[PATCH] audit: use audit_log_task_info in audit_core_dumps and __audit_seccomp
Kees Cook
keescook at chromium.org
Tue Jan 14 18:39:42 UTC 2014
On Mon, Jan 13, 2014 at 6:56 PM, Eric Paris <eparis at redhat.com> wrote:
> We have a helper function which writes out all of the interesting
> identity information about tasks, audit_log_task_info(). We then have a
> second helper, audit_log_task(), which is only used by audit_core_dumps()
> and __audit_seccomp(). It is lightweight and only outputs some of the
> information about the task. There does not appear to be a rationale for
> its existence except audit_core_dumps() originally did it this way. At
> the time audit_log_task_info() did not exist. When __audit_seccomp came
> along audit_core_dumps() was split into this helper and reused. But
> there was a better helper in audit.c.
>
> This does reorder the records for audit_core_dumps() and
> __audit_seccomp(). The new record order is below. The number in () is
> the order in the old record. Entries without a () do not exist in the
> old record.
>
> audit_log_task_info:
> ppid pid (6) auid (1) uid (2) gid (3) euid
> suid fsuid egid sgid fsgid tty
> ses (4) comm (7) exe (8) subj (5)
>
> audit_log_task:
> auid uid gid ses subj pid comm exe
>
> It seems that reusing the task info pattern throughout records should
> allow for faster, simpler, more streamlined userspace records parsing, but
> changing order like this might be a deal breaker.
>
> Signed-off-by: Eric Paris <eparis at redhat.com>
Sounds fine to me. Thanks!
Acked-by: Kees Cook <keescook at chromium.org>
-Kees
--
Kees Cook
Chrome OS Security
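
The reordering concern raised in the commit message, as an added example (not part of the original message or the kernel patch): a userspace parser that looks fields up by key reads the old and new layouts identically, while one that indexes by position silently returns a different field. The two field orders are taken from the message above; the sample values and function names are constructed for illustration.

```python
import re

# Field orders as listed in the commit message above.
OLD_ORDER = "auid uid gid ses subj pid comm exe".split()
NEW_ORDER = ("ppid pid auid uid gid euid suid fsuid egid sgid fsgid tty "
             "ses comm exe subj").split()

# Constructed sample values (not captured from a real system).
SAMPLE = {
    "ppid": "1201", "pid": "1342", "auid": "1000", "uid": "1000",
    "gid": "1000", "euid": "1000", "suid": "1000", "fsuid": "1000",
    "egid": "1000", "sgid": "1000", "fsgid": "1000", "tty": "pts0",
    "ses": "3", "comm": '"demo"', "exe": '"/usr/bin/demo"',
    "subj": "unconfined",
}

# key=value where the value is either a double-quoted string or a bare token.
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def build_record(order):
    """Render SAMPLE as a key=value record body in the given field order."""
    return " ".join(f"{k}={SAMPLE[k]}" for k in order)


def parse_by_key(body):
    """Order-independent parse: map each key to its unquoted value."""
    return {k: v.strip('"') for k, v in _PAIR.findall(body)}


def parse_by_position(body, index):
    """Fragile parse: take the Nth pair's value, whatever its key is."""
    return _PAIR.findall(body)[index][1].strip('"')


def shared_fields_match(old_body, new_body):
    """True if every key in the old record has the same value in the new one."""
    old, new = parse_by_key(old_body), parse_by_key(new_body)
    return all(new.get(k) == v for k, v in old.items())


if __name__ == "__main__":
    old_body, new_body = build_record(OLD_ORDER), build_record(NEW_ORDER)
    print("pid by key:     ", parse_by_key(old_body)["pid"], parse_by_key(new_body)["pid"])
    print("pid by position:", parse_by_position(old_body, 5), parse_by_position(new_body, 5))
    print("shared fields match:", shared_fields_match(old_body, new_body))
```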