From: Amy Griffis
Subject: Re: [PATCH] update audit rule change messages
Date: Thu, 7 Sep 2006 17:46:18 -0400
Message-ID: <20060907214618.GE12003@fc.hp.com>
References: <20060907210734.GC12003@fc.hp.com> <200609071722.53652.sgrubb@redhat.com>
In-Reply-To: <200609071722.53652.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve Grubb wrote:  [Thu Sep 07 2006, 05:22:53PM EDT]
> Do you mind if we switch the order of these? Maybe path, key, list.

Done.

Make the audit message for implicit rule removal more informative.
Make the rule update message consistent with other messages.

Signed-off-by: Amy Griffis
---
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index cba0708..a44879b 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -931,7 +931,7 @@ static void audit_update_watch(struct au } ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "audit updated rules specifying watch="); + audit_log_format(ab, "audit updated rules specifying path="); audit_log_untrustedstring(ab, owatch->path); audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); audit_log_end(ab); @@ -954,19 +954,28 @@ static void audit_remove_parent_watches( struct audit_watch *w, *nextw; struct audit_krule *r, *nextr; struct audit_entry *e; + struct audit_buffer *ab; mutex_lock(&audit_filter_mutex); parent->flags |= AUDIT_PARENT_INVALID; list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { list_for_each_entry_safe(r, nextr, &w->rules, rlist) { e = container_of(r, struct audit_entry, rule); + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); + audit_log_format(ab, "audit implicitly removed rule path="); + audit_log_untrustedstring(ab, w->path); + if (r->filterkey) { + audit_log_format(ab, " key="); + audit_log_untrustedstring(ab, r->filterkey); + } else + audit_log_format(ab, " key=(null)"); + audit_log_format(ab, " list=%d", r->listnr); + audit_log_end(ab); + list_del(&r->rlist); list_del_rcu(&e->list); call_rcu(&e->rcu, audit_free_rule_rcu); - - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit implicitly removed rule from list=%d\n", - AUDIT_FILTER_EXIT); } audit_remove_watch(w); }
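Review bot: In the first hunk (audit_update_watch), the record that now begins "audit updated rules specifying path=" still ends with a trailing "\n" in the unchanged line audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino), while the implicit-removal record built in the second hunk drops the "\n" that the old audit_log() call carried. If the aim is consistency across rule change messages, drop the newline here as well, or keep it in both places. The rename from watch= to path= also changes a field name that log consumers may match on, so the commit message should state the rename explicitly.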
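Review bot: In the second hunk (audit_remove_parent_watches), the if (r->filterkey) { ... } else pair around the key= field braces only the if branch; kernel coding style asks for braces on both branches when either one needs them, so brace the else that writes " key=(null)" too. A present key goes through audit_log_untrustedstring while a missing key is written as a bare (null) with audit_log_format, so a short comment saying that (null) is the intended marker for a rule without a key would help whoever parses these records. Emitting the record before list_del(&r->rlist) and call_rcu() is the right order, since w->path, r->filterkey and r->listnr are read while the rule is still linked.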