
Re: change lspp ipc auditing

On Fri, 2006-03-31 at 15:22 -0500, Steve Grubb wrote:
> Hi,
> The patch below converts IPC auditing to collect sid's and convert to context
> string only if it needs to output an audit record. This patch depends on the
> inode audit change patch already being applied.
> Signed-off-by: Steve Grubb <sgrubb redhat com>

> diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c linux-2.6.16.x86_64/kernel/auditsc.c
> --- linux-2.6.16.x86_64.orig/kernel/auditsc.c	2006-03-31 08:32:14.000000000 -0500
> +++ linux-2.6.16.x86_64/kernel/auditsc.c	2006-03-31 08:55:33.000000000 -0500
> @@ -734,16 +740,16 @@ static void audit_log_exit(struct audit_
>  				context->names[i].osid, &ctx, &len)) { 
>  				audit_log_format(ab, " obj=%u",
>  						context->names[i].osid);
> -				call_panic = 1;
> +				call_panic = 2;
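
Review bot: In the audit_log_exit() branch that logs the raw " obj=%u" value, call_panic changes from 1 to 2 with no comment or named constant saying what the new value means. If call_panic is only ever tested for non-zero, keep it at 1. If 2 is meant to mark a distinct failure class, define named constants for the values and document where the consumer tells them apart.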

Why set it to 2?  If you want a count of panic-related events, you
likely want call_panic++; in each case, but you don't seem to use it
anyway beyond being a simple boolean flag.

BTW, I personally have no strong opinion on whether to call audit_panic
in this case.  It does yield uglier code, and I'm sure that the kernel
developers won't be happy to see additional code paths that can
ultimately lead to a panic(), so if you think it unnecessary, feel free
to drop.

Otherwise, the patch looks sane to me.

Stephen Smalley
National Security Agency
