From: Eric Paris <eparis@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] minor update to rule add/delete messages (ver 2)
Date: Thu, 14 Dec 2006 19:44:08 -0500 [thread overview]
Message-ID: <1166143448.8203.196.camel@localhost.localdomain> (raw)
In-Reply-To: <200612141148.47824.sgrubb@redhat.com>
On Thu, 2006-12-14 at 11:48 -0500, Steve Grubb wrote:
> Hi,
>
> I was looking at parsing some of these messages and found that I wanted what
> it was doing next to an op= for the parser to key on. Also missing was the list
> number and results.
>
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Would you mind explaining why we had to drop the chuck from the original
patch to auditfilter.c which had:
if (r->filterkey) {
audit_log_format(ab, " key=");
audit_log_untrustedstring(ab, r->filterkey);
} else
audit_log_format(ab, " key=(null)");
Also, can someone whack me with a clue bat? Do we have a process for
getting audit patches into mainline kernel? Do they still go through
viro's tree? Should it go right to akpm?
-Eric
>
> diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c
> --- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2006-12-14 09:59:04.000000000 -0500
> +++ linux-2.6.18.x86_64/kernel/auditfilter.c 2006-12-14 10:02:39.000000000 -0500
> @@ -938,9 +938,10 @@ static void audit_update_watch(struct au
> }
>
> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> - audit_log_format(ab, "audit updated rules specifying path=");
> + audit_log_format(ab, "op=updated rules specifying path=");
> audit_log_untrustedstring(ab, owatch->path);
> audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
> + audit_log_format(ab, " list=%d res=1", r->listnr);
> audit_log_end(ab);
>
> audit_remove_watch(owatch);
> @@ -970,14 +971,14 @@ static void audit_remove_parent_watches(
> e = container_of(r, struct audit_entry, rule);
>
> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> - audit_log_format(ab, "audit implicitly removed rule path=");
> + audit_log_format(ab, "op=remove rule path=");
> audit_log_untrustedstring(ab, w->path);
> if (r->filterkey) {
> audit_log_format(ab, " key=");
> audit_log_untrustedstring(ab, r->filterkey);
> } else
> audit_log_format(ab, " key=(null)");
> - audit_log_format(ab, " list=%d", r->listnr);
> + audit_log_format(ab, " list=%d res=1", r->listnr);
> audit_log_end(ab);
>
> list_del(&r->rlist);
> @@ -1411,7 +1412,7 @@ static void audit_log_rule_change(uid_t
> audit_log_format(ab, " subj=%s", ctx);
> kfree(ctx);
> }
> - audit_log_format(ab, " %s rule key=", action);
> + audit_log_format(ab, " op=%s rule key=", action);
> if (rule->filterkey)
> audit_log_untrustedstring(ab, rule->filterkey);
> else
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2006-12-15 0:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-14 16:48 [PATCH] minor update to rule add/delete messages (ver 2) Steve Grubb
2006-12-15 0:44 ` Eric Paris [this message]
2006-12-15 11:19 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1166143448.8203.196.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.