AUDIT_FEATURE_VERSION and AUDIT_FEATURE_BITMAP

Richard Guy Briggs rgb at redhat.com
Fri Feb 10 04:18:37 UTC 2017


Hi Steve,

I'd rather have filed an issue on github linux-audit/audit-userspace,
but I know you don't like using it.  I didn't want to lose track of this
issue.


Looking through the userspace audit code when trying to figure out why
--reset-lost wasn't working on RHEL7, I came across a compiler directive
that was used a number of times and I don't understand why.


In particular, in lib/libaudit.c, lib/netlink.c, src/auditctl-listing.c,
src/auditctl.c, I see:
	#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
	    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
used together which does not make sense since they are unrelated.


The AUDIT_FEATURE_BITMAP has *nothing* to do with AUDIT_FEATURE_VERSION.


This naming was short-sighted in retrospect.


AUDIT_SET_FEATURE (audit_set_feature()), AUDIT_GET_FEATURE
(audit_request_features()) and AUDIT_FEATURE_LOGINUID_IMMUTABLE (and
unused AUDIT_FEATURE_ONLY_UNSET_LOGINUID) are related and present when
AUDIT_FEATURE_VERSION is present and positive.  They allow a kernel
feature named in audit_feature_names[] to be turned off or on and
unlocked or locked.


AUDIT_VERSION_* (deprecated), AUDIT_FEATURE_BITMAP_* along with the
struct audit_status.feature_bitmap (STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
are used to simply determine if the kernel supports such a feature,
extracted by audit_get_features() via load_feature_bitmap() and stored in
features_bitmap (AUDIT_FEATURES_UNSET, AUDIT_FEATURES_UNSUPPORTED).


Most (if not all) of the uses of the compiler directive above should be
just the first half, HAVE_DECL_AUDIT_FEATURE_VERSION.

The use in lib/libaudit.h of AUDIT_FEATURE_BITMAP_ALL in struct
audit_reply->features should instead be HAVE_DECL_AUDIT_FEATURE_VERSION.


- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
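
The distinction drawn in the message above, as an added illustration; this is not code from audit-userspace or the kernel, and it is not the message author's. The EX_-prefixed names, the sample reply and the have_api/have_bitmap flags are assumptions made for the example; the numeric values are local copies of the linux/audit.h definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Local copies of values from the kernel's linux/audit.h; the EX_ prefix
 * marks them as copies so the block builds without kernel headers. */
#define EX_AUDIT_FEATURE_VERSION            1
#define EX_AUDIT_FEATURE_LOGINUID_IMMUTABLE 1          /* feature index */
#define EX_AUDIT_FEATURE_BITMAP_LOST_RESET  0x00000020 /* capability bit */

/* Same field layout as struct audit_features (the AUDIT_GET_FEATURE reply). */
struct ex_audit_features { uint32_t vers, mask, features, lock; };
enum { EX_NO_API = -1, EX_OFF = 0, EX_ON = 1, EX_LOCKED = 2 };

/* Constructed sample reply: loginuid_immutable is switched on and locked. */
static const struct ex_audit_features ex_sample = { 1, 0x3, 0x2, 0x2 };

/* Mechanism 1: is a toggleable feature on, and is that setting locked?
 * Depends only on the AUDIT_GET_FEATURE reply. */
static int ex_feature_state(const struct ex_audit_features *f, unsigned idx)
{
    uint32_t bit = 1u << (idx & 31);
    if (f == NULL || f->vers < EX_AUDIT_FEATURE_VERSION)
        return EX_NO_API;
    return ((f->features & bit) ? EX_ON : EX_OFF) |
           ((f->lock & bit) ? EX_LOCKED : 0);
}

/* Mechanism 2: does the kernel implement a capability at all? Depends only
 * on audit_status.feature_bitmap; have_bitmap is 0 if the field is absent. */
static int ex_capability(int have_bitmap, uint32_t bitmap, uint32_t cap)
{
    return have_bitmap && (bitmap & cap) != 0;
}

/* Two ways of gating the get/set-feature code paths at build time. */
static int ex_combined_guard(int have_api, int have_bitmap) { return have_api && have_bitmap; }
static int ex_version_guard(int have_api, int have_bitmap) { (void)have_bitmap; return have_api; }

int main(void)
{
    printf("loginuid_immutable state: %d\n",
           ex_feature_state(&ex_sample, EX_AUDIT_FEATURE_LOGINUID_IMMUTABLE));
    printf("lost reset supported: %d\n",
           ex_capability(1, 0x1f, EX_AUDIT_FEATURE_BITMAP_LOST_RESET));
    printf("feature API kept without bitmap field: combined=%d version-only=%d\n",
           ex_combined_guard(1, 0), ex_version_guard(1, 0));
    return 0;
}
```

With headers that declare AUDIT_FEATURE_VERSION but lack the feature_bitmap field, the combined guard drops the feature get/set paths even though the bitmap plays no part in them.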