diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2009-02-11 16:12:28 (GMT) |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-02-11 22:40:14 (GMT) |
| commit | 523979adfa0b79d4e3aa053220c37a9233294206 (patch) | |
| tree | 15ff42f935f9d443220edb118f3980432f924360 /security/integrity/ima/ima_policy.c | |
| parent | ed850a52af971528b048812c4215cef298af0d3b (diff) | |
| download | linux-523979adfa0b79d4e3aa053220c37a9233294206.tar.xz | |
integrity: audit update
Based on discussions on linux-audit, as per Steve Grubb's request
http://lkml.org/lkml/2009/2/6/269, the following changes were made:
- forced audit result to be either 0 or 1.
- made template names const
- Added new stand-alone message type: AUDIT_INTEGRITY_RULE
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/integrity/ima/ima_policy.c')
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 23810e0..b5291ad 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -12,7 +12,6 @@ */ #include <linux/module.h> #include <linux/list.h> -#include <linux/audit.h> #include <linux/security.h> #include <linux/magic.h> #include <linux/parser.h> @@ -239,8 +238,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) char *p; int result = 0; - ab = audit_log_start(current->audit_context, GFP_KERNEL, - AUDIT_INTEGRITY_STATUS); + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE); entry->action = -1; while ((p = strsep(&rule, " \n")) != NULL) { @@ -345,15 +343,14 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) AUDIT_SUBJ_TYPE); break; case Opt_err: - printk(KERN_INFO "%s: unknown token: %s\n", - __FUNCTION__, p); + audit_log_format(ab, "UNKNOWN=%s ", p); break; } } if (entry->action == UNKNOWN) result = -EINVAL; - audit_log_format(ab, "res=%d", result); + audit_log_format(ab, "res=%d", !result ? 0 : 1); audit_log_end(ab); return result; } @@ -367,7 +364,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) */ int ima_parse_add_rule(char *rule) { - const char *op = "add_rule"; + const char *op = "update_policy"; struct ima_measure_rule_entry *entry; int result = 0; int audit_info = 0; @@ -394,8 +391,12 @@ int ima_parse_add_rule(char *rule) mutex_lock(&ima_measure_mutex); list_add_tail(&entry->list, &measure_policy_rules); mutex_unlock(&ima_measure_mutex); - } else + } else { kfree(entry); + integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, + NULL, op, "invalid policy", result, + audit_info); + } return result; } |