audit: fix formatting of AUDIT_CONFIG_CHANGE events

The AUDIT_CONFIG_CHANGE events sometimes use a op= field. The current
code logs the value of the field with quotes. This field is documented
to not be encoded, so it should not have quotes.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
[PM: reformatted commit description to make checkpatch.pl happy]
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index f84f8d06e1f6d1010b9e61065c71596f320e28d9..f75154889aa9b5df52bdf5967a275ac1235cf819 100644 (file)
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c
        ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
        if (unlikely(!ab))
                return;
-       audit_log_format(ab, "auid=%u ses=%u op=",
+       audit_log_format(ab, "auid=%u ses=%u op=%s",
                         from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                        audit_get_sessionid(current));
-       audit_log_string(ab, op);
+                        audit_get_sessionid(current), op);
        audit_log_format(ab, " path=");
        audit_log_untrustedstring(ab, audit_mark->path);
        audit_log_key(ab, rule->filterkey);

diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 25772476fa4afcfec54210527f548588c402c109..055f11b0a50f1ac2a4684b51f300c054b71bd8ad 100644 (file)
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
        if (unlikely(!ab))
                return;
-       audit_log_format(ab, "op=");
-       audit_log_string(ab, "remove_rule");
+       audit_log_format(ab, "op=remove_rule");
        audit_log_format(ab, " dir=");
        audit_log_untrustedstring(ab, rule->tree->pathname);
        audit_log_key(ab, rule->filterkey);

diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 0d302a87f21b58ac711aaf5720cca12640bfc0ef..686e068ec3da08ba3aa5f3f4d08084f00d838bcd 100644 (file)
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
                ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
                if (unlikely(!ab))
                        return;
-               audit_log_format(ab, "auid=%u ses=%u op=",
+               audit_log_format(ab, "auid=%u ses=%u op=%s",
                                 from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                                audit_get_sessionid(current));
-               audit_log_string(ab, op);
+                                audit_get_sessionid(current), op);
                audit_log_format(ab, " path=");
                audit_log_untrustedstring(ab, w->path);
                audit_log_key(ab, r->filterkey);

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 85d9cac497e4602e76389c8d56d274372a31c0aa..632e90d1005f741afebeeb9b176aa3e7ff0890e9 100644 (file)
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1074,8 +1074,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
                return;
        audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
        audit_log_task_context(ab);
-       audit_log_format(ab, " op=");
-       audit_log_string(ab, action);
+       audit_log_format(ab, " op=%s", action);
        audit_log_key(ab, rule->filterkey);
        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
        audit_log_end(ab);