On Mon, 2005-04-25 at 17:01 -0400, Steve Grubb wrote:
On Saturday 23 April 2005 01:09, Timothy R. Chavez wrote:
> diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/audit.c
> linux-2.6.12-rc2-mm1~audit/kernel/audit.c ---
> linux-2.6.12-rc2-mm1~orig/kernel/audit.c 2005-04-11 14:15:36.000000000
> +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/audit.c 2005-04-21
> 20:58:37.000000000 +0000 @@ -322,6 +322,8 @@ static int
> audit_netlink_ok(kernel_cap_t
> case AUDIT_SET:
> case AUDIT_ADD:
> case AUDIT_DEL:
> + case AUDIT_WATCH_INS:
> + case AUDIT_WATCH_REM:
> if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
> err = -EPERM;
> break;
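Review bot: in the audit_netlink_ok switch, AUDIT_WATCH_INS and AUDIT_WATCH_REM are the only watch message types placed under the CAP_AUDIT_CONTROL check, and nothing in the hunk says why AUDIT_WATCH_LIST is left out. If that type only ever travels from the kernel to userspace, add a short comment beside the new cases saying so. Also confirm that the part of the switch not visible here rejects AUDIT_WATCH_LIST when it arrives from userspace, rather than letting it pass without a capability check.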
Don't you really want to add AUDIT_WATCH_LIST to this?

Nope, "AUDIT_WATCH_LIST" is no longer being sent to the kernel. I took
your suggestion and made "-l" list both rules and watches. Thus, when
we request a list we still use "AUDIT_LIST". When the requested list is
sent back from the kernel to auditctl, AUDIT_LIST is sent to signify
that the incoming list entry is a rule and AUDIT_WATCH_LIST is sent to
signify that the incoming list entry is a watch.
-tim