Hello,

Thanks for the comments.

----- "Eric Paris" wrote:
> A couple functions I think you can safely drop a level of indentation
> include audit_log_crypto_op(), audit_filter_rules(), and maybe
> log_crypto_op() needs a helper function to cut down the indentation?
> Maybe not.

Fixed all of these.

> I really don't like %s in audit_log_format(). So unless it's easy to
> prove that the string meets all the rules and always will meet the
> rules, please use audit_log_string() (and in this code I noticed that I
> could not verify 'operation' in this patch, which makes me very
> nervous).

The callers ensure that the inputs are trusted, but I did have untrusted input there at least once, so it is indeed safer.

Attached is an updated patch; in addition to the above changes, it also splits struct audit_crypto_op into three to avoid a union, making the code easier to read and more similar to other auxiliary data structures in auditsc.c.

Mirek