Add bpf syscall command argument interpretation to auparse

ChangeLog

@@ -39,6 +39,7 @@
 - auparse_reset was not clearing everything it should
 - Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
 - In ausearch/report, lightly parse selinux portion of USER_AVC events
+- Add bpf syscall command argument interpretation to auparse
 
 2.8.3
 - Correct msg function name in LRU debug code

auparse/Makefile.am

@@ -1,5 +1,5 @@
 # Makefile.am -- 
-# Copyright 2006-08,2011-17 Red Hat Inc., Durham, North Carolina.
+# Copyright 2006-08,2011-18 Red Hat Inc., Durham, North Carolina.
 # All Rights Reserved.
 #
 # This library is free software; you can redistribute it and/or
@@ -65,7 +65,7 @@ BUILT_SOURCES = accesstabs.h captabs.h clocktabs.h clone-flagtabs.h \
 	tcpoptnametabs.h typetabs.h umounttabs.h inethooktabs.h \
 	netactiontabs.h \
 	normalize_obj_kind_maps.h normalize_record_maps.h \
-	normalize_syscall_maps.h normalize_evtypetabs.h
+	normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h
 noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
 	gen_clone-flagtabs_h \
 	gen_epoll_ctls_h gen_famtabs_h \
@@ -82,7 +82,7 @@ noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
 	gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
 	gen_umounttabs_h gen_inethooktabs_h gen_netactiontabs_h \
 	gen_normalize_record_map gen_normalize_syscall_map \
-	gen_normalize_obj_kind_map gen_normalize_evtypetabs_h
+	gen_normalize_obj_kind_map gen_normalize_evtypetabs_h gen_bpftabs_h
 
 gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
 gen_accesstabs_h_CFLAGS = '-DTABLE_H="accesstab.h"'
@@ -647,3 +647,16 @@ gen_normalize_evtypetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
 normalize_evtypetabs.h: gen_normalize_evtypetabs_h Makefile
 	./gen_normalize_evtypetabs_h --i2s evtype > $@
 
+gen_bpftabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h bpftab.h
+gen_bpftabs_h_CFLAGS = '-DTABLE_H="bpftab.h"'
+$(gen_bpftabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_bpftabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_bpftabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_bpftabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
+gen_bpftabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_bpftabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_bpftabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_bpftabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
+bpftabs.h: gen_bpftabs_h Makefile
+	./gen_bpftabs_h --i2s bpf > $@
+

auparse/interpret.c

@@ -1,6 +1,6 @@
 /*
 * interpret.c - Lookup values to something more readable
-* Copyright (c) 2007-09,2011-16 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2007-09,2011-16,2018 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved. 
 *
 * This library is free software; you can redistribute it and/or
@@ -119,6 +119,7 @@
 #include "ioctlreqtabs.h"
 #include "inethooktabs.h"
 #include "netactiontabs.h"
+#include "bpftabs.h"
 
 typedef enum { AVC_UNSET, AVC_DENIED, AVC_GRANTED } avc_t;
 typedef enum { S_UNSET=-1, S_FAILED, S_SUCCESS } success_t;
@@ -2170,6 +2171,28 @@ static const char *print_exit_syscall(const char *val)
 	return out;
 }
 
+static const char *print_bpf(const char *val)
+{
+	unsigned int cmd;
+	char *out;
+	const char *str;
+
+	errno = 0;
+	cmd = strtoul(val, NULL, 16);
+	if (errno) {
+		if (asprintf(&out, "conversion error(%s)", val) < 0)
+			out = NULL;
+		return out;
+	}
+	str = bpf_i2s(cmd);
+	if (str == NULL) {
+		if (asprintf(&out, "unknown-bpf-cmd(%s)", val) < 0)
+			out = NULL;
+		return out;
+	} else
+		return strdup(str);
+}
+
 static const char *print_a0(const char *val, const idata *id)
 {
 	char *out;
@@ -2252,6 +2275,8 @@ static const char *print_a0(const char *val, const idata *id)
 			return print_ipccall(val, 16);
 		else if (strncmp(sys, "exit", 4) == 0)
 			return print_exit_syscall(val);
+               	else if (strcmp(sys, "bpf") == 0)
+			return print_bpf(val);
 	}
 	if (asprintf(&out, "0x%s", val) < 0)
 			out = NULL;