[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: watch question



On Mon, 2005-08-08 at 10:04 -0400, Linda Knippers wrote:
> I'm running the capp rules on my ia64 box with the .84 kernel and the
> 1.0.1 tools and I'm seeing audit records for things that I don't think
> I should be seeing them for.

Hmmm, yes. We ended up in auditfs_attach_wdata() because there was a
watch set, but because of the permissions mark it didn't actually get
triggered. Nevertheless, we still marked the context as auditable on the
way out. We shouldn't do that...

--- linux-2.6.9/kernel/auditsc.c~	2005-08-08 15:20:00.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c	2005-08-08 16:08:49.000000000 +0100
@@ -1396,10 +1396,13 @@ void auditfs_attach_wdata(struct inode *
 	}
 	spin_unlock(&auditfs_lock);
 
+	if (hlist_empty(&ax->watches))
+		goto no_watches;
+
 	if (context->in_syscall && !context->auditable &&
 		 AUDIT_DISABLED != audit_filter_syscall(current, context,
 							&audit_filter_list[AUDIT_FILTER_WATCH]))
-		 context->auditable = 1;
+		context->auditable = 1;
 
 	
 	ax->mask = mask;
@@ -1420,8 +1423,9 @@ auditfs_attach_wdata_fail:
 		audit_watch_put(this->watch);
 		kfree(this);
 	}
-	kfree(ax);
 	audit_panic("failed to allocate memory for fs watch record");
+ no_watches:
+	kfree(ax);
 }
 
 #endif /* CONFIG_AUDITFILESYSTEM */


-- 
dwmw2


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]