in audit.go [183:233]
// GetRules requests the currently loaded audit rules from the kernel and
// returns one byte slice per rule, exactly as carried in the Data of each
// AUDIT_LIST_RULES reply. The rules are not decoded here.
//
// The exchange is: send AUDIT_LIST_RULES, read the ACK (an NLMSG_ERROR
// message that ParseNetlinkError must accept), then read replies until
// NLMSG_DONE. Any other message type in the stream aborts the call with an
// error and no rules are returned, so a caller never sees a partial rule set
// presented as complete.
func (c *AuditClient) GetRules() ([][]byte, error) {
	// Ask for the rule list and request an explicit acknowledgement.
	request := syscall.NetlinkMessage{
		Header: syscall.NlMsghdr{
			Type:  uint16(auparse.AUDIT_LIST_RULES),
			Flags: syscall.NLM_F_REQUEST | syscall.NLM_F_ACK,
		},
		Data: nil,
	}

	seq, err := c.Netlink.Send(request)
	if err != nil {
		return nil, fmt.Errorf("failed sending request: %w", err)
	}

	// The first reply must be the ACK: an NLMSG_ERROR message whose payload
	// ParseNetlinkError treats as success.
	ack, err := c.getReply(seq)
	if err != nil {
		return nil, fmt.Errorf("failed to get audit ACK: %w", err)
	}
	if ack.Header.Type != syscall.NLMSG_ERROR {
		return nil, fmt.Errorf("unexpected ACK to LIST_RULES, got type=%d", ack.Header.Type)
	}
	if err = ParseNetlinkError(ack.Data); err != nil {
		return nil, err
	}

	// Collect rule payloads until the kernel signals the end of the dump.
	var rules [][]byte
	for {
		reply, err := c.getReply(seq)
		if err != nil {
			return nil, fmt.Errorf("failed receiving rule data: %w", err)
		}

		msgType := reply.Header.Type
		switch {
		case msgType == syscall.NLMSG_DONE:
			return rules, nil
		case msgType != uint16(auparse.AUDIT_LIST_RULES):
			// Reject anything that is not rule data rather than skipping it.
			return nil, fmt.Errorf("unexpected message type %d while receiving rules", reply.Header.Type)
		}

		// Store a private copy of the payload.
		// NOTE(review): presumably reply.Data may alias a receive buffer that
		// is reused by later reads; confirm against getReply.
		payload := make([]byte, len(reply.Data))
		copy(payload, reply.Data)
		rules = append(rules, payload)
	}
}