[PATCH] smack: remove /smack/logging if audit is not configured
Casey Schaufler
casey at schaufler-ca.com
Sat Jan 18 17:17:39 UTC 2025
On 1/17/2025 1:46 PM, Konstantin Andreev wrote:
> If CONFIG_AUDIT is not set then
> SMACK does not generate audit messages,
> however, keeps audit control file, /smack/logging,
> while there is no entity to control.
> This change removes audit control file /smack/logging
> when audit is not configured in the kernel
Is there a real reason to do this? I can easily see systems
that expect to turn logging off getting upset if the interface
disappears seemingly at random.
>
> Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
> ---
> security/smack/smack.h | 12 ++++++------
> security/smack/smack_access.c | 2 ++
> security/smack/smackfs.c | 6 ++++++
> 3 files changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index c4d998972ba5..1fb6957545b5 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -432,6 +432,12 @@ static inline struct smack_known *smk_of_current(void)
> return smk_of_task(smack_cred(current_cred()));
> }
>
> +void smack_log(char *subject_label, char *object_label,
> + int request,
> + int result, struct smk_audit_info *auditdata);
> +
> +#ifdef CONFIG_AUDIT
> +
> /*
> * logging functions
> */
> @@ -439,12 +445,6 @@ static inline struct smack_known *smk_of_current(void)
> #define SMACK_AUDIT_ACCEPT 0x2
> extern int log_policy;
>
> -void smack_log(char *subject_label, char *object_label,
> - int request,
> - int result, struct smk_audit_info *auditdata);
> -
> -#ifdef CONFIG_AUDIT
> -
> /*
> * some inline functions to set up audit data
> * they do nothing if CONFIG_AUDIT is not set
> diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
> index 3727379623e2..606cb340e819 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -45,11 +45,13 @@ LIST_HEAD(smack_known_list);
> */
> static u32 smack_next_secid = 10;
>
> +#ifdef CONFIG_AUDIT
> /*
> * what events do we log
> * can be overwritten at run-time by /smack/logging
> */
> int log_policy = SMACK_AUDIT_DENIED;
> +#endif /* CONFIG_AUDIT */
>
> /**
> * smk_access_entry - look up matching access rule
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index a7886cfc9dc3..c28188bc2bc8 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -41,7 +41,9 @@ enum smk_inos {
> SMK_AMBIENT = 7, /* internet ambient label */
> SMK_NET4ADDR = 8, /* single label hosts */
> SMK_ONLYCAP = 9, /* the only "capable" label */
> +#ifdef CONFIG_AUDIT
> SMK_LOGGING = 10, /* logging */
> +#endif /* CONFIG_AUDIT */
> SMK_LOAD_SELF = 11, /* task specific rules */
> SMK_ACCESSES = 12, /* access policy */
> SMK_MAPPED = 13, /* CIPSO level indicating mapped label */
> @@ -2126,6 +2128,7 @@ static const struct file_operations smk_unconfined_ops = {
> };
> #endif /* CONFIG_SECURITY_SMACK_BRINGUP */
>
> +#ifdef CONFIG_AUDIT
> /**
> * smk_read_logging - read() for /smack/logging
> * @filp: file pointer, not actually used
> @@ -2190,6 +2193,7 @@ static const struct file_operations smk_logging_ops = {
> .write = smk_write_logging,
> .llseek = default_llseek,
> };
> +#endif /* CONFIG_AUDIT */
>
> /*
> * Seq_file read operations for /smack/load-self
> @@ -2876,8 +2880,10 @@ static int smk_fill_super(struct super_block *sb, struct fs_context *fc)
> "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR},
> [SMK_ONLYCAP] = {
> "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
> +#ifdef CONFIG_AUDIT
> [SMK_LOGGING] = {
> "logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
> +#endif /* CONFIG_AUDIT */
> [SMK_LOAD_SELF] = {
> "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
> [SMK_ACCESSES] = {
More information about the Linux-security-module-archive
mailing list