7:54 p.m.
Hi,
the dev= field of auditd information seems to be missing for open,
exec syscalls.
Is there a reason why this information is not available?
(I'd like to filter out all open calls on /proc...)
The log lines i get look like the following:
type=KERNEL msg=audit(1109035917.261:14548): item=0
name=/usr/share/locale/de/LC_MESSAGES/coreutils.mo inode=852010
dev=00:00
and the dev=00:00 value is bogus; I never get a different value.
I'm currently trying to use auditd to obtain an optimized "readahead"
file list for speeding up system boot. I had this idea some months
ago; maybe I should check recent boot speedup developments... ;-)
Greetings,
Erich Schubert
--
erich(a)(mucl.de|debian.org) -- GPG Key ID: 4B3A135C (o_
To understand recursion you first need to understand recursion. //\
Wo befreundete Wege zusammenlaufen, da sieht die ganze Welt für V_/_
eine Stunde wie eine Heimat aus. --- Herrmann Hesse
11:54 a.m.
* Erich Schubert (erich.schubert(a)gmail.com) wrote:
The log lines i get look like the following:
type=KERNEL msg=audit(1109035917.261:14548): item=0
name=/usr/share/locale/de/LC_MESSAGES/coreutils.mo inode=852010
dev=00:00
and the dev=00:00 value is bogus; I never get a different value.
The dev value is actually rdev. So it's not bogus if you're accessing,
for example, /dev/hda1. Reasonable question whether that's both
intentional and sufficient. Given namespace possibilities, I assumed
that dev/ino pair was dumped to uniquely identify the object.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
12:43 p.m.
On Tue, 2005-02-22 at 09:54 -0800, Chris Wright wrote:
The dev value is actually rdev. So it's not bogus if you're
accessing,
for example, /dev/hda1. Reasonable question whether that's both
intentional and sufficient. Given namespace possibilities, I assumed
that dev/ino pair was dumped to uniquely identify the object.
Yes, this looks like a bug to me in the audit code, particularly as the
existing filter code lets you filter based on rdev and ino (whereas I'd
expect you would want to filter based on a specific object identified by
(dev,ino) pair). Should path_lookup() be passing nd->dentry->d_inode-
i_sb->s_dev to audit_inode() instead?
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
1:17 p.m.
New subject: [PATCH] get dev value for inode audit records
* Stephen Smalley (sds(a)tycho.nsa.gov) wrote:
On Tue, 2005-02-22 at 09:54 -0800, Chris Wright wrote:
> The dev value is actually rdev. So it's not bogus if you're accessing,
> for example, /dev/hda1. Reasonable question whether that's both
> intentional and sufficient. Given namespace possibilities, I assumed
> that dev/ino pair was dumped to uniquely identify the object.
Yes, this looks like a bug to me in the audit code, particularly as the
existing filter code lets you filter based on rdev and ino (whereas I'd
expect you would want to filter based on a specific object identified by
(dev,ino) pair). Should path_lookup() be passing nd->dentry->d_inode-
>i_sb->s_dev to audit_inode() instead?
That's what I was thinking, Erich said he'd give the patch a test. I
kept rdev and added dev. But, from the perspective of the converstaion
we had in the other thread (re: supplemental groups), shouldn't the
security attributes of the object be dumped as well? Here's a patch to
try Erich, but I think I'll spin up another one to dump uid/gid too.
thanks,
-chris
===== kernel/auditsc.c 1.6 vs edited =====
--- 1.6/kernel/auditsc.c 2005-01-30 22:33:47 -08:00
+++ edited/kernel/auditsc.c 2005-02-24 11:10:04 -08:00
@@ -89,6 +89,7 @@ enum audit_state {
struct audit_names {
const char *name;
unsigned long ino;
+ dev_t dev;
dev_t rdev;
};
@@ -338,7 +339,7 @@ static int audit_filter_rules(struct tas
case AUDIT_DEVMAJOR:
if (ctx) {
for (j = 0; j < ctx->name_count; j++) {
- if (MAJOR(ctx->names[j].rdev)==value) {
+ if (MAJOR(ctx->names[j].dev)==value) {
++result;
break;
}
@@ -348,7 +349,7 @@ static int audit_filter_rules(struct tas
case AUDIT_DEVMINOR:
if (ctx) {
for (j = 0; j < ctx->name_count; j++) {
- if (MINOR(ctx->names[j].rdev)==value) {
+ if (MINOR(ctx->names[j].dev)==value) {
++result;
break;
}
@@ -620,8 +621,12 @@ static void audit_log_exit(struct audit_
context->names[i].ino);
/* FIXME: should use format_dev_t, but ab structure is
* opaque. */
- if (context->names[i].rdev != -1)
+ if (context->names[i].dev != -1)
audit_log_format(ab, " dev=%02x:%02x",
+ MAJOR(context->names[i].dev),
+ MINOR(context->names[i].dev));
+ if (context->names[i].rdev != -1)
+ audit_log_format(ab, " rdev=%02x:%02x",
MAJOR(context->names[i].rdev),
MINOR(context->names[i].rdev));
audit_log_end(ab);
@@ -812,6 +817,7 @@ void audit_getname(const char *name)
BUG_ON(context->name_count >= AUDIT_NAMES);
context->names[context->name_count].name = name;
context->names[context->name_count].ino = (unsigned long)-1;
+ context->names[context->name_count].dev = -1;
context->names[context->name_count].rdev = -1;
++context->name_count;
}
@@ -859,7 +865,7 @@ EXPORT_SYMBOL(audit_putname);
/* Store the inode and device from a lookup. Called from
* fs/namei.c:path_lookup(). */
-void audit_inode(const char *name, unsigned long ino, dev_t rdev)
+void audit_inode(const char *name, unsigned long ino, dev_t dev, dev_t rdev)
{
int idx;
struct audit_context *context = current->audit_context;
@@ -886,6 +892,7 @@ void audit_inode(const char *name, unsig
#endif
}
context->names[idx].ino = ino;
+ context->names[idx].dev = dev;
context->names[idx].rdev = rdev;
}
===== fs/namei.c 1.118 vs edited =====
--- 1.118/fs/namei.c 2005-01-20 21:00:21 -08:00
+++ edited/fs/namei.c 2005-02-24 11:02:46 -08:00
@@ -983,6 +983,7 @@ int fastcall path_lookup(const char *nam
&& nd && nd->dentry && nd->dentry->d_inode))
audit_inode(name,
nd->dentry->d_inode->i_ino,
+ nd->dentry->d_inode->i_sb->s_dev,
nd->dentry->d_inode->i_rdev);
return retval;
}
===== include/linux/audit.h 1.2 vs edited =====
--- 1.2/include/linux/audit.h 2005-01-30 22:33:47 -08:00
+++ edited/include/linux/audit.h 2005-02-24 10:58:24 -08:00
@@ -141,7 +141,7 @@ extern void audit_syscall_entry(struct t
extern void audit_syscall_exit(struct task_struct *task, int return_code);
extern void audit_getname(const char *name);
extern void audit_putname(const char *name);
-extern void audit_inode(const char *name, unsigned long ino, dev_t rdev);
+extern void audit_inode(const char *name, unsigned long ino, dev_t dev, dev_t rdev);
/* Private API (for audit.c only) */
extern int audit_receive_filter(int type, int pid, int uid, int seq,
@@ -157,7 +157,7 @@ extern uid_t audit_get_loginuid(struct a
#define audit_syscall_exit(t,r) do { ; } while (0)
#define audit_getname(n) do { ; } while (0)
#define audit_putname(n) do { ; } while (0)
-#define audit_inode(n,i,d) do { ; } while (0)
+#define audit_inode(n,i,d, r) do { ; } while (0)
#define audit_get_loginuid(c) ({ -1; })
#endif
1:39 p.m.
New subject: [PATCH] get dev value for inode audit records
Chris Wright wrote:
That's what I was thinking, Erich said he'd give the patch a
test. I
kept rdev and added dev. But, from the perspective of the converstaion
we had in the other thread (re: supplemental groups), shouldn't the
security attributes of the object be dumped as well? Here's a patch to
try Erich, but I think I'll spin up another one to dump uid/gid too.
thanks,
-chris
Don't forget the mode for completeness :) That should be similar to a portion
of the (rough idea) patch that I submitted to the list on Jan 21. I believe you
stated that this information would be redundant with Tim's audit additions
(although I could have misinterpreted that). Is that no longer the case? I
apologize for my ignorance here - I really do hope to be able to start playing
with Tim's patches soon (and David's prelim IPC audit patch).
Thanks,
Darrel
2:32 p.m.
New subject: [PATCH] get dev value for inode audit records - take 2
* Darrel Goeddel (dgoeddel(a)trustedcs.com) wrote:
Don't forget the mode for completeness :) That should be similar
to a
Thanks, I got it ;-) I checked BSM to make sure I was recording what
was needed there.
portion of the (rough idea) patch that I submitted to the list on Jan
21.
You're right, I forgot. Thanks, I just grabbed your initialized bit.
I have this vague recollection that i_ino == 0 doesn't happen (start at
1), but I can't find justification for this. If that's wrong it's simple
to add init member.
I believe you stated that this information would be redundant with
Tim's
audit additions (although I could have misinterpreted that). Is that no
longer the case? I apologize for my ignorance here - I really do hope to
be able to start playing with Tim's patches soon (and David's prelim IPC
audit patch).
I agree it's needed, and I think the confusion was around adding the lsm
inode bit (maybe I was the confused one).
This one does mode (including upper bits), uid, gid, dev, ino, rdev
(do we want to keep that?). Erich, does this let you filter on dev/ino
pair as expected?
thanks,
-chris
===== kernel/auditsc.c 1.6 vs edited =====
--- 1.6/kernel/auditsc.c 2005-01-30 22:33:47 -08:00
+++ edited/kernel/auditsc.c 2005-02-24 12:21:40 -08:00
@@ -89,6 +89,10 @@ enum audit_state {
struct audit_names {
const char *name;
unsigned long ino;
+ dev_t dev;
+ umode_t mode;
+ uid_t uid;
+ gid_t gid;
dev_t rdev;
};
@@ -338,7 +342,7 @@ static int audit_filter_rules(struct tas
case AUDIT_DEVMAJOR:
if (ctx) {
for (j = 0; j < ctx->name_count; j++) {
- if (MAJOR(ctx->names[j].rdev)==value) {
+ if (MAJOR(ctx->names[j].dev)==value) {
++result;
break;
}
@@ -348,7 +352,7 @@ static int audit_filter_rules(struct tas
case AUDIT_DEVMINOR:
if (ctx) {
for (j = 0; j < ctx->name_count; j++) {
- if (MINOR(ctx->names[j].rdev)==value) {
+ if (MINOR(ctx->names[j].dev)==value) {
++result;
break;
}
@@ -615,13 +619,15 @@ static void audit_log_exit(struct audit_
if (context->names[i].name)
audit_log_format(ab, " name=%s",
context->names[i].name);
- if (context->names[i].ino != (unsigned long)-1)
- audit_log_format(ab, " inode=%lu",
- context->names[i].ino);
- /* FIXME: should use format_dev_t, but ab structure is
- * opaque. */
- if (context->names[i].rdev != -1)
- audit_log_format(ab, " dev=%02x:%02x",
+ if (context->names[i].ino)
+ audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
+ " uid=%d gid=%d rdev=%02x:%02x",
+ context->names[i].ino,
+ MAJOR(context->names[i].dev),
+ MINOR(context->names[i].dev),
+ context->names[i].mode,
+ context->names[i].uid,
+ context->names[i].gid,
MAJOR(context->names[i].rdev),
MINOR(context->names[i].rdev));
audit_log_end(ab);
@@ -811,8 +817,7 @@ void audit_getname(const char *name)
}
BUG_ON(context->name_count >= AUDIT_NAMES);
context->names[context->name_count].name = name;
- context->names[context->name_count].ino = (unsigned long)-1;
- context->names[context->name_count].rdev = -1;
+ context->names[context->name_count].ino = 0;
++context->name_count;
}
@@ -859,7 +864,7 @@ EXPORT_SYMBOL(audit_putname);
/* Store the inode and device from a lookup. Called from
* fs/namei.c:path_lookup(). */
-void audit_inode(const char *name, unsigned long ino, dev_t rdev)
+void audit_inode(const char *name, const struct inode *inode)
{
int idx;
struct audit_context *context = current->audit_context;
@@ -885,8 +890,12 @@ void audit_inode(const char *name, unsig
++context->ino_count;
#endif
}
- context->names[idx].ino = ino;
- context->names[idx].rdev = rdev;
+ context->names[idx].ino = inode->i_ino;
+ context->names[idx].dev = inode->i_sb->s_dev;
+ context->names[idx].mode = inode->i_mode;
+ context->names[idx].uid = inode->i_uid;
+ context->names[idx].gid = inode->i_gid;
+ context->names[idx].rdev = inode->i_rdev;
}
void audit_get_stamp(struct audit_context *ctx,
===== fs/namei.c 1.118 vs edited =====
--- 1.118/fs/namei.c 2005-01-20 21:00:21 -08:00
+++ edited/fs/namei.c 2005-02-24 11:21:26 -08:00
@@ -981,9 +981,7 @@ int fastcall path_lookup(const char *nam
retval = link_path_walk(name, nd);
if (unlikely(current->audit_context
&& nd && nd->dentry && nd->dentry->d_inode))
- audit_inode(name,
- nd->dentry->d_inode->i_ino,
- nd->dentry->d_inode->i_rdev);
+ audit_inode(name, nd->dentry->d_inode);
return retval;
}
===== include/linux/audit.h 1.2 vs edited =====
--- 1.2/include/linux/audit.h 2005-01-30 22:33:47 -08:00
+++ edited/include/linux/audit.h 2005-02-24 11:20:53 -08:00
@@ -141,7 +141,7 @@ extern void audit_syscall_entry(struct t
extern void audit_syscall_exit(struct task_struct *task, int return_code);
extern void audit_getname(const char *name);
extern void audit_putname(const char *name);
-extern void audit_inode(const char *name, unsigned long ino, dev_t rdev);
+extern void audit_inode(const char *name, const struct inode *inode);
/* Private API (for audit.c only) */
extern int audit_receive_filter(int type, int pid, int uid, int seq,
@@ -157,7 +157,7 @@ extern uid_t audit_get_loginuid(struct a
#define audit_syscall_exit(t,r) do { ; } while (0)
#define audit_getname(n) do { ; } while (0)
#define audit_putname(n) do { ; } while (0)
-#define audit_inode(n,i,d) do { ; } while (0)
+#define audit_inode(n,i) do { ; } while (0)
#define audit_get_loginuid(c) ({ -1; })
#endif
7:36 p.m.
New subject: [PATCH] get dev value for inode audit records - take 3
* Chris Wright (chrisw(a)osdl.org) wrote:
This one does mode (including upper bits), uid, gid, dev, ino, rdev
(do we want to keep that?). Erich, does this let you filter on dev/ino
pair as expected?
I tested filtering, works as expected. This generates something like:
type=KERNEL msg=audit(1109726066.172:15813214): item=0 name=/etc/passwd inode=8916426
dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00
Any issues before pushing it upstream?
thanks,
-chris
--
Inode audit records are currently only showing name, inode, and dev.
The device is calculated incorrectly, and similarly dev based filtering
is broken. Fix device node problems and add some more useful data to
inode audit record -- mode, uid, gid of inode.
Signed-off-by: Chris Wright <chrisw(a)osdl.org>
--- linus-2.6/kernel/auditsc.c~audit-inode-dev 2005-02-25 18:28:12.000000000 -0800
+++ linus-2.6/kernel/auditsc.c 2005-03-01 14:38:36.000000000 -0800
@@ -89,6 +89,10 @@ enum audit_state {
struct audit_names {
const char *name;
unsigned long ino;
+ dev_t dev;
+ umode_t mode;
+ uid_t uid;
+ gid_t gid;
dev_t rdev;
};
@@ -338,7 +342,7 @@ static int audit_filter_rules(struct tas
case AUDIT_DEVMAJOR:
if (ctx) {
for (j = 0; j < ctx->name_count; j++) {
- if (MAJOR(ctx->names[j].rdev)==value) {
+ if (MAJOR(ctx->names[j].dev)==value) {
++result;
break;
}
@@ -348,7 +352,7 @@ static int audit_filter_rules(struct tas
case AUDIT_DEVMINOR:
if (ctx) {
for (j = 0; j < ctx->name_count; j++) {
- if (MINOR(ctx->names[j].rdev)==value) {
+ if (MINOR(ctx->names[j].dev)==value) {
++result;
break;
}
@@ -616,12 +620,14 @@ static void audit_log_exit(struct audit_
audit_log_format(ab, " name=%s",
context->names[i].name);
if (context->names[i].ino != (unsigned long)-1)
- audit_log_format(ab, " inode=%lu",
- context->names[i].ino);
- /* FIXME: should use format_dev_t, but ab structure is
- * opaque. */
- if (context->names[i].rdev != -1)
- audit_log_format(ab, " dev=%02x:%02x",
+ audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
+ " uid=%d gid=%d rdev=%02x:%02x",
+ context->names[i].ino,
+ MAJOR(context->names[i].dev),
+ MINOR(context->names[i].dev),
+ context->names[i].mode,
+ context->names[i].uid,
+ context->names[i].gid,
MAJOR(context->names[i].rdev),
MINOR(context->names[i].rdev));
audit_log_end(ab);
@@ -814,7 +820,6 @@ void audit_getname(const char *name)
BUG_ON(context->name_count >= AUDIT_NAMES);
context->names[context->name_count].name = name;
context->names[context->name_count].ino = (unsigned long)-1;
- context->names[context->name_count].rdev = -1;
++context->name_count;
}
@@ -860,7 +865,7 @@ void audit_putname(const char *name)
/* Store the inode and device from a lookup. Called from
* fs/namei.c:path_lookup(). */
-void audit_inode(const char *name, unsigned long ino, dev_t rdev)
+void audit_inode(const char *name, const struct inode *inode)
{
int idx;
struct audit_context *context = current->audit_context;
@@ -886,8 +891,12 @@ void audit_inode(const char *name, unsig
++context->ino_count;
#endif
}
- context->names[idx].ino = ino;
- context->names[idx].rdev = rdev;
+ context->names[idx].ino = inode->i_ino;
+ context->names[idx].dev = inode->i_sb->s_dev;
+ context->names[idx].mode = inode->i_mode;
+ context->names[idx].uid = inode->i_uid;
+ context->names[idx].gid = inode->i_gid;
+ context->names[idx].rdev = inode->i_rdev;
}
void audit_get_stamp(struct audit_context *ctx,
--- linus-2.6/include/linux/audit.h~audit-inode-dev 2005-02-24 16:28:23.000000000 -0800
+++ linus-2.6/include/linux/audit.h 2005-02-25 18:39:26.000000000 -0800
@@ -131,6 +131,9 @@ struct audit_context;
#endif
#ifdef CONFIG_AUDITSYSCALL
+/* forward decl for audit_inode */
+struct inode;
+
/* These are defined in auditsc.c */
/* Public API */
extern int audit_alloc(struct task_struct *task);
@@ -141,7 +144,7 @@ extern void audit_syscall_entry(struct t
extern void audit_syscall_exit(struct task_struct *task, int return_code);
extern void audit_getname(const char *name);
extern void audit_putname(const char *name);
-extern void audit_inode(const char *name, unsigned long ino, dev_t rdev);
+extern void audit_inode(const char *name, const struct inode *inode);
/* Private API (for audit.c only) */
extern int audit_receive_filter(int type, int pid, int uid, int seq,
@@ -157,7 +160,7 @@ extern uid_t audit_get_loginuid(struct a
#define audit_syscall_exit(t,r) do { ; } while (0)
#define audit_getname(n) do { ; } while (0)
#define audit_putname(n) do { ; } while (0)
-#define audit_inode(n,i,d) do { ; } while (0)
+#define audit_inode(n,i) do { ; } while (0)
#define audit_get_loginuid(c) ({ -1; })
#endif
--- linus-2.6/fs/namei.c~audit-inode-dev 2005-02-24 16:55:32.000000000 -0800
+++ linus-2.6/fs/namei.c 2005-02-25 18:39:26.000000000 -0800
@@ -992,9 +992,7 @@ int fastcall path_lookup(const char *nam
retval = link_path_walk(name, nd);
if (unlikely(current->audit_context
&& nd && nd->dentry && nd->dentry->d_inode))
- audit_inode(name,
- nd->dentry->d_inode->i_ino,
- nd->dentry->d_inode->i_rdev);
+ audit_inode(name, nd->dentry->d_inode);
return retval;
}
8:36 p.m.
New subject: [PATCH] get dev value for inode audit records - take 3
Hi,
I tested filtering, works as expected. This generates something
like:
type=KERNEL msg=audit(1109726066.172:15813214): item=0 name=/etc/passwd inode=8916426
dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00
I tried to have it do what I want, but I wasn't successful.
A typical log line looks like this:
type=KERNEL msg=audit(1109729446.695:310443): item=0
name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600
uid=1000 gid=1000 rdev=00:00
Now I want to log only accesses to my IDE disk, so I tried
/usr/local/sbin/auditctl -a entry,always -S open -F devmajor=3
My current list of filters is then
AUDIT_LIST: entry always syscall=execve
AUDIT_LIST: entry always devmajor=3 (0x3) syscall=open
And only execs are logged afterwards.
This is with audit 0.6.4, 2.6.11rc4, with the patch you sent earlier
(only differences I could find is that in the patch I applied, ino=0
and not -1 in the 5th chunk, and the missing forward declaration in
audit.h)
Greetings,
Erich Schubert
--
erich(a)(mucl.de|debian.org) -- GPG Key ID: 4B3A135C (o_
To understand recursion you first need to understand recursion. //\
Wo befreundete Wege zusammenlaufen, da sieht die ganze Welt für V_/_
eine Stunde wie eine Heimat aus. --- Herrmann Hesse
10:20 p.m.
New subject: [PATCH] get dev value for inode audit records - take 3
* Erich Schubert (erich.schubert(a)gmail.com) wrote:
I tried to have it do what I want, but I wasn't successful.
A typical log line looks like this:
type=KERNEL msg=audit(1109729446.695:310443): item=0
name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600
uid=1000 gid=1000 rdev=00:00
Now I want to log only accesses to my IDE disk, so I tried
/usr/local/sbin/auditctl -a entry,always -S open -F devmajor=3
devmajor is an exit filter. So try something like:
/usr/local/sbin/auditctl -a entry,possible -S open
/usr/local/sbin/auditctl -a exit,always -S open -F devmajor=3
and let me know if that works?
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
5:02 p.m.
New subject: [PATCH] get dev value for inode audit records - take 3
Hi,
Works fine. Great, thank you! Reduces load a lot when /proc accesses
are no longer audited.
I currenly use
/usr/local/sbin/auditctl -a entry,always -S execve
/usr/local/sbin/auditctl -a entry,possible -S open
/usr/local/sbin/auditctl -a exit,never -S open -F devmajor=0
/usr/local/sbin/auditctl -a exit,always -S open
to get only real filesystem accesses.
Greetings,
Erich Schubert
--
erich(a)(mucl.de|debian.org) -- GPG Key ID: 4B3A135C (o_
To understand recursion you first need to understand recursion. //\
Wo befreundete Wege zusammenlaufen, da sieht die ganze Welt für V_/_
eine Stunde wie eine Heimat aus. --- Herrmann Hesse
6:38 p.m.
New subject: [PATCH] get dev value for inode audit records - take 3
* Erich Schubert (erich.schubert(a)gmail.com) wrote:
Works fine. Great, thank you! Reduces load a lot when /proc accesses
are no longer audited.
Great, thanks for testing.
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
8:11 a.m.
New subject: [PATCH] get dev value for inode audit records - take 3
On Tue, 2005-03-01 at 17:36 -0800, Chris Wright wrote:
#ifdef CONFIG_AUDITSYSCALL
+/* forward decl for audit_inode */
+struct inode;
I don't think it does any harm to make the forward declaration
unconditional. It probably doesn't need a comment either. Just put it
with the others for audit_buffer and audit_context, which might as well
be unconditional too.
--
dwmw2
4:44 p.m.
New subject: [PATCH] get dev value for inode audit records - take 3
* David Woodhouse (dwmw2(a)infradead.org) wrote:
On Tue, 2005-03-01 at 17:36 -0800, Chris Wright wrote:
> #ifdef CONFIG_AUDITSYSCALL
> +/* forward decl for audit_inode */
> +struct inode;
I don't think it does any harm to make the forward declaration
unconditional. It probably doesn't need a comment either. Just put it
with the others for audit_buffer and audit_context, which might as well
be unconditional too.
Good point. I like that, it's cleaner. Incremental patch below.
thanks,
-chris
--
Make audit.h forward declarations unconditional.
Signed-off-by: Chris Wright <chrisw(a)osdl.org>
===== include/linux/audit.h 1.4 vs edited =====
--- 1.4/include/linux/audit.h 2005-03-03 11:55:24 -08:00
+++ edited/include/linux/audit.h 2005-03-10 14:18:34 -08:00
@@ -125,15 +125,11 @@ struct audit_rule { /* for AUDIT_LIST,
#ifdef __KERNEL__
-#ifdef CONFIG_AUDIT
struct audit_buffer;
struct audit_context;
-#endif
-
-#ifdef CONFIG_AUDITSYSCALL
-/* forward decl for audit_inode */
struct inode;
+#ifdef CONFIG_AUDITSYSCALL
/* These are defined in auditsc.c */
/* Public API */
extern int audit_alloc(struct task_struct *task);
7226
days inactive
7242
days old
linux-audit@lists.linux-audit.osci.io
12 comments
5 participants
participants (5)
-
Chris Wright -
Darrel Goeddel -
David Woodhouse -
Erich Schubert -
Stephen Smalley