def parse_value(string, op, rule):
if rule.syscalls:
raise ParsingError(_('Architecture can not be changed after system '
'calls are selected'))
if op not in (Field.OP_EQ, Field.OP_NE):
raise ParsingError(_('The only valid operators for "%s" are "=" '
'and "!="') %
audit.audit_field_to_name(audit.AUDIT_ARCH))
rule.machine = util.parse_elf(string)
return string
def validate(self, list, rules):
'''Validate the rule, for usage within list in rules.
Raise ParsingError on error.
'''
for var in (field.var for field in self.fields):
if list is rules.exclude_rules and var != audit.AUDIT_MSGTYPE:
raise ParsingError('Field type "%s" is invalid in "exclude" '
'rules' % audit.audit_field_to_name(var))
if list is not rules.exclude_rules and var == audit.AUDIT_MSGTYPE:
raise ParsingError('Field type "%s" is valid only "exclude" '
'rules' % audit.audit_field_to_name(var))
if (list is not rules.exit_rules and
var in (audit.AUDIT_DIR, audit.AUDIT_OBJ_USER,
audit.AUDIT_OBJ_ROLE, audit.AUDIT_OBJ_TYPE,
audit.AUDIT_OBJ_LEV_LOW, audit.AUDIT_OBJ_LEV_HIGH,
audit.AUDIT_WATCH)):
raise ParsingError('Field type "%s" is valid only in system '
'call exit and watch rules' %
audit.audit_field_to_name(var))
if (list is rules.entry_rules and
var in (audit.AUDIT_DEVMAJOR, audit.AUDIT_DEVMINOR,
audit.AUDIT_INODE, audit.AUDIT_EXIT,
audit.AUDIT_SUCCESS)):
raise ParsingError('Field type "%s" is not valid in system '
'call entry rules' %
audit.audit_field_to_name(var))
if list is rules.exclude_rules and len(self.fields) > 1:
# FIXME: this is to avoid -F msgtype=1 -F msgtype=2 not doing the
# right thing, but it prevents range expressions from working
raise ParsingError('Only one field is allowed in "exclude" rules')
keys = (field.value for field in self.fields
if field.var == audit.AUDIT_FILTERKEY)
if len('\x01'.join(keys)) > audit.AUDIT_MAX_KEY_LEN:
raise ParsingError('Total key length is too long')
def option_text(self, rule):
'''Return a string representing this field as an auditctl option.
Use rule to determine the correct syntax.
'''
val = self._value_text()
if self.var == audit.AUDIT_FILTERKEY:
assert self.op == self.OP_EQ
return '-k %s' % val
elif (self.var == audit.AUDIT_PERM and
len([f for f in rule.fields
if f.var in (audit.AUDIT_DIR, audit.AUDIT_WATCH)]) == 1):
assert self.op == self.OP_EQ
return '-p %s' % val
else:
return '-F %s%s%s' % (audit.audit_field_to_name(self.var), self.op,
val)
def parse_value(string, op, *unused):
if op != Field.OP_EQ:
raise ParsingError(_('The only valid operator for "%s" is "="') %
audit.audit_field_to_name(audit.AUDIT_PERM))
val = 0
for c in string:
if c == 'r':
val |= audit.AUDIT_PERM_READ
elif c == 'w':
val |= audit.AUDIT_PERM_WRITE
elif c == 'x':
val |= audit.AUDIT_PERM_EXEC
elif c == 'a':
val |= audit.AUDIT_PERM_ATTR
else:
raise ParsingError(_('Unknown permission "%(char)c" in '
'"%(perms)s"') %
{'char': c, 'perms': string})
return val
def user_text(self):
'''Return an user-readable string representing this field.'''
return '%s %s %s' % (audit.audit_field_to_name(self.var), self.op,
self._value_text())
def parse_value(string, op, *unused):
if op not in (Field.OP_EQ, Field.OP_NE):
raise ParsingError(_('The only valid operators for "%s" are "=" '
'and "!="') %
audit.audit_field_to_name(audit.AUDIT_INODE))
return _IntFieldType.parse_value(string)