From 3759bf3c107d95e3a1e51b5544d1e242345d16f4 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Thu, 11 Jun 2009 14:31:34 -0400
Subject: [PATCH] --- yaml --- r: 154219 b: refs/heads/master c:
 e85188f424c8eec7f311deed9a70bec57aeed741 h: refs/heads/master i:   154217:
 405d81fc3dcbfe7b32f6415f362286a553bca69f   154215:
 481e185316678981226bedd67299e607f10203f1 v: v3

---
 [refs]                     |  2 +-
 trunk/kernel/auditfilter.c | 58 ++++++++++++++++----------------------
 2 files changed, 25 insertions(+), 35 deletions(-)

diff --git a/[refs] b/[refs]
index 51794816e36b..7951f6bee872 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: b87ce6e4187c24b06483c8266822ce5e6b7fa7f3
+refs/heads/master: e85188f424c8eec7f311deed9a70bec57aeed741
diff --git a/trunk/kernel/auditfilter.c b/trunk/kernel/auditfilter.c
index 19c0a0a2cede..e7466dd145c9 100644
--- a/trunk/kernel/auditfilter.c
+++ b/trunk/kernel/auditfilter.c
@@ -977,6 +977,27 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old,
 	return entry;
 }
 
+static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
+{
+	if (audit_enabled) {
+		struct audit_buffer *ab;
+		ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
+		audit_log_format(ab, "auid=%u ses=%u op=",
+				 audit_get_loginuid(current),
+				 audit_get_sessionid(current));
+		audit_log_string(ab, op);
+		audit_log_format(ab, " path=");
+		audit_log_untrustedstring(ab, w->path);
+		if (r->filterkey) {
+			audit_log_format(ab, " key=");
+			audit_log_untrustedstring(ab, r->filterkey);
+		} else
+			audit_log_format(ab, " key=(null)");
+		audit_log_format(ab, " list=%d res=1", r->listnr);
+		audit_log_end(ab);
+	}
+}
+
 /* Update inode info in audit rules based on filesystem event. */
 static void audit_update_watch(struct audit_parent *parent,
 			       const char *dname, dev_t dev,
@@ -1023,24 +1044,11 @@ static void audit_update_watch(struct audit_parent *parent,
 					     &nentry->rule.list);
 			}
 
+			audit_watch_log_rule_change(r, owatch, "updated rules");
+
 			call_rcu(&oentry->rcu, audit_free_rule_rcu);
 		}
 
-		if (audit_enabled) {
-			struct audit_buffer *ab;
-			ab = audit_log_start(NULL, GFP_NOFS,
-				AUDIT_CONFIG_CHANGE);
-			audit_log_format(ab, "auid=%u ses=%u",
-				audit_get_loginuid(current),
-				audit_get_sessionid(current));
-			audit_log_format(ab,
-				" op=updated rules specifying path=");
-			audit_log_untrustedstring(ab, owatch->path);
-			audit_log_format(ab, " with dev=%u ino=%lu\n",
-				 dev, ino);
-			audit_log_format(ab, " list=%d res=1", r->listnr);
-			audit_log_end(ab);
-		}
 		audit_remove_watch(owatch);
 		goto add_watch_to_parent; /* event applies to a single watch */
 	}
@@ -1065,25 +1073,7 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
 	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
 		list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
 			e = container_of(r, struct audit_entry, rule);
-			if (audit_enabled) {
-				struct audit_buffer *ab;
-				ab = audit_log_start(NULL, GFP_NOFS,
-					AUDIT_CONFIG_CHANGE);
-				audit_log_format(ab, "auid=%u ses=%u",
-					audit_get_loginuid(current),
-					audit_get_sessionid(current));
-				audit_log_format(ab, " op=remove rule path=");
-				audit_log_untrustedstring(ab, w->path);
-				if (r->filterkey) {
-					audit_log_format(ab, " key=");
-					audit_log_untrustedstring(ab,
-							r->filterkey);
-				} else
-					audit_log_format(ab, " key=(null)");
-				audit_log_format(ab, " list=%d res=1",
-					r->listnr);
-				audit_log_end(ab);
-			}
+			audit_watch_log_rule_change(r, w, "remove rule");
 			list_del(&r->rlist);
 			list_del(&r->list);
 			list_del_rcu(&e->list);