From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: [PATCH] Fix formatting of AUDIT_CONFIG_CHANGE events Date: Wed, 16 Nov 2016 16:14:33 -0500 Message-ID: <2021110.61yJOaeqcU@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from x2.localnet (vpn-226-170.phx2.redhat.com [10.3.226.170]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id uAGLEYct027129 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Wed, 16 Nov 2016 16:14:34 -0500 List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com The AUDIT_CONFIG_CHANGE events sometimes use a op= field. The current code logs the value of the field with quotes. This field is documented to not be encoded, so it should not have quotes. Signed-off-by: Steve Grubb
---
diff -urp vanilla-4.9-rc5.orig/kernel/auditfilter.c vanilla-4.9-rc5/kernel/auditfilter.c
--- vanilla-4.9-rc5.orig/kernel/auditfilter.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/auditfilter.c 2016-11-16 16:00:30.608728324 -0500
@@ -1074,8 +1074,7 @@ static void audit_log_rule_change(char *
 return;
 audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
 audit_log_task_context(ab);
- audit_log_format(ab, " op=");
- audit_log_string(ab, action);
+ audit_log_format(ab, " op=%s", action);
 audit_log_key(ab, rule->filterkey);
 audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
 audit_log_end(ab);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c vanilla-4.9-rc5/kernel/audit_fsnotify.c
--- vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_fsnotify.c 2016-11-16 16:02:41.516728544 -0500
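Review bot: In audit_log_rule_change, `%s` writes `action` into the record with no encoding and now no delimiters, so a value containing a space, `=` or a newline would split or add fields in an AUDIT_CONFIG_CHANGE record. The callers are outside the hunk; if they all pass fixed literals this is fine, but nothing in the code states that requirement. I would add `/* action is logged unencoded: callers must pass a fixed token with no whitespace or quotes */` above the call, and, if the `char *` visible in the hunk header is this parameter, make it `const char *action`. The same applies to `op` in audit_mark_log_rule_change and audit_watch_log_rule_change; any value that can carry caller-influenced bytes should keep going through audit_log_untrustedstring, as the path fields in those hunks do.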
@@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(s
 ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
 if (unlikely(!ab))
 return;
- audit_log_format(ab, "auid=%u ses=%u op=",
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
 from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
- audit_log_string(ab, op);
+ audit_get_sessionid(current), op);
 audit_log_format(ab, " path=");
 audit_log_untrustedstring(ab, audit_mark->path);
 audit_log_key(ab, rule->filterkey);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_tree.c vanilla-4.9-rc5/kernel/audit_tree.c
--- vanilla-4.9-rc5.orig/kernel/audit_tree.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_tree.c 2016-11-16 16:03:26.414728619 -0500
@@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(s
 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 if (unlikely(!ab))
 return;
- audit_log_format(ab, "op=");
- audit_log_string(ab, "remove_rule");
+ audit_log_format(ab, "op=remove_rule");
 audit_log_format(ab, " dir=");
 audit_log_untrustedstring(ab, rule->tree->pathname);
 audit_log_key(ab, rule->filterkey);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_watch.c vanilla-4.9-rc5/kernel/audit_watch.c
--- vanilla-4.9-rc5.orig/kernel/audit_watch.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_watch.c 2016-11-16 16:04:18.287728706 -0500
@@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(
 ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
 if (unlikely(!ab))
 return;
- audit_log_format(ab, "auid=%u ses=%u op=",
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
 from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
- audit_log_string(ab, op);
+ audit_get_sessionid(current), op);
 audit_log_format(ab, " path=");
 audit_log_untrustedstring(ab, w->path);
 audit_log_key(ab, r->filterkey);
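Review bot: In audit_tree_log_remove_rule the two back-to-back literal calls can be a single one, `audit_log_format(ab, "op=remove_rule dir=");`, which keeps the fixed record prefix in one place. The same folding applies to the `" path="` call that follows the `op=%s` format in audit_mark_log_rule_change and audit_watch_log_rule_change. Separately, a log search or alert that matches the old quoted text `op="remove_rule"` exactly will no longer match the new record, so the changed output form is worth stating in the changelog for people who monitor rule removal. The function body starts and ends outside the hunk.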