NAME

       audit_fgets, audit_fgets_more, audit_fgets_eof, audit_fgets_clear - buffered line reader helpers

SYNOPSIS

       #include <libaudit.h>

       int audit_fgets(char *buf, size_t blen, int fd);
       int audit_fgets_more(size_t blen);
       int audit_fgets_eof(void);
       void audit_fgets_clear(void);

DESCRIPTION

       audit_fgets  reads  from  fd  into  buf up to blen bytes or through the next newline. Text is accumulated
       across calls in an internal buffer so that complete lines can be returned. The string is NUL terminated.

       audit_fgets_more checks whether the buffer holds a newline or at least blen - 1 bytes.

       audit_fgets_eof indicates whether end of file was reached on fd

       audit_fgets_clear resets the internal buffer and EOF state, discarding any stored text.

       These functions maintain static state and are therefore not thread safe.

RETURN VALUE

       audit_fgets returns -1 on error, 0 when no  data  is  available,  or  the  number  of  characters  copied
       otherwise.

       audit_fgets_more and audit_fgets_eof return 1 for true and 0 for false.

       audit_fgets_clear returns no value.

BACKGROUND

        The  reason that this family of functions was created is because in  auditd plugins, the event stream is
       stdin, which is  descriptor 0.  A typical pattern is to call select, poll, or epoll to wait for a  record
       to arrive. As soon as it does, you need to read it. If you  use fgets, you will wind up with big problems
       because you cannot mix  low level descriptors with high level constructs like struct FILE.   This  family
       of functions allows you to correctly work only using descriptors but with the convenience of fgets.

SEE ALSO

       fgets(3)

Red Hat                                             May 2025                                      AUDIT_FGETS(3)