On 2018-02-14 09:51, Kees Cook wrote:
> On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Audit link denied events emit disjointed records when audit is disabled.
> > No records should be emitted when audit is disabled.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/21
> > Signed-off-by: Richard Guy Briggs <r...@redhat.com>
> > ---
> > kernel/audit.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 227db99..4c3fd24 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation,
> > const struct path *link)
> > struct audit_buffer *ab;
> > struct audit_names *name;
> >
> > + if (!audit_enabled || audit_dummy_context())
> > + return;
> > +
> > name = kzalloc(sizeof(*name), GFP_NOFS);
> > if (!name)
> > return;
>
> Doesn't this mean errors here would be silent if audit isn't enabled?
> I don't that; sysadmins should see this notification regardless of the
> audit state...
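Review bot: the new early return is broader than the commit message's "when audit is disabled", because it also bails out when audit_dummy_context() is true, which is the case for a task that has no syscall audit context of its own; with audit enabled, a link-denied event from such a task would still be dropped, and dropped silently, since the function returns void and the hunk adds no other notification path. If the intent is only to suppress records while audit is off, `if (!audit_enabled) return;` matches the commit message and still avoids the kzalloc(); if the dummy-context check is deliberate, the commit message should explain why a link-denied record should depend on the caller's syscall audit context rather than on audit_enabled alone, which is also the concern raised in the reply below the hunk.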
This is a user error and not a system error, so I would think if system auditing is disabled, they don't care about this kind of error.

Steve?

> -Kees

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635