Hi Steve,
I'd rather have filed an issue on github linux-audit/audit-userspace,
but I know you don't like using it. I didn't want to lose track of this
issue.
Looking through the userspace audit code when trying to figure out why
--reset-lost wasn't working on RHEL7, I came across a compiler directive
that was used a number of times and I don't understand why.
In particular, in lib/libaudit.c, lib/netlink.c, src/auditctl-listing.c,
src/auditctl.c, I see:
#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
used together which does not make sense since they are unrelated.
The AUDIT_FEATURE_BITMAP has *nothing* to do with AUDIT_FEATURE_VERSION.
This naming was short-sighted in retrospect.
AUDIT_SET_FEATURE (audit_set_feature()), AUDIT_GET_FEATURE
(audit_request_features()) and AUDIT_FEATURE_LOGINUID_IMMUTABLE (and
unused AUDIT_FEATURE_ONLY_UNSET_LOGINUID) are related and present when
AUDIT_FEATURE_VERSION is present and positive. They allow a kernel
feature named in audit_feature_names[] to be turned off or on and
unlocked or locked.
AUDIT_VERSION_* (deprecated), AUDIT_FEATURE_BITMAP_* along with the
struct audit_status.feature_bitmap (STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
are used to simply determine if the kernel supports such a feature,
extracted by audit_get_features() via load_feature_bitmap() and stored in
features_bitmap (AUDIT_FEATURES_UNSET, AUDIT_FEATURES_UNSUPPORTED).
Most (if not all) of the uses of the compiler directive above should be
just the first half, HAVE_DECL_AUDIT_FEATURE_VERSION.
The use in lib/libaudit.h of AUDIT_FEATURE_BITMAP_ALL in struct
audit_reply->features should instead be HAVE_DECL_AUDIT_FEATURE_VERSION.
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
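As an added illustration of the two unrelated mechanisms the mail distinguishes (example code, not audit-userspace's own): the first helper answers "does this kernel support an AUDIT_FEATURE_BITMAP_* capability" from the bitmap libaudit keeps in features_bitmap, the second reads the on/off and lock state of an AUDIT_FEATURE_* switch out of an AUDIT_GET_FEATURE reply. The constant values and struct layout are assumed to mirror linux/audit.h; the sentinel values and the sample reply are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed to mirror include/uapi/linux/audit.h; redefined here so the
 * example builds without the kernel header. */
#define AUDIT_FEATURE_VERSION             1
#define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0   /* AUDIT_FEATURE_* switch index */
#define AUDIT_FEATURE_LOGINUID_IMMUTABLE  1   /* AUDIT_FEATURE_* switch index */
#define AUDIT_FEATURE_BITMAP_LOST_RESET   0x00000020 /* capability bit */

/* Sentinels kept in features_bitmap before/without a usable reply
 * (values constructed for this example). */
#define AUDIT_FEATURES_UNSET       0xffffffffu
#define AUDIT_FEATURES_UNSUPPORTED 0xfffffffeu

/* Body of an AUDIT_GET_FEATURE reply (layout assumed from linux/audit.h). */
struct audit_features {
    uint32_t vers;     /* AUDIT_FEATURE_VERSION */
    uint32_t mask;     /* which switch bits the kernel implements */
    uint32_t features; /* current on/off state of each switch */
    uint32_t lock;     /* which switches can no longer be changed */
};

/* Capability check via audit_status.feature_bitmap:
 * 1 supported, 0 not supported, -1 bitmap unavailable (not loaded or
 * kernel too old to report one). */
int kernel_supports(uint32_t features_bitmap, uint32_t cap)
{
    if (features_bitmap == AUDIT_FEATURES_UNSET ||
        features_bitmap == AUDIT_FEATURES_UNSUPPORTED)
        return -1;
    return (features_bitmap & cap) ? 1 : 0;
}

/* Switch state via AUDIT_GET_FEATURE: -1 switch not implemented,
 * otherwise bit0 = enabled, bit1 = locked. */
int feature_state(const struct audit_features *f, unsigned idx)
{
    uint32_t bit = 1u << idx;
    if (f->vers != AUDIT_FEATURE_VERSION || !(f->mask & bit))
        return -1;
    return ((f->features & bit) ? 1 : 0) | ((f->lock & bit) ? 2 : 0);
}

/* Constructed reply: both switches implemented, loginuid immutable + locked. */
int sample_loginuid_state(void)
{
    struct audit_features r = { AUDIT_FEATURE_VERSION, 0x3, 0x2, 0x2 };
    return feature_state(&r, AUDIT_FEATURE_LOGINUID_IMMUTABLE);
}
```

Running feature_state() on a real reply and kernel_supports() on a real feature_bitmap needs the two separate netlink requests the mail names; neither depends on the other being available.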