On Wed, 2005-05-25 at 15:11 +0100, David Woodhouse wrote:
> As an added bonus, this should prevent it oopsing if a task doesn't have
> an audit context but touches a watched inode.
Hm, seems I lied about this bit. Although I thought it _really_ hard, my
emacs wasn't listening. I had to actually type it before it worked...
--- linux-2.6.9/kernel/auditfs.c~ 2005-05-26 11:25:59.000000000 +0100
+++ linux-2.6.9/kernel/auditfs.c 2005-05-26 12:41:48.000000000 +0100
@@ -804,7 +804,7 @@ int audit_notify_watch(struct inode *ino
if (likely(!audit_enabled))
return 0;
- if (!inode)
+ if (!inode || !current->audit_context)
return 0;
data = inode_audit_data(inode);
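Review bot: The added `!current->audit_context` test in audit_notify_watch() makes an access to a watched inode by a task with no audit context return 0 without producing any record, and nothing in the hunk says whether that is intended or only a guard against a NULL dereference. A one-line comment above the `if` stating that such tasks are deliberately skipped would help, because for a filesystem watch this is a gap in the audit trail that a reader of the code should be able to see. Splitting it from the `!inode` check into its own `if` would give that comment a natural place.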
This means that tasks with an audit context will get their actions
logged when they touch a watched inode, but actions performed by tasks
_without_ an audit context will not be logged.
This corresponds to the use of 'possible' with audit rules, which
allocates a context but does not mark it as auditable. Only if something
else happens which marks the context as auditable, such as a filesystem
watch triggering, will the syscall in question get logged.
--
dwmw2