[Apparmor-dev] [RFR] kernel fix for missing audit type
Steve Beattie
sbeattie at suse.de
Thu Sep 6 00:43:05 MDT 2007
On Wed, Sep 05, 2007 at 03:33:18PM -0700, John Johansen wrote:
> genprof/logprof fail with current versions of AppArmor when using syslog.
> This is because the audit type gets dropped from syslog messages.
>
> Attached are 2 alternative patches to fix the problem. The first is
> a patch to audit so it doesn't drop the audit message type which
> I am currently trying to get feedback on from the audit list.
Hmm, I like this one, but the silence it's received on the audit list is
not promising.
> The second is a hopefully temporary patch to apparmor that mimics
> the first by outputting the type field directly. This results
> in audit messages getting 2 type fields 1 with a name and 1 with
> a number.
>
> ---
> kernel/audit.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1354,7 +1354,8 @@ void audit_log_end(struct audit_buffer *
> ab->skb = NULL;
> wake_up_interruptible(&kauditd_wait);
> } else {
> - printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
> + struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
> + printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
> }
> }
> audit_buffer_free(ab);
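Review bot: the added printk in the else branch still computes the payload as ab->skb->data + NLMSG_SPACE(0) even though the new nlh local already points at the message header; NLMSG_DATA(nlh) gives the same address through the header and keeps the type and the payload tied to one pointer. nlmsg_type is an unsigned 16-bit field, so %u matches it more closely than %d. The new line also runs well past 80 columns and should be wrapped after the format string.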
> ---
> security/apparmor/main.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> --- a/security/apparmor/main.c
> +++ b/security/apparmor/main.c
> @@ -326,17 +326,19 @@ static int aa_audit_base(struct aa_profi
> return type == AUDIT_APPARMOR_ALLOWED ? 0 : -ENOMEM;
> }
>
> + audit_log_format(ab, " type=%d", type);
> +
> if (sa->operation)
> - audit_log_format(ab, "operation=\"%s\"", sa->operation);
> + audit_log_format(ab, " operation=\"%s\"", sa->operation);
>
> if (sa->info)
> audit_log_format(ab, " info=\"%s\"", sa->info);
>
> if (sa->requested_mask)
> - aa_audit_file_mask(ab, "requested_mask", sa->requested_mask);
> + aa_audit_file_mask(ab, " requested_mask", sa->requested_mask);
>
> if (sa->denied_mask)
> - aa_audit_file_mask(ab, "denied_mask", sa->denied_mask);
> + aa_audit_file_mask(ab, " denied_mask", sa->denied_mask);
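Review bot: the new audit_log_format(ab, " type=%d", type) call is unconditional and carries no comment, although the description calls it temporary and says it produces two type fields per record. Add a comment at the call stating that it duplicates the record type for syslog consumers and should be dropped once kernel/audit.c prints the type itself. With type now written first, the leading space added to " operation=" is needed for field separation; before adding one to the two mask names, check whether aa_audit_file_mask() already emits its own separator, otherwise those fields end up with doubled spaces.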
Do note that aa_audit_file_mask() adds a prefix space, so these last two
changes are unnecessary.
--
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie at suse.de>
http://NxNW.org/~steve/
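
The three record shapes discussed in this thread (no type field over syslog, a numeric type only, and a name plus a number) can be handled by one tolerant parser on the consuming side. This is an added example, not code from genprof/logprof or from either patch; the function names and the sample lines, including the name/number pair, are constructed for illustration.

```python
import re

# key=value or key="quoted value"; the key must start a whitespace-separated token
FIELD_RE = re.compile(r'(?<!\S)(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_line(line):
    """Return (type_name, type_number, fields) for one audit or syslog line.

    Either type slot is None when the line lacks that form of the field.
    """
    type_name = type_number = None
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        value = raw[1:-1] if quoted else raw
        if key != "type":
            fields.setdefault(key, value)   # first occurrence wins
        elif value.isdigit():
            if type_number is None:
                type_number = int(value)
        elif type_name is None:
            type_name = value
    return type_name, type_number, fields

def has_type(line):
    """True when a log consumer can tell which kind of audit event this is."""
    name, number, _ = parse_audit_line(line)
    return name is not None or number is not None

# Constructed sample lines; the timestamps, host, paths and the
# name/number pair APPARMOR_ALLOWED/1502 are illustrative values.
VIA_AUDITD = ('type=APPARMOR_ALLOWED msg=audit(1189060000.123:42):  type=1502 '
              'operation="file_mmap" name="/lib/example.so" pid=1234')
VIA_SYSLOG_FIXED = ('Sep  6 00:43:05 host kernel: type=1502 audit(1189060000.123:42): '
                    'operation="file_mmap" name="/lib/example.so" pid=1234')
VIA_SYSLOG_UNFIXED = ('Sep  6 00:43:05 host kernel: audit(1189060000.123:42): '
                      'operation="file_mmap" name="/lib/example.so" pid=1234')

if __name__ == "__main__":
    for line in (VIA_AUDITD, VIA_SYSLOG_FIXED, VIA_SYSLOG_UNFIXED):
        print(has_type(line), parse_audit_line(line)[:2])
```

A `type=` string inside a quoted value, such as a file name, is consumed as part of that value and is not mistaken for the record type.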