From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: [PATCH] minor update to rule add/delete messages (ver 2)
Date: Thu, 14 Dec 2006 19:44:08 -0500
Message-ID: <1166143448.8203.196.camel@localhost.localdomain>
References: <200612141148.47824.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <200612141148.47824.sgrubb@redhat.com>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thu, 2006-12-14 at 11:48 -0500, Steve Grubb wrote:
> Hi,
>
> I was looking at parsing some of these messages and found that I wanted what
> it was doing next to an op= for the parser to key on. Also missing was the list
> number and results.
>
> Signed-off-by: Steve Grubb

Would you mind explaining why we had to drop the chunk from the original
patch to auditfilter.c which had:

	if (r->filterkey) {
		audit_log_format(ab, " key=");
		audit_log_untrustedstring(ab, r->filterkey);
	} else
		audit_log_format(ab, " key=(null)");

Also, can someone whack me with a clue bat? Do we have a process for
getting audit patches into mainline kernel? Do they still go through
viro's tree? Should it go right to akpm?

-Eric

>
> diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c
> --- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2006-12-14 09:59:04.000000000 -0500
> +++ linux-2.6.18.x86_64/kernel/auditfilter.c 2006-12-14 10:02:39.000000000 -0500
> @@ -938,9 +938,10 @@ static void audit_update_watch(struct au > } > > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > - audit_log_format(ab, "audit updated rules specifying path="); > + audit_log_format(ab, "op=updated rules specifying path="); > audit_log_untrustedstring(ab, owatch->path); > audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); > + audit_log_format(ab, " list=%d res=1", r->listnr); > audit_log_end(ab); > > audit_remove_watch(owatch); > @@ -970,14 +971,14 @@ static void audit_remove_parent_watches( > e = container_of(r, struct audit_entry, rule); > > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > - audit_log_format(ab, "audit implicitly removed rule path="); > + audit_log_format(ab, "op=remove rule path="); > audit_log_untrustedstring(ab, w->path); > if (r->filterkey) { > audit_log_format(ab, " key="); > audit_log_untrustedstring(ab, r->filterkey); > } else > audit_log_format(ab, " key=(null)"); > - audit_log_format(ab, " list=%d", r->listnr); > + audit_log_format(ab, " list=%d res=1", r->listnr); > audit_log_end(ab); > > list_del(&r->rlist); > @@ -1411,7 +1412,7 @@ static void audit_log_rule_change(uid_t > audit_log_format(ab, " subj=%s", ctx); > kfree(ctx); > } > - audit_log_format(ab, " %s rule key=", action); > + audit_log_format(ab, " op=%s rule key=", action); > if (rule->filterkey) > audit_log_untrustedstring(ab, rule->filterkey); > else > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit
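Review bot: in the audit_update_watch hunk (@@ -938,9) the new `audit_log_format(ab, " list=%d res=1", r->listnr);` is appended after a line that still ends the record with a newline, `audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);`, so list= and res= land on a second line of the same CONFIG_CHANGE record and a line-oriented parser never sees them next to the op= field. Drop the `\n` from that format string; the other two hunks emit no newline before their ` list=%d res=1`. Separately, `op=updated rules specifying path=` makes the op value three space-separated words, so a parser keying on op= reads only `updated` and has to skip `rules specifying` and the later bare `with`; a single-token value (for example `op=updated_rules`) would match the stated aim of giving the parser something to key on. This record also carries no key= field, while the @@ -970 hunk's record does, which is the asymmetry Eric asks about above.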
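Review bot: in the audit_remove_parent_watches hunk (@@ -970,14) `op=remove rule path=` leaves `rule` as a bare word after the op value, so a key=value parser reads op=remove and then has to discard a stray token before path=; folding it into the value (`op=remove_rule`) lets the op token alone name the action. The key= block kept here (`audit_log_untrustedstring(ab, r->filterkey)` or `" key=(null)"`) is exactly what is absent from the audit_update_watch record in the first hunk; emitting it in both places gives the two watch-related CONFIG_CHANGE records one field set to parse.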
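Review bot: the audit_log_rule_change hunk (@@ -1411,7) has the same stray-word problem: `" op=%s rule key="` puts a bare `rule` between the action value and key=, so the op token does not carry the whole action. Also, the visible lines of this hunk add no res= field, whereas the other two hunks both append ` res=1`; if the result is logged further down in audit_log_rule_change (outside the hunk) that is fine, otherwise this record still lacks the result the patch description says was missing.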
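An added example, not code from the kernel, from audit userspace, or from either poster: a small key=value tokeniser of the kind Steve describes wanting to key on op=, run over records constructed from the three format strings in the quoted hunks. It goes slightly beyond the thread by also decoding the quoted and hex-encoded forms that audit_log_untrustedstring produces for path= and key=. The type=/msg= framing, the paths, keys, list numbers and the `add` action value are assumptions; nothing here was captured from a running kernel.

```python
"""Tokenise audit CONFIG_CHANGE records into key=value fields.

Added example for this thread; not code from the kernel, from audit
userspace, or from either poster. The sample records below are
constructed from the format strings in the quoted hunks, not captured
from a running kernel; the "type=CONFIG_CHANGE msg=audit(...):" framing
and the field values (paths, keys, list numbers, action) are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed records, one per hunk in the patch.
# Hunk 1 (audit_update_watch): the format string before the new
# " list=%d res=1" still ends in "\n", so the record arrives as two lines.
HUNK1_RECORD = (
    'type=CONFIG_CHANGE msg=audit(1166143448.820:123): '
    'op=updated rules specifying path="/etc/passwd" with dev=2049 ino=12345\n'
    ' list=4 res=1'
)
# Hunk 2 (audit_remove_parent_watches): a path containing a space is
# hex-encoded by audit_log_untrustedstring ("/tmp/my dir" here), and a
# rule without a key is logged as key=(null).
HUNK2_RECORD = (
    'type=CONFIG_CHANGE msg=audit(1166143448.821:124): '
    'op=remove rule path=2F746D702F6D7920646972 key=(null) list=4 res=1'
)
# Hunk 3 (audit_log_rule_change): subj= precedes op=; "add" stands in for
# the action string, which the hunk passes through %s.
HUNK3_RECORD = (
    'type=CONFIG_CHANGE msg=audit(1166143448.822:125): '
    'subj=user_u:system_r:unconfined_t:s0 op=add rule key="passwd-changes"'
)

# One field: key=value, where value is "quoted" or a run of non-blanks
# (a number, (null), a hex-encoded untrusted string, msg=audit(...):).
_FIELD = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)

# Fields written with audit_log_untrustedstring in the hunks. Assumption
# about its encoding: a clean printable string is emitted in double quotes,
# anything with a quote, a space or a control byte is emitted as uppercase
# hex with no quotes, so an unquoted value here is hex unless it is the
# literal (null) written by audit_log_format.
UNTRUSTED_FIELDS = {"path", "key"}


def decode_untrusted(quoted, bare):
    """Return the decoded value of an untrusted-string field."""
    if quoted is not None:
        return quoted
    if bare == "(null)":
        return bare
    try:
        return bytes.fromhex(bare).decode("latin-1")
    except ValueError:
        return bare


def parse_record(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split one record line into (fields, strays).

    fields maps key -> value (first occurrence wins); strays collects bare
    words that sit between fields without a key, such as the "rules
    specifying" and "with" that a multi-word op= value leaves behind.
    """
    fields: Dict[str, str] = {}
    strays: List[str] = []
    pos = 0
    for m in _FIELD.finditer(line):
        strays.extend(line[pos:m.start()].split())
        key = m.group("key")
        if key in UNTRUSTED_FIELDS:
            value = decode_untrusted(m.group("quoted"), m.group("bare"))
        elif m.group("quoted") is not None:
            value = m.group("quoted")
        else:
            value = m.group("bare")
        fields.setdefault(key, value)
        pos = m.end()
    strays.extend(line[pos:].split())
    return fields, strays


def parse_records(text: str) -> List[Tuple[Dict[str, str], List[str]]]:
    """Parse newline-separated records the way a line-oriented reader would.

    A "\\n" inside a single kernel record therefore splits it in two, and
    the second half has no type= or op= to key on.
    """
    return [parse_record(ln) for ln in text.split("\n") if ln.strip()]


def op_and_strays(line: str) -> Tuple[str, List[str]]:
    """What a parser keying on op= actually sees for one record line."""
    fields, strays = parse_record(line)
    return fields.get("op", ""), strays


if __name__ == "__main__":
    for rec in (HUNK1_RECORD, HUNK2_RECORD, HUNK3_RECORD):
        for fields, strays in parse_records(rec):
            print(fields.get("op"), strays, fields)
```

Running it shows the three things the hunks leave for a parser to cope with: the multi-word op value of the first hunk yields op=updated with `rules`, `specifying` and `with` dangling as stray words, the `\n` in that same hunk puts list= and res= on a second line that has no op= at all, and a path with a space arrives hex-encoded and has to be decoded before it can be compared with anything.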