On 2017-01-13 10:48, Steve Grubb wrote: > On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote: > > Add a method to reset the audit_lost value. > > > > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself > > will return a positive value repesenting the current audit_lost value > > and reset the counter to zero. If AUDIT_STATUS_LOST is not the > > only flag set, the reset command will be ignored. The value sent with > > the command is ignored. The return value will be the +ve lost value at > > reset time. > > > > An AUDIT_CONFIG_CHANGE message will be queued to the listening audit > > daemon. The message will be a standard CONFIG_CHANGE message with the > > fields "lost=0" and "old=" with the latter containing the value of > > audit_lost at reset time. > > This passes testing and event looks good.
Did you create a formal test for it or just test it manually? > Acked-by: Steve Grubb <[email protected]> > > This clears the way for audit-2.7.1 release today. > > -Steve > > > See: https://github.com/linux-audit/audit-kernel/issues/3 > > > > Signed-off-by: Richard Guy Briggs <[email protected]> > > --- > > There is a merge conflict anticipated with the exclude filter > > FEATURE_BITMAP patch (ghak5) > > > > v2: > > Switch from AUDIT_GET to AUDIT_SET > > Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP > > Return +ve lost value, reply AUDIT_LOST_RESET msg to sender > > > > v3: > > Switch, from reply to sender, to queue to audit log > > > > v4: > > Switch from LOST_RESET to CONFIG_CHANGE log msg > > Re-add AUDIT_FEATURE_BITMASK > > --- > > --- > > include/uapi/linux/audit.h | 6 +++++- > > kernel/audit.c | 8 +++++++- > > 2 files changed, 12 insertions(+), 2 deletions(-) > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index c8dc97b..3f24110 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h > > @@ -326,15 +326,19 @@ enum { > > #define AUDIT_STATUS_RATE_LIMIT 0x0008 > > #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010 > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > > +#define AUDIT_STATUS_LOST 0x0040 > > > > #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > > #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > > #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 > > #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > > + > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ > > AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \ > > - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER) > > + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > > + AUDIT_FEATURE_BITMAP_LOST_RESET) > > > > /* deprecated: AUDIT_VERSION_* */ > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 57acf25..25dd70a 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -121,7 +121,7 @@ u32 audit_sig_sid = 0; > > 3) suppressed due to audit_rate_limit > > 4) suppressed due to audit_backlog_limit > > */ > > -static atomic_t audit_lost = ATOMIC_INIT(0); > > +static atomic_t audit_lost = ATOMIC_INIT(0); > > > > /* The netlink socket. */ > > static struct sock *audit_sock; > > @@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb, > > struct nlmsghdr *nlh) if (err < 0) > > return err; > > } > > + if (s.mask == AUDIT_STATUS_LOST) { > > + u32 lost = atomic_xchg(&audit_lost, 0); > > + > > + audit_log_config_change("lost", 0, lost, 1); > > + return lost; > > + } > > break; > > } > > case AUDIT_GET_FEATURE: - RGB -- Richard Guy Briggs <[email protected]> Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
