in rule/rule.go [394:434]
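// toAuditRuleData converts the intermediate ruleData representation into an
// auditRuleData structure: header, syscall bitmask, field arrays and string
// buffer.
//
// It returns an error when a syscall number does not fit in the bitmask or
// when the rule has more fields than data.Fields can hold.
func (r ruleData) toAuditRuleData() (*auditRuleData, error) {
	data := &auditRuleData{auditRuleHeader: auditRuleHeader{
		Flags:      r.flags,
		Action:     r.action,
		FieldCount: uint32(len(r.fields)),
	}}

	if r.allSyscalls {
		for i := range data.Mask {
			data.Mask[i] = 0xFFFFFFFF
		}
		// NOTE: This was added to match the binary output when listing rules
		// from the kernel. See https://github.com/elastic/go-libaudit/pull/97.
		data.Mask[len(data.Mask)-1] = 0x0000FFFF
	} else {
		for _, syscallNum := range r.syscalls {
			// Each mask word holds 32 syscall bits.
			word := syscallNum / 32
			// Valid indexes are 0..len(data.Mask)-1, so the comparison must
			// be >=. With > a syscall number that lands exactly one word past
			// the end of the mask passed the check and the index expression
			// below panicked instead of returning an error.
			if int(word) >= len(data.Mask) {
				return nil, fmt.Errorf("invalid syscall number %v", syscallNum)
			}
			bit := 1 << (syscallNum - (word * 32))
			data.Mask[word] |= uint32(bit)
		}
	}

	if len(r.fields) > len(data.Fields) {
		return nil, fmt.Errorf("too many filters and keys, only %v total are supported", len(data.Fields))
	}

	// NOTE(review): r.fieldFlags and r.values are indexed in step with
	// r.fields; this assumes all three have the same length. Confirm against
	// the code that populates ruleData.
	for i := range r.fields {
		data.Fields[i] = r.fields[i]
		data.FieldFlags[i] = r.fieldFlags[i]
		data.Values[i] = r.values[i]
	}

	// The string values are concatenated into Buf in order, with no
	// separators; BufLen records the total byte length.
	for _, s := range r.strings {
		data.Buf = append(data.Buf, []byte(s)...)
	}
	data.BufLen = uint32(len(data.Buf))

	return data, nil
}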