* [PATCH] update audit rule change messages
@ 2006-09-07 21:07 Amy Griffis
  2006-09-07 21:22 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Amy Griffis @ 2006-09-07 21:07 UTC (permalink / raw)
  To: linux-audit

Make the audit message for implicit rule removal more informative.
Make the rule update message consistent with other messages.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
---
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index cba0708..6354ced 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -931,7 +931,7 @@ static void audit_update_watch(struct au
 		}
 
 		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-		audit_log_format(ab, "audit updated rules specifying watch=");
+		audit_log_format(ab, "audit updated rules specifying path=");
 		audit_log_untrustedstring(ab, owatch->path);
 		audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
 		audit_log_end(ab);
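Review bot: The context line `audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);` still ends the record with an embedded `\n`, while the removal message rewritten in the next hunk drops its trailing newline, so the two AUDIT_CONFIG_CHANGE records still terminate differently. If consistency is the aim, change it to `audit_log_format(ab, " with dev=%u ino=%lu", dev, ino);`. The rename from `watch=` to `path=` changes a field that log parsers and alerting rules may match on, so it is worth calling out explicitly in the commit message. The same applies to the identical hunk in the resend further down the thread; audit_update_watch starts and ends outside the hunk.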
@@ -954,19 +954,29 @@ static void audit_remove_parent_watches(
 	struct audit_watch *w, *nextw;
 	struct audit_krule *r, *nextr;
 	struct audit_entry *e;
+	struct audit_buffer *ab;
 
 	mutex_lock(&audit_filter_mutex);
 	parent->flags |= AUDIT_PARENT_INVALID;
 	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
 		list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
 			e = container_of(r, struct audit_entry, rule);
+
+			ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+			audit_log_format(ab, "audit implicitly removed rule");
+			if (r->filterkey) {
+				audit_log_format(ab, " key=");
+				audit_log_untrustedstring(ab, r->filterkey);
+			} else
+				audit_log_format(ab, " key=(null)");
+			audit_log_format(ab, " path=");
+			audit_log_untrustedstring(ab, w->path);
+			audit_log_format(ab, " list=%d", r->listnr);
+			audit_log_end(ab);
+
 			list_del(&r->rlist);
 			list_del_rcu(&e->list);
 			call_rcu(&e->rcu, audit_free_rule_rcu);
-
-			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-				 "audit implicitly removed rule from list=%d\n",
-				  AUDIT_FILTER_EXIT);
 		}
 		audit_remove_watch(w);
 	}
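Review bot: The added `if (r->filterkey) { … } else` leaves the else branch unbraced while the if branch is braced; kernel coding style asks for braces on both branches in that case, i.e. `} else {` / `audit_log_format(ab, " key=(null)");` / `}`. The same construct is carried into the resend's version of this hunk. audit_remove_parent_watches starts and ends outside the hunk.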


* Re: [PATCH] update audit rule change messages
  2006-09-07 21:07 [PATCH] update audit rule change messages Amy Griffis
@ 2006-09-07 21:22 ` Steve Grubb
  2006-09-07 21:46   ` Amy Griffis
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2006-09-07 21:22 UTC (permalink / raw)
  To: linux-audit

On Thursday 07 September 2006 17:07, Amy Griffis wrote:
> +                       if (r->filterkey) {
> +                               audit_log_format(ab, " key=");
> +                               audit_log_untrustedstring(ab,
> r->filterkey); +                       } else
> +                               audit_log_format(ab, " key=(null)");
> +                       audit_log_format(ab, " path=");
> +                       audit_log_untrustedstring(ab, w->path);

Do you mind if we switch the order of these? Maybe path, key, list.

Thanks for updating the messages.

-Steve


* Re: [PATCH] update audit rule change messages
  2006-09-07 21:22 ` Steve Grubb
@ 2006-09-07 21:46   ` Amy Griffis
  0 siblings, 0 replies; 3+ messages in thread
From: Amy Griffis @ 2006-09-07 21:46 UTC (permalink / raw)
  To: linux-audit

Steve Grubb wrote:  [Thu Sep 07 2006, 05:22:53PM EDT]
> Do you mind if we switch the order of these? Maybe path, key, list.

Done.

Make the audit message for implicit rule removal more informative.
Make the rule update message consistent with other messages.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
---
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index cba0708..a44879b 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -931,7 +931,7 @@ static void audit_update_watch(struct au
 		}
 
 		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-		audit_log_format(ab, "audit updated rules specifying watch=");
+		audit_log_format(ab, "audit updated rules specifying path=");
 		audit_log_untrustedstring(ab, owatch->path);
 		audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
 		audit_log_end(ab);
@@ -954,19 +954,28 @@ static void audit_remove_parent_watches(
 	struct audit_watch *w, *nextw;
 	struct audit_krule *r, *nextr;
 	struct audit_entry *e;
+	struct audit_buffer *ab;
 
 	mutex_lock(&audit_filter_mutex);
 	parent->flags |= AUDIT_PARENT_INVALID;
 	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
 		list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
 			e = container_of(r, struct audit_entry, rule);
+
+			ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+			audit_log_format(ab, "audit implicitly removed rule path=");
+			audit_log_untrustedstring(ab, w->path);
+			if (r->filterkey) {
+				audit_log_format(ab, " key=");
+				audit_log_untrustedstring(ab, r->filterkey);
+			} else
+				audit_log_format(ab, " key=(null)");
+			audit_log_format(ab, " list=%d", r->listnr);
+			audit_log_end(ab);
+
 			list_del(&r->rlist);
 			list_del_rcu(&e->list);
 			call_rcu(&e->rcu, audit_free_rule_rcu);
-
-			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-				 "audit implicitly removed rule from list=%d\n",
-				  AUDIT_FILTER_EXIT);
 		}
 		audit_remove_watch(w);
 	}
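Review bot: `ab` returned by `audit_log_start()` is passed to `audit_log_untrustedstring()` for `w->path` and `r->filterkey` without a NULL check, and whether that helper tolerates a NULL buffer is not visible from this hunk. The first version of the patch and the existing code in audit_update_watch follow the same pattern. If `audit_log_start()` can return NULL here, the rule is also unlinked and freed with no AUDIT_CONFIG_CHANGE record of the removal. Either guard the logging block with `if (ab) {` or, once the helpers are confirmed NULL-safe, add a comment such as `/* audit_log_* helpers accept a NULL ab */`. audit_remove_parent_watches starts and ends outside the hunk.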
