audit: invalid op= values for rules
Various audit events dealing with adding, removing and updating rules result in
invalid values set for the op keys which result in embedded spaces in op=
values.
The invalid values are
op="add rule" set in kernel/auditfilter.c
op="remove rule" set in kernel/auditfilter.c
op="remove rule" set in kernel/audit_tree.c
op="updated rules" set in kernel/audit_watch.c
op="remove rule" set in kernel/audit_watch.c
Replace the space in the above values with an underscore character ('_').
Coded-by: Burn Alting <burn@swtf.dyndns.org>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 135944a..bd418c48 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -457,7 +457,7 @@
if (unlikely(!ab))
return;
audit_log_format(ab, "op=");
- audit_log_string(ab, "remove rule");
+ audit_log_string(ab, "remove_rule");
audit_log_format(ab, " dir=");
audit_log_untrustedstring(ab, rule->tree->pathname);
audit_log_key(ab, rule->filterkey);
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 70b4554..ad9c168 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -314,7 +314,7 @@
&nentry->rule.list);
}
- audit_watch_log_rule_change(r, owatch, "updated rules");
+ audit_watch_log_rule_change(r, owatch, "updated_rules");
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}
@@ -342,7 +342,7 @@
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
e = container_of(r, struct audit_entry, rule);
- audit_watch_log_rule_change(r, w, "remove rule");
+ audit_watch_log_rule_change(r, w, "remove_rule");
list_del(&r->rlist);
list_del(&r->list);
list_del_rcu(&e->list);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 8e9bc9c..b65a138 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1060,7 +1060,7 @@
return PTR_ERR(entry);
err = audit_add_rule(entry);
- audit_log_rule_change("add rule", &entry->rule, !err);
+ audit_log_rule_change("add_rule", &entry->rule, !err);
if (err)
audit_free_rule(entry);
break;
@@ -1070,7 +1070,7 @@
return PTR_ERR(entry);
err = audit_del_rule(entry);
- audit_log_rule_change("remove rule", &entry->rule, !err);
+ audit_log_rule_change("remove_rule", &entry->rule, !err);
audit_free_rule(entry);
break;
default:
