACKET_FANOUT")
+_S(19, "PACKET_TX_HAS_OFF")
+_S(20, "PACKET_QDISC_BYPASS")
+
diff --git a/framework/src/audit/auparse/prctl-opt-tab.h b/framework/src/audit/auparse/prctl-opt-tab.h
new file mode 100644
index 00000000..0285a88d
--- /dev/null
+++ b/framework/src/audit/auparse/prctl-opt-tab.h
@@ -0,0 +1,68 @@
+/* prctl-opt-tab.h --
+ * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/prctl.h
+ */
+
+_S(1, "PR_SET_PDEATHSIG")
+_S(2, "PR_GET_PDEATHSIG")
+_S(3, "PR_GET_DUMPABLE")
+_S(4, "PR_SET_DUMPABLE")
+_S(5, "PR_GET_UNALIGN")
+_S(6, "PR_SET_UNALIGN")
+_S(7, "PR_GET_KEEPCAPS")
+_S(8, "PR_SET_KEEPCAPS")
+_S(9, "PR_GET_FPEMU")
+_S(10, "PR_SET_FPEMU")
+_S(11, "PR_GET_FPEXC")
+_S(12, "PR_SET_FPEXC")
+_S(13, "PR_GET_TIMING")
+_S(14, "PR_SET_TIMING")
+_S(15, "PR_SET_NAME")
+_S(16, "PR_GET_NAME")
+_S(19, "PR_GET_ENDIAN")
+_S(20, "PR_SET_ENDIAN")
+_S(21, "PR_GET_SECCOMP")
+_S(22, "PR_SET_SECCOMP")
+_S(23, "PR_CAPBSET_READ")
+_S(24, "PR_CAPBSET_DROP")
+_S(25, "PR_GET_TSC")
+_S(26, "PR_SET_TSC")
+_S(27, "PR_GET_SECUREBITS")
+_S(28, "PR_SET_SECUREBITS")
+_S(29, "PR_SET_TIMERSLACK")
+_S(30, "PR_GET_TIMERSLACK")
+_S(31, "PR_TASK_PERF_EVENTS_DISABLE")
+_S(32, "PR_TASK_PERF_EVENTS_ENABLE")
+_S(33, "PR_MCE_KILL")
+_S(34, "PR_MCE_KILL_GET")
+_S(35, "PR_SET_MM")
+_S(36, "PR_SET_CHILD_SUBREAPER")
+_S(37, "PR_GET_CHILD_SUBREAPER")
+_S(38, "PR_SET_NO_NEW_PRIVS")
+_S(39, "PR_GET_NO_NEW_PRIVS")
+_S(40, "PR_GET_TID_ADDRESS")
+_S(41, "PR_SET_THP_DISABLE")
+_S(42, "PR_GET_THP_DISABLE")
+_S(43, "PR_MPX_ENABLE_MANAGEMENT")
+_S(44, "PR_MPX_DISABLE_MANAGEMENT")
+_S(45, "PR_SET_FP_MODE")
+_S(46, "PR_GET_FP_MODE")
+
diff --git a/framework/src/audit/auparse/private.h b/framework/src/audit/auparse/private.h
new file mode 100644
index 00000000..c0a0da9c
--- /dev/null
+++ b/framework/src/audit/auparse/private.h
@@ -0,0 +1,54 @@
+/* private.h --
+ * Copyright 2007,2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+#ifndef _PRIVATE_H_
+#define _PRIVATE_H_
+
+#include "auparse.h"
+#include "libaudit.h"
+#include "dso.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Internal syslog messaging */
+#define audit_msg auparse_msg
+#define set_aumessage_mode set_aup_message_mode
+void auparse_msg(int priority, const char *fmt, ...) hidden
+#ifdef __GNUC__
+ __attribute__ ((format (printf, 2, 3)));
+#else
+ ;
+#endif
+void set_aumessage_mode(message_t mode, debug_message_t debug) hidden;
+
+char *audit_strsplit_r(char *s, char **savedpp);
+char *audit_strsplit(char *s);
+hidden_proto(audit_strsplit_r)
+hidden_proto(audit_strsplit)
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/framework/src/audit/auparse/prottab.h b/framework/src/audit/auparse/prottab.h
new file mode 100644
index 00000000..e0edeb84
--- /dev/null
+++ b/framework/src/audit/auparse/prottab.h
@@ -0,0 +1,28 @@
+/* prottab.h --
+ * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/asm-generic/mman-common.h
+ */
+
+_S(1, "PROT_READ" )
+_S(2, "PROT_WRITE" )
+_S(4, "PROT_EXEC" )
+_S(8, "PROT_SEM" )
+
diff --git a/framework/src/audit/auparse/ptracetab.h b/framework/src/audit/auparse/ptracetab.h
new file mode 100644
index 00000000..11698ab7
--- /dev/null
+++ b/framework/src/audit/auparse/ptracetab.h
@@ -0,0 +1,55 @@
+/* ptracetab.h --
+ * Copyright 2012-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/ptrace.h
+ */
+
+_S(0, "PTRACE_TRACEME" )
+_S(1, "PTRACE_PEEKTEXT" )
+_S(2, "PTRACE_PEEKDATA" )
+_S(3, "PTRACE_PEEKUSER" )
+_S(4, "PTRACE_POKETEXT" )
+_S(5, "PTRACE_POKEDATA" )
+_S(6, "PTRACE_POKEUSER" )
+_S(7, "PTRACE_CONT" )
+_S(8, "PTRACE_KILL" )
+_S(9, "PTRACE_SINGLESTEP" )
+_S(12, "PTRACE_GETREGS" )
+_S(13, "PTRACE_SETREGS" )
+_S(14, "PTRACE_GETFPREGS" )
+_S(15, "PTRACE_SETFPREGS" )
+_S(16, "PTRACE_ATTACH" )
+_S(17, "PTRACE_DETACH" )
+_S(18, "PTRACE_GETFPXREGS" )
+_S(19, "PTRACE_SETFPXREGS" )
+_S(24, "PTRACE_SYSCALL" )
+_S(0x4200, "PTRACE_SETOPTIONS" )
+_S(0x4201, "PTRACE_GETEVENTMSG" )
+_S(0x4202, "PTRACE_GETSIGINFO" )
+_S(0x4203, "PTRACE_SETSIGINFO" )
+_S(0x4204, "PTRACE_GETREGSET" )
+_S(0x4205, "PTRACE_SETREGSET" )
+_S(0x4206, "PTRACE_SEIZE" )
+_S(0x4207, "PTRACE_INTERRUPT" )
+_S(0x4208, "PTRACE_LISTEN" )
+_S(0x4209, "PTRACE_PEEKSIGINFO" )
+_S(0x420a, "PTRACE_GETSIGMASK" )
+_S(0x420b, "PTRACE_SETSIGMASK" )
+
diff --git a/framework/src/audit/auparse/recvtab.h b/framework/src/audit/auparse/recvtab.h
new file mode 100644
index 00000000..af201ab9
--- /dev/null
+++ b/framework/src/audit/auparse/recvtab.h
@@ -0,0 +1,46 @@
+/* recvtab.h --
+ * Copyright 2012-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/socket.h
+ * NOTE: If any update are made, update buffer size in interpret.c:print_recv()
+ */
+
+_S(0x00000001, "MSG_OOB")
+_S(0x00000002, "MSG_PEEK")
+_S(0x00000004, "MSG_DONTROUTE")
+_S(0x00000008, "MSG_CTRUNC")
+_S(0x00000010, "MSG_PROXY")
+_S(0x00000020, "MSG_TRUNC")
+_S(0x00000040, "MSG_DONTWAIT")
+_S(0x00000080, "MSG_EOR")
+_S(0x00000100, "MSG_WAITALL")
+_S(0x00000200, "MSG_FIN")
+_S(0x00000400, "MSG_SYN")
+_S(0x00000800, "MSG_CONFIRM")
+_S(0x00001000, "MSG_RST")
+_S(0x00002000, "MSG_ERRQUEUE")
+_S(0x00004000, "MSG_NOSIGNAL")
+_S(0x00008000, "MSG_MORE")
+_S(0x00010000, "MSG_WAITFORONE")
+_S(0x00020000, "MSG_SENDPAGE_NOTLAST")
+_S(0x20000000, "MSG_FASTOPEN")
+_S(0x40000000, "MSG_CMSG_CLOEXEC")
+_S(0x80000000, "MSG_CMSG_COMPAT")
+
diff --git a/framework/src/audit/auparse/rlimittab.h b/framework/src/audit/auparse/rlimittab.h
new file mode 100644
index 00000000..3efd22f0
--- /dev/null
+++ b/framework/src/audit/auparse/rlimittab.h
@@ -0,0 +1,40 @@
+/* rlimittab.h --
+ * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/asm-generic/resource.h
+ */
+
+ _S(0, "RLIMIT_CPU")
+ _S(1, "RLIMIT_FSIZE")
+ _S(2, "RLIMIT_DATA")
+ _S(3, "RLIMIT_STACK")
+ _S(4, "RLIMIT_CORE")
+ _S(5, "RLIMIT_RSS")
+ _S(6, "RLIMIT_NPROC")
+ _S(7, "RLIMIT_NOFILE")
+ _S(8, "RLIMIT_MEMLOCK")
+ _S(9, "RLIMIT_AS")
+ _S(10,"RLIMIT_LOCKS")
+ _S(11,"RLIMIT_SIGPENDING")
+ _S(12,"RLIMIT_MSGQUEUE")
+ _S(13,"RLIMIT_NICE")
+ _S(14,"RLIMIT_RTPRIO")
+ _S(15,"RLIMIT_RTTIME")
+
diff --git a/framework/src/audit/auparse/rnode.h b/framework/src/audit/auparse/rnode.h
new file mode 100644
index 00000000..2c871c95
--- /dev/null
+++ b/framework/src/audit/auparse/rnode.h
@@ -0,0 +1,63 @@
+
+/* rnode.h --
+ * Copyright 2007 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+#ifndef RNODE_HEADER
+#define RNODE_HEADER
+
+/* This is the node of the linked list. Any data elements that are
+ * per item goes here. */
+typedef struct _nvnode{
+ char *name; // The name string
+ char *val; // The value field
+ char *interp_val; // The value field interpretted
+ unsigned int item; // Which item of the same event
+ struct _nvnode* next; // Next nvpair node pointer
+} nvnode;
+
+/* This is the linked list head. Only data elements that are 1 per
+ * event goes here. */
+typedef struct {
+ nvnode *head; // List head
+ nvnode *cur; // Pointer to current node
+ unsigned int cnt; // How many items in this list
+} nvlist;
+
+
+/* This is the node of the linked list. Any data elements that are per
+ * * item goes here. */
+typedef struct _rnode{
+ char *record; // The whole unparsed record
+ int type; // record type (KERNEL, USER, LOGIN, etc)
+ int machine; // The machine type for the event
+ int syscall; // The syscall for the event
+ unsigned long long a0; // arg 0 to the syscall
+ unsigned long long a1; // arg 1 to the syscall
+ nvlist nv; // name-value linked list of parsed elements
+ unsigned int item; // Which item of the same event
+ int list_idx; // The index into the source list, points to where record was found
+ unsigned int line_number; // The line number where record was found
+ struct _rnode* next; // Next record node pointer
+} rnode;
+
+#endif
+
diff --git a/framework/src/audit/auparse/schedtab.h b/framework/src/audit/auparse/schedtab.h
new file mode 100644
index 00000000..90e0e7d5
--- /dev/null
+++ b/framework/src/audit/auparse/schedtab.h
@@ -0,0 +1,31 @@
+/* schedtab.h --
+ * Copyright 2013-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/sched.h
+ */
+
+
+_S(0, "SCHED_OTHER" )
+_S(1, "SCHED_FIFO" )
+_S(2, "SCHED_RR" )
+_S(3, "SCHED_BATCH" )
+_S(5, "SCHED_IDLE" )
+_S(6, "SCHED_DEADLINE")
+
diff --git a/framework/src/audit/auparse/seccomptab.h b/framework/src/audit/auparse/seccomptab.h
new file mode 100644
index 00000000..3fd5aff9
--- /dev/null
+++ b/framework/src/audit/auparse/seccomptab.h
@@ -0,0 +1,30 @@
+/* seccomptab.h --
+ * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/seccomp.h
+ */
+
+
+_S(0x00000000U, "kill" )
+_S(0x00030000U, "trap" )
+_S(0x00050000U, "errno" )
+_S(0x7ff00000U, "trace" )
+_S(0x7fff0000U, "allow" )
+
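Review bot: The keys in this table are only the SECCOMP_RET_ACTION bits (0x7fff0000), but the kernel packs extra data into the low 16 bits for the errno and trace actions (SECCOMP_RET_DATA), so a lookup on the raw value from an audit record would miss "errno" whenever the errno is non-zero. I cannot see the caller in interpret.c from this diff, so it may already mask the value; either way the table should say so, since it is the only place a maintainer adding an action will look. I would add above the first entry: `/* Keys are the SECCOMP_RET_ACTION bits only; the caller must mask off SECCOMP_RET_DATA (low 16 bits) before lookup. */`. The lowercase names also differ from every other table in this series, which is fine if it is the intended output format but deserves a one-line note.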
diff --git a/framework/src/audit/auparse/seektab.h b/framework/src/audit/auparse/seektab.h
new file mode 100644
index 00000000..118d5fc6
--- /dev/null
+++ b/framework/src/audit/auparse/seektab.h
@@ -0,0 +1,29 @@
+/* seektab.h --
+ * Copyright 2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/fs.h
+ */
+
+_S(0, "SEEK_SET")
+_S(1, "SEEK_CUR")
+_S(2, "SEEK_END")
+_S(3, "SEEK_DATA")
+_S(4, "SEEK_HOLE")
+
diff --git a/framework/src/audit/auparse/shm_modetab.h b/framework/src/audit/auparse/shm_modetab.h
new file mode 100644
index 00000000..10b5b108
--- /dev/null
+++ b/framework/src/audit/auparse/shm_modetab.h
@@ -0,0 +1,29 @@
+/* shm_mode.h --
+ * Copyright 2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/shm.h
+ */
+
+
+_S(00001000, "SHM_DEST" )
+_S(00002000, "SHM_LOCKED" )
+_S(00004000, "SHM_HUGETLB" )
+_S(00010000, "SHM_NORESERVE" )
+
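Review bot: The four values are octal literals (leading zero, matching the kernel's `01000`/`02000`/`04000`/`010000` definitions), which is easy to misread as decimal and easy to get wrong when a new flag is appended; a comment would prevent a silent mismatch against the kernel. I would add before the entries: `/* Values are octal, as written in include/linux/shm.h (SHM_DEST == 01000). */`. The header banner also names the file `shm_mode.h` while the file is `shm_modetab.h`; the first line should read `/* shm_modetab.h --`.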
diff --git a/framework/src/audit/auparse/signaltab.h b/framework/src/audit/auparse/signaltab.h
new file mode 100644
index 00000000..173ad9f2
--- /dev/null
+++ b/framework/src/audit/auparse/signaltab.h
@@ -0,0 +1,56 @@
+/* signaltab.h --
+ * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/asm-generic/signal.h
+ */
+
+_S(0, "SIG0" )
+_S(1, "SIGHUP" )
+_S(2, "SIGINT" )
+_S(3, "SIGQUIT" )
+_S(4, "SIGILL" )
+_S(5, "SIGTRAP" )
+_S(6, "SIGABRT" )
+_S(7, "SIGBUS" )
+_S(8, "SIGFPE" )
+_S(9, "SIGKILL" )
+_S(10, "SIGUSR1" )
+_S(11, "SIGSEGV" )
+_S(12, "SIGUSR2" )
+_S(13, "SIGPIPE" )
+_S(14, "SIGALRM" )
+_S(15, "SIGTERM" )
+_S(16, "SIGSTKFLT" )
+_S(17, "SIGCHLD" )
+_S(18, "SIGCONT" )
+_S(19, "SIGSTOP" )
+_S(20, "SIGTSTP" )
+_S(21, "SIGTTIN" )
+_S(22, "SIGTTOU" )
+_S(23, "SIGURG" )
+_S(24, "SIGXCPU" )
+_S(25, "SIGXFSZ" )
+_S(26, "SIGVTALRM" )
+_S(27, "SIGPROF" )
+_S(28, "SIGWINCH" )
+_S(29, "SIGIO" )
+_S(30, "IGPWR" )
+_S(31, "SIGSYS" )
+
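Review bot: Entry 30 is misspelled as `"IGPWR"`, so an interpreted signal 30 prints without its SIG prefix and any name-to-number lookup for SIGPWR fails; it should be `_S(30, "SIGPWR" )`. The numbering here (SIGSTKFLT = 16, SIGPWR = 30, SIGSYS = 31) is the asm-generic/x86 layout; architectures with their own signal.h (alpha, sparc, mips) number several of these differently, so records from such machines would be mislabelled if the caller does not select by arch. A short comment stating that the table assumes the asm-generic numbering would make that limitation visible to anyone reading a cross-arch log.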
diff --git a/framework/src/audit/auparse/sockleveltab.h b/framework/src/audit/auparse/sockleveltab.h
new file mode 100644
index 00000000..bf376ade
--- /dev/null
+++ b/framework/src/audit/auparse/sockleveltab.h
@@ -0,0 +1,56 @@
+/* sockleveltab.h --
+ * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/socket.h
+ */
+
+
+_S(0, "SOL_IP")
+_S(6, "SOL_TCP")
+_S(17, "SOL_UDP")
+_S(41, "SOL_IPV6")
+_S(58, "SOL_ICMPV6")
+_S(132, "SOL_SCTP")
+_S(136, "SOL_UDPLITE")
+_S(255, "SOL_RAW")
+_S(256, "SOL_IPX")
+_S(257, "SOL_AX25")
+_S(258, "SOL_ATALK")
+_S(259, "SOL_NETROM")
+_S(260, "SOL_ROSE")
+_S(261, "SOL_DECNET")
+_S(263, "SOL_PACKET")
+_S(264, "SOL_ATM")
+_S(265, "SOL_AAL")
+_S(266, "SOL_IRDA")
+_S(267, "SOL_NETBEUI")
+_S(268, "SOL_LLC")
+_S(269, "SOL_DCCP")
+_S(270, "SOL_NETLINK")
+_S(271, "SOL_TIPC")
+_S(272, "SOL_RXRPC")
+_S(273, "SOL_PPPOL2TP")
+_S(274, "SOL_BLUETOOTH")
+_S(275, "SOL_PNPIPE")
+_S(276, "SOL_RDS")
+_S(277, "SOL_IUCV")
+_S(278, "SOL_CAIF")
+_S(279, "SOL_ALG")
+_S(280, "SOL_NFC")
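Review bot: SOL_SOCKET (1) is absent between SOL_IP (0) and SOL_TCP (6), and it is by far the most common level in setsockopt records; unless the caller in interpret.c special-cases it before consulting this table (which this diff does not show), every `setsockopt(fd, SOL_SOCKET, ...)` would print as an unknown level. Either add `_S(1, "SOL_SOCKET")` or, if the caller handles it, document that here with `/* SOL_SOCKET (1) is handled by the caller, not this table. */` so the omission is not "fixed" twice.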
diff --git a/framework/src/audit/auparse/sockoptnametab.h b/framework/src/audit/auparse/sockoptnametab.h
new file mode 100644
index 00000000..85c6692d
--- /dev/null
+++ b/framework/src/audit/auparse/sockoptnametab.h
@@ -0,0 +1,84 @@
+/* sockoptnametab.h --
+ * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * File: include/uapi/asm-generic/socket.h
+ */
+
+
+_S(1, "SO_DEBUG")
+_S(2, "SO_REUSEADDR")
+_S(3, "SO_TYPE")
+_S(4, "SO_ERROR")
+_S(5, "SO_DONTROUTE")
+_S(6, "SO_BROADCAST")
+_S(7, "SO_SNDBUF")
+_S(8, "SO_RCVBUF")
+_S(9, "SO_KEEPALIVE")
+_S(10, "SO_OOBINLINE")
+_S(11, "SO_NO_CHECK")
+_S(12, "SO_PRIORITY")
+_S(13, "SO_LINGER")
+_S(14, "SO_BSDCOMPAT")
+_S(15, "SO_REUSEPORT")
+_S(16, "SO_PASSCRED")
+_S(17, "SO_PEERCRED")
+_S(18, "SO_RCVLOWAT")
+_S(19, "SO_SNDLOWAT")
+_S(20, "SO_RCVTIMEO")
+_S(21, "SO_SNDTIMEO")
+_S(22, "SO_SECURITY_AUTHENTICATION")
+_S(23, "SO_SECURITY_ENCRYPTION_TRANSPORT")
+_S(24, "SO_SECURITY_ENCRYPTION_NETWORK")
+_S(25, "SO_BINDTODEVICE")
+_S(26, "SO_ATTACH_FILTER")
+_S(27, "SO_DETACH_FILTER")
+_S(28, "SO_PEERNAME")
+_S(29, "SO_TIMESTAMP")
+_S(30, "SO_ACCEPTCONN")
+_S(31, "SO_PEERSEC")
+_S(32, "SO_SNDBUFFORCE")
+_S(33, "SO_RCVBUFFORCE")
+_S(34, "SO_PASSSEC")
+_S(35, "SO_TIMESTAMPNS")
+_S(36, "SO_MARK")
+_S(37, "SO_TIMESTAMPING")
+_S(38, "SO_PROTOCOL")
+_S(39, "SO_DOMAIN")
+_S(40, "SO_RXQ_OVFL")
+_S(41, "SO_WIFI_STATUS")
+_S(42, "SO_PEEK_OFF")
+_S(43, "SO_NOFCS")
+_S(44, "SO_LOCK_FILTER")
+_S(45, "SO_SELECT_ERR_QUEUE")
+_S(46, "SO_BUSY_POLL")
+_S(47, "SO_MAX_PACING_RATE")
+_S(48, "SO_BPF_EXTENSIONS")
+_S(49, "SO_INCOMING_CPU")
+_S(50, "SO_ATTACH_BPF")
+
+// PPC has these different
+_S(116, "SO_RCVLOWAT")
+_S(117, "SO_SNDLOWAT")
+_S(118, "SO_RCVTIMEO")
+_S(119, "SO_SNDTIMEO")
+_S(120, "SO_PASSCRED")
+_S(121, "SO_PEERCRED")
+
+
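Review bot: The PowerPC block at the end reuses the names SO_RCVLOWAT through SO_PEERCRED under different numbers, so the table is only unambiguous in the integer-to-name direction; if the generator also emits a name-to-integer function, a lookup of "SO_PASSCRED" will always return the generic value (16), never the PPC one (120). A comment should say which direction is supported, for example `/* PPC duplicates the names below under different values; only i2s lookups are reliable here. */`. The banner also uses `File:` where every sibling table uses `Location:`; `* Location: include/uapi/asm-generic/socket.h` keeps the headers grep-able.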
diff --git a/framework/src/audit/auparse/socktab.h b/framework/src/audit/auparse/socktab.h
new file mode 100644
index 00000000..8907b4b3
--- /dev/null
+++ b/framework/src/audit/auparse/socktab.h
@@ -0,0 +1,44 @@
+/* socktab.h --
+ * Copyright 2007,2011-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/net.h
+ */
+
+_S(SYS_SOCKET, "socket" )
+_S(SYS_BIND, "bind" )
+_S(SYS_CONNECT, "connect" )
+_S(SYS_LISTEN, "listen" )
+_S(SYS_ACCEPT, "accept" )
+_S(SYS_GETSOCKNAME, "getsockname" )
+_S(SYS_GETPEERNAME, "getpeername" )
+_S(SYS_SOCKETPAIR, "socketpair" )
+_S(SYS_SEND, "send" )
+_S(SYS_RECV, "recv" )
+_S(SYS_SENDTO, "sendto" )
+_S(SYS_RECVFROM, "recvfrom" )
+_S(SYS_SHUTDOWN, "shutdown" )
+_S(SYS_SETSOCKOPT, "setsockopt" )
+_S(SYS_GETSOCKOPT, "getsockopt" )
+_S(SYS_SENDMSG, "sendmsg" )
+_S(SYS_RECVMSG, "recvmsg" )
+_S(SYS_ACCEPT4, "accept4" )
+_S(19, "recvmmsg" )
+_S(20, "sendmmsg" )
+
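Review bot: The last two entries use bare `19` and `20` while every other row uses a `SYS_*` macro from linux/net.h, which reads as an oversight unless the reason is stated; presumably SYS_RECVMMSG and SYS_SENDMMSG were not defined in the minimum supported kernel headers. A one-line comment above those rows, `/* SYS_RECVMMSG/SYS_SENDMMSG are missing from older <linux/net.h>; values per include/uapi/linux/net.h */`, records that so a future cleanup does not replace them with macros that fail to compile on the older headers.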
diff --git a/framework/src/audit/auparse/socktypetab.h b/framework/src/audit/auparse/socktypetab.h
new file mode 100644
index 00000000..ec00ecfa
--- /dev/null
+++ b/framework/src/audit/auparse/socktypetab.h
@@ -0,0 +1,31 @@
+/* socktypetab.h --
+ * Copyright 2012 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/net.h
+ */
+
+_S(1, "SOCK_STREAM")
+_S(2, "SOCK_DGRAM")
+_S(3, "SOCK_RAW")
+_S(4, "SOCK_RDM")
+_S(5, "SOCK_SEQPACKET")
+_S(6, "SOCK_DCCP")
+_S(10, "SOCK_PACKET")
+
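Review bot: The type argument recorded for socket() can carry SOCK_NONBLOCK and SOCK_CLOEXEC ORed into the same integer, so a lookup on the raw value would miss `SOCK_STREAM|SOCK_CLOEXEC` even though the base type is in this table. I cannot see the caller here, so it may already apply SOCK_TYPE_MASK; the table should state the expectation either way, e.g. `/* Base types only; the caller must mask with SOCK_TYPE_MASK (0xf) to strip SOCK_NONBLOCK/SOCK_CLOEXEC. */`.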
diff --git a/framework/src/audit/auparse/tcpoptnametab.h b/framework/src/audit/auparse/tcpoptnametab.h
new file mode 100644
index 00000000..64e1cbe0
--- /dev/null
+++ b/framework/src/audit/auparse/tcpoptnametab.h
@@ -0,0 +1,49 @@
+/* tcpoptnametab.h --
+ * Copyright 2013-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/tcp.h
+ */
+
+_S(1, "TCP_NODELAY")
+_S(2, "TCP_MAXSEG")
+_S(3, "TCP_CORK")
+_S(4, "TCP_KEEPIDLE")
+_S(5, "TCP_KEEPINTVL")
+_S(6, "TCP_KEEPCNT")
+_S(7, "TCP_SYNCNT")
+_S(8, "TCP_LINGER2")
+_S(9, "TCP_DEFER_ACCEPT")
+_S(10, "TCP_WINDOW_CLAMP")
+_S(11, "TCP_INFO")
+_S(12, "TCP_QUICKACK")
+_S(13, "TCP_CONGESTION")
+_S(14, "TCP_MD5SIG")
+_S(15, "TCP_COOKIE_TRANSACTIONS")
+_S(16, "TCP_THIN_LINEAR_TIMEOUTS")
+_S(17, "TCP_THIN_DUPACK")
+_S(18, "TCP_USER_TIMEOUT")
+_S(19, "TCP_REPAIR")
+_S(20, "TCP_REPAIR_QUEUE")
+_S(21, "TCP_QUEUE_SEQ")
+_S(22, "TCP_REPAIR_OPTIONS")
+_S(23, "TCP_FASTOPEN")
+_S(24, "TCP_TIMESTAMP")
+_S(25, "TCP_NOTSENT_LOWAT")
+
diff --git a/framework/src/audit/auparse/test/Makefile.am b/framework/src/audit/auparse/test/Makefile.am
new file mode 100644
index 00000000..19793508
--- /dev/null
+++ b/framework/src/audit/auparse/test/Makefile.am
@@ -0,0 +1,91 @@
+# Makefile.am --
+# Copyright 2006-08,2014-15 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Authors:
+# Steve Grubb <sgrubb@redhat.com>
+#
+
+CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur
+AUTOMAKE_OPTIONS = no-dependencies
+check_PROGRAMS = auparse_test
+dist_check_SCRIPTS = auparse_test.py
+EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log
+
+AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib
+
+auparse_test_SOURCES = auparse_test.c
+auparse_test_LDFLAGS = -static
+auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
+ ${top_builddir}/lib/libaudit.la
+
+drop_srcdir = sed 's,$(srcdir)/test,test,'
+
+check: auparse_test
+ test "$(top_srcdir)" = "$(top_builddir)" || \
+ cp $(top_srcdir)/auparse/test/test*.log .
+ LC_ALL=C \
+ ./auparse_test > auparse_test.cur
+ diff -u $(top_srcdir)/auparse/test/auparse_test.ref auparse_test.cur
+if HAVE_PYTHON
+ cp ${top_builddir}/bindings/swig/python/.libs/_audit.so ${top_builddir}/bindings/swig/python
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
+ srcdir=$(srcdir) $(srcdir)/auparse_test.py \
+ | $(drop_srcdir) > auparse_test.cur
+ diff -u $(top_srcdir)/auparse/test/auparse_test.ref.py auparse_test.cur
+endif
+ echo -e "===================\nAuparse Test Passes\n==================="
+
+diffcheck: auparse_test
+ ./auparse_test > auparse_test.cur
+ diff -u $(srcdir)/auparse_test.ref auparse_test.cur
+
+memcheck: auparse_test
+ valgrind --leak-check=yes --show-reachable=yes ./auparse_test
+
+pycheck: auparse_test.py
+if HAVE_PYTHON
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
+ srcdir=$(srcdir) $(srcdir)/auparse_test.py
+endif
+
+pydiffcheck: auparse_test.py
+if HAVE_PYTHON
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
+ srcdir=$(srcdir) $(srcdir)/auparse_test.py \
+ | $(drop_srcdir) > auparse_test.cur
+ diff $(srcdir)/auparse_test.ref auparse_test.cur
+endif
+
+pymemcheck: auparse_test.py
+if HAVE_PYTHON
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs srcdir=$(srcdir) valgrind --leak-check=yes --show-reachable=yes python $(srcdir)/auparse_test.py
+
+${top_builddir}/bindings/python/build/*/auparse.so: ${top_srcdir}/bindings/python/auparse_python.c
+ cd ${top_builddir}/bindings/python && make
+endif
+
+clean-generic:
+ $(RM) *.cur
+if HAVE_PYTHON
+ $(RM) ${top_builddir}/bindings/swig/python/_audit.so
+endif
+ test "$(top_srcdir)" = "$(top_builddir)" || $(RM) test*.log
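Review bot: The recipe for `${top_builddir}/bindings/python/build/*/auparse.so` invokes a literal `make`, so `-j`/jobserver state and `-n` are not propagated into the sub-build; it should read `cd ${top_builddir}/bindings/python && $(MAKE)`. The `echo -e` at the end of the `check` recipe is not POSIX and prints the `-e` literally under some `/bin/sh` implementations; `printf '===================\nAuparse Test Passes\n===================\n'` behaves the same everywhere. `clean-generic` also removes `${top_builddir}/bindings/swig/python/_audit.so`, a file outside this directory that the `check` recipe copied there, which is unusual enough for a clean rule that a comment such as `# remove the copy of _audit.so that check: placed next to the swig module` would help.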
diff --git a/framework/src/audit/auparse/test/auparse_test.c b/framework/src/audit/auparse/test/auparse_test.c
new file mode 100644
index 00000000..a6477d41
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.c
@@ -0,0 +1,469 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <locale.h>
+#include <errno.h>
+#include <libaudit.h>
+#include <auparse.h>
+
+
+static const char *buf[] = {
+ "type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\n"
+ "type=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n",
+
+ "type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n",
+
+ NULL
+};
+
+
+static void walk_test(auparse_state_t *au)
+{
+ int event_cnt = 1, record_cnt;
+
+ do {
+ if (auparse_first_record(au) <= 0) {
+ printf("Error getting first record (%s)\n",
+ strerror(errno));
+ exit(1);
+ }
+ printf("event %d has %d records\n", event_cnt,
+ auparse_get_num_records(au));
+ record_cnt = 1;
+ do {
+ printf(" record %d of type %d(%s) has %d fields\n",
+ record_cnt,
+ auparse_get_type(au),
+ audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_num_fields(au));
+ printf(" line=%d file=%s\n",
+ auparse_get_line_number(au),
+ auparse_get_filename(au) ?
+ auparse_get_filename(au) : "None");
+ const au_event_t *e = auparse_get_timestamp(au);
+ if (e == NULL) {
+ printf("Error getting timestamp - aborting\n");
+ exit(1);
+ }
+ printf(" event time: %u.%u:%lu, host=%s\n",
+ (unsigned)e->sec,
+ e->milli, e->serial, e->host ? e->host : "?");
+ auparse_first_field(au);
+ do {
+ printf(" %s=%s (%s)\n",
+ auparse_get_field_name(au),
+ auparse_get_field_str(au),
+ auparse_interpret_field(au));
+ } while (auparse_next_field(au) > 0);
+ printf("\n");
+ record_cnt++;
+ } while(auparse_next_record(au) > 0);
+ event_cnt++;
+ } while (auparse_next_event(au) > 0);
+}
+
+void light_test(auparse_state_t *au)
+{
+ int record_cnt;
+
+ do {
+ if (auparse_first_record(au) <= 0) {
+ puts("Error getting first record");
+ exit(1);
+ }
+ printf("event has %d records\n", auparse_get_num_records(au));
+ record_cnt = 1;
+ do {
+ printf(" record %d of type %d(%s) has %d fields\n",
+ record_cnt,
+ auparse_get_type(au),
+ audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_num_fields(au));
+ printf(" line=%d file=%s\n",
+ auparse_get_line_number(au),
+ auparse_get_filename(au) ?
+ auparse_get_filename(au) : "None");
+ const au_event_t *e = auparse_get_timestamp(au);
+ if (e == NULL) {
+ printf("Error getting timestamp - aborting\n");
+ exit(1);
+ }
+ printf(" event time: %u.%u:%lu, host=%s\n",
+ (unsigned)e->sec,
+ e->milli, e->serial,
+ e->host ? e->host : "?");
+ printf("\n");
+ record_cnt++;
+ } while(auparse_next_record(au) > 0);
+
+ } while (auparse_next_event(au) > 0);
+}
+
+void simple_search(ausource_t source, austop_t where)
+{
+ auparse_state_t *au;
+ const char *val;
+
+ if (source == AUSOURCE_FILE) {
+ au = auparse_init(AUSOURCE_FILE, "./test.log");
+ val = "4294967295";
+ } else {
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ val = "848";
+ }
+ if (au == NULL) {
+ printf("auparse_init error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_item(au, "auid", "=", val, AUSEARCH_RULE_CLEAR)){
+ printf("ausearch_add_item error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_set_stop(au, where)){
+ printf("ausearch_set_stop error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_next_event(au) <= 0)
+ printf("Error searching for auid - %s\n", strerror(errno));
+ else
+ printf("Found %s = %s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ auparse_destroy(au);
+}
+
+void compound_search(ausearch_rule_t how)
+{
+ auparse_state_t *au;
+
+ au = auparse_init(AUSOURCE_FILE, "./test.log");
+ if (au == NULL) {
+ printf("auparse_init error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (how == AUSEARCH_RULE_AND) {
+ if (ausearch_add_item(au, "uid", "=", "0",
+ AUSEARCH_RULE_CLEAR)){
+ printf("ausearch_add_item 1 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_item(au, "pid", "=", "13015", how)){
+ printf("ausearch_add_item 2 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_item(au, "type", "=", "USER_START", how)){
+ printf("ausearch_add_item 3 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ } else {
+ if (ausearch_add_item(au, "auid", "=", "42",
+ AUSEARCH_RULE_CLEAR)){
+ printf("ausearch_add_item 4 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ // should stop on this one
+ if (ausearch_add_item(au, "auid", "=", "0", how)){
+ printf("ausearch_add_item 5 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_item(au, "auid", "=", "500", how)){
+ printf("ausearch_add_item 6 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ }
+ if (ausearch_set_stop(au, AUSEARCH_STOP_FIELD)){
+ printf("ausearch_set_stop error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_next_event(au) <= 0)
+ printf("Error searching for auid - %s\n", strerror(errno));
+ else
+ printf("Found %s = %s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ auparse_destroy(au);
+}
+
+void regex_search(const char *expr)
+{
+ auparse_state_t *au;
+ int rc;
+
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (au == NULL) {
+ printf("auparse_init error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_regex(au, expr)){
+ printf("ausearch_add_regex error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)){
+ printf("ausearch_set_stop error - %s\n", strerror(errno));
+ exit(1);
+ }
+ rc = ausearch_next_event(au);
+ if (rc < 0)
+ printf("Error searching for %s - %s\n", expr, strerror(errno));
+ else if (rc == 0)
+ printf("Not found\n");
+ else
+ printf("Found %s = %s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ auparse_destroy(au);
+}
+
+static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data)
+{
+ int *event_cnt = (int *)user_data;
+ int record_cnt;
+
+ if (cb_event_type == AUPARSE_CB_EVENT_READY) {
+ if (auparse_first_record(au) <= 0) {
+ printf("can't get first record\n");
+ return;
+ }
+ printf("event %d has %d records\n", *event_cnt,
+ auparse_get_num_records(au));
+ record_cnt = 1;
+ do {
+ printf(" record %d of type %d(%s) has %d fields\n",
+ record_cnt,
+ auparse_get_type(au),
+ audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_num_fields(au));
+ printf(" line=%d file=%s\n",
+ auparse_get_line_number(au),
+ auparse_get_filename(au) ?
+ auparse_get_filename(au) : "None");
+ const au_event_t *e = auparse_get_timestamp(au);
+ if (e == NULL) {
+ return;
+ }
+ printf(" event time: %u.%u:%lu, host=%s\n",
+ (unsigned)e->sec,
+ e->milli, e->serial,
+ e->host ? e->host : "?");
+ auparse_first_field(au);
+ do {
+ printf(" %s=%s (%s)\n",
+ auparse_get_field_name(au),
+ auparse_get_field_str(au),
+ auparse_interpret_field(au));
+ } while (auparse_next_field(au) > 0);
+ printf("\n");
+ record_cnt++;
+ } while(auparse_next_record(au) > 0);
+ (*event_cnt)++;
+ }
+}
+
+int main(void)
+{
+ //char *files[4] = { "test.log", "test2.log", "test3.log", NULL };
+ char *files[3] = { "test.log", "test2.log", NULL };
+ setlocale (LC_ALL, "");
+ auparse_state_t *au;
+
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+
+ printf("Starting Test 1, iterate...\n");
+ while (auparse_next_event(au) > 0) {
+ if (auparse_find_field(au, "auid")) {
+ printf("%s=%s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ printf("interp auid=%s\n", auparse_interpret_field(au));
+ } else
+ printf("Error iterating to auid\n");
+ }
+ auparse_reset(au);
+ while (auparse_next_event(au) > 0) {
+ if (auparse_find_field(au, "auid")) {
+ do {
+ printf("%s=%s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ printf("interp auid=%s\n", auparse_interpret_field(au));
+ } while (auparse_find_field_next(au));
+ } else
+ printf("Error iterating to auid\n");
+ }
+ printf("Test 1 Done\n\n");
+
+ /* Reset, now lets go to beginning and walk the list manually */
+ printf("Starting Test 2, walk events, records, and fields...\n");
+ auparse_reset(au);
+ walk_test(au);
+ auparse_destroy(au);
+ printf("Test 2 Done\n\n");
+
+ /* Reset, now lets go to beginning and walk the list manually */
+ printf("Starting Test 3, walk events, records of 1 buffer...\n");
+ au = auparse_init(AUSOURCE_BUFFER, buf[1]);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ light_test(au);
+ auparse_destroy(au);
+ printf("Test 3 Done\n\n");
+
+ printf("Starting Test 4, walk events, records of 1 file...\n");
+ au = auparse_init(AUSOURCE_FILE, "./test.log");
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ walk_test(au);
+ auparse_destroy(au);
+ printf("Test 4 Done\n\n");
+
+ printf("Starting Test 5, walk events, records of 2 files...\n");
+ au = auparse_init(AUSOURCE_FILE_ARRAY, files);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ walk_test(au);
+ auparse_destroy(au);
+ printf("Test 5 Done\n\n");
+
+ printf("Starting Test 6, search...\n");
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ if (ausearch_add_item(au, "auid", "=", "500", AUSEARCH_RULE_CLEAR)){
+ printf("Error - %s", strerror(errno));
+ return 1;
+ }
+ if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
+ printf("Error - %s", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_next_event(au) != 0) {
+ printf("Error search found something it shouldn't have\n");
+ }
+ puts("auid = 500 not found...which is correct");
+ ausearch_clear(au);
+ auparse_destroy(au);
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (ausearch_add_item(au,"auid", "exists", NULL, AUSEARCH_RULE_CLEAR)){
+ printf("Error - %s", strerror(errno));
+ return 1;
+ }
+ if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
+ printf("Error - %s", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_next_event(au) <= 0) {
+ printf("Error searching for existence of auid\n");
+ }
+ puts("auid exists...which is correct");
+ puts("Testing BUFFER_ARRAY, stop on field");
+ simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_FIELD);
+ puts("Testing BUFFER_ARRAY, stop on record");
+ simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_RECORD);
+ puts("Testing BUFFER_ARRAY, stop on event");
+ simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_EVENT);
+ puts("Testing test.log, stop on field");
+ simple_search(AUSOURCE_FILE, AUSEARCH_STOP_FIELD);
+ puts("Testing test.log, stop on record");
+ simple_search(AUSOURCE_FILE, AUSEARCH_STOP_RECORD);
+ puts("Testing test.log, stop on event");
+ simple_search(AUSOURCE_FILE, AUSEARCH_STOP_EVENT);
+ auparse_destroy(au);
+ printf("Test 6 Done\n\n");
+
+ printf("Starting Test 7, compound search...\n");
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ compound_search(AUSEARCH_RULE_AND);
+ compound_search(AUSEARCH_RULE_OR);
+ auparse_destroy(au);
+ printf("Test 7 Done\n\n");
+
+ printf("Starting Test 8, regex search...\n");
+ puts("Doing regex match...");
+ regex_search("1143146623");
+ puts("Doing regex wildcard search...");
+ regex_search("11431466.*146");
+ printf("Test 8 Done\n\n");
+
+ /* Note: this should match Test 2 exactly */
+ printf("Starting Test 9, buffer feed...\n");
+ {
+ int event_cnt = 1;
+ size_t len, chunk_len = 3;
+ const char **cur_buf, *p_beg, *p_end, *p_chunk_beg,
+ *p_chunk_end;
+
+ au = auparse_init(AUSOURCE_FEED, 0);
+ auparse_add_callback(au, auparse_callback, &event_cnt, NULL);
+ for (cur_buf = buf, p_beg = *cur_buf; *cur_buf;
+ cur_buf++, p_beg = *cur_buf) {
+ len = strlen(p_beg);
+ p_end = p_beg + len;
+ p_chunk_beg = p_beg;
+ while (p_chunk_beg < p_end) {
+ p_chunk_end = p_chunk_beg + chunk_len;
+ if (p_chunk_end > p_end)
+ p_chunk_end = p_end;
+
+ //fwrite(p_chunk_beg, 1,
+ // p_chunk_end-p_chunk_beg, stdout);
+ auparse_feed(au, p_chunk_beg,
+ p_chunk_end-p_chunk_beg);
+ p_chunk_beg = p_chunk_end;
+ }
+ }
+
+ auparse_flush_feed(au);
+ auparse_destroy(au);
+ }
+ printf("Test 9 Done\n\n");
+
+ /* Note: this should match Test 4 exactly */
+ printf("Starting Test 10, file feed...\n");
+ {
+ int *event_cnt = malloc(sizeof(int));
+ size_t len;
+ char filename[] = "./test.log";
+ char buf[4];
+ FILE *fp;
+
+ *event_cnt = 1;
+ au = auparse_init(AUSOURCE_FEED, 0);
+ auparse_add_callback(au, auparse_callback, event_cnt, free);
+ if ((fp = fopen(filename, "r")) == NULL) {
+ fprintf(stderr, "could not open '%s', %s\n",
+ filename, strerror(errno));
+ return 1;
+ }
+ while ((len = fread(buf, 1, sizeof(buf), fp))) {
+ auparse_feed(au, buf, len);
+ }
+
+ fclose(fp);
+ auparse_flush_feed(au);
+ auparse_destroy(au);
+ }
+ printf("Test 10 Done\n\n");
+
+ puts("Finished non-admin tests\n");
+
+ return 0;
+}
+
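Review bot: The second `auparse_init(AUSOURCE_BUFFER_ARRAY, buf)` in Test 6, immediately after the `auparse_destroy(au)` that ends the first search, is the only init in the file whose return is not checked before use; `ausearch_add_item` is called on a possibly NULL handle. Add the guard every other call site uses: `if (au == NULL) { printf("Error - %s\n", strerror(errno)); return 1; }`. In Test 10 the `malloc` for `event_cnt` is likewise unchecked and the early `return 1` on `fopen` failure skips `auparse_destroy(au)`; both are minor for a test binary, but a short comment saying the leak on the error path is accepted would make that intent explicit.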
diff --git a/framework/src/audit/auparse/test/auparse_test.py b/framework/src/audit/auparse/test/auparse_test.py
new file mode 100755
index 00000000..9d9a5c4d
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.py
@@ -0,0 +1,262 @@
+#!/usr/bin/env python
+
+import os
+srcdir = os.getenv('srcdir')
+
+buf = ["type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\ntype=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n",
+"type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n",
+]
+files = [srcdir + "/test.log", srcdir + "/test2.log"]
+
+import sys
+import time
+load_path = '../../bindings/python/build/lib.linux-i686-2.4'
+if False:
+ sys.path.insert(0, load_path)
+
+import auparse
+import audit
+
+def none_to_null(s):
+ 'used so output matches C version'
+ if s is None:
+ return '(null)'
+ else:
+ return s
+
+def walk_test(au):
+ event_cnt = 1
+
+ au.reset()
+ while True:
+ if not au.first_record():
+ print "Error getting first record"
+ sys.exit(1)
+
+ print "event %d has %d records" % (event_cnt, au.get_num_records())
+
+ record_cnt = 1
+ while True:
+ print " record %d of type %d(%s) has %d fields" % \
+ (record_cnt,
+ au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
+ au.get_num_fields())
+ print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
+ event = au.get_timestamp()
+ if event is None:
+ print "Error getting timestamp - aborting"
+ sys.exit(1)
+
+ print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
+ au.first_field()
+ while True:
+ print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
+ if not au.next_field(): break
+ print
+ record_cnt += 1
+ if not au.next_record(): break
+ event_cnt += 1
+ if not au.parse_next_event(): break
+
+
+def light_test(au):
+ while True:
+ if not au.first_record():
+ print "Error getting first record"
+ sys.exit(1)
+
+ print "event has %d records" % (au.get_num_records())
+
+ record_cnt = 1
+ while True:
+ print " record %d of type %d(%s) has %d fields" % \
+ (record_cnt,
+ au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
+ au.get_num_fields())
+ print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
+ event = au.get_timestamp()
+ if event is None:
+ print "Error getting timestamp - aborting"
+ sys.exit(1)
+
+ print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
+ print
+ record_cnt += 1
+ if not au.next_record(): break
+ if not au.parse_next_event(): break
+
+def simple_search(au, source, where):
+
+ if source == auparse.AUSOURCE_FILE:
+ au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
+ val = "4294967295"
+ else:
+ au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+ val = "848"
+
+ au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR)
+ au.search_set_stop(where)
+ if not au.search_next_event():
+ print "Error searching for auid"
+ else:
+ print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
+
+def compound_search(au, how):
+ au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
+ if how == auparse.AUSEARCH_RULE_AND:
+ au.search_add_item("uid", "=", "0", auparse.AUSEARCH_RULE_CLEAR)
+ au.search_add_item("pid", "=", "13015", how)
+ au.search_add_item("type", "=", "USER_START", how)
+ else:
+ au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR)
+ # should stop on this one
+ au.search_add_item("auid", "=", "0", how)
+ au.search_add_item("auid", "=", "500", how)
+
+ au.search_set_stop(auparse.AUSEARCH_STOP_FIELD)
+ if not au.search_next_event():
+ print "Error searching for auid"
+ else:
+ print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
+
+def feed_callback(au, cb_event_type, event_cnt):
+ if cb_event_type == auparse.AUPARSE_CB_EVENT_READY:
+ if not au.first_record():
+ print "Error getting first record"
+ sys.exit(1)
+
+ print "event %d has %d records" % (event_cnt[0], au.get_num_records())
+
+ record_cnt = 1
+ while True:
+ print " record %d of type %d(%s) has %d fields" % \
+ (record_cnt,
+ au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
+ au.get_num_fields())
+ print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
+ event = au.get_timestamp()
+ if event is None:
+ print "Error getting timestamp - aborting"
+ sys.exit(1)
+
+ print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
+ au.first_field()
+ while True:
+ print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
+ if not au.next_field(): break
+ print
+ record_cnt += 1
+ if not au.next_record(): break
+ event_cnt[0] += 1
+
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+
+print "Starting Test 1, iterate..."
+while au.parse_next_event():
+ if au.find_field("auid"):
+ print "%s=%s" % (au.get_field_name(), au.get_field_str())
+ print "interp auid=%s" % (au.interpret_field())
+ else:
+ print "Error iterating to auid"
+print "Test 1 Done\n"
+
+# Reset, now lets go to beginning and walk the list manually */
+print "Starting Test 2, walk events, records, and fields..."
+au.reset()
+walk_test(au)
+print "Test 2 Done\n"
+
+# Reset, now lets go to beginning and walk the list manually */
+print "Starting Test 3, walk events, records of 1 buffer..."
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1])
+light_test(au);
+print "Test 3 Done\n"
+
+print "Starting Test 4, walk events, records of 1 file..."
+au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
+walk_test(au);
+print "Test 4 Done\n"
+
+print "Starting Test 5, walk events, records of 2 files..."
+au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files);
+walk_test(au);
+print "Test 5 Done\n"
+
+print "Starting Test 6, search..."
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR)
+au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
+if au.search_next_event():
+ print "Error search found something it shouldn't have"
+else:
+ print "auid = 500 not found...which is correct"
+au.search_clear()
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+#au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR)
+au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR)
+au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
+if not au.search_next_event():
+ print "Error searching for existence of auid"
+print "auid exists...which is correct"
+print "Testing BUFFER_ARRAY, stop on field"
+simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD)
+print "Testing BUFFER_ARRAY, stop on record"
+simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD)
+print "Testing BUFFER_ARRAY, stop on event"
+simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT)
+print "Testing test.log, stop on field"
+simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD)
+print "Testing test.log, stop on record"
+simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD)
+print "Testing test.log, stop on event"
+simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT)
+print "Test 6 Done\n"
+
+print "Starting Test 7, compound search..."
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+compound_search(au, auparse.AUSEARCH_RULE_AND)
+compound_search(au, auparse.AUSEARCH_RULE_OR)
+print "Test 7 Done\n"
+
+print "Starting Test 8, regex search..."
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+print "Doing regex match...\n"
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+print "Test 8 Done\n"
+
+# Note: this should match Test 2 exactly
+# Note: this should match Test 2 exactly
+print "Starting Test 9, buffer feed..."
+au = auparse.AuParser(auparse.AUSOURCE_FEED);
+event_cnt = 1
+au.add_callback(feed_callback, [event_cnt])
+chunk_len = 3
+for s in buf:
+ s_len = len(s)
+ beg = 0
+ while beg < s_len:
+ end = min(s_len, beg + chunk_len)
+ data = s[beg:end]
+ beg += chunk_len
+ au.feed(data)
+au.flush_feed()
+print "Test 9 Done\n"
+
+# Note: this should match Test 4 exactly
+print "Starting Test 10, file feed..."
+au = auparse.AuParser(auparse.AUSOURCE_FEED);
+event_cnt = 1
+au.add_callback(feed_callback, [event_cnt])
+f = open(srcdir + "/test.log");
+while True:
+ data = f.read(4)
+ if not data: break
+ au.feed(data)
+au.flush_feed()
+print "Test 10 Done\n"
+
+print "Finished non-admin tests\n"
+
+au = None
+sys.exit(0)
+
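Review bot: `srcdir = os.getenv('srcdir')` is None when the variable is not exported, so the `files = [srcdir + "/test.log", ...]` line fails with a TypeError instead of a readable message; `srcdir = os.getenv('srcdir', '.')` keeps the Makefile behaviour and makes the script runnable by hand. Test 8 constructs two parsers but never performs a regex search, unlike the C test's `regex_search`, so the "regex search" label overstates what is exercised; a comment such as `# regex search is not exercised from Python; see auparse_test.c` would prevent a false sense of coverage. The file opened in Test 10 (`f = open(srcdir + "/test.log")`) is never closed; `with open(srcdir + "/test.log") as f:` is the idiom.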
diff --git a/framework/src/audit/auparse/test/auparse_test.ref b/framework/src/audit/auparse/test/auparse_test.ref
new file mode 100644
index 00000000..6cc399bd
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.ref
@@ -0,0 +1,803 @@
+Starting Test 1, iterate...
+auid=4294967295
+interp auid=unset
+auid=848
+interp auid=unknown(848)
+auid=848
+interp auid=unknown(848)
+auid=4294967295
+interp auid=unset
+auid=848
+interp auid=unknown(848)
+auid=848
+interp auid=unknown(848)
+auid=848
+interp auid=unknown(848)
+Test 1 Done
+
+Starting Test 2, walk events, records, and fields...
+event 1 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=1 file=None
+ event time: 1143146623.787:142, host=?
+ type=LOGIN (LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=848 (unknown(848))
+
+event 2 has 1 records
+ record 1 of type 1300(SYSCALL) has 24 fields
+ line=2 file=None
+ event time: 1143146623.875:143, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=188 (setxattr)
+ success=yes (yes)
+ exit=0 (0)
+ a0=7fffffa9a9f0 (0x7fffffa9a9f0)
+ a1=3958d11333 (0x3958d11333)
+ a2=5131f0 (0x5131f0)
+ a3=20 (0x20)
+ items=1 (1)
+ pid=2027 (2027)
+ auid=848 (unknown(848))
+ uid=0 (root)
+ gid=0 (root)
+ euid=0 (root)
+ suid=0 (root)
+ fsuid=0 (root)
+ egid=0 (root)
+ sgid=0 (root)
+ fsgid=0 (root)
+ tty=tty3 (tty3)
+ comm="login" (login)
+ exe="/bin/login" (/bin/login)
+ subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
+
+event 3 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=?
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+Test 2 Done
+
+Starting Test 3, walk events, records of 1 buffer...
+event has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=1 file=None
+ event time: 1143146623.879:146, host=?
+
+Test 3 Done
+
+Starting Test 4, walk events, records of 1 file...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=./test.log
+ event time: 1170021493.977:293, host=?
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=./test.log
+ event time: 1170021493.977:293, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=./test.log
+ event time: 1170021493.977:293, host=?
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=./test.log
+ event time: 1170021493.977:293, host=?
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=./test.log
+ event time: 1170021601.340:294, host=?
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=./test.log
+ event time: 1170021601.342:295, host=?
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=./test.log
+ event time: 1170021601.343:296, host=?
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=./test.log
+ event time: 1170021601.344:297, host=?
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=./test.log
+ event time: 1170021601.364:298, host=?
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=./test.log
+ event time: 1170021601.366:299, host=?
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 4 Done
+
+Starting Test 5, walk events, records of 2 files...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test.log
+ event time: 1170021493.977:293, host=?
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test.log
+ event time: 1170021493.977:293, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test.log
+ event time: 1170021493.977:293, host=?
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test.log
+ event time: 1170021493.977:293, host=?
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test.log
+ event time: 1170021601.340:294, host=?
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test.log
+ event time: 1170021601.342:295, host=?
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test.log
+ event time: 1170021601.343:296, host=?
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test.log
+ event time: 1170021601.344:297, host=?
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test.log
+ event time: 1170021601.364:298, host=?
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test.log
+ event time: 1170021601.366:299, host=?
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 8 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test2.log
+ event time: 1170021493.977:293, host=?
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read (read)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test2.log
+ event time: 1170021493.977:293, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test2.log
+ event time: 1170021493.977:293, host=?
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test2.log
+ event time: 1170021493.977:293, host=?
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 9 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test2.log
+ event time: 1170021601.340:294, host=?
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 10 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test2.log
+ event time: 1170021601.342:295, host=?
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 11 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test2.log
+ event time: 1170021601.343:296, host=?
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 12 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test2.log
+ event time: 1170021601.344:297, host=?
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 13 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test2.log
+ event time: 1170021601.364:298, host=?
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 14 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test2.log
+ event time: 1170021601.366:299, host=?
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 5 Done
+
+Starting Test 6, search...
+auid = 500 not found...which is correct
+auid exists...which is correct
+Testing BUFFER_ARRAY, stop on field
+Found auid = 848
+Testing BUFFER_ARRAY, stop on record
+Found type = SYSCALL
+Testing BUFFER_ARRAY, stop on event
+Found type = SYSCALL
+Testing test.log, stop on field
+Found auid = 4294967295
+Testing test.log, stop on record
+Found type = SYSCALL
+Testing test.log, stop on event
+Found type = AVC
+Test 6 Done
+
+Starting Test 7, compound search...
+Found type = USER_START
+Found auid = 0
+Test 7 Done
+
+Starting Test 8, regex search...
+Doing regex match...
+Found type = LOGIN
+Doing regex wildcard search...
+Found type = USER_LOGIN
+Test 8 Done
+
+Starting Test 9, buffer feed...
+event 1 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=1 file=None
+ event time: 1143146623.787:142, host=?
+ type=LOGIN (LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=848 (unknown(848))
+
+event 2 has 1 records
+ record 1 of type 1300(SYSCALL) has 24 fields
+ line=2 file=None
+ event time: 1143146623.875:143, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=188 (setxattr)
+ success=yes (yes)
+ exit=0 (0)
+ a0=7fffffa9a9f0 (0x7fffffa9a9f0)
+ a1=3958d11333 (0x3958d11333)
+ a2=5131f0 (0x5131f0)
+ a3=20 (0x20)
+ items=1 (1)
+ pid=2027 (2027)
+ auid=848 (unknown(848))
+ uid=0 (root)
+ gid=0 (root)
+ euid=0 (root)
+ suid=0 (root)
+ fsuid=0 (root)
+ egid=0 (root)
+ sgid=0 (root)
+ fsgid=0 (root)
+ tty=tty3 (tty3)
+ comm="login" (login)
+ exe="/bin/login" (/bin/login)
+ subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
+
+event 3 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=?
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+Test 9 Done
+
+Starting Test 10, file feed...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=None
+ event time: 1170021493.977:293, host=?
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=None
+ event time: 1170021493.977:293, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=None
+ event time: 1170021493.977:293, host=?
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=None
+ event time: 1170021493.977:293, host=?
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=None
+ event time: 1170021601.340:294, host=?
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=None
+ event time: 1170021601.342:295, host=?
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=None
+ event time: 1170021601.343:296, host=?
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=None
+ event time: 1170021601.344:297, host=?
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=None
+ event time: 1170021601.364:298, host=?
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=None
+ event time: 1170021601.366:299, host=?
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 10 Done
+
+Finished non-admin tests
+
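Review bot: The Test 8 block of this reference (`Doing regex match...`, `Found type = LOGIN`, `Doing regex wildcard search...`, `Found type = USER_LOGIN`) expects output that the accompanying auparse_test.py does not produce: the visible Test 8 section of that script only prints "Doing regex match..." and re-creates the parser, with no search call before "Test 8 Done". Either the regex search calls were dropped from the script or this reference was captured from a different revision; as committed, comparing the script's output against this file will fail at Test 8. Test 1 here also lists seven auid/interp pairs where auparse_test.ref.py lists three, and the event-time lines differ (`host=?` here versus `host=(null)` there), so it is worth confirming which reference matches the current script and the checked-in test.log/test2.log fixtures before relying on this file in `make check`.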
diff --git a/framework/src/audit/auparse/test/auparse_test.ref.py b/framework/src/audit/auparse/test/auparse_test.ref.py
new file mode 100644
index 00000000..d25e0645
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.ref.py
@@ -0,0 +1,793 @@
+Starting Test 1, iterate...
+auid=4294967295
+interp auid=unset
+auid=848
+interp auid=unknown(848)
+auid=848
+interp auid=unknown(848)
+Test 1 Done
+
+Starting Test 2, walk events, records, and fields...
+event 1 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=1 file=None
+ event time: 1143146623.787:142, host=(null)
+ type=LOGIN (LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=848 (unknown(848))
+
+event 2 has 1 records
+ record 1 of type 1300(SYSCALL) has 24 fields
+ line=2 file=None
+ event time: 1143146623.875:143, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=188 (setxattr)
+ success=yes (yes)
+ exit=0 (0)
+ a0=7fffffa9a9f0 (0x7fffffa9a9f0)
+ a1=3958d11333 (0x3958d11333)
+ a2=5131f0 (0x5131f0)
+ a3=20 (0x20)
+ items=1 (1)
+ pid=2027 (2027)
+ auid=848 (unknown(848))
+ uid=0 (root)
+ gid=0 (root)
+ euid=0 (root)
+ suid=0 (root)
+ fsuid=0 (root)
+ egid=0 (root)
+ sgid=0 (root)
+ fsgid=0 (root)
+ tty=tty3 (tty3)
+ comm="login" (login)
+ exe="/bin/login" (/bin/login)
+ subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
+
+event 3 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=(null)
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+Test 2 Done
+
+Starting Test 3, walk events, records of 1 buffer...
+event has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=1 file=None
+ event time: 1143146623.879:146, host=(null)
+
+Test 3 Done
+
+Starting Test 4, walk events, records of 1 file...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test.log
+ event time: 1170021601.340:294, host=(null)
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test.log
+ event time: 1170021601.342:295, host=(null)
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test.log
+ event time: 1170021601.343:296, host=(null)
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test.log
+ event time: 1170021601.344:297, host=(null)
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test.log
+ event time: 1170021601.364:298, host=(null)
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test.log
+ event time: 1170021601.366:299, host=(null)
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 4 Done
+
+Starting Test 5, walk events, records of 2 files...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test.log
+ event time: 1170021601.340:294, host=(null)
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test.log
+ event time: 1170021601.342:295, host=(null)
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test.log
+ event time: 1170021601.343:296, host=(null)
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test.log
+ event time: 1170021601.344:297, host=(null)
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test.log
+ event time: 1170021601.364:298, host=(null)
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test.log
+ event time: 1170021601.366:299, host=(null)
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 8 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test2.log
+ event time: 1170021493.977:293, host=(null)
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read (read)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test2.log
+ event time: 1170021493.977:293, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test2.log
+ event time: 1170021493.977:293, host=(null)
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test2.log
+ event time: 1170021493.977:293, host=(null)
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 9 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test2.log
+ event time: 1170021601.340:294, host=(null)
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 10 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test2.log
+ event time: 1170021601.342:295, host=(null)
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 11 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test2.log
+ event time: 1170021601.343:296, host=(null)
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 12 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test2.log
+ event time: 1170021601.344:297, host=(null)
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 13 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test2.log
+ event time: 1170021601.364:298, host=(null)
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 14 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test2.log
+ event time: 1170021601.366:299, host=(null)
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 5 Done
+
+Starting Test 6, search...
+auid = 500 not found...which is correct
+auid exists...which is correct
+Testing BUFFER_ARRAY, stop on field
+Found auid = 848
+Testing BUFFER_ARRAY, stop on record
+Found type = SYSCALL
+Testing BUFFER_ARRAY, stop on event
+Found type = SYSCALL
+Testing test.log, stop on field
+Found auid = 4294967295
+Testing test.log, stop on record
+Found type = SYSCALL
+Testing test.log, stop on event
+Found type = AVC
+Test 6 Done
+
+Starting Test 7, compound search...
+Found type = USER_START
+Found auid = 0
+Test 7 Done
+
+Starting Test 8, regex search...
+Doing regex match...
+
+Test 8 Done
+
+Starting Test 9, buffer feed...
+event 1 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=1 file=None
+ event time: 1143146623.787:142, host=(null)
+ type=LOGIN (LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=848 (unknown(848))
+
+event 2 has 1 records
+ record 1 of type 1300(SYSCALL) has 24 fields
+ line=2 file=None
+ event time: 1143146623.875:143, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=188 (setxattr)
+ success=yes (yes)
+ exit=0 (0)
+ a0=7fffffa9a9f0 (0x7fffffa9a9f0)
+ a1=3958d11333 (0x3958d11333)
+ a2=5131f0 (0x5131f0)
+ a3=20 (0x20)
+ items=1 (1)
+ pid=2027 (2027)
+ auid=848 (unknown(848))
+ uid=0 (root)
+ gid=0 (root)
+ euid=0 (root)
+ suid=0 (root)
+ fsuid=0 (root)
+ egid=0 (root)
+ sgid=0 (root)
+ fsgid=0 (root)
+ tty=tty3 (tty3)
+ comm="login" (login)
+ exe="/bin/login" (/bin/login)
+ subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
+
+event 3 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=(null)
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+Test 9 Done
+
+Starting Test 10, file feed...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=None
+ event time: 1170021493.977:293, host=(null)
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=None
+ event time: 1170021493.977:293, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=None
+ event time: 1170021493.977:293, host=(null)
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=None
+ event time: 1170021493.977:293, host=(null)
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=None
+ event time: 1170021601.340:294, host=(null)
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=None
+ event time: 1170021601.342:295, host=(null)
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=None
+ event time: 1170021601.343:296, host=(null)
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=None
+ event time: 1170021601.344:297, host=(null)
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=None
+ event time: 1170021601.364:298, host=(null)
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=None
+ event time: 1170021601.366:299, host=(null)
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 10 Done
+
+Finished non-admin tests
+
diff --git a/framework/src/audit/auparse/test/test.log b/framework/src/audit/auparse/test/test.log
new file mode 100644
index 00000000..e0ffabf5
--- /dev/null
+++ b/framework/src/audit/auparse/test/test.log
@@ -0,0 +1,10 @@
+type=AVC msg=audit(1170021493.977:293): avc: denied { read write } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
+type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
+type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
+type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
+type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
diff --git a/framework/src/audit/auparse/test/test2.log b/framework/src/audit/auparse/test/test2.log
new file mode 100644
index 00000000..588f1e04
--- /dev/null
+++ b/framework/src/audit/auparse/test/test2.log
@@ -0,0 +1,10 @@
+type=AVC msg=audit(1170021493.977:293): avc: denied { read } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
+type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
+type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
+type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
+type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
diff --git a/framework/src/audit/auparse/tty_named_keys.h b/framework/src/audit/auparse/tty_named_keys.h
new file mode 100644
index 00000000..e71ae11e
--- /dev/null
+++ b/framework/src/audit/auparse/tty_named_keys.h
@@ -0,0 +1,409 @@
+/* tty_named_keys.h --
+ * Copyright 2008 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Miloslav Trmač <mitr@redhat.com>
+ */
+
+/* Longest sequences should go first, but these are comparatively common. */
+E("\x01", "^A")
+E("\x02", "^B")
+E("\x03", "^C") // Or "cancel" (3 terms)
+E("\x04", "^D")
+E("\x05", "^E")
+E("\x06", "^F")
+E("\x07", "^G")
+E("\x08", "backspace")
+E("\t", "tab")
+E("\n", "nl")
+E("\x0B", "^K")
+E("\x0C", "^L")
+E("\r", "ret")
+E("\x0E", "^N")
+E("\x0F", "^O")
+E("\x10", "^P")
+E("\x11", "^Q")
+E("\x12", "^R")
+E("\x13", "^S")
+E("\x14", "^T")
+E("\x15", "^U")
+E("\x16", "^V")
+E("\x17", "^W")
+E("\x18", "^X")
+E("\x19", "^Y")
+E("\x1A", "^Z") // Or "suspend" (9 terms)
+/* \x1B handled only after all other escape sequences */
+E("\x7F", "backspace") // 59 terms; alternative: "delete" (11 terms)
+
+// Based on terminal descriptions in ncrses-base-5.6-20.20080927.fc10.
+// Conflicts are marked by comments. Ordering: longest sequences first, then
+// lexicographically.
+E("\x1B[11;2~", "F13")
+E("\x1B[11;3~", "F49")
+E("\x1B[11;4~", "F61")
+E("\x1B[11;5~", "F25")
+E("\x1B[11;6~", "F37")
+E("\x1B[12;2~", "F14")
+E("\x1B[12;3~", "F50")
+E("\x1B[12;4~", "F62")
+E("\x1B[12;5~", "F26")
+E("\x1B[12;6~", "F38")
+E("\x1B[13;2~", "F15")
+E("\x1B[13;3~", "F51")
+E("\x1B[13;4~", "F63")
+E("\x1B[13;5~", "F27")
+E("\x1B[13;6~", "F39")
+E("\x1B[14;2~", "F16")
+E("\x1B[14;3~", "F52")
+E("\x1B[14;5~", "F28")
+E("\x1B[14;6~", "F40")
+E("\x1B[15;2~", "F17")
+E("\x1B[15;3~", "F53")
+E("\x1B[15;5~", "F29")
+E("\x1B[15;6~", "F41")
+E("\x1B[17;2~", "F18")
+E("\x1B[17;3~", "F54")
+E("\x1B[17;5~", "F30")
+E("\x1B[17;6~", "F42")
+E("\x1B[18;2~", "F19")
+E("\x1B[18;3~", "F55")
+E("\x1B[18;5~", "F31")
+E("\x1B[18;6~", "F43")
+E("\x1B[19;2~", "F20")
+E("\x1B[19;3~", "F56")
+E("\x1B[19;5~", "F32")
+E("\x1B[19;6~", "F44")
+E("\x1B[20;2~", "F21")
+E("\x1B[20;3~", "F57")
+E("\x1B[20;5~", "F33")
+E("\x1B[20;6~", "F45")
+E("\x1B[21;2~", "F22")
+E("\x1B[21;3~", "F58")
+E("\x1B[21;5~", "F34")
+E("\x1B[21;6~", "F46")
+E("\x1B[23;2~", "F23")
+E("\x1B[23;3~", "F59")
+E("\x1B[23;5~", "F35")
+E("\x1B[23;6~", "F47")
+E("\x1B[24;2~", "F24")
+E("\x1B[24;3~", "F60")
+E("\x1B[24;5~", "F36")
+E("\x1B[24;6~", "F48")
+E("\x1B""O1;2A", "scroll-backward")
+E("\x1B""O1;2B", "scroll-forward")
+E("\x1B""O1;2C", "shift-right")
+E("\x1B""O1;2D", "shift-left")
+E("\x1B[192z", "F11")
+E("\x1B[193z", "resume") // 3 terms; alternative "F12" (1 term)
+E("\x1B[194z", "options") // 3 terms; alternative "F13" (1 term)
+E("\x1B[195z", "undo") // 4 terms; alternative "F14" (1 term)
+E("\x1B[196z", "help") // 1 term; alternative "F15" (1 term)
+E("\x1B[197z", "copy")
+E("\x1B[198z", "F17")
+E("\x1B[199z", "F18")
+E("\x1B[1;2A", "scroll-backward")
+E("\x1B[1;2B", "scroll-forward")
+E("\x1B[1;2C", "shift-right")
+E("\x1B[1;2D", "shift-left")
+E("\x1B[1;2F", "shift-end")
+E("\x1B[1;2H", "shift-home")
+E("\x1B[200z", "find") // 1 term; alternative "F19" (1 term)
+E("\x1B[201z", "F20")
+E("\x1B[208z", "F31")
+E("\x1B[209z", "F32")
+E("\x1B[210z", "F33")
+E("\x1B[211z", "F34")
+E("\x1B[212z", "F35")
+E("\x1B[213z", "F36")
+E("\x1B[214z", "home")
+E("\x1B[215z", "F38")
+E("\x1B[216z", "page-up")
+E("\x1B[217z", "F40")
+E("\x1B[218z", "B2")
+E("\x1B[219z", "F42")
+E("\x1B[220z", "end")
+E("\x1B[221z", "F44")
+E("\x1B[222z", "page-down") // 4 terms; alternative "F45" (1 term)
+E("\x1B[224z", "F1")
+E("\x1B[225z", "F2")
+E("\x1B[226z", "F3")
+E("\x1B[227z", "F4")
+E("\x1B[228z", "F5")
+E("\x1B[229z", "F6")
+E("\x1B[230z", "F7")
+E("\x1B[231z", "F8")
+E("\x1B[232z", "F9")
+E("\x1B[233z", "F10")
+E("\x1B[234z", "F11") // 3 terms; alternative "F46" (1 term)
+E("\x1B[235z", "F12") // 3 terms; alternative "F47" (1 term)
+E("\x1B[2;2~", "shift-insert")
+E("\x1B[2;5~", "shift-insert")
+E("\x1B[3;2~", "shift-del")
+E("\x1B[3;5~", "shift-del")
+E("\x1B[5;2~", "shift-previous")
+E("\x1B[5;5~", "shift-previous")
+E("\x1B[6;2~", "shift-next")
+E("\x1B[6;5~", "shift-next")
+E("\x1B[11^", "F23")
+E("\x1B[11~", "F1")
+E("\x1B[12^", "F24")
+E("\x1B[12~", "F2")
+E("\x1B[13^", "F25")
+E("\x1B[13~", "F3")
+E("\x1B[14^", "F26")
+E("\x1B[14~", "F4")
+E("\x1B[15^", "F27")
+E("\x1B[15~", "F5")
+E("\x1B[17^", "F28")
+E("\x1B[17~", "F6")
+E("\x1B[18^", "F29")
+E("\x1B[18~", "F7")
+E("\x1B[19^", "F30")
+E("\x1B[19~", "F8")
+E("\x1B[20^", "F31")
+E("\x1B[20~", "F9")
+E("\x1B[21^", "F32")
+E("\x1B[21~", "F10") // 85 terms; alternative "F0" (9 terms)
+E("\x1B[23$", "F21")
+E("\x1B[23@", "F43")
+E("\x1B[23^", "F33")
+E("\x1B[23~", "F11")
+E("\x1B[24$", "F22")
+E("\x1B[24@", "F44")
+E("\x1B[24^", "F34")
+E("\x1B[24~", "F12")
+E("\x1B[25^", "F35")
+E("\x1B[25~", "F13")
+E("\x1B[26^", "F36")
+E("\x1B[26~", "F14")
+E("\x1B[28^", "F37")
+E("\x1B[28~", "F15") // 42 terms; alternative "help" (8 terms)
+E("\x1B[29^", "F38")
+E("\x1B[29~", "F16") // 42 terms; alternative "redo" (4 terms)
+E("\x1B[30~", "insert-line")
+E("\x1B[31^", "F39")
+E("\x1B[31~", "F17") // 46 terms; alternative "delete-line" (1 term)
+E("\x1B[32^", "F40")
+E("\x1B[32~", "F18")
+E("\x1B[33^", "F41")
+E("\x1B[33~", "F19")
+E("\x1B[34^", "F42")
+E("\x1B[34~", "F20")
+E("\x1B""O2A", "scroll-backward")
+E("\x1B""O2B", "scroll-forward")
+E("\x1B""O2C", "shift-right")
+E("\x1B""O2D", "shift-left")
+E("\x1B""O2P", "F13")
+E("\x1B""O2Q", "F14")
+E("\x1B""O2R", "F15")
+E("\x1B""O2S", "F16")
+E("\x1B""O3P", "F49")
+E("\x1B""O3Q", "F50")
+E("\x1B""O3R", "F51")
+E("\x1B""O3S", "F52")
+E("\x1B""O4P", "F61")
+E("\x1B""O4Q", "F62")
+E("\x1B""O4R", "F63")
+E("\x1B""O5C", "shift-right")
+E("\x1B""O5D", "shift-left")
+E("\x1B""O5F", "shift-end")
+E("\x1B""O5H", "shift-home")
+E("\x1B""O5P", "F25")
+E("\x1B""O5Q", "F26")
+E("\x1B""O5R", "F27")
+E("\x1B""O5S", "F28")
+E("\x1B""O6P", "F37")
+E("\x1B""O6Q", "F38")
+E("\x1B""O6R", "F39")
+E("\x1B""O6S", "F40")
+E("\x1B[1~", "home") // 30 terms; alternative "find" (42 terms, but "home" is used in Linux)
+E("\x1B[2$", "shift-insert")
+E("\x1B[2z", "insert")
+E("\x1B[2~", "insert")
+E("\x1B[3$", "shift-del")
+E("\x1B[3z", "delete")
+E("\x1B[3~", "delete")
+E("\x1B[4~", "end") // 30 terms; alternative "select" (42 terms, but "end" is used in Linux)
+E("\x1B[5$", "shift-previous")
+E("\x1B[5~", "page-up") // 86 terms; alternative "A3" (4 terms)
+E("\x1B[6$", "shift-next")
+E("\x1B[6~", "page-down") // 86 terms; alternative "C3" (4 terms)
+E("\x1B[7$", "shift-home")
+E("\x1B[7~", "home") // 17 terms; alternative "A1" (4 terms)
+E("\x1B[8$", "shift-end")
+E("\x1B[8^", "delete-eol")
+E("\x1B[8~", "end") // 17 terms; alternatives "C1" (4 terms), "delete-eol" (1 term)
+E("\x1B[>M", "mouse")
+E("\x1B[[A", "F1")
+E("\x1B[[B", "F2")
+E("\x1B[[C", "F3")
+E("\x1B[[D", "F4")
+E("\x1B[[E", "F5")
+E("\x9B""11~", "F1")
+E("\x9B""12~", "F2")
+E("\x9B""13~", "F3")
+E("\x9B""14~", "F4")
+E("\x9B""15~", "F5")
+E("\x9B""17~", "F6")
+E("\x9B""18~", "F7")
+E("\x9B""19~", "F8")
+E("\x9B""20~", "F9")
+E("\x9B""21~", "F10")
+E("\x9B""23~", "F11")
+E("\x9B""24~", "F12")
+E("\x9B""25~", "F13")
+E("\x9B""26~", "F14")
+E("\x9B""28~", "F15")
+E("\x9B""29~", "F16")
+E("\x9B""31~", "F17")
+E("\x9B""32~", "F18")
+E("\x9B""33~", "F19")
+E("\x9B""34~", "F20")
+E("\x1B""2$", "shift-insert")
+E("\x1B""OA", "up")
+E("\x1B""OB", "down")
+E("\x1B""OC", "right")
+E("\x1B""OD", "left")
+E("\x1B""OE", "B2") // 16 terms; alternative "begin" (5 terms)
+E("\x1B""OF", "end")
+E("\x1B""OH", "home")
+E("\x1B""OM", "send")
+E("\x1B""OP", "F1")
+E("\x1B""OQ", "F2")
+E("\x1B""OR", "F3")
+E("\x1B""OS", "F4")
+E("\x1B""OT", "F5")
+E("\x1B""OU", "F6")
+E("\x1B""OV", "F7")
+E("\x1B""OW", "F8")
+E("\x1B""OX", "F9")
+E("\x1B""OY", "F10")
+E("\x1B""OZ", "F11")
+E("\x1B""O[", "F12")
+E("\x1B""Ol", "F8")
+E("\x1B""On", "C3")
+E("\x1B""Op", "C1")
+E("\x1B""Oq", "C1") // 17 terms; alternatives "A1" (5 terms), "F0" (1 term)
+E("\x1B""Or", "B2")
+E("\x1B""Os", "C3") // 17 terms; alternative "A3" (7 terms)
+E("\x1B""Ot", "F5")
+E("\x1B""Ou", "B2") // 21 terms; alternative "F6" (4 terms), "begin" (4 terms)
+E("\x1B""Ov", "F7")
+E("\x1B""Ow", "A1") // 17 terms; alternative "F9" (4 terms)
+E("\x1B""Ox", "F10")
+E("\x1B""Oy", "A3") // 17 terms; alternative "F0" (5 terms)
+E("\x1B[9", "delete")
+E("\x1B[@", "F41") // 4 terms; alternative "insert" (3 terms)
+E("\x1B[A", "up")
+E("\x1B[B", "down")
+E("\x1B[C", "right")
+E("\x1B[D", "left")
+E("\x1B[E", "B2") // 9 terms; alternative "begin" (1 term)
+E("\x1B[F", "end") // 5 terms; alternative "lower-left" (3 terms)
+E("\x1B[G", "B2") // 9 terms; alternative "page-down" (4 terms)
+E("\x1B[H", "home")
+E("\x1B[I", "page-up")
+E("\x1B[L", "insert")
+E("\x1B[M", "mouse") // 83 terms; alternative "F1" (4 terms)
+E("\x1B[N", "F2")
+E("\x1B[O", "F3")
+E("\x1B[P", "F4")
+E("\x1B[Q", "F5")
+E("\x1B[R", "F6")
+E("\x1B[S", "F7")
+E("\x1B[T", "F8")
+E("\x1B[U", "F9") // 4 terms; alternative "page-down" (3 terms)
+E("\x1B[V", "F10") // 4 terms; alternative "page-dup" (3 terms)
+E("\x1B[W", "F11")
+E("\x1B[X", "F12")
+E("\x1B[Y", "F13") // 4 terms; alternative "end" (3 terms)
+E("\x1B[Z", "back-tab") // 59 terms; alternative "F14" (4 terms)
+E("\x1B[[", "F42")
+E("\x1B[\\", "F43")
+E("\x1B[]", "F44")
+E("\x1B[^", "F45")
+E("\x1B[_", "F46")
+E("\x1B[`", "F47")
+E("\x1B[a", "F15")
+E("\x1B[b", "F16")
+E("\x1B[c", "shift-right") // 15 terms; alternative "F17" (4 terms)
+E("\x1B[d", "shift-left") // 15 terms; alternative "F18" (4 terms)
+E("\x1B[e", "F19")
+E("\x1B[f", "F20")
+E("\x1B[g", "F21")
+E("\x1B[h", "F22")
+E("\x1B[i", "F23")
+E("\x1B[j", "F24")
+E("\x1B[k", "F25")
+E("\x1B[l", "F26")
+E("\x1B[m", "F27")
+E("\x1B[n", "F28")
+E("\x1B[o", "F29")
+E("\x1B[p", "F30")
+E("\x1B[q", "F31")
+E("\x1B[r", "F32")
+E("\x1B[s", "F33")
+E("\x1B[t", "F34")
+E("\x1B[u", "F35")
+E("\x1B[v", "F36")
+E("\x1B[w", "F37")
+E("\x1B[x", "F38")
+E("\x1B[y", "F39")
+E("\x1B[z", "F40")
+E("\x1B[{", "F48")
+E("\x9B""1~", "home")
+E("\x9B""2~", "insert")
+E("\x9B""3~", "delete")
+E("\x9B""4~", "end")
+E("\x9B""5~", "page-up")
+E("\x9B""6~", "page-down")
+E("\x1B""A", "up")
+E("\x1B""B", "down")
+E("\x1B""C", "right")
+E("\x1B""D", "left")
+E("\x1B""F", "end")
+E("\x1B""J", "clear")
+E("\x1B""P", "delete")
+E("\x1B""Q", "insert")
+E("\x1B""S", "page-down")
+E("\x1B""T", "page-up")
+E("\x1B""h", "home")
+E("\x1B""p", "F1")
+E("\x1B""q", "F2")
+E("\x1B""r", "F3")
+E("\x1B""s", "F4")
+E("\x1B""t", "F5")
+E("\x1B""u", "F6")
+E("\x1B""v", "F7")
+E("\x1B""w", "F8")
+E("\x1B\x09", "back-tab")
+E("\x8F""A", "up")
+E("\x8F""B", "down")
+E("\x8F""C", "right")
+E("\x8F""D", "left")
+E("\x8F""E", "begin")
+E("\x8F""M", "send")
+E("\x8F""q", "C1")
+E("\x8F""s", "C3")
+E("\x8F""u", "A3")
+E("\x8F""w", "A1")
+E("\x8F""y", "B2")
+E("\x9B""M", "mouse")
+E("\x9B""Z", "back-tab")
+
+E("\x1B", "esc")
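Review bot: The table states its ordering rule (longest sequences first, then lexicographic) but never states the contract of the `E(sequence, name)` macro it expands, which the includer defines, nor that a lookup presumably stops at the first entry that matches — so the opening remark that the single-byte entries are placed first "but these are comparatively common" reads as a caveat without a consequence. A short header comment such as `/* Included with E(sequence, name) defined by the includer; entries are tried in order, so a prefix listed before a longer sequence shadows it. */` would make the ordering constraint something a reviewer can check when entries are added. The comment citing the ncurses package also has a typo, `ncrses` for `ncurses`. The entry `E("\x1B[9", "delete")` lacks the terminating byte that the neighbouring CSI entries carry; worth confirming it is intended rather than truncated.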
diff --git a/framework/src/audit/auparse/typetab.h b/framework/src/audit/auparse/typetab.h
new file mode 100644
index 00000000..7ff53c31
--- /dev/null
+++ b/framework/src/audit/auparse/typetab.h
@@ -0,0 +1,127 @@
+/* typetab.h --
+ * Copyright 2007-09,2011-12,2014 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+
+_S(AUPARSE_TYPE_UID, "auid" )
+_S(AUPARSE_TYPE_UID, "uid" )
+_S(AUPARSE_TYPE_UID, "euid" )
+_S(AUPARSE_TYPE_UID, "suid" )
+_S(AUPARSE_TYPE_UID, "fsuid" )
+_S(AUPARSE_TYPE_UID, "ouid" )
+_S(AUPARSE_TYPE_UID, "oauid" )
+_S(AUPARSE_TYPE_UID, "iuid" )
+_S(AUPARSE_TYPE_UID, "id" )
+_S(AUPARSE_TYPE_UID, "inode_uid" )
+_S(AUPARSE_TYPE_UID, "sauid" )
+_S(AUPARSE_TYPE_UID, "obj_uid" )
+_S(AUPARSE_TYPE_GID, "obj_gid" )
+_S(AUPARSE_TYPE_GID, "gid" )
+_S(AUPARSE_TYPE_GID, "egid" )
+_S(AUPARSE_TYPE_GID, "sgid" )
+_S(AUPARSE_TYPE_GID, "fsgid" )
+_S(AUPARSE_TYPE_GID, "ogid" )
+_S(AUPARSE_TYPE_GID, "igid" )
+_S(AUPARSE_TYPE_GID, "inode_gid" )
+_S(AUPARSE_TYPE_GID, "new_gid" )
+_S(AUPARSE_TYPE_SYSCALL, "syscall" )
+_S(AUPARSE_TYPE_ARCH, "arch" )
+_S(AUPARSE_TYPE_EXIT, "exit" )
+_S(AUPARSE_TYPE_ESCAPED, "path" )
+_S(AUPARSE_TYPE_ESCAPED, "comm" )
+_S(AUPARSE_TYPE_ESCAPED, "exe" )
+_S(AUPARSE_TYPE_ESCAPED, "file" )
+_S(AUPARSE_TYPE_ESCAPED, "name" )
+_S(AUPARSE_TYPE_ESCAPED, "watch" )
+_S(AUPARSE_TYPE_ESCAPED, "cwd" )
+_S(AUPARSE_TYPE_ESCAPED, "cmd" )
+_S(AUPARSE_TYPE_ESCAPED, "acct" )
+_S(AUPARSE_TYPE_ESCAPED, "dir" )
+_S(AUPARSE_TYPE_ESCAPED, "key" )
+_S(AUPARSE_TYPE_ESCAPED, "vm" )
+_S(AUPARSE_TYPE_ESCAPED, "old-disk" )
+_S(AUPARSE_TYPE_ESCAPED, "new-disk" )
+_S(AUPARSE_TYPE_ESCAPED, "old-fs" )
+_S(AUPARSE_TYPE_ESCAPED, "new-fs" )
+_S(AUPARSE_TYPE_ESCAPED, "device" )
+_S(AUPARSE_TYPE_ESCAPED, "cgroup" )
+_S(AUPARSE_TYPE_PERM, "perm" )
+_S(AUPARSE_TYPE_PERM, "perm_mask" )
+_S(AUPARSE_TYPE_MODE, "mode" )
+_S(AUPARSE_TYPE_SOCKADDR, "saddr" )
+//_S(AUPARSE_TYPE_FLAGS, "flags" )
+_S(AUPARSE_TYPE_PROMISC, "prom" )
+_S(AUPARSE_TYPE_PROMISC, "old_prom" )
+_S(AUPARSE_TYPE_CAPABILITY, "capability" )
+_S(AUPARSE_TYPE_SUCCESS, "res" )
+_S(AUPARSE_TYPE_SUCCESS, "result" )
+_S(AUPARSE_TYPE_A0, "a0" )
+_S(AUPARSE_TYPE_A1, "a1" )
+_S(AUPARSE_TYPE_A2, "a2" )
+_S(AUPARSE_TYPE_A3, "a3" )
+_S(AUPARSE_TYPE_SIGNAL, "sig" )
+_S(AUPARSE_TYPE_LIST, "list" )
+_S(AUPARSE_TYPE_TTY_DATA, "data" )
+_S(AUPARSE_TYPE_SESSION, "ses" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "fp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "fi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "fe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "old_pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "old_pi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "old_pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "new_pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "new_pi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "new_pe" )
+_S(AUPARSE_TYPE_NFPROTO, "family" )
+_S(AUPARSE_TYPE_ICMPTYPE, "icmptype" )
+_S(AUPARSE_TYPE_PROTOCOL, "proto" )
+_S(AUPARSE_TYPE_ADDR, "addr" )
+#ifdef WITH_APPARMOR
+_S(AUPARSE_TYPE_ESCAPED, "apparmor" )
+_S(AUPARSE_TYPE_ESCAPED, "operation" )
+_S(AUPARSE_TYPE_ESCAPED, "denied_mask" )
+_S(AUPARSE_TYPE_ESCAPED, "info" )
+_S(AUPARSE_TYPE_ESCAPED, "profile" )
+_S(AUPARSE_TYPE_ESCAPED, "requested_mask")
+#endif
+_S(AUPARSE_TYPE_PERSONALITY, "per" )
+_S(AUPARSE_TYPE_SECCOMP, "code" )
+_S(AUPARSE_TYPE_ESCAPED, "old-rng" )
+_S(AUPARSE_TYPE_ESCAPED, "new-rng" )
+_S(AUPARSE_TYPE_OFLAG, "oflag" )
+_S(AUPARSE_TYPE_ESCAPED, "ocomm" )
+_S(AUPARSE_TYPE_MMAP, "flags" )
+_S(AUPARSE_TYPE_SIGNAL, "sigev_signo" )
+_S(AUPARSE_TYPE_MAC_LABEL, "subj" )
+_S(AUPARSE_TYPE_MAC_LABEL, "obj" )
+_S(AUPARSE_TYPE_MAC_LABEL, "scontext" )
+_S(AUPARSE_TYPE_MAC_LABEL, "tcontext" )
+_S(AUPARSE_TYPE_MAC_LABEL, "vm-ctx" )
+_S(AUPARSE_TYPE_MAC_LABEL, "img-ctx" )
+_S(AUPARSE_TYPE_PROCTITLE, "proctitle" )
+_S(AUPARSE_TYPE_ESCAPED, "grp" )
+_S(AUPARSE_TYPE_ESCAPED, "new_group" )
+
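Review bot: The commented-out `//_S(AUPARSE_TYPE_FLAGS, "flags" )` is dead code sitting alongside the live `_S(AUPARSE_TYPE_MMAP, "flags" )` further down, and nothing explains why a `flags` field is decoded as mmap flags for every record type that carries one. Either drop the commented line or replace it with a comment recording the decision, e.g. `/* "flags" is decoded as mmap flags (AUPARSE_TYPE_MMAP); see the entry below. */`. The table also lacks a one-line statement of the `_S(type, name)` contract and of whether duplicate names are permitted (first match would presumably win), which is what a maintainer needs when adding a field name.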
diff --git a/framework/src/audit/auparse/umounttab.h b/framework/src/audit/auparse/umounttab.h
new file mode 100644
index 00000000..a673efb1
--- /dev/null
+++ b/framework/src/audit/auparse/umounttab.h
@@ -0,0 +1,30 @@
+/* umounttab.h --
+ * Copyright 2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/fs.h
+ */
+
+
+_S(0x00000001, "MNT_FORCE" )
+_S(0x00000002, "MNT_DETACH" )
+_S(0x00000004, "MNT_EXPIRE" )
+_S(0x00000008, "UMOUNT_NOFOLLOW" )
+_S(0x80000001, "UMOUNT_UNUSED" )
+
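Review bot: The `UMOUNT_UNUSED` entry is given as `0x80000001`, but the kernel header this table cites as its source (include/linux/fs.h) defines it as `0x80000000` as far as I recall; with bit 0 set the entry would also overlap `MNT_FORCE`, which matters if the includer decodes the table as a bitmask. Please verify against the cited header and, if this is a transcription error, change the line to `_S(0x80000000, "UMOUNT_UNUSED" )`. A one-line comment naming the `_S(value, name)` contract would also help, since the file otherwise relies on the reader knowing the pattern from sibling tables.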