| Message ID | 20250117214655.3138888-1-andreev@swemel.ru (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | smack: remove /smack/logging if audit is not configured | expand |
On 1/17/2025 1:46 PM, Konstantin Andreev wrote: > If CONFIG_AUDIT is not set then > SMACK does not generate audit messages, > however, keeps audit control file, /smack/logging, > while there is no entity to control. > This change removes audit control file /smack/logging > when audit is not configured in the kernel Is there a real reason to do this? I can easily see systems that expect to turn logging off getting upset if the interface disappears seemingly at random. > > Signed-off-by: Konstantin Andreev <andreev@swemel.ru> > --- > security/smack/smack.h | 12 ++++++------ > security/smack/smack_access.c | 2 ++ > security/smack/smackfs.c | 6 ++++++ > 3 files changed, 14 insertions(+), 6 deletions(-) > > diff --git a/security/smack/smack.h b/security/smack/smack.h > index c4d998972ba5..1fb6957545b5 100644 > --- a/security/smack/smack.h > +++ b/security/smack/smack.h > @@ -432,6 +432,12 @@ static inline struct smack_known *smk_of_current(void) > return smk_of_task(smack_cred(current_cred())); > } > > +void smack_log(char *subject_label, char *object_label, > + int request, > + int result, struct smk_audit_info *auditdata); > + > +#ifdef CONFIG_AUDIT > + > /* > * logging functions > */ > @@ -439,12 +445,6 @@ static inline struct smack_known *smk_of_current(void) > #define SMACK_AUDIT_ACCEPT 0x2 > extern int log_policy; > > -void smack_log(char *subject_label, char *object_label, > - int request, > - int result, struct smk_audit_info *auditdata); > - > -#ifdef CONFIG_AUDIT > - > /* > * some inline functions to set up audit data > * they do nothing if CONFIG_AUDIT is not set > diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c > index 3727379623e2..606cb340e819 100644 > --- a/security/smack/smack_access.c > +++ b/security/smack/smack_access.c > @@ -45,11 +45,13 @@ LIST_HEAD(smack_known_list); > */ > static u32 smack_next_secid = 10; > > +#ifdef CONFIG_AUDIT > /* > * what events do we log > * can be overwritten at run-time by /smack/logging > */ > int log_policy = SMACK_AUDIT_DENIED; > +#endif /* CONFIG_AUDIT */ > > /** > * smk_access_entry - look up matching access rule > diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c > index a7886cfc9dc3..c28188bc2bc8 100644 > --- a/security/smack/smackfs.c > +++ b/security/smack/smackfs.c > @@ -41,7 +41,9 @@ enum smk_inos { > SMK_AMBIENT = 7, /* internet ambient label */ > SMK_NET4ADDR = 8, /* single label hosts */ > SMK_ONLYCAP = 9, /* the only "capable" label */ > +#ifdef CONFIG_AUDIT > SMK_LOGGING = 10, /* logging */ > +#endif /* CONFIG_AUDIT */ > SMK_LOAD_SELF = 11, /* task specific rules */ > SMK_ACCESSES = 12, /* access policy */ > SMK_MAPPED = 13, /* CIPSO level indicating mapped label */ > @@ -2126,6 +2128,7 @@ static const struct file_operations smk_unconfined_ops = { > }; > #endif /* CONFIG_SECURITY_SMACK_BRINGUP */ > > +#ifdef CONFIG_AUDIT > /** > * smk_read_logging - read() for /smack/logging > * @filp: file pointer, not actually used > @@ -2190,6 +2193,7 @@ static const struct file_operations smk_logging_ops = { > .write = smk_write_logging, > .llseek = default_llseek, > }; > +#endif /* CONFIG_AUDIT */ > > /* > * Seq_file read operations for /smack/load-self > @@ -2876,8 +2880,10 @@ static int smk_fill_super(struct super_block *sb, struct fs_context *fc) > "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR}, > [SMK_ONLYCAP] = { > "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR}, > +#ifdef CONFIG_AUDIT > [SMK_LOGGING] = { > "logging", &smk_logging_ops, S_IRUGO|S_IWUSR}, > +#endif /* CONFIG_AUDIT */ > [SMK_LOAD_SELF] = { > "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO}, > [SMK_ACCESSES] = {
Casey Schaufler, 18 Jan 2025: > On 1/17/2025 1:46 PM, Konstantin Andreev wrote: >> If CONFIG_AUDIT is not set then >> SMACK does not generate audit messages, >> however, keeps audit control file, /smack/logging, >> while there is no entity to control. >> This change removes audit control file /smack/logging >> when audit is not configured in the kernel > > Is there a real reason to do this? Not more real than there are real reasons for fixing typos and spelling errors, removing unused or duplicating code, keeping one tab indentation, etc. The matter of style. Personally, I deprecate fake controls, they make me (as a user) think that it's me who is missing something. > I can easily see systems that expect to turn logging off getting > upset if the interface disappears seemingly at random. To me, the system builder who compiles audit out, on purpose, must be prepared for special treatment of his system. Certainly, I may not have a full picture. -- Regards, Konstantin Andreev
diff --git a/security/smack/smack.h b/security/smack/smack.h index c4d998972ba5..1fb6957545b5 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -432,6 +432,12 @@ static inline struct smack_known *smk_of_current(void) return smk_of_task(smack_cred(current_cred())); } +void smack_log(char *subject_label, char *object_label, + int request, + int result, struct smk_audit_info *auditdata); + +#ifdef CONFIG_AUDIT + /* * logging functions */ @@ -439,12 +445,6 @@ static inline struct smack_known *smk_of_current(void) #define SMACK_AUDIT_ACCEPT 0x2 extern int log_policy; -void smack_log(char *subject_label, char *object_label, - int request, - int result, struct smk_audit_info *auditdata); - -#ifdef CONFIG_AUDIT - /* * some inline functions to set up audit data * they do nothing if CONFIG_AUDIT is not set diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 3727379623e2..606cb340e819 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -45,11 +45,13 @@ LIST_HEAD(smack_known_list); */ static u32 smack_next_secid = 10; +#ifdef CONFIG_AUDIT /* * what events do we log * can be overwritten at run-time by /smack/logging */ int log_policy = SMACK_AUDIT_DENIED; +#endif /* CONFIG_AUDIT */ /** * smk_access_entry - look up matching access rule diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index a7886cfc9dc3..c28188bc2bc8 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -41,7 +41,9 @@ enum smk_inos { SMK_AMBIENT = 7, /* internet ambient label */ SMK_NET4ADDR = 8, /* single label hosts */ SMK_ONLYCAP = 9, /* the only "capable" label */ +#ifdef CONFIG_AUDIT SMK_LOGGING = 10, /* logging */ +#endif /* CONFIG_AUDIT */ SMK_LOAD_SELF = 11, /* task specific rules */ SMK_ACCESSES = 12, /* access policy */ SMK_MAPPED = 13, /* CIPSO level indicating mapped label */ @@ -2126,6 +2128,7 @@ static const struct file_operations smk_unconfined_ops = { }; #endif /* CONFIG_SECURITY_SMACK_BRINGUP */ +#ifdef CONFIG_AUDIT /** * smk_read_logging - read() for /smack/logging * @filp: file pointer, not actually used @@ -2190,6 +2193,7 @@ static const struct file_operations smk_logging_ops = { .write = smk_write_logging, .llseek = default_llseek, }; +#endif /* CONFIG_AUDIT */ /* * Seq_file read operations for /smack/load-self @@ -2876,8 +2880,10 @@ static int smk_fill_super(struct super_block *sb, struct fs_context *fc) "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR}, [SMK_ONLYCAP] = { "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR}, +#ifdef CONFIG_AUDIT [SMK_LOGGING] = { "logging", &smk_logging_ops, S_IRUGO|S_IWUSR}, +#endif /* CONFIG_AUDIT */ [SMK_LOAD_SELF] = { "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO}, [SMK_ACCESSES] = {
If CONFIG_AUDIT is not set then SMACK does not generate audit messages, however, keeps audit control file, /smack/logging, while there is no entity to control. This change removes audit control file /smack/logging when audit is not configured in the kernel Signed-off-by: Konstantin Andreev <andreev@swemel.ru> --- security/smack/smack.h | 12 ++++++------ security/smack/smack_access.c | 2 ++ security/smack/smackfs.c | 6 ++++++ 3 files changed, 14 insertions(+), 6 deletions(-)