Normally there would be an else here to do something like
audit_log_format(ab, " osid=%u", skb->secmark);
so that its recorded numerically if the context could not be looked up.
I disagree! That approach was dropped long ago when the secctx was first
introduced to prevent kernel information leaking into userspace (Eric
would know more about this as he designed that aspect of it a couple of
months ago). So the secctx is either present (and retrievable!) or not
present from the (xt_)audit point of view. For more information see
net/netfilter/nf_conntrack_standalone.c in the current nf-next tree.
In other words, no else is necessary.
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
