Since the vast majority of files (99.993% on a typical system) have no fcaps, display "0" instead of the full zero-padded 16 hex digits in the two PATH record cap_f* fields to save netlink bandwidth and disk space.
Simply changing the format to %x won't work since the value is two (or possibly more in the future) 32-bit hexadecimal values concatenated and bits in higher order values will be misrepresented. Passes audit-testsuite and userspace tools already work fine. Please see the github issue tracker for more details https://github.com/linux-audit/audit-kernel/issues/101 Signed-off-by: Richard Guy Briggs <[email protected]> --- kernel/audit.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 2a8058764aa6..90cbc89fd6d2 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2057,11 +2057,16 @@ void audit_log_key(struct audit_buffer *ab, char *key) void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) { int i; - - audit_log_format(ab, " %s=", prefix); - CAP_FOR_EACH_U32(i) { - audit_log_format(ab, "%08x", - cap->cap[CAP_LAST_U32 - i]); + u32 nonzero = 0; + + CAP_FOR_EACH_U32(i) + nonzero |= cap->cap[CAP_LAST_U32 - i]; + if (nonzero) { + audit_log_format(ab, " %s=", prefix); + CAP_FOR_EACH_U32(i) + audit_log_format(ab, "%08x", cap->cap[CAP_LAST_U32 - i]); + } else { + audit_log_format(ab, " %s=0", prefix); } } -- 1.8.3.1 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
