On 2018-06-28 11:47, Paul Moore wrote:
On Thu, Jun 14, 2018 at 4:22 PM Richard Guy Briggs
<rgb(a)redhat.com> wrote:
>
> Check the audit_enabled flag and bail immediately. This does not change
> the functionality, but brings the code format in line with similar
> checks in audit_tree_log_remove_rule(), audit_mark_log_rule_change(),
> and elsewhere in the audit code.
>
> See:
https://github.com/linux-audit/audit-kernel/issues/50
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/audit_watch.c | 29 +++++++++++++++--------------
> 1 file changed, 15 insertions(+), 14 deletions(-)
Merged, thanks.
As a FYI for future patches, please don't use "audit: X:
<one-liner>"
as a subject line unless you are crossing subsystem boundaries. As an
example, the following is okay:
audit: selinux: make things more awesomer
... while this isn't something I like seeing:
audit: watch: simplify audit_enabled check
... because the "watch" in this case refers to the audit watch code
which is part of the audit subsystem already.
Ok, so that watch keyword should have been used such as:
"audit: simplify watch audit_enabled check"
I had seen and used it as a sub-sub-system tag rather than an additional
sub-system tag.
Thanks.
> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index f1ba889..9b4836b 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -238,20 +238,21 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch
*old)
>
> static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch
*w, char *op)
> {
> - if (audit_enabled) {
> - struct audit_buffer *ab;
> - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> - if (unlikely(!ab))
> - return;
> - audit_log_format(ab, "auid=%u ses=%u op=%s",
> - from_kuid(&init_user_ns,
audit_get_loginuid(current)),
> - audit_get_sessionid(current), op);
> - audit_log_format(ab, " path=");
> - audit_log_untrustedstring(ab, w->path);
> - audit_log_key(ab, r->filterkey);
> - audit_log_format(ab, " list=%d res=1", r->listnr);
> - audit_log_end(ab);
> - }
> + struct audit_buffer *ab;
> +
> + if (!audit_enabled)
> + return;
> + ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> + if (!ab)
> + return;
> + audit_log_format(ab, "auid=%u ses=%u op=%s",
> + from_kuid(&init_user_ns, audit_get_loginuid(current)),
> + audit_get_sessionid(current), op);
> + audit_log_format(ab, " path=");
> + audit_log_untrustedstring(ab, w->path);
> + audit_log_key(ab, r->filterkey);
> + audit_log_format(ab, " list=%d res=1", r->listnr);
> + audit_log_end(ab);
> }
>
> /* Update inode info in audit rules based on filesystem event. */
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635