1. 24 Jun, 2009 3 commits
    • Audit: dereferencing krule as if it were an audit_watch · e85188f4
      Eric Paris authored
      
      
      audit_update_watch() runs all of the rules for a given watch and duplicates
      them, attaches a new watch to them, and then when it finishes that process
      and has called free on all of the old rules (ok maybe still inside the rcu
      grace period) it proceeds to use the last element from list_for_each_entry_safe()
      as if it were a krule rather than being the audit_watch which was anchoring
      the list to output a message about audit rules changing.
      
      This patch unifies the audit message from two different places into a helper
      function and calls it from the correct location in audit_update_rules().  We
      will now get an audit message about the config changing for each rule (with
      each rule's filterkey) rather than the previous garbage.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • Audit: better estimation of execve record length · b87ce6e4
      Eric Paris authored
      
      
      The audit execve record splitting code estimates the length of the message
      generated.  But it forgot to include the "" that wrap each string in its
      estimation.  This means that execve messages with lots of tiny (1-2 byte)
      arguments could still cause records greater than 8k to be emitted.  Simply
      fix the estimate.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • Audit: fix audit watch use after free · 35aa901c
      Eric Paris authored
      
      
      When an audit watch is added to a parent the temporary watch inside the
      original krule from userspace is freed.  Yet the original watch is used after
      the real watch was created in audit_add_rules().
      Signed-off-by: Eric Paris <eparis@redhat.com>
  2. 23 Jun, 2009 37 commits