[PATCH] filesystem location based auditing
Amy Griffis
amy.griffis at hp.com
Fri Feb 24 21:00:39 UTC 2006
On Fri, Feb 24, 2006 at 03:42:22PM -0500, Peter Staubach wrote:
> Amy Griffis wrote:
>
> >diff --git a/kernel/audit.c b/kernel/audit.c
> >index 4eb97b6..82d926e 100644
> >--- a/kernel/audit.c
> >+++ b/kernel/audit.c
> >@@ -552,6 +561,14 @@ static void audit_receive(struct sock *s
> >/* Initialize audit support at boot time. */
> >static int __init audit_init(void)
> >{
> >+ int i;
> >+
> >+ /* must be initialized before any audit_log calls */
> >+ for (i = 0; i < AUDIT_NR_FILTERS; i++) {
> >+ INIT_LIST_HEAD(&audit_filter_list[i].head);
> >+ spin_lock_init(&audit_filter_list[i].lock);
> >+ }
> >+
> > printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
> > audit_default ? "enabled" : "disabled");
> > audit_sock = netlink_kernel_create(NETLINK_AUDIT, 0,
> > audit_receive,
> >@@ -564,6 +581,11 @@ static int __init audit_init(void)
> > audit_initialized = 1;
> > audit_enabled = audit_default;
> > audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
> >+
> >+ audit_idev = inotify_init(audit_handle_ievent);
> >+ if (IS_ERR(audit_idev))
> >+ audit_panic("cannot initialize inotify device");
> >+
> > return 0;
> >}
> >__initcall(audit_init);
> >
>
> I don't mean to be too nit-picky, but what happens if the
> inotify_init()
> call fails and audit_failure is anything but AUDIT_FAIL_PANIC? The
> same
> sort of question, but with a little more immediacy, is also applicable
> for the call to netlink_kernel_create(). If this routine fails, the
> kernel may or may not panic, but if not, proceeds to use a NULL
> pointer
> as if it were a valid pointer.
>
> Perhaps while we're here, we could make the failure path a little more
> defensive to keep the system from tipping over at some future point
> when
> it tries use one of these pointers which are not supposed to be NULL,
> but are?
Agreed, thanks.
Which reminds me of the need to add the INOTIFY dependency to
AUDITSYSCALL in init/Kconfig.
More information about the Linux-audit
mailing list