smack: remove /smack/logging if audit is not configured

If CONFIG_AUDIT is not set then SMACK does not generate audit messages, however, keeps audit control file, /smack/logging, while there is no entity to control. This change removes audit control file /smack/logging when audit is not configured in the kernel Signed-off-by: Konstantin Andreev <andreev@swemel.ru> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2025-12-27 12:21:22 -05:00 · 2025-01-18 00:46:46 +03:00
parent 6cce0cc386
commit bf9f14c91a
3 changed files with 14 additions and 6 deletions
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -432,6 +432,12 @@ static inline struct smack_known *smk_of_current(void)
 	return smk_of_task(smack_cred(current_cred()));
 }

+void smack_log(char *subject_label, char *object_label,
+		int request,
+		int result, struct smk_audit_info *auditdata);
+
+#ifdef CONFIG_AUDIT
+
 /*
 * logging functions
 */
@@ -439,12 +445,6 @@ static inline struct smack_known *smk_of_current(void)
 #define SMACK_AUDIT_ACCEPT 0x2
 extern int log_policy;

-void smack_log(char *subject_label, char *object_label,
-		int request,
-		int result, struct smk_audit_info *auditdata);
-
-#ifdef CONFIG_AUDIT
-
 /*
 * some inline functions to set up audit data
 * they do nothing if CONFIG_AUDIT is not set
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -45,11 +45,13 @@ LIST_HEAD(smack_known_list);
 */
 static u32 smack_next_secid = 10;

+#ifdef CONFIG_AUDIT
 /*
 * what events do we log
 * can be overwritten at run-time by /smack/logging
 */
 int log_policy = SMACK_AUDIT_DENIED;
+#endif /* CONFIG_AUDIT */

 /**
 * smk_access_entry - look up matching access rule
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -41,7 +41,9 @@ enum smk_inos {
 	SMK_AMBIENT	= 7,	/* internet ambient label */
 	SMK_NET4ADDR	= 8,	/* single label hosts */
 	SMK_ONLYCAP	= 9,	/* the only "capable" label */
+#ifdef CONFIG_AUDIT
 	SMK_LOGGING	= 10,	/* logging */
+#endif /* CONFIG_AUDIT */
 	SMK_LOAD_SELF	= 11,	/* task specific rules */
 	SMK_ACCESSES	= 12,	/* access policy */
 	SMK_MAPPED	= 13,	/* CIPSO level indicating mapped label */
@@ -2133,6 +2135,7 @@ static const struct file_operations smk_unconfined_ops = {
 };
 #endif /* CONFIG_SECURITY_SMACK_BRINGUP */

+#ifdef CONFIG_AUDIT
 /**
 * smk_read_logging - read() for /smack/logging
 * @filp: file pointer, not actually used
@@ -2197,6 +2200,7 @@ static const struct file_operations smk_logging_ops = {
 	.write		= smk_write_logging,
 	.llseek		= default_llseek,
 };
+#endif /* CONFIG_AUDIT */

 /*
 * Seq_file read operations for /smack/load-self
@@ -2883,8 +2887,10 @@ static int smk_fill_super(struct super_block *sb, struct fs_context *fc)
 			"netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR},
 		[SMK_ONLYCAP] = {
 			"onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
+#ifdef CONFIG_AUDIT
 		[SMK_LOGGING] = {
 			"logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
+#endif /* CONFIG_AUDIT */
 		[SMK_LOAD_SELF] = {
 			"load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
 		[SMK_ACCESSES] = {