AUDIT_FGETS(3) Linux Audit API AUDIT_FGETS(3)

audit_fgets, audit_fgets_more, audit_fgets_eof, audit_fgets_clear - buffered line reader helpers

#include <libaudit.h>

int audit_fgets(char *buf, size_t blen, int fd);
int audit_fgets_more(size_t blen);
int audit_fgets_eof(void);
void audit_fgets_clear(void);

audit_fgets reads from fd into buf up to blen bytes or through the next newline. Text is accumulated across calls in an internal buffer so that complete lines can be returned. The string is NUL terminated.

audit_fgets_more checks whether the buffer holds a newline or at least blen - 1 bytes.

audit_fgets_eof indicates whether end of file was reached on fd

audit_fgets_clear resets the internal buffer and EOF state, discarding any stored text.

These functions maintain static state and are therefore not thread safe.

audit_fgets returns -1 on error, 0 when no data is available, or the number of characters copied otherwise.

audit_fgets_more and audit_fgets_eof return 1 for true and 0 for false.

audit_fgets_clear returns no value.


The reason that this family of functions was created is because in auditd plugins, the event stream is stdin, which is descriptor 0. A typical pattern is to call select, poll, or epoll to wait for a record to arrive. As soon as it does, you need to read it. If you use fgets, you will wind up with big problems because you cannot mix low level descriptors with high level constructs like struct FILE. This family of functions allows you to correctly work only using descriptors but with the convenience of fgets.

fgets(3)

May 2025 Red Hat