watch question

David Woodhouse dwmw2 at infradead.org
Mon Aug 8 15:14:07 UTC 2005


On Mon, 2005-08-08 at 10:04 -0400, Linda Knippers wrote:
> I'm running the capp rules on my ia64 box with the .84 kernel and the
> 1.0.1 tools and I'm seeing audit records for things that I don't think
> I should be seeing them for.

Hmmm, yes. We ended up in auditfs_attach_wdata() because there was a
watch set, but because of the permissions mark it didn't actually get
triggered. Nevertheless, we still marked the context as auditable on the
way out. We shouldn't do that...

--- linux-2.6.9/kernel/auditsc.c~	2005-08-08 15:20:00.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c	2005-08-08 16:08:49.000000000 +0100
@@ -1396,10 +1396,13 @@ void auditfs_attach_wdata(struct inode *
 	}
 	spin_unlock(&auditfs_lock);
 
+	if (hlist_empty(&ax->watches))
+		goto no_watches;
+
 	if (context->in_syscall && !context->auditable &&
 		 AUDIT_DISABLED != audit_filter_syscall(current, context,
 							&audit_filter_list[AUDIT_FILTER_WATCH]))
-		 context->auditable = 1;
+		context->auditable = 1;
 
 	
 	ax->mask = mask;
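Review bot: the new `if (hlist_empty(&ax->watches)) goto no_watches;` early exit at the top of this hunk has no comment saying which case it covers. Going by the message above, an empty list here means a watch is set but was not triggered because of the permissions mask. A one-line comment above the check saying so would explain why `context->auditable` must stay untouched on that path. The re-indentation of `context->auditable = 1;` is a whitespace-only change mixed into a functional fix and would be easier to review as a separate cleanup.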
@@ -1420,8 +1423,9 @@ auditfs_attach_wdata_fail:
 		audit_watch_put(this->watch);
 		kfree(this);
 	}
-	kfree(ax);
 	audit_panic("failed to allocate memory for fs watch record");
+ no_watches:
+	kfree(ax);
 }
 
 #endif /* CONFIG_AUDITFILESYSTEM */
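Review bot: the `no_watches:` label is placed at the tail of the `auditfs_attach_wdata_fail` path, so the allocation-failure path now falls through it and `kfree(ax)` runs after `audit_panic()` instead of before it. The result is the same single free, but the reordering is not mentioned in the message and the label name no longer describes everything that reaches it. A neutral name for the shared cleanup (for example `out_free`, a suggested name) or a short fall-through comment above the label would make this clearer. The label is also indented by one space, while `auditfs_attach_wdata_fail:` in the hunk header starts at column 0.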


-- 
dwmw2



