[RFC][PATCH] (#7U2) [linux-2.6.12-rc2-mm1] file system auditing
Timothy R. Chavez
tinytim at us.ibm.com
Mon Apr 25 21:28:13 UTC 2005
On Mon, 2005-04-25 at 17:01 -0400, Steve Grubb wrote:
> On Saturday 23 April 2005 01:09, Timothy R. Chavez wrote:
> > diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/audit.c
> > linux-2.6.12-rc2-mm1~audit/kernel/audit.c ---
> > linux-2.6.12-rc2-mm1~orig/kernel/audit.c 2005-04-11 14:15:36.000000000
> > +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/audit.c 2005-04-21
> > 20:58:37.000000000 +0000 @@ -322,6 +322,8 @@ static int
> > audit_netlink_ok(kernel_cap_t
> > case AUDIT_SET:
> > case AUDIT_ADD:
> > case AUDIT_DEL:
> > + case AUDIT_WATCH_INS:
> > + case AUDIT_WATCH_REM:
> > if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
> > err = -EPERM;
> > break;
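Review bot: The case list in audit_netlink_ok() gains AUDIT_WATCH_INS and AUDIT_WATCH_REM under the CAP_AUDIT_CONTROL check, but nothing in the visible lines says what happens to a watch message type that is not listed here, such as AUDIT_WATCH_LIST, if userspace sends it anyway. If that type is only meant to travel from the kernel to userspace, confirm that the switch rejects it rather than letting it through without a capability check, and add a one-line comment above the new case labels stating which watch types are accepted from userspace and why the list type is left out.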
>
> Don't you really want to add AUDIT_WATCH_LIST to this?
Nope, "AUDIT_WATCH_LIST" is no longer being sent to the kernel. I took
your suggestion and made "-l" list both rules and watches. Thus, when
we request a list we still use "AUDIT_LIST". When the requested list is
sent back from the kernel to auditctl, AUDIT_LIST is sent to signify
that the incoming list entry is a rule and AUDIT_WATCH_LIST is sent to
signify that the incoming list entry is a watch.
-tim