change lspp ipc auditing
Stephen Smalley
sds at tycho.nsa.gov
Fri Mar 31 21:38:57 UTC 2006
On Fri, 2006-03-31 at 15:22 -0500, Steve Grubb wrote:
> Hi,
>
> The patch below converts IPC auditing to collect sid's and convert to context
> string only if it needs to output an audit record. This patch depends on the
> inode audit change patch already being applied.
>
> Signed-off-by: Steve Grubb <sgrubb at redhat.com>
>
> diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c linux-2.6.16.x86_64/kernel/auditsc.c
> --- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-03-31 08:32:14.000000000 -0500
> +++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-03-31 08:55:33.000000000 -0500
> @@ -734,16 +740,16 @@ static void audit_log_exit(struct audit_
> context->names[i].osid, &ctx, &len)) {
> audit_log_format(ab, " obj=%u",
> context->names[i].osid);
> - call_panic = 1;
> + call_panic = 2;
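Review bot: the value in "call_panic = 2;", set in the branch that logs the raw " obj=%u" value, is a magic number: nothing in the visible lines gives 2 a meaning distinct from the previous 1. If the flag is only ever tested for non-zero, keep "call_panic = 1;". If 2 is meant to distinguish this case from other panic sources, use a named constant or add a comment at the assignment stating what the consumer does with that value.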
Why set it to 2? If you want a count of panic-related events, you
likely want call_panic++; in each case, but you don't seem to use it
anyway beyond being a simple boolean flag.

BTW, I personally have no strong opinion on whether to call audit_panic
in this case. It does yield uglier code, and I'm sure that the kernel
developers won't be happy to see additional code paths that can
ultimately lead to a panic(), so if you think it unnecessary, feel free
to drop.

Otherwise, the patch looks sane to me.
--
Stephen Smalley
National Security Agency