Steve Grubb wrote:
> On Tuesday 14 November 2006 12:48, Paul Moore wrote:
> > I'm trying to find a way to quickly determine if auditing is enabled and it
> > looks like the only real way to do that is to declare audit_enabled as an
> > extern and check the variable directly. Is there some interface for this
> > that I am missing?
>
> A good example of how to do this is in audit.h:
>
> static inline int audit_ipc_obj(struct kern_ipc_perm *ipcp)
> {
>         if (unlikely(!audit_dummy_context()))
>                 return __audit_ipc_obj(ipcp);
>         return 0;
> }
>
> __audit_ipc_obj is the real function that does the actual work. The
> audit_dummy_context() function uses current, so it may not be suitable to use
> on events that come from netlink. In that case, we'd need a new function that
> takes a task struct.

From what I can tell audit_dummy_context() is really only useful in detecting if
syscall auditing is enabled (it always returns true if CONFIG_AUDITSYSCALL is
not checked at compile time) and not audit in general. I'm pretty sure I want
something that depends on audit in general and not just syscall auditing.

--
paul moore
linux security @ hp
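
The distinction discussed in this thread, as an added userspace model (not code from either participant or from the kernel): a gate shaped like the quoted audit.h wrapper consults only per-task state, so its result does not change with a global audit switch. The struct layouts, `audit_dummy_context_task()`, `MODEL_NO_AUDITSYSCALL` and the `model_*` names are hypothetical stand-ins.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stddef.h>

struct audit_context { int dummy; };         /* 1 = context is marked dummy */
struct task_struct { struct audit_context *audit_context; };

static int audit_enabled;                    /* models the global audit switch */
static struct task_struct *current_task;     /* stands in for the kernel's current */

/* Hypothetical variant taking a task, as suggested for netlink-sourced events. */
static int audit_dummy_context_task(const struct task_struct *tsk)
{
#ifdef MODEL_NO_AUDITSYSCALL
    (void)tsk;
    return 1;                                /* syscall auditing compiled out */
#else
    return !tsk->audit_context || tsk->audit_context->dummy;
#endif
}

static int real_calls;                       /* counts entries into the slow path */
static int model_audit_ipc_obj_slow(void) { real_calls++; return 0; }

/* Same shape as the quoted wrapper: cheap gate first, real work second. */
static int model_audit_ipc_obj(void)
{
    if (!audit_dummy_context_task(current_task))
        return model_audit_ipc_obj_slow();
    return 0;
}

/* Runs three sample tasks and returns how many reached the slow path. */
static int run_model(int enabled)
{
    struct audit_context live = { 0 }, idle = { 1 };
    struct task_struct tasks[3] = { { &live }, { &idle }, { NULL } };

    audit_enabled = enabled;                 /* never read by the gate above */
    real_calls = 0;
    for (size_t i = 0; i < 3; i++) {
        current_task = &tasks[i];
        model_audit_ipc_obj();
    }
    return real_calls;
}
```

Only the task with a non-dummy context reaches the slow path, whichever value `audit_enabled` holds.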