diff options
author | Richard Guy Briggs <rgb@redhat.com> | 2013-09-18 09:32:24 -0400 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2014-01-13 22:28:39 -0500 |
commit | 09f883a9023e7a86f92c731e80f30a9447f4bdbe (patch) | |
tree | a23e692d2816b1704aea60f3640e6f9fd2cdfad2 | |
parent | f910fde7307be80a1a228bba969c492f61f13281 (diff) |
audit: clean up AUDIT_GET/SET local variables and future-proof API
Re-named confusing local variable names (status_set and status_get didn't agree
with their command type name) and reduced their scope.
Future-proof API changes by not depending on the exact size of the audit_status
struct and by adding an API version field.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r-- | include/uapi/linux/audit.h | 1 | ||||
-rw-r--r-- | kernel/audit.c | 54 |
2 files changed, 30 insertions, 25 deletions
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index e2f0d9977131..4fdedd4c88a1 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h | |||
@@ -376,6 +376,7 @@ struct audit_status { | |||
376 | __u32 backlog_limit; /* waiting messages limit */ | 376 | __u32 backlog_limit; /* waiting messages limit */ |
377 | __u32 lost; /* messages lost */ | 377 | __u32 lost; /* messages lost */ |
378 | __u32 backlog; /* messages waiting in queue */ | 378 | __u32 backlog; /* messages waiting in queue */ |
379 | __u32 version; /* audit api version number */ | ||
379 | }; | 380 | }; |
380 | 381 | ||
381 | struct audit_features { | 382 | struct audit_features { |
diff --git a/kernel/audit.c b/kernel/audit.c index 833f8e2003b7..80b7de02947b 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -743,7 +743,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
743 | { | 743 | { |
744 | u32 seq; | 744 | u32 seq; |
745 | void *data; | 745 | void *data; |
746 | struct audit_status *status_get, status_set; | ||
747 | int err; | 746 | int err; |
748 | struct audit_buffer *ab; | 747 | struct audit_buffer *ab; |
749 | u16 msg_type = nlh->nlmsg_type; | 748 | u16 msg_type = nlh->nlmsg_type; |
@@ -769,34 +768,38 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
769 | data = nlmsg_data(nlh); | 768 | data = nlmsg_data(nlh); |
770 | 769 | ||
771 | switch (msg_type) { | 770 | switch (msg_type) { |
772 | case AUDIT_GET: | 771 | case AUDIT_GET: { |
773 | memset(&status_set, 0, sizeof(status_set)); | 772 | struct audit_status s; |
774 | status_set.enabled = audit_enabled; | 773 | memset(&s, 0, sizeof(s)); |
775 | status_set.failure = audit_failure; | 774 | s.enabled = audit_enabled; |
776 | status_set.pid = audit_pid; | 775 | s.failure = audit_failure; |
777 | status_set.rate_limit = audit_rate_limit; | 776 | s.pid = audit_pid; |
778 | status_set.backlog_limit = audit_backlog_limit; | 777 | s.rate_limit = audit_rate_limit; |
779 | status_set.lost = atomic_read(&audit_lost); | 778 | s.backlog_limit = audit_backlog_limit; |
780 | status_set.backlog = skb_queue_len(&audit_skb_queue); | 779 | s.lost = atomic_read(&audit_lost); |
780 | s.backlog = skb_queue_len(&audit_skb_queue); | ||
781 | s.version = 1; | ||
781 | audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, | 782 | audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, |
782 | &status_set, sizeof(status_set)); | 783 | &s, sizeof(s)); |
783 | break; | 784 | break; |
784 | case AUDIT_SET: | 785 | } |
785 | if (nlmsg_len(nlh) < sizeof(struct audit_status)) | 786 | case AUDIT_SET: { |
786 | return -EINVAL; | 787 | struct audit_status s; |
787 | status_get = (struct audit_status *)data; | 788 | memset(&s, 0, sizeof(s)); |
788 | if (status_get->mask & AUDIT_STATUS_ENABLED) { | 789 | /* guard against past and future API changes */ |
789 | err = audit_set_enabled(status_get->enabled); | 790 | memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); |
791 | if (s.mask & AUDIT_STATUS_ENABLED) { | ||
792 | err = audit_set_enabled(s.enabled); | ||
790 | if (err < 0) | 793 | if (err < 0) |
791 | return err; | 794 | return err; |
792 | } | 795 | } |
793 | if (status_get->mask & AUDIT_STATUS_FAILURE) { | 796 | if (s.mask & AUDIT_STATUS_FAILURE) { |
794 | err = audit_set_failure(status_get->failure); | 797 | err = audit_set_failure(s.failure); |
795 | if (err < 0) | 798 | if (err < 0) |
796 | return err; | 799 | return err; |
797 | } | 800 | } |
798 | if (status_get->mask & AUDIT_STATUS_PID) { | 801 | if (s.mask & AUDIT_STATUS_PID) { |
799 | int new_pid = status_get->pid; | 802 | int new_pid = s.pid; |
800 | 803 | ||
801 | if (audit_enabled != AUDIT_OFF) | 804 | if (audit_enabled != AUDIT_OFF) |
802 | audit_log_config_change("audit_pid", new_pid, audit_pid, 1); | 805 | audit_log_config_change("audit_pid", new_pid, audit_pid, 1); |
@@ -804,14 +807,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
804 | audit_nlk_portid = NETLINK_CB(skb).portid; | 807 | audit_nlk_portid = NETLINK_CB(skb).portid; |
805 | audit_sock = NETLINK_CB(skb).sk; | 808 | audit_sock = NETLINK_CB(skb).sk; |
806 | } | 809 | } |
807 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) { | 810 | if (s.mask & AUDIT_STATUS_RATE_LIMIT) { |
808 | err = audit_set_rate_limit(status_get->rate_limit); | 811 | err = audit_set_rate_limit(s.rate_limit); |
809 | if (err < 0) | 812 | if (err < 0) |
810 | return err; | 813 | return err; |
811 | } | 814 | } |
812 | if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) | 815 | if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) |
813 | err = audit_set_backlog_limit(status_get->backlog_limit); | 816 | err = audit_set_backlog_limit(s.backlog_limit); |
814 | break; | 817 | break; |
818 | } | ||
815 | case AUDIT_GET_FEATURE: | 819 | case AUDIT_GET_FEATURE: |
816 | err = audit_get_feature(skb); | 820 | err = audit_get_feature(skb); |
817 | if (err) | 821 | if (err) |