public inbox for linux-audit@redhat.com
* Re: [RFC][PATCH 9/11] security: AppArmor - Audit changes
       [not found] ` <20060419175018.29149.391.sendpatchset@ermintrude.int.wirex.com>
@ 2006-04-21 21:21   ` Amy Griffis
  2006-04-22  0:13     ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Amy Griffis @ 2006-04-21 21:21 UTC
  To: Tony Jones; +Cc: linux-kernel, chrisw, linux-security-module, linux-audit

Tony Jones wrote:     [Wed Apr 19 2006, 01:50:18PM EDT]
> This patch adds AppArmor support to the audit subsystem.
> 
> It creates id 1500 (already included in the upstream auditd package) for
> AppArmor messages.
> 
> It also exports the audit_log_vformat function (analogous to having both
> printk and vprintk exported).

linux-audit (cc'd) will likely want to review these changes.

> 
> Signed-off-by: Tony Jones <tonyj@suse.de>
> 
> ---
>  include/linux/audit.h |    5 +++++
>  kernel/audit.c        |    3 ++-
>  2 files changed, 7 insertions(+), 1 deletion(-)
> 
> --- linux-2.6.17-rc1.orig/include/linux/audit.h
> +++ linux-2.6.17-rc1/include/linux/audit.h
> @@ -95,6 +95,8 @@
>  #define AUDIT_LAST_KERN_ANOM_MSG    1799
>  #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
>  
> +#define AUDIT_AA		1500	/* AppArmor audit */
> +
>  #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
>  
>  /* Rule flags */
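
Review bot: the new AUDIT_AA define is out of numeric order and names a single id rather than a range. It is added below the 1700-1799 anomaly block (AUDIT_ANOM_PROMISCUOUS 1700, AUDIT_LAST_KERN_ANOM_MSG 1799) although its value is 1500; move it ahead of that block so the message types stay sorted. If more than one AppArmor message type is expected, define first/last bounds in the same style as AUDIT_LAST_KERN_ANOM_MSG, and consider a more descriptive name than AUDIT_AA.
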
> @@ -349,6 +351,9 @@
>  				      __attribute__((format(printf,4,5)));
>  
>  extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
> +extern void		    audit_log_vformat(struct audit_buffer *ab,
> +					      const char *fmt, va_list args)
> +			    __attribute__((format(printf,2,0)));
>  extern void		    audit_log_format(struct audit_buffer *ab,
>  					     const char *fmt, ...)
>  			    __attribute__((format(printf,2,3)));
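
Review bot: the audit_log_vformat prototype takes a va_list, but the five insertions the diffstat reports for include/linux/audit.h are fully accounted for by the define and this three-line declaration, so no #include <stdarg.h> is added. Confirm that every file including this header already has va_list in scope, or add the include here. The format(printf,2,0) attribute is the correct form for a va_list argument. A short comment on the declaration stating that fmt must be a trusted format string would help module authors now that the function is public.
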
> --- linux-2.6.17-rc1.orig/kernel/audit.c
> +++ linux-2.6.17-rc1/kernel/audit.c
> @@ -797,7 +797,7 @@
>   * will be called a second time.  Currently, we assume that a printk
>   * can't format message larger than 1024 bytes, so we don't either.
>   */
> -static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
> +void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
>  			      va_list args)
>  {
>  	int len, avail;
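
Review bot: dropping static from the definition leaves the continuation line "va_list args)" indented for the old, longer first line; realign it under the opening parenthesis. Since the function becomes a public entry point here, the comment visible above it, which only covers the 1024-byte assumption and the second call, should gain a kerneldoc-style description of the parameters and of what the caller sees when the message does not fit.
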
> @@ -999,4 +999,5 @@
>  EXPORT_SYMBOL(audit_log_start);
>  EXPORT_SYMBOL(audit_log_end);
>  EXPORT_SYMBOL(audit_log_format);
> +EXPORT_SYMBOL(audit_log_vformat);
>  EXPORT_SYMBOL(audit_log);
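
Review bot: the added EXPORT_SYMBOL(audit_log_vformat) has no caller in this patch, so the export cannot be judged on its own; name the in-series user in the changelog, or fold the export into the patch that first calls it. The changelog's printk/vprintk analogy explains the shape of the API but not why the caller cannot go through the already exported audit_log_format.
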


* Re: [RFC][PATCH 9/11] security: AppArmor - Audit changes
  2006-04-21 21:21   ` [RFC][PATCH 9/11] security: AppArmor - Audit changes Amy Griffis
@ 2006-04-22  0:13     ` Steve Grubb
  2006-04-22  0:19       ` Tony Jones
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2006-04-22  0:13 UTC
  To: linux-audit; +Cc: chrisw, linux-security-module, linux-kernel

On Friday 21 April 2006 17:21, Amy Griffis wrote:
> linux-audit (cc'd) will likely want to review these changes.

Yes, I second that. Tony, please cc audit patches to linux-audit mail list so 
we can see them. That said, I did tell Tony they could use message type 
numbers 1500 - 1600 for AppArmor if they need it.

-Steve


* Re: [RFC][PATCH 9/11] security: AppArmor - Audit changes
  2006-04-22  0:13     ` Steve Grubb
@ 2006-04-22  0:19       ` Tony Jones
  0 siblings, 0 replies; 3+ messages in thread
From: Tony Jones @ 2006-04-22  0:19 UTC
  To: Steve Grubb
  Cc: linux-audit, Amy Griffis, chrisw, linux-security-module,
	linux-kernel

On Fri, Apr 21, 2006 at 08:13:52PM -0400, Steve Grubb wrote:
> On Friday 21 April 2006 17:21, Amy Griffis wrote:
> > linux-audit (cc'd) will likely want to review these changes.
> 
> Yes, I second that. Tony, please cc audit patches to linux-audit mail list so 
> we can see them. That said, I did tell Tony they could use message type 
> numbers 1500 - 1600 for AppArmor if they need it.

Sorry, I thought I'd bounced this one patch in the series to the audit list.
I meant to. One more thing lost in the noise.  Apologies.

1500 should already be reserved for apparmor userside.  Only change is to 
enable it kernelside plus of course the one more symbol export to bloat the 
kernel image.  Export of the vformat call is to make it analogous to vprintk.
Sometimes it's more convenient to have a single point of logging (as we do)
and you need to log data which is in va_list format.

Tony
