[PATCH] update audit rule change messages

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] update audit rule change messages
@ 2006-09-07 21:07 Amy Griffis
  2006-09-07 21:22 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Amy Griffis @ 2006-09-07 21:07 UTC (permalink / raw)
  To: linux-audit

Make the audit message for implicit rule removal more informative.
Make the rule update message consistent with other messages.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
---
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index cba0708..6354ced 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -931,7 +931,7 @@ static void audit_update_watch(struct au
 		}
 
 		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-		audit_log_format(ab, "audit updated rules specifying watch=");
+		audit_log_format(ab, "audit updated rules specifying path=");
 		audit_log_untrustedstring(ab, owatch->path);
 		audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
 		audit_log_end(ab);
@@ -954,19 +954,29 @@ static void audit_remove_parent_watches(
 	struct audit_watch *w, *nextw;
 	struct audit_krule *r, *nextr;
 	struct audit_entry *e;
+	struct audit_buffer *ab;
 
 	mutex_lock(&audit_filter_mutex);
 	parent->flags |= AUDIT_PARENT_INVALID;
 	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
 		list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
 			e = container_of(r, struct audit_entry, rule);
+
+			ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+			audit_log_format(ab, "audit implicitly removed rule");
+			if (r->filterkey) {
+				audit_log_format(ab, " key=");
+				audit_log_untrustedstring(ab, r->filterkey);
+			} else
+				audit_log_format(ab, " key=(null)");
+			audit_log_format(ab, " path=");
+			audit_log_untrustedstring(ab, w->path);
+			audit_log_format(ab, " list=%d", r->listnr);
+			audit_log_end(ab);
+
 			list_del(&r->rlist);
 			list_del_rcu(&e->list);
 			call_rcu(&e->rcu, audit_free_rule_rcu);
-
-			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-				 "audit implicitly removed rule from list=%d\n",
-				  AUDIT_FILTER_EXIT);
 		}
 		audit_remove_watch(w);
 	}

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] update audit rule change messages
  2006-09-07 21:07 [PATCH] update audit rule change messages Amy Griffis
@ 2006-09-07 21:22 ` Steve Grubb
  2006-09-07 21:46   ` Amy Griffis
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2006-09-07 21:22 UTC (permalink / raw)
  To: linux-audit

On Thursday 07 September 2006 17:07, Amy Griffis wrote:
> +                       if (r->filterkey) {
> +                               audit_log_format(ab, " key=");
> +                               audit_log_untrustedstring(ab,
> r->filterkey); +                       } else
> +                               audit_log_format(ab, " key=(null)");
> +                       audit_log_format(ab, " path=");
> +                       audit_log_untrustedstring(ab, w->path);

Do you mind if we switch the order of these? Maybe path, key, list.

Thanks for updating the messages.

-Steve

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] update audit rule change messages
  2006-09-07 21:22 ` Steve Grubb
@ 2006-09-07 21:46   ` Amy Griffis
  0 siblings, 0 replies; 3+ messages in thread
From: Amy Griffis @ 2006-09-07 21:46 UTC (permalink / raw)
  To: linux-audit

Steve Grubb wrote:  [Thu Sep 07 2006, 05:22:53PM EDT]
> Do you mind if we switch the order of these? Maybe path, key, list.

Done.

Make the audit message for implicit rule removal more informative.
Make the rule update message consistent with other messages.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
---
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index cba0708..a44879b 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -931,7 +931,7 @@ static void audit_update_watch(struct au
 		}
 
 		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-		audit_log_format(ab, "audit updated rules specifying watch=");
+		audit_log_format(ab, "audit updated rules specifying path=");
 		audit_log_untrustedstring(ab, owatch->path);
 		audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
 		audit_log_end(ab);
@@ -954,19 +954,28 @@ static void audit_remove_parent_watches(
 	struct audit_watch *w, *nextw;
 	struct audit_krule *r, *nextr;
 	struct audit_entry *e;
+	struct audit_buffer *ab;
 
 	mutex_lock(&audit_filter_mutex);
 	parent->flags |= AUDIT_PARENT_INVALID;
 	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
 		list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
 			e = container_of(r, struct audit_entry, rule);
+
+			ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+			audit_log_format(ab, "audit implicitly removed rule path=");
+			audit_log_untrustedstring(ab, w->path);
+			if (r->filterkey) {
+				audit_log_format(ab, " key=");
+				audit_log_untrustedstring(ab, r->filterkey);
+			} else
+				audit_log_format(ab, " key=(null)");
+			audit_log_format(ab, " list=%d", r->listnr);
+			audit_log_end(ab);
+
 			list_del(&r->rlist);
 			list_del_rcu(&e->list);
 			call_rcu(&e->rcu, audit_free_rule_rcu);
-
-			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-				 "audit implicitly removed rule from list=%d\n",
-				  AUDIT_FILTER_EXIT);
 		}
 		audit_remove_watch(w);
 	}

^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2006-09-07 21:46 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-09-07 21:07 [PATCH] update audit rule change messages Amy Griffis
2006-09-07 21:22 ` Steve Grubb
2006-09-07 21:46   ` Amy Griffis

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.