Re: [RFC PATCH] security, capability: pass object information to security_capable

On 7/12/19 1:50 PM, James Morris wrote:
On Fri, 12 Jul 2019, Nicholas Franck wrote:

+	case LSM_AUDIT_DATA_CAP: {
+		const struct inode *inode;
+
+		if (a->u.cap_struct.cad) {
+			switch (a->u.cap_struct.cad->type) {
+			case CAP_AUX_DATA_INODE: {
+				inode = a->u.cap_struct.cad->u.inode;
+
+				audit_log_format(ab, " dev=");
+				audit_log_untrustedstring(ab,
+					inode->i_sb->s_id);
+				audit_log_format(ab, " ino=%lu",
+					inode->i_ino);
+				break;
+			}
+			}
+		}
+		audit_log_format(ab, " capability=%d ", a->u.cap_struct.cap);
  		break;
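
Review bot: in the CAP_AUX_DATA_INODE case, inode is dereferenced (inode->i_sb->s_id, inode->i_ino) while only a->u.cap_struct.cad has been checked for NULL; either test inode before logging or document that callers must always set u.inode for this type. Separately, dev= and ino= are written ahead of capability=, so capability= moves later in the record whenever aux data is present; writing capability= first and appending the new fields after it would leave the existing field's position unchanged. The inner switch has one case and no default, so any other cad->type is skipped silently; an explicit default: break; would state that intent, and the inode declaration could move into the inner case block where it is used.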

Will this break any existing userspace log parsers?

I'm hoping not given that we are only adding auxiliary fields and those are already defined for other AVC audit messages. ausearch appeared to work fine. Added the linux-audit mailing list to the cc line to get their view.
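
The compatibility question above, as an added example that is not part of the thread and is not how ausearch or any other audit tool is implemented: a parser that looks fields up by name returns the same capability value whether or not dev= and ino= precede it. The sample records, the `UNTRUSTED_FIELDS` set and the function names are constructed for illustration.

```python
import re

# Fields written with audit_log_untrustedstring(): quoted when the value is
# plain printable text, bare uppercase hex otherwise. This set is an
# assumption made for the example, not a complete list.
UNTRUSTED_FIELDS = {"dev", "comm"}

# key=value where the value is either a quoted string or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(record):
    """Return {key: value} for every key=value pair, ignoring field order."""
    fields = {}
    for key, raw in FIELD_RE.findall(record):
        if raw.startswith('"'):
            value = raw[1:-1]
        elif key in UNTRUSTED_FIELDS:
            # An unquoted untrusted string is hex-encoded bytes.
            try:
                value = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                value = raw  # not valid hex: keep the raw token
        else:
            value = raw
        fields[key] = value
    return fields

def capability_of(record):
    """Look capability up by name so fields added before it do not matter."""
    value = parse_fields(record).get("capability")
    return int(value) if value is not None else None

# Constructed sample records (not captured from a real system).
BEFORE = ('avc:  denied  { dac_override } for  pid=412 comm="cat" '
          'capability=1  scontext=u:r:a_t tcontext=u:r:a_t tclass=capability')
AFTER = ('avc:  denied  { dac_override } for  pid=412 comm="cat" '
         'dev="dm-0" ino=1234 capability=1  scontext=u:r:a_t '
         'tcontext=u:r:a_t tclass=capability')
# Same record with a device name containing a space ("dm 0"), which forces hex.
AFTER_HEX = AFTER.replace('dev="dm-0"', 'dev=646D2030')

if __name__ == "__main__":
    for rec in (BEFORE, AFTER, AFTER_HEX):
        print(capability_of(rec), parse_fields(rec).get("dev"))
```

A parser that instead relies on token position would see capability= shift by two fields between `BEFORE` and `AFTER`.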


