From 3ae10182b94ef4ea4b2ce217f858584cb33c4e8f Mon Sep 17 00:00:00 2001
From: Holger Hetterich <hhetter@novell.com>
Date: Thu, 18 Feb 2010 15:13:59 +0100
Subject: [PATCH] s3: vfs_full_audit.c: implement negated vfs_ops in the success/failure list

Supports negated arguments in configuration like:
full_audit:success = all !readdir !telldir !closedir
Update the manpage accordingly.
Part of BSO#4025
---
 docs-xml/manpages-3/vfs_full_audit.8.xml |   11 +++++++----
 source3/modules/vfs_full_audit.c         |   18 +++++++++++++-----
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/docs-xml/manpages-3/vfs_full_audit.8.xml b/docs-xml/manpages-3/vfs_full_audit.8.xml
index 1d519e2..9c9dc84 100644
--- a/docs-xml/manpages-3/vfs_full_audit.8.xml
+++ b/docs-xml/manpages-3/vfs_full_audit.8.xml
@@ -184,7 +184,8 @@
 		<listitem>
 		<para>LIST is a list of VFS operations that should be
 		recorded if they succeed. Operations are specified using
-		the names listed above.
+		the names listed above. Operations can be unset by prefixing
+		the names with "!".
 		</para>
 
 		</listitem>
@@ -195,7 +196,8 @@
 		<listitem>
 		<para>LIST is a list of VFS operations that should be
 		recorded if they failed. Operations are specified using
-		the names listed above.
+		the names listed above. Operations can be unset by prefixing
+		the names with "!".
 		</para>
 
 		</listitem>
@@ -232,7 +234,8 @@
 
 	<para>Log file and directory open operations on the [records]
 	share using the LOCAL7 facility and ALERT priority, including
-	the username and IP address:</para>
+	the username and IP address. Logging excludes the open VFS function
+	on failures:</para>
 
 <programlisting>
         <smbconfsection name="[records]"/>
@@ -240,7 +243,7 @@
 	<smbconfoption name="vfs objects">full_audit</smbconfoption>
 	<smbconfoption name="full_audit:prefix">%u|%I</smbconfoption>
 	<smbconfoption name="full_audit:success">open opendir</smbconfoption>
-	<smbconfoption name="full_audit:failure">all</smbconfoption>
+	<smbconfoption name="full_audit:failure">all !open</smbconfoption>
 	<smbconfoption name="full_audit:facility">LOCAL7</smbconfoption>
 	<smbconfoption name="full_audit:priority">ALERT</smbconfoption>
 </programlisting>
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index 19ac7ad..c3b5167 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -433,11 +433,11 @@ static bool log_failure(vfs_handle_struct *handle, vfs_op_type op)
 
 static void init_bitmap(struct bitmap **bm, const char **ops)
 {
+	int i;
 	bool log_all = False;
-
+	bool negated_ops = False;
 	if (*bm != NULL)
 		return;
-
 	*bm = bitmap_allocate(SMB_VFS_OP_LAST);
 
 	if (*bm == NULL) {
@@ -447,12 +447,15 @@ static void init_bitmap(struct bitmap **bm, const char **ops)
 	}
 
 	while (*ops != NULL) {
-		int i;
 		bool found = False;
+		if ( *(*ops) == '!' && negated_ops == False) {
+			for (i=0; i<SMB_VFS_OP_LAST; i++) bitmap_set(*bm, i);
+			negated_ops = True;
+		}
 
 		if (strequal(*ops, "all")) {
 			log_all = True;
-			break;
+			found = True;
 		}
 
 		if (strequal(*ops, "none")) {
@@ -469,6 +472,11 @@ static void init_bitmap(struct bitmap **bm, const char **ops)
 				bitmap_set(*bm, i);
 				found = True;
 			}
+			if ( *(*ops) == '!' 
+				&& strequal(*ops + 1,vfs_op_names[i].name)) {
+				bitmap_clear(*bm,i);
+				found = True;
+			}
 		}
 		if (!found) {
 			DEBUG(0, ("Could not find opname %s, logging all\n",
@@ -479,7 +487,7 @@ static void init_bitmap(struct bitmap **bm, const char **ops)
 		ops += 1;
 	}
 
-	if (log_all) {
+	if (log_all && !negated_ops) {
 		/* The query functions default to True */
 		bitmap_free(*bm);
 		*bm = NULL;
-- 
1.6.4.2