On Fri, May 24, 2013 at 12:11:44PM -0400, Eric Paris wrote:
> The audit_status structure was not designed with extensibility in mind.
> Define a new AUDIT_SET_FEATURE message type which takes a new structure
> of bits where things can be enabled/disabled/locked one at a time. This
> structure should be able to grow in the future while maintaining forward
> and backward compatibility (based loosely on the ideas from capabilities
> and prctl)
>
> This does not actually add any features, but is just infrastructure to
> allow new on/off types of audit system features.

However, it does surprisingly disable one!

> diff --git a/kernel/audit.c b/kernel/audit.c > index f2f4666..3acbbc8 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -699,7 +798,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct > nlmsghdr *nlh) > if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) > err = > audit_set_backlog_limit(status_get->backlog_limit); > break; > - case AUDIT_USER: > + case AUDIT_GET_FEATURE: > + err = audit_get_feature(skb); > + if (err) > + return err; > + break; > + case AUDIT_SET_FEATURE: > + err = audit_set_feature(skb); > + if (err) > + return err; > + break; > case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: > case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: > if (!audit_enabled && msg_type != AUDIT_USER_AVC)

Can I assume that the removal of the AUDIT_USER case line was accidental? It has broken USER type AUDIT messages.

- RGB

--
Richard Guy Briggs <rbri...@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
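
Review bot: the `- case AUDIT_USER:` line at the top of the kernel/audit.c hunk drops the AUDIT_USER label from the switch in audit_receive_msg(), and nothing in the visible lines puts it back. The added AUDIT_GET_FEATURE and AUDIT_SET_FEATURE cases each end in `break;`, so AUDIT_USER no longer reaches the user-message handling that starts at `case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:`. The commit message describes the change as infrastructure only, so unless the removal is intended and documented there, keep `case AUDIT_USER:` and place it directly above `case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:`, after the `break;` that closes the AUDIT_SET_FEATURE case.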