* [PATCH ghak59 V1 0/2] tree and watch rule log cleanups
@ 2018-06-14 20:20 Richard Guy Briggs
From: Richard Guy Briggs @ 2018-06-14 20:20 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Make some tree and watch rule logging cleanups before applying
normalizations and record connections for ghak 59.
See: https://github.com/linux-audit/audit-kernel/issues/50
Richard Guy Briggs (2):
audit: tree: check audit_enabled
audit: watch: simplify audit_enabled check
kernel/audit_tree.c | 2 ++
kernel/audit_watch.c | 29 +++++++++++++++--------------
2 files changed, 17 insertions(+), 14 deletions(-)
--
1.8.3.1
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled 2018-06-14 20:20 [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs @ 2018-06-14 20:20 ` Richard Guy Briggs 2018-06-28 15:43 ` Paul Moore 2018-06-14 20:20 ` [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check Richard Guy Briggs 2018-06-14 21:01 ` [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs 2 siblings, 1 reply; 7+ messages in thread From: Richard Guy Briggs @ 2018-06-14 20:20 UTC (permalink / raw) To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis Respect the audit_enabled flag when printing tree rule config change records. See: https://github.com/linux-audit/audit-kernel/issues/50 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- kernel/audit_tree.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 67e6956..5e9d1e5 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c @@ -497,6 +497,8 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule) { struct audit_buffer *ab; + if (!audit_enabled) + return; ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (unlikely(!ab)) return; -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
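Review bot: The early return added at the top of audit_tree_log_remove_rule() changes behaviour, and the commit message does not say so. Before this hunk the function always went on to audit_log_start(); with it, no AUDIT_CONFIG_CHANGE record is produced for a tree rule removal while audit_enabled is clear. Patch 2/2 states outright that it "does not change the functionality", so this one should state just as plainly that a record is now suppressed and name the record type. The untouched `if (unlikely(!ab))` directly below the new check also ends up differing from the plain `if (!ab)` that 2/2 introduces in audit_watch_log_rule_change(); use one form in both places.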
* Re: [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled 2018-06-14 20:20 ` [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled Richard Guy Briggs @ 2018-06-28 15:43 ` Paul Moore 0 siblings, 0 replies; 7+ messages in thread From: Paul Moore @ 2018-06-28 15:43 UTC (permalink / raw) To: rgb; +Cc: Eric Paris, linux-audit On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > Respect the audit_enabled flag when printing tree rule config change > records. > > See: https://github.com/linux-audit/audit-kernel/issues/50 > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > --- > kernel/audit_tree.c | 2 ++ > 1 file changed, 2 insertions(+) Merged, thanks. > diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c > index 67e6956..5e9d1e5 100644 > --- a/kernel/audit_tree.c > +++ b/kernel/audit_tree.c > @@ -497,6 +497,8 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule) > { > struct audit_buffer *ab; > > + if (!audit_enabled) > + return; > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > if (unlikely(!ab)) > return; > -- > 1.8.3.1 > -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check 2018-06-14 20:20 [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs 2018-06-14 20:20 ` [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled Richard Guy Briggs @ 2018-06-14 20:20 ` Richard Guy Briggs 2018-06-28 15:47 ` Paul Moore 2018-06-14 21:01 ` [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs 2 siblings, 1 reply; 7+ messages in thread From: Richard Guy Briggs @ 2018-06-14 20:20 UTC (permalink / raw) To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis Check the audit_enabled flag and bail immediately. This does not change the functionality, but brings the code format in line with similar checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(), and elsewhere in the audit code. See: https://github.com/linux-audit/audit-kernel/issues/50 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- kernel/audit_watch.c | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index f1ba889..9b4836b 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c 
@@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old) static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op) { - if (audit_enabled) { - struct audit_buffer *ab; - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); - if (unlikely(!ab)) - return; - audit_log_format(ab, "auid=%u ses=%u op=%s", - from_kuid(&init_user_ns, audit_get_loginuid(current)), - audit_get_sessionid(current), op); - audit_log_format(ab, " path="); - audit_log_untrustedstring(ab, w->path); - audit_log_key(ab, r->filterkey); - audit_log_format(ab, " list=%d res=1", r->listnr); - audit_log_end(ab); - } + struct audit_buffer *ab; + + if (!audit_enabled) + return; + ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); + if (!ab) + return; + audit_log_format(ab, "auid=%u ses=%u op=%s", + from_kuid(&init_user_ns, audit_get_loginuid(current)), + audit_get_sessionid(current), op); + audit_log_format(ab, " path="); + audit_log_untrustedstring(ab, w->path); + audit_log_key(ab, r->filterkey); + audit_log_format(ab, " list=%d res=1", r->listnr); + audit_log_end(ab); } /* Update inode info in audit rules based on filesystem event. */ -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
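Review bot: The allocation check in the rewritten audit_watch_log_rule_change() loses its unlikely() annotation (`if (unlikely(!ab))` becomes `if (!ab)`), which is more than the re-indentation the commit message describes and is not mentioned there. It also works against the stated goal of matching audit_tree_log_remove_rule(), whose check in 1/2 still reads `if (unlikely(!ab))`. Either keep unlikely() on this line or note its removal in the commit message, so the claim that functionality is unchanged covers everything the hunk touches.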
* Re: [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check 2018-06-14 20:20 ` [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check Richard Guy Briggs @ 2018-06-28 15:47 ` Paul Moore 2018-07-13 15:39 ` Richard Guy Briggs 0 siblings, 1 reply; 7+ messages in thread From: Paul Moore @ 2018-06-28 15:47 UTC (permalink / raw) To: rgb; +Cc: Eric Paris, linux-audit On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > Check the audit_enabled flag and bail immediately. This does not change > the functionality, but brings the code format in line with similar > checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(), > and elsewhere in the audit code. > > See: https://github.com/linux-audit/audit-kernel/issues/50 > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > --- > kernel/audit_watch.c | 29 +++++++++++++++-------------- > 1 file changed, 15 insertions(+), 14 deletions(-) Merged, thanks. As a FYI for future patches, please don't use "audit: X: <one-liner>" as a subject line unless you are crossing subsystem boundaries. As an example, the following is okay: audit: selinux: make things more awesomer ... while this isn't something I like seeing: audit: watch: simplify audit_enabled check ... because the "watch" in this case refers to the audit watch code which is part of the audit subsystem already. > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c > index f1ba889..9b4836b 100644 > --- a/kernel/audit_watch.c > +++ b/kernel/audit_watch.c 
> @@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old) > > static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op) > { > - if (audit_enabled) { > - struct audit_buffer *ab; > - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); > - if (unlikely(!ab)) > - return; > - audit_log_format(ab, "auid=%u ses=%u op=%s", > - from_kuid(&init_user_ns, audit_get_loginuid(current)), > - audit_get_sessionid(current), op); > - audit_log_format(ab, " path="); > - audit_log_untrustedstring(ab, w->path); > - audit_log_key(ab, r->filterkey); > - audit_log_format(ab, " list=%d res=1", r->listnr); > - audit_log_end(ab); > - } > + struct audit_buffer *ab; > + > + if (!audit_enabled) > + return; > + ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); > + if (!ab) > + return; > + audit_log_format(ab, "auid=%u ses=%u op=%s", > + from_kuid(&init_user_ns, audit_get_loginuid(current)), > + audit_get_sessionid(current), op); > + audit_log_format(ab, " path="); > + audit_log_untrustedstring(ab, w->path); > + audit_log_key(ab, r->filterkey); > + audit_log_format(ab, " list=%d res=1", r->listnr); > + audit_log_end(ab); > } > > /* Update inode info in audit rules based on filesystem event. */ > -- > 1.8.3.1 > -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check 2018-06-28 15:47 ` Paul Moore @ 2018-07-13 15:39 ` Richard Guy Briggs 0 siblings, 0 replies; 7+ messages in thread From: Richard Guy Briggs @ 2018-07-13 15:39 UTC (permalink / raw) To: Paul Moore; +Cc: Eric Paris, linux-audit On 2018-06-28 11:47, Paul Moore wrote: > On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > > > Check the audit_enabled flag and bail immediately. This does not change > > the functionality, but brings the code format in line with similar > > checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(), > > and elsewhere in the audit code. > > > > See: https://github.com/linux-audit/audit-kernel/issues/50 > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > --- > > kernel/audit_watch.c | 29 +++++++++++++++-------------- > > 1 file changed, 15 insertions(+), 14 deletions(-) > > Merged, thanks. > > As a FYI for future patches, please don't use "audit: X: <one-liner>" > as a subject line unless you are crossing subsystem boundaries. As an > example, the following is okay: > > audit: selinux: make things more awesomer > > ... while this isn't something I like seeing: > > audit: watch: simplify audit_enabled check > > ... because the "watch" in this case refers to the audit watch code > which is part of the audit subsystem already. Ok, so that watch keyword should have been used such as: "audit: simplify watch audit_enabled check" I had seen and used it as a sub-sub-system tag rather than an additional sub-system tag. Thanks. > > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c > > index f1ba889..9b4836b 100644 > > --- a/kernel/audit_watch.c > > +++ b/kernel/audit_watch.c 
> > @@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old) > > > > static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op) > > { > > - if (audit_enabled) { > > - struct audit_buffer *ab; > > - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); > > - if (unlikely(!ab)) > > - return; > > - audit_log_format(ab, "auid=%u ses=%u op=%s", > > - from_kuid(&init_user_ns, audit_get_loginuid(current)), > > - audit_get_sessionid(current), op); > > - audit_log_format(ab, " path="); > > - audit_log_untrustedstring(ab, w->path); > > - audit_log_key(ab, r->filterkey); > > - audit_log_format(ab, " list=%d res=1", r->listnr); > > - audit_log_end(ab); > > - } > > + struct audit_buffer *ab; > > + > > + if (!audit_enabled) > > + return; > > + ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); > > + if (!ab) > > + return; > > + audit_log_format(ab, "auid=%u ses=%u op=%s", > > + from_kuid(&init_user_ns, audit_get_loginuid(current)), > > + audit_get_sessionid(current), op); > > + audit_log_format(ab, " path="); > > + audit_log_untrustedstring(ab, w->path); > > + audit_log_key(ab, r->filterkey); > > + audit_log_format(ab, " list=%d res=1", r->listnr); > > + audit_log_end(ab); > > } > > > > /* Update inode info in audit rules based on filesystem event. */ > > -- > > 1.8.3.1 > > > > > -- > paul moore > www.paul-moore.com - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghak59 V1 0/2] tree and watch rule log cleanups
From: Richard Guy Briggs @ 2018-06-14 21:01 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: eparis

On 2018-06-14 16:20, Richard Guy Briggs wrote:
> Make some tree and watch rule logging cleanups before applying
> normalizations and record connections for ghak 59.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50

Sorry, this patchset is mislabelled in the subject line and should be
ghak50.

> Richard Guy Briggs (2):
> audit: tree: check audit_enabled
> audit: watch: simplify audit_enabled check
>
> kernel/audit_tree.c | 2 ++
> kernel/audit_watch.c | 29 +++++++++++++++--------------
> 2 files changed, 17 insertions(+), 14 deletions(-)
>
> --
> 1.8.3.1
>

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635