On Mon, Dec 02, 2013 at 03:09:01PM -0500, Jeff Layton wrote:
> On Mon, 2 Dec 2013 11:11:09 -0800
> Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > 3.10-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Jeff Layton <jlayton@xxxxxxxxxx>
> >
> > commit d3aea84a4ace5ff9ce7fb7714cee07bebef681c2 upstream.
> >
> > ...to make it clear what the intent behind each record's operation was.
> >
> > In many cases you can infer this, based on the context of the syscall
> > and the result. In other cases it's not so obvious. For instance, in
> > the case where you have a file being renamed over another, you'll have
> > two different records with the same filename but different inode info.
> > By logging this information we can clearly tell which one was created
> > and which was deleted.
> >
> > This fixes what was broken in commit bfcec708.
> > Commit 79f6530c should also be backported to stable v3.7+.
> >
> > Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
> > Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
> > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> > Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> >
> > ---
> > kernel/audit.c | 20 ++++++++++++++++++++
> > 1 file changed, 20 insertions(+)
> >
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1537,6 +1537,26 @@ void audit_log_name(struct audit_context
> > }
> > }
> >
> > + /* log the audit_names record type */
> > + audit_log_format(ab, " nametype=");
> > + switch(n->type) {
> > + case AUDIT_TYPE_NORMAL:
> > + audit_log_format(ab, "NORMAL");
> > + break;
> > + case AUDIT_TYPE_PARENT:
> > + audit_log_format(ab, "PARENT");
> > + break;
> > + case AUDIT_TYPE_CHILD_DELETE:
> > + audit_log_format(ab, "DELETE");
> > + break;
> > + case AUDIT_TYPE_CHILD_CREATE:
> > + audit_log_format(ab, "CREATE");
> > + break;
> > + default:
> > + audit_log_format(ab, "UNKNOWN");
> > + break;
> > + }
> > +
> > audit_log_fcaps(ab, n);
> > audit_log_end(ab);
> > }
> >
> >
>
> I'm not sure this is really suitable or needed for stable. It's
> unlikely to hurt anything, but it doesn't really fix a problem per-se.
> It just adds a little extra info to the audit records.
I think that "extra info" is good to have, so I'll leave it, thanks.
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html