[ARCHIVE DEBUG 13/13] audit_debug: print inode nr for each path when listing exe rules

Thu, 22 Oct 2015 12:03:36 -0700 

Debug to list inode number and path for each audit watch when audit
watch rules are listed.

Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
 kernel/audit.h          |    2 ++
 kernel/audit_fsnotify.c |    5 +++++
 kernel/auditfilter.c    |    1 +
 3 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/kernel/audit.h b/kernel/audit.h
index 24ec861..a7cf1ad 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -271,6 +271,7 @@ extern int audit_watch_compare(struct audit_watch *watch, 
unsigned long ino, dev
 
 extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, 
char *pathname, int len);
 extern char *audit_mark_path(struct audit_fsnotify_mark *mark);
+extern unsigned int audit_mark_ino(struct audit_fsnotify_mark *mark);
 extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
 extern void audit_remove_mark_rule(struct audit_krule *krule);
 extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long 
ino, dev_t dev);
@@ -287,6 +288,7 @@ extern int audit_exe_compare(struct task_struct *tsk, 
struct audit_fsnotify_mark
 #define audit_watch_compare(w, i, d) 0
 
 #define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
+#define audit_mark_ino(m) 0
 #define audit_mark_path(m) ""
 #define audit_remove_mark(m)
 #define audit_remove_mark_rule(k)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index 27c6046..dcf788c 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -61,6 +61,11 @@ static void audit_fsnotify_free_mark(struct fsnotify_mark 
*mark)
        audit_fsnotify_mark_free(audit_mark);
 }
 
+unsigned int audit_mark_ino(struct audit_fsnotify_mark *mark)
+{
+       return mark->ino;
+}
+
 char *audit_mark_path(struct audit_fsnotify_mark *mark)
 {
        return mark->path;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7714d93..0c36546 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -645,6 +645,7 @@ static struct audit_rule_data *audit_krule_to_data(struct 
audit_krule *krule)
                case AUDIT_EXE:
                        data->buflen += data->values[i] =
                                audit_pack_string(&bufp, 
audit_mark_path(krule->exe));
+                       pr_warn("list: \"%s\" ino=%u\n", 
audit_mark_path(krule->exe), audit_mark_ino(krule->exe));
                        break;
                case AUDIT_LOGINUID_SET:
                        if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
-- 
1.7.1

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to