Diffstat (limited to 'framework/src/audit/src/ausearch-llist.h')
-rw-r--r--framework/src/audit/src/ausearch-llist.h117
1 files changed, 117 insertions, 0 deletions
diff --git a/framework/src/audit/src/ausearch-llist.h b/framework/src/audit/src/ausearch-llist.h
new file mode 100644
index 00000000..ada8ec81
--- /dev/null
+++ b/framework/src/audit/src/ausearch-llist.h
@@ -0,0 +1,117 @@
+/*
+* ausearch-llist.h - Header file for ausearch-llist.c
+* Copyright (c) 2005-2008, 2013-14 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2011 IBM Corp.
+* All Rights Reserved.
+*
+* This software may be freely redistributed and/or modified under the
+* terms of the GNU General Public License as published by the Free
+* Software Foundation; either version 2, or (at your option) any
+* later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; see the file COPYING. If not, write to the
+* Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+* Marcelo Henrique Cerri <mhcerri@br.ibm.com>
+*/
+
+#ifndef AULIST_HEADER
+#define AULIST_HEADER
+
+#include "config.h"
+#include <sys/types.h>
+#include "ausearch-string.h"
+#include "ausearch-avc.h"
+#include "ausearch-common.h"
+
+
+typedef struct
+{
+ time_t sec; // Event seconds
+ unsigned int milli; // millisecond of the timestamp
+ unsigned long serial; // Serial number of the event
+ const char *node; // Machine's node name
+ int type; // type of first event
+} event;
+
+typedef struct
+{
+ pid_t ppid; // parent process ID
+ pid_t pid; // process ID
+ uid_t uid; // user ID
+ uid_t euid; // effective user ID
+ uid_t loginuid; // login user ID
+ gid_t gid; // group ID
+ gid_t egid; // effective group ID
+ success_t success; // success flag, 1 = yes, 0 = no, -1 = unset
+ int arch; // arch
+ int syscall; // syscall
+ uint32_t session_id; // Login session id
+ long long exit; // Syscall exit code
+ int exit_is_set; // Syscall exit code is valid
+ char *hostname; // remote hostname
+ slist *filename; // filename list
+ char *cwd; // current working dir
+ char *exe; // executable
+ slist *key; // key field
+ char *terminal; // terminal
+ char *comm; // comm name
+ alist *avc; // avcs for the event
+ char *acct; // account used when uid is invalid
+ char *uuid; // virtual machine unique universal identifier
+ char *vmname; // virtual machine name
+} search_items;
+
+/* This is the node of the linked list. Any data elements that are per
+ * record goes here. */
+typedef struct _lnode{
+ char *message; // The whole unparsed message
+ unsigned mlen; // Length of the message
+ int type; // message type (KERNEL, USER, LOGIN, etc)
+ unsigned long long a0; // argv 0
+ unsigned long long a1; // argv 1
+ unsigned int item; // Which item of the same event
+ struct _lnode* next; // Next node pointer
+} lnode;
+
+/* This is the linked list head. Only data elements that are 1 per
+ * event goes here. */
+typedef struct {
+ lnode *head; // List head
+ lnode *cur; // Pointer to current node
+ unsigned int cnt; // How many items in this list
+
+ // Data we add as 1 per event
+ event e; // event - time & serial number
+ search_items s; // items in master rec that are searchable
+} llist;
+
+void list_create(llist *l);
+static inline void list_first(llist *l) { l->cur = l->head; }
+void list_last(llist *l);
+lnode *list_next(llist *l);
+lnode *list_prev(llist *l);
+static inline lnode *list_get_cur(llist *l) { return l->cur; }
+void list_append(llist *l, lnode *node);
+void list_clear(llist* l);
+int list_get_event(llist* l, event *e);
+
+/* Given a numeric index, find that record. */
+int list_find_item(llist *l, unsigned int i);
+
+/* Given a message type, find the matching node */
+lnode *list_find_msg(llist *l, int i);
+
+/* Given two message types, find the first matching node */
+lnode *list_find_msg_range(llist *l, int low, int high);
+
+#endif
+
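Review bot: The header does not say who owns the heap pointers it declares: `lnode.message` and the `char *`, `slist *` and `alist *` members of `search_items` have no stated owner, and `list_append(llist *l, lnode *node)` does not say whether the node is copied or adopted by the list. These fields hold data parsed from audit records, so a short contract comment above `list_append` and `list_clear` would help callers avoid leaks and double frees, for example `/* list_clear frees every node's message and the strings in l->s; caller keeps ownership of l itself */`, adjusted to what ausearch-llist.c actually does. The `mlen` comment could also state whether the length includes a terminating NUL and whether `message` is guaranteed to be NUL-terminated. Separately, `uint32_t session_id` is used without a direct `#include <stdint.h>`; it presumably arrives through `config.h` or one of the ausearch headers, but including it here would keep the header self-contained.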