* [PATCH ghak59 V1 0/2] tree and watch rule log cleanups
@ 2018-06-14 20:20 Richard Guy Briggs
2018-06-14 20:20 ` [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled Richard Guy Briggs
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Richard Guy Briggs @ 2018-06-14 20:20 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Make some tree and watch rule logging cleanups before applying
normalizations and record connections for ghak 59.
See: https://github.com/linux-audit/audit-kernel/issues/50
Richard Guy Briggs (2):
audit: tree: check audit_enabled
audit: watch: simplify audit_enabled check
kernel/audit_tree.c | 2 ++
kernel/audit_watch.c | 29 +++++++++++++++--------------
2 files changed, 17 insertions(+), 14 deletions(-)
--
1.8.3.1
* [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled
From: Richard Guy Briggs @ 2018-06-14 20:20 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Respect the audit_enabled flag when printing tree rule config change
records.
See: https://github.com/linux-audit/audit-kernel/issues/50
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/audit_tree.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 67e6956..5e9d1e5 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -497,6 +497,8 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
{
struct audit_buffer *ab;
+ if (!audit_enabled)
+ return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
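Review bot: the `if (!audit_enabled) return;` guard added at the top of audit_tree_log_remove_rule() is a functional change rather than a cleanup: once audit is disabled, removing a tree rule no longer produces an AUDIT_CONFIG_CHANGE record. The changelog should state that explicitly, because the cover letter describes the series as "cleanups" and 2/2 is described as not changing functionality, so a reader skimming the log could miss that this one alters what gets recorded. A blank line between the early `return;` and `ab = audit_log_start(...)` would also keep the guard visually separate from the allocation.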
--
1.8.3.1
* [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check
From: Richard Guy Briggs @ 2018-06-14 20:20 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Check the audit_enabled flag and bail immediately. This does not change
the functionality, but brings the code format in line with similar
checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(),
and elsewhere in the audit code.
See: https://github.com/linux-audit/audit-kernel/issues/50
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/audit_watch.c | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index f1ba889..9b4836b 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
{
- if (audit_enabled) {
- struct audit_buffer *ab;
- ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
- if (unlikely(!ab))
- return;
- audit_log_format(ab, "auid=%u ses=%u op=%s",
- from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current), op);
- audit_log_format(ab, " path=");
- audit_log_untrustedstring(ab, w->path);
- audit_log_key(ab, r->filterkey);
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
- }
+ struct audit_buffer *ab;
+
+ if (!audit_enabled)
+ return;
+ ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
+ if (!ab)
+ return;
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ audit_get_sessionid(current), op);
+ audit_log_format(ab, " path=");
+ audit_log_untrustedstring(ab, w->path);
+ audit_log_key(ab, r->filterkey);
+ audit_log_format(ab, " list=%d res=1", r->listnr);
+ audit_log_end(ab);
}
/* Update inode info in audit rules based on filesystem event. */
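Review bot: the allocation-failure check in the rewritten body of audit_watch_log_rule_change() goes from `if (unlikely(!ab))` to `if (!ab)`, which the changelog does not mention even though it says the patch only brings the format in line with similar checks. It also leaves this function inconsistent with audit_tree_log_remove_rule() as touched in 1/2, which keeps `if (unlikely(!ab))`. Either retain the unlikely() annotation here or note its removal in the commit message so the re-indentation stays a pure no-op to review.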
--
1.8.3.1
* Re: [PATCH ghak59 V1 0/2] tree and watch rule log cleanups
From: Richard Guy Briggs @ 2018-06-14 21:01 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: eparis
On 2018-06-14 16:20, Richard Guy Briggs wrote:
> Make some tree and watch rule logging cleanups before applying
> normalizations and record connections for ghak 59.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
Sorry, this patchset is mislabelled in the subject line and should be
ghak50.
> Richard Guy Briggs (2):
> audit: tree: check audit_enabled
> audit: watch: simplify audit_enabled check
>
> kernel/audit_tree.c | 2 ++
> kernel/audit_watch.c | 29 +++++++++++++++--------------
> 2 files changed, 17 insertions(+), 14 deletions(-)
>
> --
> 1.8.3.1
>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled
From: Paul Moore @ 2018-06-28 15:43 UTC (permalink / raw)
To: rgb; +Cc: Eric Paris, linux-audit
On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote:
>
> Respect the audit_enabled flag when printing tree rule config change
> records.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> kernel/audit_tree.c | 2 ++
> 1 file changed, 2 insertions(+)
Merged, thanks.
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
> index 67e6956..5e9d1e5 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -497,6 +497,8 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
> {
> struct audit_buffer *ab;
>
> + if (!audit_enabled)
> + return;
> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (unlikely(!ab))
> return;
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
* Re: [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check
From: Paul Moore @ 2018-06-28 15:47 UTC (permalink / raw)
To: rgb; +Cc: Eric Paris, linux-audit
On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote:
>
> Check the audit_enabled flag and bail immediately. This does not change
> the functionality, but brings the code format in line with similar
> checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(),
> and elsewhere in the audit code.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> kernel/audit_watch.c | 29 +++++++++++++++--------------
> 1 file changed, 15 insertions(+), 14 deletions(-)
Merged, thanks.
As a FYI for future patches, please don't use "audit: X: <one-liner>"
as a subject line unless you are crossing subsystem boundaries. As an
example, the following is okay:
audit: selinux: make things more awesomer
... while this isn't something I like seeing:
audit: watch: simplify audit_enabled check
... because the "watch" in this case refers to the audit watch code
which is part of the audit subsystem already.
> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index f1ba889..9b4836b 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
>
> static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
> {
> - if (audit_enabled) {
> - struct audit_buffer *ab;
> - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> - if (unlikely(!ab))
> - return;
> - audit_log_format(ab, "auid=%u ses=%u op=%s",
> - from_kuid(&init_user_ns, audit_get_loginuid(current)),
> - audit_get_sessionid(current), op);
> - audit_log_format(ab, " path=");
> - audit_log_untrustedstring(ab, w->path);
> - audit_log_key(ab, r->filterkey);
> - audit_log_format(ab, " list=%d res=1", r->listnr);
> - audit_log_end(ab);
> - }
> + struct audit_buffer *ab;
> +
> + if (!audit_enabled)
> + return;
> + ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> + if (!ab)
> + return;
> + audit_log_format(ab, "auid=%u ses=%u op=%s",
> + from_kuid(&init_user_ns, audit_get_loginuid(current)),
> + audit_get_sessionid(current), op);
> + audit_log_format(ab, " path=");
> + audit_log_untrustedstring(ab, w->path);
> + audit_log_key(ab, r->filterkey);
> + audit_log_format(ab, " list=%d res=1", r->listnr);
> + audit_log_end(ab);
> }
>
> /* Update inode info in audit rules based on filesystem event. */
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
* Re: [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check
From: Richard Guy Briggs @ 2018-07-13 15:39 UTC (permalink / raw)
To: Paul Moore; +Cc: Eric Paris, linux-audit
On 2018-06-28 11:47, Paul Moore wrote:
> On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> >
> > Check the audit_enabled flag and bail immediately. This does not change
> > the functionality, but brings the code format in line with similar
> > checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(),
> > and elsewhere in the audit code.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/50
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > kernel/audit_watch.c | 29 +++++++++++++++--------------
> > 1 file changed, 15 insertions(+), 14 deletions(-)
>
> Merged, thanks.
>
> As a FYI for future patches, please don't use "audit: X: <one-liner>"
> as a subject line unless you are crossing subsystem boundaries. As an
> example, the following is okay:
>
> audit: selinux: make things more awesomer
>
> ... while this isn't something I like seeing:
>
> audit: watch: simplify audit_enabled check
>
> ... because the "watch" in this case refers to the audit watch code
> which is part of the audit subsystem already.
Ok, so that watch keyword should have been used such as:
"audit: simplify watch audit_enabled check"
I had seen and used it as a sub-sub-system tag rather than an additional
sub-system tag.
Thanks.
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index f1ba889..9b4836b 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
> >
> > static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
> > {
> > - if (audit_enabled) {
> > - struct audit_buffer *ab;
> > - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> > - if (unlikely(!ab))
> > - return;
> > - audit_log_format(ab, "auid=%u ses=%u op=%s",
> > - from_kuid(&init_user_ns, audit_get_loginuid(current)),
> > - audit_get_sessionid(current), op);
> > - audit_log_format(ab, " path=");
> > - audit_log_untrustedstring(ab, w->path);
> > - audit_log_key(ab, r->filterkey);
> > - audit_log_format(ab, " list=%d res=1", r->listnr);
> > - audit_log_end(ab);
> > - }
> > + struct audit_buffer *ab;
> > +
> > + if (!audit_enabled)
> > + return;
> > + ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> > + if (!ab)
> > + return;
> > + audit_log_format(ab, "auid=%u ses=%u op=%s",
> > + from_kuid(&init_user_ns, audit_get_loginuid(current)),
> > + audit_get_sessionid(current), op);
> > + audit_log_format(ab, " path=");
> > + audit_log_untrustedstring(ab, w->path);
> > + audit_log_key(ab, r->filterkey);
> > + audit_log_format(ab, " list=%d res=1", r->listnr);
> > + audit_log_end(ab);
> > }
> >
> > /* Update inode info in audit rules based on filesystem event. */
> > --
> > 1.8.3.1
> >
>
>
> --
> paul moore
> www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635