On Fri, 2006-03-31 at 15:22 -0500, Steve Grubb wrote:
Hi,
The patch below converts IPC auditing to collect sids and convert to context
string only if it needs to output an audit record. This patch depends on the
inode audit change patch already being applied.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c
linux-2.6.16.x86_64/kernel/auditsc.c
--- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-03-31 08:32:14.000000000 -0500
+++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-03-31 08:55:33.000000000 -0500
@@ -734,16 +740,16 @@ static void audit_log_exit(struct audit_
context->names[i].osid, &ctx, &len)) {
audit_log_format(ab, " obj=%u",
context->names[i].osid);
- call_panic = 1;
+ call_panic = 2;
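Review bot: the assignment `call_panic = 2;` introduces a magic value whose meaning is not visible anywhere in this hunk, which only shows the branch where the osid of `context->names[i]` cannot be turned into a context string and is logged raw with `obj=%u`. If `call_panic` is only ever tested as a boolean, the value should stay at 1; if the value is meant to encode a distinct failure class or a count, give it a named constant or a one-line comment at the assignment (or use `call_panic++` if a count is intended) so the next reader does not have to guess why 2 differs from 1.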
Why set it to 2? If you want a count of panic-related events, you
likely want call_panic++; in each case, but you don't seem to use it
anyway beyond being a simple boolean flag.
BTW, I personally have no strong opinion on whether to call audit_panic
in this case. It does yield uglier code, and I'm sure that the kernel
developers won't be happy to see additional code paths that can
ultimately lead to a panic(), so if you think it unnecessary, feel free
to drop.
Otherwise, the patch looks sane to me.
--
Stephen Smalley
National Security Agency