On Sat, 2013-11-02 at 03:26 -0400, Richard Guy Briggs wrote: > On Fri, May 24, 2013 at 12:11:44PM -0400, Eric Paris wrote: > > The audit_status structure was not designed with extensibility in mind. > > Define a new AUDIT_SET_FEATURE message type which takes a new structure > > of bits where things can be enabled/disabled/locked one at a time. This > > structure should be able to grow in the future while maintaining forward > > and backward compatibility (based loosely on the ideas from capabilities > > and prctl) > > > > This does not actually add any features, but is just infrastructure to > > allow new on/off types of audit system features. > > However, it does surprisingly disable one! > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index f2f4666..3acbbc8 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -699,7 +798,16 @@ static int audit_receive_msg(struct sk_buff *skb, > > struct nlmsghdr *nlh) > > if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) > > err = > > audit_set_backlog_limit(status_get->backlog_limit); > > break; > > - case AUDIT_USER: > > + case AUDIT_GET_FEATURE: > > + err = audit_get_feature(skb); > > + if (err) > > + return err; > > + break; > > + case AUDIT_SET_FEATURE: > > + err = audit_set_feature(skb); > > + if (err) > > + return err; > > + break; > > case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: > > case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: > > if (!audit_enabled && msg_type != AUDIT_USER_AVC) > > Can I assume that the removal of the AUDIT_USER case line was > accidental? It has broken USER type AUDIT messages.
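Review bot: the `- case AUDIT_USER:` line in the audit_receive_msg() switch removes the label that sat directly above `case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:` and shared its body, and nothing in the hunk adds it back, so a message of type AUDIT_USER no longer reaches the user-message handling that follows. The commit message says the change adds only infrastructure and no features, so dropping an existing case is outside its stated scope. Suggested change: keep `case AUDIT_USER:` immediately above the two user-message range labels and put the new AUDIT_GET_FEATURE and AUDIT_SET_FEATURE cases before it, each ending in its own `break;` as they do now. For an audit subsystem this matters beyond correctness, since silently dropped userspace audit records leave a gap in the trail; a regression test that sends an AUDIT_USER message and checks it is logged would catch this class of slip when the switch is next edited.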
Wow, Bad Eric. Bad. Please fix!

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit