smack: remove /smack/logging if audit is not configured
authorKonstantin Andreev <andreev@swemel.ru>
Fri, 17 Jan 2025 21:46:46 +0000 (00:46 +0300)
committerCasey Schaufler <casey@schaufler-ca.com>
Fri, 14 Feb 2025 02:33:55 +0000 (18:33 -0800)
If CONFIG_AUDIT is not set, SMACK does not generate
audit messages, yet it still keeps the audit control file,
/smack/logging, although there is nothing left for it to control.
This change removes the audit control file /smack/logging
when audit is not configured in the kernel.

Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
security/smack/smack.h
security/smack/smack_access.c
security/smack/smackfs.c

index d9d3113be664269661c41505809bf27ae925e6b8..bf6a6ed3946cecd9c6db00987d0eb45ff0601434 100644 (file)
@@ -432,6 +432,12 @@ static inline struct smack_known *smk_of_current(void)
        return smk_of_task(smack_cred(current_cred()));
 }
 
+void smack_log(char *subject_label, char *object_label,
+               int request,
+               int result, struct smk_audit_info *auditdata);
+
+#ifdef CONFIG_AUDIT
+
 /*
  * logging functions
  */
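Review bot: The hoisted `smack_log()` prototype now sits outside the guard and above the `/* logging functions */` banner, with nothing saying why it alone is unconditional. A one-line comment such as `/* declared unconditionally: callers are built with and without CONFIG_AUDIT */` would keep a later cleanup from moving it back under the `#ifdef`. The visible lines do not show the definition used when CONFIG_AUDIT is off, so it is worth confirming that a stub exists for that configuration. The `#endif` matching the `#ifdef CONFIG_AUDIT` added here lies outside the hunk.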
@@ -439,12 +445,6 @@ static inline struct smack_known *smk_of_current(void)
 #define SMACK_AUDIT_ACCEPT 0x2
 extern int log_policy;
 
-void smack_log(char *subject_label, char *object_label,
-               int request,
-               int result, struct smk_audit_info *auditdata);
-
-#ifdef CONFIG_AUDIT
-
 /*
  * some inline functions to set up audit data
  * they do nothing if CONFIG_AUDIT is not set
index 87a0ae65c524f0e11fb4606bc7b5235e1cda4d81..2e4a0cb22782b45729aa76033acb3d74f64c9cac 100644 (file)
@@ -45,11 +45,13 @@ LIST_HEAD(smack_known_list);
  */
 static u32 smack_next_secid = 10;
 
+#ifdef CONFIG_AUDIT
 /*
  * what events do we log
  * can be overwritten at run-time by /smack/logging
  */
 int log_policy = SMACK_AUDIT_DENIED;
+#endif /* CONFIG_AUDIT */
 
 /**
  * smk_access_entry - look up matching access rule
index 14b80ed08f1aff7f6acd1646d1040e6291ddd6a1..2e676a73ac431ad83d43d5b88f9d92ca4c076ed6 100644 (file)
@@ -41,7 +41,9 @@ enum smk_inos {
        SMK_AMBIENT     = 7,    /* internet ambient label */
        SMK_NET4ADDR    = 8,    /* single label hosts */
        SMK_ONLYCAP     = 9,    /* the only "capable" label */
+#ifdef CONFIG_AUDIT
        SMK_LOGGING     = 10,   /* logging */
+#endif /* CONFIG_AUDIT */
        SMK_LOAD_SELF   = 11,   /* task specific rules */
        SMK_ACCESSES    = 12,   /* access policy */
        SMK_MAPPED      = 13,   /* CIPSO level indicating mapped label */
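Review bot: With CONFIG_AUDIT off, value 10 in `enum smk_inos` becomes an unnamed gap between `SMK_ONLYCAP = 9` and `SMK_LOAD_SELF = 11`, and nothing marks it as taken. A comment next to the guard such as `/* 10 stays reserved for SMK_LOGGING when CONFIG_AUDIT is off */` would stop a later entry from reusing the number and giving the same index two meanings depending on the config. The same gap shows up in the designated-initializer table in the smk_fill_super hunk, where slot `[SMK_LOGGING]` is left zero-filled. That is presumably safe only because the consumer of the table skips entries without a name, and since that call is outside the hunk it is worth confirming. The enum itself continues past this hunk.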
@@ -2133,6 +2135,7 @@ static const struct file_operations smk_unconfined_ops = {
 };
 #endif /* CONFIG_SECURITY_SMACK_BRINGUP */
 
+#ifdef CONFIG_AUDIT
 /**
  * smk_read_logging - read() for /smack/logging
  * @filp: file pointer, not actually used
@@ -2197,6 +2200,7 @@ static const struct file_operations smk_logging_ops = {
        .write          = smk_write_logging,
        .llseek         = default_llseek,
 };
+#endif /* CONFIG_AUDIT */
 
 /*
  * Seq_file read operations for /smack/load-self
@@ -2883,8 +2887,10 @@ static int smk_fill_super(struct super_block *sb, struct fs_context *fc)
                        "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR},
                [SMK_ONLYCAP] = {
                        "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
+#ifdef CONFIG_AUDIT
                [SMK_LOGGING] = {
                        "logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
+#endif /* CONFIG_AUDIT */
                [SMK_LOAD_SELF] = {
                        "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
                [SMK_ACCESSES] = {