From: Eric Paris
Subject: Re: [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
Date: Thu, 10 Jan 2008 13:07:14 -0500
Message-ID: <1199988434.30996.15.camel@localhost.localdomain>
In-Reply-To: <1199985923.7836.63.camel@klausk.br.ibm.com>
To: Klaus Heinrich Kiwi
Cc: "Linux-audit@redhat.com"

On Thu, 2008-01-10 at 15:25 -0200, Klaus Heinrich Kiwi wrote:
> Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> the kernel anomalies messages to have auid= uid= gid= fields (in this
> order). This quick patch changes the ANOM_PROMISCUOUS message to the
> correct format (as already used by ANOM_ABEND).
>
> Applies on 2.6.24-rc7 from the audit.git tree
>
> --
> Klaus Heinrich Kiwi
> Security Development - IBM Linux Technology Center
>
> --
>
> Fix ANOM_PROMISCUOUS message to the format as expected by
> audit userspace: auid=%u uid=%u gid=%u [...]

Not that I have a problem with auditing uid and gid in ANOM_PROMISCUOUS
messages, but doing it 'just because that's how userspace wants it'
doesn't seem like a good solution (aka if that were it I'd say fix
userspace not the kernel).

Anyway, let's stick with conventions of ordering: first is what happened,
second is who-dun-it.

dev=%s prom=%d old_prom=%d auid=%d uid=%u gid=%u ses=%u

I guess I'm ok with adding if(audit_enabled) in the same patch. I'm not
ok with adding some sort of "disable just this message" in the same
patch.

-Eric

>
> Signed-off-by: Klaus Heinrich Kiwi
> ---
> net/core/dev.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/dev.c b/net/core/dev.c > index 0848da3..cd49cd0 100644 > --- a/net/core/dev.c > +++ b/net/core/dev.c > @@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_de= vice *dev, int inc) > "left"); > audit_log(current->audit_context, GFP_ATOMIC, > AUDIT_ANOM_PROMISCUOUS, > - "dev=3D%s prom=3D%d old_prom=3D%d auid=3D%u ses=3D%u", > + "auid=3D%u uid=3D%u gid=3D%u dev=3D%s prom=3D%d old_prom=3D%d ses=3D= %u", > + audit_get_loginuid(current->audit_context), > + current->uid, current->gid, > dev->name, (dev->flags & IFF_PROMISC), > (old_flags & IFF_PROMISC), > - audit_get_loginuid(current->audit_context), > audit_get_sessionid(current->audit_context)); > =20 > if (dev->change_rx_flags)
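
Review bot: in the new format string, ses=%u stays at the tail while auid=, uid= and gid= move ahead of dev=, so the fields that identify the subject end up split around dev/prom/old_prom. Keeping the four together, either all before or all after the device fields, would make the record easier to read and to match on. The hunk also reorders the fields of an existing record type instead of only appending uid= and gid=, so the changelog should say that the field order changes and name the record (ANOM_ABEND, per the cover text) whose layout is being matched.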