* [PATCH ghak59 V1 0/2] tree and watch rule log cleanups
@ 2018-06-14 20:20 Richard Guy Briggs
2018-06-14 20:20 ` [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled Richard Guy Briggs
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Richard Guy Briggs @ 2018-06-14 20:20 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Make some tree and watch rule logging cleanups before applying
normalizations and record connections for ghak 59.
See: https://github.com/linux-audit/audit-kernel/issues/50
Richard Guy Briggs (2):
audit: tree: check audit_enabled
audit: watch: simplify audit_enabled check
kernel/audit_tree.c | 2 ++
kernel/audit_watch.c | 29 +++++++++++++++--------------
2 files changed, 17 insertions(+), 14 deletions(-)
--
1.8.3.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled
2018-06-14 20:20 [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs
@ 2018-06-14 20:20 ` Richard Guy Briggs
2018-06-28 15:43 ` Paul Moore
2018-06-14 20:20 ` [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check Richard Guy Briggs
2018-06-14 21:01 ` [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs
2 siblings, 1 reply; 7+ messages in thread
From: Richard Guy Briggs @ 2018-06-14 20:20 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Respect the audit_enabled flag when printing tree rule config change
records.
See: https://github.com/linux-audit/audit-kernel/issues/50
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/audit_tree.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 67e6956..5e9d1e5 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -497,6 +497,8 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
{
struct audit_buffer *ab;
+ if (!audit_enabled)
+ return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check
2018-06-14 20:20 [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs
2018-06-14 20:20 ` [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled Richard Guy Briggs
@ 2018-06-14 20:20 ` Richard Guy Briggs
2018-06-28 15:47 ` Paul Moore
2018-06-14 21:01 ` [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs
2 siblings, 1 reply; 7+ messages in thread
From: Richard Guy Briggs @ 2018-06-14 20:20 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Check the audit_enabled flag and bail immediately. This does not change
the functionality, but brings the code format in line with similar
checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(),
and elsewhere in the audit code.
See: https://github.com/linux-audit/audit-kernel/issues/50
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/audit_watch.c | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index f1ba889..9b4836b 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
{
- if (audit_enabled) {
- struct audit_buffer *ab;
- ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
- if (unlikely(!ab))
- return;
- audit_log_format(ab, "auid=%u ses=%u op=%s",
- from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current), op);
- audit_log_format(ab, " path=");
- audit_log_untrustedstring(ab, w->path);
- audit_log_key(ab, r->filterkey);
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
- }
+ struct audit_buffer *ab;
+
+ if (!audit_enabled)
+ return;
+ ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
+ if (!ab)
+ return;
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ audit_get_sessionid(current), op);
+ audit_log_format(ab, " path=");
+ audit_log_untrustedstring(ab, w->path);
+ audit_log_key(ab, r->filterkey);
+ audit_log_format(ab, " list=%d res=1", r->listnr);
+ audit_log_end(ab);
}
/* Update inode info in audit rules based on filesystem event. */
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH ghak59 V1 0/2] tree and watch rule log cleanups
2018-06-14 20:20 [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs
2018-06-14 20:20 ` [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled Richard Guy Briggs
2018-06-14 20:20 ` [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check Richard Guy Briggs
@ 2018-06-14 21:01 ` Richard Guy Briggs
2 siblings, 0 replies; 7+ messages in thread
From: Richard Guy Briggs @ 2018-06-14 21:01 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: eparis
On 2018-06-14 16:20, Richard Guy Briggs wrote:
> Make some tree and watch rule logging cleanups before applying
> normalizations and record connections for ghak 59.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
Sorry, this patchset is mislabelled in the subject line and should be
ghak50.
> Richard Guy Briggs (2):
> audit: tree: check audit_enabled
> audit: watch: simplify audit_enabled check
>
> kernel/audit_tree.c | 2 ++
> kernel/audit_watch.c | 29 +++++++++++++++--------------
> 2 files changed, 17 insertions(+), 14 deletions(-)
>
> --
> 1.8.3.1
>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled
2018-06-14 20:20 ` [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled Richard Guy Briggs
@ 2018-06-28 15:43 ` Paul Moore
0 siblings, 0 replies; 7+ messages in thread
From: Paul Moore @ 2018-06-28 15:43 UTC (permalink / raw)
To: rgb; +Cc: Eric Paris, linux-audit
On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote:
>
> Respect the audit_enabled flag when printing tree rule config change
> records.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> kernel/audit_tree.c | 2 ++
> 1 file changed, 2 insertions(+)
Merged, thanks.
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
> index 67e6956..5e9d1e5 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -497,6 +497,8 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
> {
> struct audit_buffer *ab;
>
> + if (!audit_enabled)
> + return;
> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (unlikely(!ab))
> return;
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check
2018-06-14 20:20 ` [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check Richard Guy Briggs
@ 2018-06-28 15:47 ` Paul Moore
2018-07-13 15:39 ` Richard Guy Briggs
0 siblings, 1 reply; 7+ messages in thread
From: Paul Moore @ 2018-06-28 15:47 UTC (permalink / raw)
To: rgb; +Cc: Eric Paris, linux-audit
On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote:
>
> Check the audit_enabled flag and bail immediately. This does not change
> the functionality, but brings the code format in line with similar
> checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(),
> and elsewhere in the audit code.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> kernel/audit_watch.c | 29 +++++++++++++++--------------
> 1 file changed, 15 insertions(+), 14 deletions(-)
Merged, thanks.
As a FYI for future patches, please don't use "audit: X: <one-liner>"
as a subject line unless you are crossing subsystem boundaries. As an
example, the following is okay:
audit: selinux: make things more awesomer
... while this isn't something I like seeing:
audit: watch: simplify audit_enabled check
... because the "watch" in this case refers to the audit watch code
which is part of the audit subsystem already.
> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index f1ba889..9b4836b 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
>
> static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
> {
> - if (audit_enabled) {
> - struct audit_buffer *ab;
> - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> - if (unlikely(!ab))
> - return;
> - audit_log_format(ab, "auid=%u ses=%u op=%s",
> - from_kuid(&init_user_ns, audit_get_loginuid(current)),
> - audit_get_sessionid(current), op);
> - audit_log_format(ab, " path=");
> - audit_log_untrustedstring(ab, w->path);
> - audit_log_key(ab, r->filterkey);
> - audit_log_format(ab, " list=%d res=1", r->listnr);
> - audit_log_end(ab);
> - }
> + struct audit_buffer *ab;
> +
> + if (!audit_enabled)
> + return;
> + ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> + if (!ab)
> + return;
> + audit_log_format(ab, "auid=%u ses=%u op=%s",
> + from_kuid(&init_user_ns, audit_get_loginuid(current)),
> + audit_get_sessionid(current), op);
> + audit_log_format(ab, " path=");
> + audit_log_untrustedstring(ab, w->path);
> + audit_log_key(ab, r->filterkey);
> + audit_log_format(ab, " list=%d res=1", r->listnr);
> + audit_log_end(ab);
> }
>
> /* Update inode info in audit rules based on filesystem event. */
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check
2018-06-28 15:47 ` Paul Moore
@ 2018-07-13 15:39 ` Richard Guy Briggs
0 siblings, 0 replies; 7+ messages in thread
From: Richard Guy Briggs @ 2018-07-13 15:39 UTC (permalink / raw)
To: Paul Moore; +Cc: Eric Paris, linux-audit
On 2018-06-28 11:47, Paul Moore wrote:
> On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> >
> > Check the audit_enabled flag and bail immediately. This does not change
> > the functionality, but brings the code format in line with similar
> > checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(),
> > and elsewhere in the audit code.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/50
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > kernel/audit_watch.c | 29 +++++++++++++++--------------
> > 1 file changed, 15 insertions(+), 14 deletions(-)
>
> Merged, thanks.
>
> As a FYI for future patches, please don't use "audit: X: <one-liner>"
> as a subject line unless you are crossing subsystem boundaries. As an
> example, the following is okay:
>
> audit: selinux: make things more awesomer
>
> ... while this isn't something I like seeing:
>
> audit: watch: simplify audit_enabled check
>
> ... because the "watch" in this case refers to the audit watch code
> which is part of the audit subsystem already.
Ok, so that watch keyword should have been used such as:
"audit: simplify watch audit_enabled check"
I had seen and used it as a sub-sub-system tag rather than an additional
sub-system tag.
Thanks.
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index f1ba889..9b4836b 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
> >
> > static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
> > {
> > - if (audit_enabled) {
> > - struct audit_buffer *ab;
> > - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> > - if (unlikely(!ab))
> > - return;
> > - audit_log_format(ab, "auid=%u ses=%u op=%s",
> > - from_kuid(&init_user_ns, audit_get_loginuid(current)),
> > - audit_get_sessionid(current), op);
> > - audit_log_format(ab, " path=");
> > - audit_log_untrustedstring(ab, w->path);
> > - audit_log_key(ab, r->filterkey);
> > - audit_log_format(ab, " list=%d res=1", r->listnr);
> > - audit_log_end(ab);
> > - }
> > + struct audit_buffer *ab;
> > +
> > + if (!audit_enabled)
> > + return;
> > + ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> > + if (!ab)
> > + return;
> > + audit_log_format(ab, "auid=%u ses=%u op=%s",
> > + from_kuid(&init_user_ns, audit_get_loginuid(current)),
> > + audit_get_sessionid(current), op);
> > + audit_log_format(ab, " path=");
> > + audit_log_untrustedstring(ab, w->path);
> > + audit_log_key(ab, r->filterkey);
> > + audit_log_format(ab, " list=%d res=1", r->listnr);
> > + audit_log_end(ab);
> > }
> >
> > /* Update inode info in audit rules based on filesystem event. */
> > --
> > 1.8.3.1
> >
>
>
> --
> paul moore
> www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-07-13 15:39 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-14 20:20 [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs
2018-06-14 20:20 ` [PATCH ghak59 V1 1/2] audit: tree: check audit_enabled Richard Guy Briggs
2018-06-28 15:43 ` Paul Moore
2018-06-14 20:20 ` [PATCH ghak59 V1 2/2] audit: watch: simplify audit_enabled check Richard Guy Briggs
2018-06-28 15:47 ` Paul Moore
2018-07-13 15:39 ` Richard Guy Briggs
2018-06-14 21:01 ` [PATCH ghak59 V1 0/2] tree and watch rule log cleanups Richard Guy Briggs
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox