diff options
| author | Konstantin Andreev <andreev@swemel.ru> | 2025-01-18 00:46:46 +0300 |
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2025-02-13 18:33:55 -0800 |
| commit | bf9f14c91a05ec77ee3710703b699c2a32f80ae4 (patch) | |
| tree | 1dcd07aacf0c8755e17062400abeb0228d815270 | |
| parent | 6cce0cc3861337b3ad8d4ac131d6e47efa0954ec (diff) | |
| download | linux-bf9f14c91a05ec77ee3710703b699c2a32f80ae4.tar.gz linux-bf9f14c91a05ec77ee3710703b699c2a32f80ae4.tar.bz2 linux-bf9f14c91a05ec77ee3710703b699c2a32f80ae4.zip | |
smack: remove /smack/logging if audit is not configured
If CONFIG_AUDIT is not set then
SMACK does not generate audit messages,
however, keeps audit control file, /smack/logging,
while there is no entity to control.
This change removes audit control file /smack/logging
when audit is not configured in the kernel
Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
| -rw-r--r-- | security/smack/smack.h | 12 | ||||
| -rw-r--r-- | security/smack/smack_access.c | 2 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 6 |
3 files changed, 14 insertions, 6 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index d9d3113be664..bf6a6ed3946c 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -432,6 +432,12 @@ static inline struct smack_known *smk_of_current(void) return smk_of_task(smack_cred(current_cred())); } +void smack_log(char *subject_label, char *object_label, + int request, + int result, struct smk_audit_info *auditdata); + +#ifdef CONFIG_AUDIT + /* * logging functions */ @@ -439,12 +445,6 @@ static inline struct smack_known *smk_of_current(void) #define SMACK_AUDIT_ACCEPT 0x2 extern int log_policy; -void smack_log(char *subject_label, char *object_label, - int request, - int result, struct smk_audit_info *auditdata); - -#ifdef CONFIG_AUDIT - /* * some inline functions to set up audit data * they do nothing if CONFIG_AUDIT is not set diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 87a0ae65c524..2e4a0cb22782 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -45,11 +45,13 @@ LIST_HEAD(smack_known_list); */ static u32 smack_next_secid = 10; +#ifdef CONFIG_AUDIT /* * what events do we log * can be overwritten at run-time by /smack/logging */ int log_policy = SMACK_AUDIT_DENIED; +#endif /* CONFIG_AUDIT */ /** * smk_access_entry - look up matching access rule diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 14b80ed08f1a..2e676a73ac43 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -41,7 +41,9 @@ enum smk_inos { SMK_AMBIENT = 7, /* internet ambient label */ SMK_NET4ADDR = 8, /* single label hosts */ SMK_ONLYCAP = 9, /* the only "capable" label */ +#ifdef CONFIG_AUDIT SMK_LOGGING = 10, /* logging */ +#endif /* CONFIG_AUDIT */ SMK_LOAD_SELF = 11, /* task specific rules */ SMK_ACCESSES = 12, /* access policy */ SMK_MAPPED = 13, /* CIPSO level indicating mapped label */ @@ -2133,6 +2135,7 @@ static const struct file_operations smk_unconfined_ops = { }; #endif /* CONFIG_SECURITY_SMACK_BRINGUP */ +#ifdef CONFIG_AUDIT /** * smk_read_logging - read() for /smack/logging * @filp: file pointer, not actually used @@ -2197,6 +2200,7 @@ static const struct file_operations smk_logging_ops = { .write = smk_write_logging, .llseek = default_llseek, }; +#endif /* CONFIG_AUDIT */ /* * Seq_file read operations for /smack/load-self @@ -2883,8 +2887,10 @@ static int smk_fill_super(struct super_block *sb, struct fs_context *fc) "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR}, [SMK_ONLYCAP] = { "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR}, +#ifdef CONFIG_AUDIT [SMK_LOGGING] = { "logging", &smk_logging_ops, S_IRUGO|S_IWUSR}, +#endif /* CONFIG_AUDIT */ [SMK_LOAD_SELF] = { "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO}, [SMK_ACCESSES] = { |