[PATCH] Change "IP address" to more general term
by Eamon Walsh
The attached patch changes "IP address" to "network address" in the
libaudit header file comments and documentation.
Not making reference to a specific protocol will help me justify the use
of libaudit to some upstream maintainers.
Signed-off-by: Eamon Walsh <ewalsh(a)tycho.nsa.gov>
docs/audit_log_acct_message.3 | 2 +-
docs/audit_log_user_avc_message.3 | 2 +-
docs/audit_log_user_comm_message.3 | 2 +-
docs/audit_log_user_message.3 | 2 +-
docs/audit_log_user_semange_message.3 | 2 +-
docs/ausearch.8 | 2 +-
lib/audit_logging.c | 10 +++++-----
7 files changed, 11 insertions(+), 11 deletions(-)
--
Eamon Walsh <ewalsh(a)tycho.nsa.gov>
National Security Agency
18 years, 3 months
- task-watchers-register-audit-task-watcher.patch removed from -mm tree
by akpm@osdl.org
The patch titled
Task watchers: register audit task watcher
has been removed from the -mm tree. Its filename is
task-watchers-register-audit-task-watcher.patch
This patch was dropped because it was nacked by the maintainer
------------------------------------------------------
Subject: Task watchers: register audit task watcher
From: Matt Helsley <matthltc(a)us.ibm.com>
Adapt audit to use task watchers.
Signed-off-by: Matt Helsley <matthltc(a)us.ibm.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: <linux-audit(a)redhat.com>
Signed-off-by: Andrew Morton <akpm(a)osdl.org>
---
kernel/audit.c | 25 ++++++++++++++++++++++++-
kernel/exit.c | 3 ---
kernel/fork.c | 7 +------
3 files changed, 25 insertions(+), 10 deletions(-)
diff -puN kernel/audit.c~task-watchers-register-audit-task-watcher kernel/audit.c
--- a/kernel/audit.c~task-watchers-register-audit-task-watcher
+++ a/kernel/audit.c
@@ -48,6 +48,7 @@
#include <linux/module.h>
#include <linux/err.h>
#include <linux/kthread.h>
+#include <linux/notifier.h>
#include <linux/audit.h>
@@ -67,6 +68,26 @@ static int audit_initialized;
/* No syscall auditing will take place unless audit_enabled != 0. */
int audit_enabled;
+static int audit_task(struct notifier_block *nb, unsigned long val, void *t)
+{
+ struct task_struct *tsk = t;
+
+ switch(get_watch_event(val)) {
+ case WATCH_TASK_INIT:
+ /* Hack: -EFOO sets NOTIFY_STOP_MASK */
+ return audit_alloc(tsk);
+ case WATCH_TASK_FREE:
+ if (unlikely(tsk->audit_context))
+ audit_free(tsk);
+ default:
+ return NOTIFY_DONE;
+ }
+}
+
+static struct notifier_block __read_mostly audit_watch_tasks_nb = {
+ .notifier_call = audit_task,
+};
+
/* Default state when kernel boots without any parameters. */
static int audit_default;
@@ -734,8 +755,10 @@ static int __init audit_enable(char *str
printk(KERN_INFO "audit: %s%s\n",
audit_default ? "enabled" : "disabled",
audit_initialized ? "" : " (after initialization)");
- if (audit_initialized)
+ if (audit_initialized) {
audit_enabled = audit_default;
+ register_task_watcher(&audit_watch_tasks_nb);
+ }
return 1;
}
diff -puN kernel/exit.c~task-watchers-register-audit-task-watcher kernel/exit.c
--- a/kernel/exit.c~task-watchers-register-audit-task-watcher
+++ a/kernel/exit.c
@@ -35,7 +35,6 @@
#include <linux/futex.h>
#include <linux/compat.h>
#include <linux/pipe_fs_i.h>
-#include <linux/audit.h> /* for audit_free() */
#include <linux/resource.h>
#include <linux/notifier.h>
@@ -907,8 +906,6 @@ fastcall NORET_TYPE void do_exit(long co
if (unlikely(tsk->compat_robust_list))
compat_exit_robust_list(tsk);
#endif
- if (unlikely(tsk->audit_context))
- audit_free(tsk);
tsk->exit_code = code;
taskstats_exit_send(tsk, tidstats, group_dead, mycpu);
taskstats_exit_free(tidstats);
diff -puN kernel/fork.c~task-watchers-register-audit-task-watcher kernel/fork.c
--- a/kernel/fork.c~task-watchers-register-audit-task-watcher
+++ a/kernel/fork.c
@@ -39,7 +39,6 @@
#include <linux/notifier.h>
#include <linux/ptrace.h>
#include <linux/mount.h>
-#include <linux/audit.h>
#include <linux/profile.h>
#include <linux/rmap.h>
#include <linux/acct.h>
@@ -1091,11 +1090,9 @@ static struct task_struct *copy_process(
if ((retval = security_task_alloc(p)))
goto bad_fork_cleanup_policy;
- if ((retval = audit_alloc(p)))
- goto bad_fork_cleanup_security;
/* copy all the process information */
if ((retval = copy_semundo(clone_flags, p)))
- goto bad_fork_cleanup_audit;
+ goto bad_fork_cleanup_security;
if ((retval = copy_files(clone_flags, p)))
goto bad_fork_cleanup_semundo;
if ((retval = copy_fs(clone_flags, p)))
@@ -1273,8 +1270,6 @@ bad_fork_cleanup_files:
exit_files(p); /* blocking */
bad_fork_cleanup_semundo:
exit_sem(p);
-bad_fork_cleanup_audit:
- audit_free(p);
bad_fork_cleanup_security:
security_task_free(p);
notify_result = notify_watchers(WATCH_TASK_FREE, p);
_
Patches currently in -mm which might be from matthltc(a)us.ibm.com are
kernel-bug-fixing-for-kernel-kmodc.patch
task-watchers-register-audit-task-watcher.patch
task-watchers-register-per-task-delay-accounting.patch
task-watchers-register-profile-as-a-task-watcher.patch
task-watchers-add-support-for-per-task-watchers.patch
task-watchers-register-semundo-task-watcher.patch
task-watchers-register-per-task-semundo-watcher.patch
ipc-replace-kmalloc-and-memset-in-get_undo_list-with-kzalloc.patch
18 years, 3 months
[PATCH] Reporting file descriptors and exec args
by John D. Ramsdell
Here is a version of the previous patch that was produced using the
correct options to diff. This patch is by Jeremy Latt. In addition
to adding reports of the file descriptors created by the pipe and
socketpair system calls, it also adds reports of the string arguments
to the system calls open and execve. Knowing the name of the file
opened or exec'ed is also crucial to the analysis performed by Polgen.
John
Signed-off-by: John D. Ramsdell <ramsdell(a)mitre.org>
diff -uprN -X 2.6.16/Documentation/dontdiff 2.6.16/fs/exec.c linux-2.6.16-jlatt/fs/exec.c
--- 2.6.16/fs/exec.c 2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.16-jlatt/fs/exec.c 2006-09-12 16:08:05.000000000 -0400
@@ -49,6 +49,7 @@
#include <linux/rmap.h>
#include <linux/acct.h>
#include <linux/cn_proc.h>
+#include <linux/audit.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -1173,6 +1174,8 @@ int do_execve(char * filename,
if ((retval = bprm->argc) < 0)
goto out_mm;
+ audit_execve(bprm->argc, argv);
+
bprm->envc = count(envp, bprm->p / sizeof(void *));
if ((retval = bprm->envc) < 0)
goto out_mm;
diff -uprN -X 2.6.16/Documentation/dontdiff 2.6.16/fs/pipe.c linux-2.6.16-jlatt/fs/pipe.c
--- 2.6.16/fs/pipe.c 2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.16-jlatt/fs/pipe.c 2006-09-12 16:08:22.000000000 -0400
@@ -15,6 +15,7 @@
#include <linux/pipe_fs_i.h>
#include <linux/uio.h>
#include <linux/highmem.h>
+#include <linux/audit.h>
#include <asm/uaccess.h>
#include <asm/ioctls.h>
@@ -781,6 +782,7 @@ int do_pipe(int *fd)
fd_install(j, f2);
fd[0] = i;
fd[1] = j;
+ audit_fd_pair(i, j);
return 0;
close_f12_inode_i_j:
diff -uprN -X 2.6.16/Documentation/dontdiff 2.6.16/include/linux/audit.h linux-2.6.16-jlatt/include/linux/audit.h
--- 2.6.16/include/linux/audit.h 2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.16-jlatt/include/linux/audit.h 2006-09-12 16:07:13.000000000 -0400
@@ -68,6 +68,8 @@
#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
#define AUDIT_CWD 1307 /* Current working directory */
+#define AUDIT_EXECVE 1309 /* exec arguments */
+#define AUDIT_FD_PAIR 1312 /* audit record for pipe/socketpair */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
@@ -238,6 +240,8 @@ extern int audit_sockaddr(int len, void
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
extern void audit_signal_info(int sig, struct task_struct *t);
extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
+extern int audit_execve(int argc, char __user *__user *argv);
+extern int audit_fd_pair(int fd1, int fd2);
#else
#define audit_alloc(t) ({ 0; })
#define audit_free(t) do { ; } while (0)
@@ -255,6 +259,8 @@ extern int audit_filter_user(struct netl
#define audit_avc_path(dentry, mnt) ({ 0; })
#define audit_signal_info(s,t) do { ; } while (0)
#define audit_filter_user(cb,t) ({ 1; })
+#define audit_execve(a, b) ({ 0; })
+#define audit_fd_pair(a, b) ({ 0; })
#endif
#ifdef CONFIG_AUDIT
diff -uprN -X 2.6.16/Documentation/dontdiff 2.6.16/kernel/auditsc.c linux-2.6.16-jlatt/kernel/auditsc.c
--- 2.6.16/kernel/auditsc.c 2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.16-jlatt/kernel/auditsc.c 2006-09-12 16:13:03.000000000 -0400
@@ -44,6 +44,10 @@
#include <linux/compiler.h>
#include <asm/unistd.h>
+#include <linux/in.h>
+#include <linux/socket.h>
+#include <linux/binfmts.h>
+
/* 0 = no checking
1 = put_count checking
2 = verbose put_count checking
@@ -129,6 +133,17 @@ struct audit_aux_data_sockaddr {
char a[0];
};
+struct audit_aux_data_fd_pair {
+ struct audit_aux_data d;
+ int fd[2];
+};
+
+struct audit_aux_data_execve {
+ struct audit_aux_data d;
+ int argc;
+ char args[0];
+};
+
struct audit_aux_data_path {
struct audit_aux_data d;
struct dentry *dentry;
@@ -598,7 +613,7 @@ static int audit_filter_user_rules(struc
int audit_filter_user(struct netlink_skb_parms *cb, int type)
{
struct audit_entry *e;
- enum audit_state state;
+ enum audit_state state = AUDIT_DISABLED;
int ret = 1;
rcu_read_lock();
@@ -803,6 +818,22 @@ static void audit_log_task_info(struct a
up_read(&mm->mmap_sem);
}
+static const char *elide(const char *str)
+{
+ static char buf[1025];
+
+ if (strnlen(str, 1025) >= 1025) {
+ memcpy(buf, str, 1021);
+ buf[1021] = '.';
+ buf[1022] = '.';
+ buf[1023] = '.';
+ buf[1024] = '\0';
+ return buf;
+ }
+
+ return str;
+}
+
static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
{
int i;
@@ -820,6 +851,16 @@ static void audit_log_exit(struct audit_
audit_log_format(ab, " success=%s exit=%ld",
(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
context->return_code);
+
+ switch (context->major) {
+ case __NR_open:
+ audit_log_format(ab, " filename=");
+ audit_log_untrustedstring(ab,
+ elide((const char *)context->argv[0]));
+ break;
+ }
+
+
audit_log_format(ab,
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
" pid=%d auid=%u uid=%u gid=%u"
@@ -872,7 +913,21 @@ static void audit_log_exit(struct audit_
struct audit_aux_data_path *axi = (void *)aux;
audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
break; }
-
+ case AUDIT_EXECVE: {
+ int i, pos;
+ struct audit_aux_data_execve *axs = (void *)aux;
+ audit_log_format(ab, "argc=%d", axs->argc);
+ pos = 0;
+ for(i=0; i < axs->argc; i++) {
+ audit_log_format(ab, " arg%d=", i);
+ audit_log_untrustedstring(ab, elide(axs->args+pos));
+ pos += strlen(axs->args+pos)+1;
+ }
+ break; }
+ case AUDIT_FD_PAIR: {
+ struct audit_aux_data_fd_pair *axs = (void *)aux;
+ audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]);
+ break; }
}
audit_log_end(ab);
}
@@ -1237,6 +1292,97 @@ int audit_socketcall(int nargs, unsigned
return 0;
}
+int audit_fd_pair(int fd1, int fd2)
+{
+ struct audit_context *context;
+ struct audit_aux_data_fd_pair *ax;
+
+ context = current->audit_context;
+ if (likely(!context)) {
+ return 0;
+ }
+
+ ax = kmalloc(sizeof(*ax), GFP_KERNEL);
+ if (!ax) {
+ return -ENOMEM;
+ }
+
+ ax->fd[0] = fd1;
+ ax->fd[1] = fd2;
+
+ ax->d.type = AUDIT_FD_PAIR;
+ ax->d.next = context->aux;
+ context->aux = (void *)ax;
+ return 0;
+}
+
+/* includes \0 at end, and just long enough to trigger elipsis */
+#define MAX_ARG_LENGTH 1026
+
+int audit_execve(int argc, char __user *__user *argv)
+{
+ struct audit_aux_data_execve *ax;
+ int i;
+ int off;
+ int bytes_to_malloc;
+ struct audit_context *context;
+
+ context = current->audit_context;
+ if (likely(!context)) {
+ return 0;
+ }
+
+ bytes_to_malloc = sizeof(*ax);
+
+ for (i = 0; i < argc; i++) {
+ int len;
+
+ len = strnlen_user(argv[i], MAX_ARG_LENGTH);
+ if (!len) {
+ return -EFAULT;
+ } else if (len > MAX_ARG_LENGTH) {
+ len = MAX_ARG_LENGTH;
+ }
+ bytes_to_malloc += len;
+ }
+
+ ax = kmalloc(bytes_to_malloc, GFP_KERNEL);
+ if (!ax) {
+ return -ENOMEM;
+ }
+
+ off = 0;
+ for (i=0; i<argc; i++) {
+ int len;
+ char __user *arg;
+
+ if (get_user(arg, argv+i)) {
+ goto err_out;
+ }
+
+ len = strnlen_user(arg, MAX_ARG_LENGTH);
+ if (!len) {
+ goto err_out;
+ } else if (len > MAX_ARG_LENGTH) {
+ len = MAX_ARG_LENGTH;
+ }
+ if (copy_from_user(ax->args+off, arg, len-1)) {
+ goto err_out;
+ }
+ off += len;
+ ax->args[off-1] = '\0';
+ }
+
+ ax->d.type = AUDIT_EXECVE;
+ ax->d.next = context->aux;
+ ax->argc = argc;
+ context->aux = (void *)ax;
+ return 0;
+err_out:
+ kfree(ax);
+ return -EFAULT;
+}
+
int audit_sockaddr(int len, void *a)
{
struct audit_aux_data_sockaddr *ax;
diff -uprN -X 2.6.16/Documentation/dontdiff 2.6.16/net/socket.c linux-2.6.16-jlatt/net/socket.c
--- 2.6.16/net/socket.c 2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.16-jlatt/net/socket.c 2006-09-12 16:05:49.000000000 -0400
@@ -1256,8 +1256,10 @@ asmlinkage long sys_socketpair(int famil
err = put_user(fd1, &usockvec[0]);
if (!err)
err = put_user(fd2, &usockvec[1]);
- if (!err)
+ if (!err) {
+ audit_fd_pair(fd1, fd2);
return 0;
+ }
sys_close(fd2);
sys_close(fd1);
18 years, 3 months
Re: [git pull] audit updates and fixes
by Andrew Morton
On Mon, 11 Sep 2006 18:37:49 +0100
Al Viro <viro(a)ftp.linux.org.uk> wrote:
> Audit fixes and missing bits; compared to the last attempt there are two added
> fixes from Amy... Please, pull:
> git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current.git/ audit.b28
This seems a bit.... late.
The patch adds a whole bunch of new extern-decls-in-C. It'd be nice to get
those into a header file sometime.
And sparc64 allmodconfig broke.
kernel/built-in.o(.text+0x36834): In function `audit_filter_rules':
: undefined reference to `audit_classify_syscall'
make: *** [.tmp_vmlinux1] Error 1
Possibly because the audit git tree fell out of -mm ages ago, partly
because its owner (ahem) ignored my request to resync it with upstream. I
have new scripts from Junio and shall try again.
18 years, 3 months
[PATCH] Reporting file descriptors created by pipe and socketpair
by John D. Ramsdell
The polgen tools suggest SELinux policy by analyzing dynamic traces of
a running set of related programs. It derives information flow by
tracking file descriptors used by a set of programs, and notes which
processes performs reads and writes. We would very much like to get
our raw data from autrace, however, the current traces it generates
lacks some crucial information. The record for the pipe and
socketpair system call does not include the file descriptors created
upon success. Enclosed is a patch by Mark Workman that remedies this
problem.
John
Signed-off-by: John D. Ramsdell <ramsdell(a)mitre.org>
*** a/kernel/auditsc.c 2006-03-20 00:53:29.000000000 -0500
--- b/kernel/auditsc.c 2006-06-26 08:21:56.000000000 -0400
***************
*** 820,825 ****
--- 820,846 ----
audit_log_format(ab, " success=%s exit=%ld",
(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
context->return_code);
+
+ printk(KERN_INFO "%s auditing what?\n", __FUNCTION__);
+
+ switch (context->major) {
+ case __NR_socketcall:
+ if (context->argv[0] == SYS_SOCKETPAIR)
+ audit_log_format(ab, " descriptor pair=%d,%d",
+ current->audit_pids[0],
+ current->audit_pids[1]);
+ break;
+
+ case __NR_pipe:
+ audit_log_format(ab, " descriptor pair=%d,%d",
+ current->audit_pids[0],
+ current->audit_pids[1]);
+ break;
+
+ default: break;
+ }
+
+
audit_log_format(ab,
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
" pid=%d auid=%u uid=%u gid=%u"
*** a/fs/pipe.c 2006-03-20 00:53:29.000000000 -0500
--- b/fs/pipe.c 2006-06-26 10:10:15.000000000 -0400
***************
*** 779,786 ****
fd_install(i, f1);
fd_install(j, f2);
! fd[0] = i;
! fd[1] = j;
return 0;
close_f12_inode_i_j:
--- 779,786 ----
fd_install(i, f1);
fd_install(j, f2);
! current->audit_pids[0] = fd[0] = i;
! current->audit_pids[1] = fd[1] = j;
return 0;
close_f12_inode_i_j:
*** a/include/linux/sched.h 2006-03-20 00:53:29.000000000 -0500
--- b/include/linux/sched.h 2006-06-26 08:19:23.000000000 -0400
***************
*** 819,824 ****
--- 819,825 ----
void *security;
struct audit_context *audit_context;
seccomp_t seccomp;
+ int audit_pids [3];
/* Thread group tracking */
u32 parent_exec_id;
*** a/net/socket.c 2006-03-20 00:53:29.000000000 -0500
--- b/net/socket.c 2006-06-26 12:35:23.000000000 -0400
***************
*** 1256,1263 ****
err = put_user(fd1, &usockvec[0]);
if (!err)
err = put_user(fd2, &usockvec[1]);
! if (!err)
return 0;
sys_close(fd2);
sys_close(fd1);
--- 1256,1266 ----
err = put_user(fd1, &usockvec[0]);
if (!err)
err = put_user(fd2, &usockvec[1]);
! if (!err) {
! current->audit_pids[0] = fd1;
! current->audit_pids[1] = fd2;
return 0;
+ }
sys_close(fd2);
sys_close(fd1);
18 years, 3 months
inotify_rm_watch behavior
by Eduardo Madeira Fleury
Hey all,
I'm doing some tests and currently inotify_rm_watch is not performing any
permission checks, i.e., an ordinary user can remove a watch set by root on a
file with root:root 400 permission.
Is this the expected behavior? Seems like neither MAC nor MLS checks are being
done.
Regards,
--
Eduardo M. Fleury
IBM Linux Technology Center Brazil
Mobile: +55-19-81224410
email/sametime: efleury(a)br.ibm.com
18 years, 3 months
[PATCH] update audit rule change messages
by Amy Griffis
Make the audit message for implicit rule removal more informative.
Make the rule update message consistent with other messages.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index cba0708..6354ced 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -931,7 +931,7 @@ static void audit_update_watch(struct au
}
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "audit updated rules specifying watch=");
+ audit_log_format(ab, "audit updated rules specifying path=");
audit_log_untrustedstring(ab, owatch->path);
audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
audit_log_end(ab);
@@ -954,19 +954,29 @@ static void audit_remove_parent_watches(
struct audit_watch *w, *nextw;
struct audit_krule *r, *nextr;
struct audit_entry *e;
+ struct audit_buffer *ab;
mutex_lock(&audit_filter_mutex);
parent->flags |= AUDIT_PARENT_INVALID;
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
e = container_of(r, struct audit_entry, rule);
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab, "audit implicitly removed rule");
+ if (r->filterkey) {
+ audit_log_format(ab, " key=");
+ audit_log_untrustedstring(ab, r->filterkey);
+ } else
+ audit_log_format(ab, " key=(null)");
+ audit_log_format(ab, " path=");
+ audit_log_untrustedstring(ab, w->path);
+ audit_log_format(ab, " list=%d", r->listnr);
+ audit_log_end(ab);
+
list_del(&r->rlist);
list_del_rcu(&e->list);
call_rcu(&e->rcu, audit_free_rule_rcu);
-
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit implicitly removed rule from list=%d\n",
- AUDIT_FILTER_EXIT);
}
audit_remove_watch(w);
}
18 years, 3 months
[PATCH] sanity check audit_buffer
by Amy Griffis
Add sanity checks for NULL audit_buffer consistent with other
audit_log* routines.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
diff --git a/kernel/audit.c b/kernel/audit.c
index 0a36091..963fd15 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1028,6 +1028,9 @@ void audit_log_hex(struct audit_buffer *
struct sk_buff *skb;
static const unsigned char *hex = "0123456789ABCDEF";
+ if (!ab)
+ return;
+
BUG_ON(!ab->skb);
skb = ab->skb;
avail = skb_tailroom(skb);
@@ -1060,6 +1063,9 @@ static void audit_log_n_string(struct au
unsigned char *ptr;
struct sk_buff *skb;
+ if (!ab)
+ return;
+
BUG_ON(!ab->skb);
skb = ab->skb;
avail = skb_tailroom(skb);
18 years, 3 months
