[RFC PATCH v2 01/14] lsm: Only build lsm_audit.c if CONFIG_AUDIT is set
Paul Moore
paul at paul-moore.com
Wed Oct 23 00:07:00 UTC 2024
On Tue, Oct 22, 2024 at 12:10 PM Mickaël Salaün <mic at digikod.net> wrote:
>
> When CONFIG_AUDIT is set, its CONFIG_NET dependency is also set, and the
> dev_get_by_index and init_net symbols (used by dump_common_audit_data)
> are found by the linker. dump_common_audit_data() should then fail to
> build when CONFIG_NET is not set. However, because the compiler is
> smart, it knows that audit_log_start() always returns NULL when
> !CONFIG_AUDIT, and it doesn't build the body of common_lsm_audit(). As
> a side effect, dump_common_audit_data() is not built and the linker
> doesn't error out because of missing symbols.
>
> Let's only build lsm_audit.o when CONFIG_AUDIT is set.
>
> ipv4_skb_to_auditdata() and ipv6_skb_to_auditdata() are only used by
> Smack if CONFIG_AUDIT is set, so they don't need fake implementations.
>
> Because common_lsm_audit() is used in multiple places without
> CONFIG_AUDIT checks, add a fake implementation.
>
> Cc: Casey Schaufler <casey at schaufler-ca.com>
> Cc: James Morris <jmorris at namei.org>
> Cc: Paul Moore <paul at paul-moore.com>
> Cc: Serge E. Hallyn <serge at hallyn.com>
> Signed-off-by: Mickaël Salaün <mic at digikod.net>
> Link: https://lore.kernel.org/r/20241022161009.982584-2-mic@digikod.net
> ---
> include/linux/lsm_audit.h | 14 ++++++++++++++
> security/Makefile | 2 +-
> 2 files changed, 15 insertions(+), 1 deletion(-)
I think this fix is the right thing to do regardless of the rest of
the patchset, so I've merged it into lsm/dev; if anyone objects, please
speak up.
Thanks!
--
paul-moore.com