More updating of auparse normalizer for new syscalls

Author: stevegrubb

auparse/normalize-internal.h

@@ -93,12 +93,13 @@
 #define NORM_WHAT_SYSTEM	15
 #define NORM_WHAT_AUDIT_RULE	16
 #define NORM_WHAT_AUDIT_CONFIG	17
-#define NORM_WHAT_MAC_CONFIG	18
+#define NORM_WHAT_SECURITY_POLICY	18
 #define NORM_WHAT_FILESYSTEM	19
 #define NORM_WHAT_MEMORY	20
 #define NORM_WHAT_KEYSTROKES	21
 #define NORM_WHAT_DEVICE	22
 #define NORM_WHAT_SOFTWARE	23
+#define NORM_WHAT_INTEGRITY_POLICY	24
 
 // This enum is used to map events to what kind they are
 #define NORM_EVTYPE_UNKNOWN		0

auparse/normalize.c

@@ -619,6 +619,9 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
 	if (objtype == NORM_UNKNOWN)
 		normalize_syscall_map_s2i(syscall, &objtype);
 
+// FIXME: Need to address: landlock_*, lsm_*, map_shadow_stack, pkey_*,
+// kexec_file_load, They likely need new NORM_* types. Also, these suggest
+// that NORM_WHAT_ may need some new types.
 	switch (objtype)
 	{
 		case NORM_FILE:
@@ -778,7 +781,7 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
 		case NORM_MAC_LOAD:
 			act = normalize_record_map_i2s(ttype);
 			// FIXME: What is the object?
-			D.thing.what = NORM_WHAT_MAC_CONFIG;
+			D.thing.what = NORM_WHAT_SECURITY_POLICY;
 			break;
 		case NORM_MAC_CONFIG:
 			act = normalize_record_map_i2s(ttype);
@@ -789,7 +792,7 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
 				D.thing.primary = set_field(D.thing.primary,
 					auparse_get_field_num(au));
 			}
-			D.thing.what = NORM_WHAT_MAC_CONFIG;
+			D.thing.what = NORM_WHAT_SECURITY_POLICY;
 			break;
 		case NORM_MAC_ENFORCE:
 			act = normalize_record_map_i2s(ttype);
@@ -800,7 +803,7 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
 				D.thing.primary = set_field(D.thing.primary,
 					auparse_get_field_num(au));
 			}
-			D.thing.what = NORM_WHAT_MAC_CONFIG;
+			D.thing.what = NORM_WHAT_SECURITY_POLICY;
 			break;
 		case NORM_MAC_ERR:
 			// FIXME: What could the object be?
@@ -1109,7 +1112,10 @@ static int normalize_compound(auparse_state_t *au)
 
 	otype = type = auparse_get_type(au);
 
-	// All compound events have a syscall record, find it
+	// All compound events have a syscall record, find it. After this
+	// loop, type should be syscall, and otype is the original type.
+	// Traditionally, the first record is the purpose of the event and
+	// the syscall is added on next to support/enhance information content.
 	if (type != AUDIT_SYSCALL) {
 		do {
 			// If we go off the end without finding a syscall
@@ -1359,17 +1365,17 @@ static value_t find_simple_object(auparse_state_t *au, int type)
 			break;
 		case AUDIT_MAC_CONFIG_CHANGE:
 			f = auparse_find_field(au, "bool");
-			D.thing.what = NORM_WHAT_MAC_CONFIG;
+			D.thing.what = NORM_WHAT_SECURITY_POLICY;
 			break;
 		case AUDIT_MAC_STATUS:
 			f = auparse_find_field(au, "enforcing");
-			D.thing.what = NORM_WHAT_MAC_CONFIG;
+			D.thing.what = NORM_WHAT_SECURITY_POLICY;
 			break;
 		// These deal with policy, not sure about object yet
 		case AUDIT_MAC_POLICY_LOAD:
 		case AUDIT_LABEL_OVERRIDE:
 		case AUDIT_DEV_ALLOC ... AUDIT_USER_MAC_CONFIG_CHANGE:
-			D.thing.what = NORM_WHAT_MAC_CONFIG;
+			D.thing.what = NORM_WHAT_SECURITY_POLICY;
 			break;
 		case AUDIT_USER:
 			f = auparse_find_field(au, "addr");
@@ -1861,7 +1867,7 @@ static int normalize_simple(auparse_state_t *au)
 		}
 
 		// Object type
-		D.thing.what = NORM_WHAT_MAC_CONFIG;
+		D.thing.what = NORM_WHAT_SECURITY_POLICY;
 
 		// Results
 		set_results(au, 0);

auparse/normalize_obj_kind_map.h

@@ -1,6 +1,6 @@
 /*
  * normalize_obj_kind_map.h
- * Copyright (c) 2016-18,21 Red Hat Inc.
+ * Copyright (c) 2016-24 Red Hat Inc.
  * All Rights Reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -41,9 +41,10 @@ _S(NORM_WHAT_PRINTER, "printer")
 _S(NORM_WHAT_SYSTEM, "system")
 _S(NORM_WHAT_AUDIT_RULE, "admin-defined-rule")
 _S(NORM_WHAT_AUDIT_CONFIG, "audit-config")
-_S(NORM_WHAT_MAC_CONFIG, "mac-config")
+_S(NORM_WHAT_SECURITY_POLICY, "security-policy")
 _S(NORM_WHAT_MEMORY, "memory")
 _S(NORM_WHAT_KEYSTROKES, "keystrokes")
 _S(NORM_WHAT_DEVICE, "device")
 _S(NORM_WHAT_SOFTWARE, "software")
+_S(NORM_WHAT_INTEGRITY_POLICY, "integrity-policy")
 //_S(, "")

auparse/normalize_syscall_map.h

@@ -1,6 +1,6 @@
 /*
  * normalize_syscall_map.h
- * Copyright (c) 2016-17,2021-23 Red Hat Inc.
+ * Copyright (c) 2016-17,2021-24 Red Hat Inc.
  * All Rights Reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -29,16 +29,19 @@ _S(NORM_FILE_STAT, "faccessat2")
 _S(NORM_FILE_CHPERM, "chmod")
 _S(NORM_FILE_CHPERM, "fchmod")
 _S(NORM_FILE_CHPERM, "fchmodat")
+_S(NORM_FILE_CHPERM, "fchmodat2")
 _S(NORM_FILE_CHOWN, "chown")
 _S(NORM_FILE_CHOWN, "fchown")
 _S(NORM_FILE_CHOWN, "fchownat")
+_S(NORM_FILE_CHOWN, "fchownat2")
 _S(NORM_FILE_CHOWN, "lchown")
 _S(NORM_FILE_LDMOD, "finit_module")
 _S(NORM_FILE_LDMOD, "init_module")
 _S(NORM_FILE_UNLDMOD, "delete_module")
 _S(NORM_FILE_CHATTR, "setxattr")
 _S(NORM_FILE_CHATTR, "fsetxattr")
 _S(NORM_FILE_CHATTR, "lsetxattr")
+_S(NORM_FILE_CHATTR, "mount_setattr")
 _S(NORM_FILE_DIR, "mkdir")
 _S(NORM_FILE_DIR, "mkdirat")
 _S(NORM_FILE_MOUNT, "fsconfig")
@@ -55,16 +58,20 @@ _S(NORM_FILE_STAT, "stat64")
 _S(NORM_FILE_STAT, "statx")
 _S(NORM_FILE_SYS_STAT, "statfs")
 _S(NORM_FILE_SYS_STAT, "fstatfs")
+_S(NORM_FILE_SYS_STAT, "statmount")
 _S(NORM_FILE, "creat")
 _S(NORM_FILE, "fallocate")
 _S(NORM_FILE, "truncate")
 _S(NORM_FILE, "ftruncate")
 _S(NORM_FILE, "memfd_create")
+_S(NORM_FILE, "memfd_secret")
 _S(NORM_FILE, "open")
 _S(NORM_FILE, "openat")
 _S(NORM_FILE, "openat2")
 _S(NORM_FILE, "readlink")
 _S(NORM_FILE, "readlinkat")
+_S(NORM_FILE, "open_by_handle_at")
+_S(NORM_FILE, "pidfd_getfd")
 _S(NORM_FILE_CHATTR, "removexattr")
 _S(NORM_FILE_CHATTR, "fremovexattr")
 _S(NORM_FILE_CHATTR, "lremovexattr")