Merge branch 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit

Pull audit updates from Paul Moore: "A small set of patches for audit this time; just three in total and one is a spelling fix. The two patches with actual content are designed to help prevent new instances of auditd from displacing an existing, functioning auditd and to generate a log of the attempt. Not to worry, dead/stuck auditd instances can still be replaced by a new instance without problem. Nothing controversial, and everything passes our regression suite" * 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit: audit: Fix typo in comment audit: log failed attempts to change audit_pid configuration audit: stop an old auditd being starved out by a new auditd
author: Linus Torvalds <torvalds@linux-foundation.org> 2016-03-19 20:52:49 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2016-03-19 20:52:49 -0400
commit: 51b3eae8dbe5e6fa9657b21388ad6642d6934952 (patch)
tree: abf011b095e0fe66ca9730c53e1054ae973ecdfe
parent: de06dbfa7861c9019eedefc0c356ba86e5098f1b (diff)
parent: fd97646b05957348e01be3d9de5c3d979b25c819 (diff)
4 files changed, 24 insertions, 5 deletions
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c398eb..d820aa979620 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -110,6 +110,7 @@
 #define AUDIT_SECCOMP           1326    /* Secure Computing event */
 #define AUDIT_PROCTITLE         1327    /* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE    1328    /* audit log listing feature changes */
+#define AUDIT_REPLACE           1329    /* Replace auditd if this packet unanswerd */
 #define AUDIT_AVC               1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR       1401    /* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index 2651e423b2dc..678c3f000191 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -809,6 +809,16 @@ static int audit_set_feature(struct sk_buff *skb)
        return 0;
 }
+static int audit_replace(pid_t pid)
+{
+        struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0,
+                                               &pid, sizeof(pid));
+        if (!skb)
+                return -ENOMEM;
+        return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
+}
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
        u32                     seq;
@@ -870,9 +880,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                }
                if (s.mask & AUDIT_STATUS_PID) {
                        int new_pid = s.pid;
+                        pid_t requesting_pid = task_tgid_vnr(current);
-                        if ((!new_pid) && (task_tgid_vnr(current) != audit_pid))
+                        if ((!new_pid) && (requesting_pid != audit_pid)) {
+                                audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
                                return -EACCES;
+                        }
+                        if (audit_pid && new_pid &&
+                            audit_replace(requesting_pid) != -ECONNREFUSED) {
+                                audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
+                                return -EEXIST;
+                        }
                        if (audit_enabled != AUDIT_OFF)
                                audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
                        audit_pid = new_pid;
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 9f194aad0adc..3cf1c5978d39 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -185,7 +185,7 @@ static struct audit_watch *audit_init_watch(char *path)
        return watch;
 }
-/* Translate a watch string to kernel respresentation. */
+/* Translate a watch string to kernel representation. */
 int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op)
 {
        struct audit_watch *watch;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b8ff9e193753..94ca7b1e5e7e 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -158,7 +158,7 @@ char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
        return str;
 }
-/* Translate an inode field to kernel respresentation. */
+/* Translate an inode field to kernel representation. */
 static inline int audit_to_inode(struct audit_krule *krule,
                                 struct audit_field *f)
 {
@@ -415,7 +415,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
        return 0;
 }
-/* Translate struct audit_rule_data to kernel's rule respresentation. */
+/* Translate struct audit_rule_data to kernel's rule representation. */
 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                                               size_t datasz)
 {
@@ -593,7 +593,7 @@ static inline size_t audit_pack_string(void **bufp, const char *str)
        return len;
 }
-/* Translate kernel rule respresentation to struct audit_rule_data. */
+/* Translate kernel rule representation to struct audit_rule_data. */
 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 {
        struct audit_rule_data *data;
author	Linus Torvalds <torvalds@linux-foundation.org>	2016-03-19 20:52:49 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2016-03-19 20:52:49 -0400
commit	51b3eae8dbe5e6fa9657b21388ad6642d6934952 (patch)
tree	abf011b095e0fe66ca9730c53e1054ae973ecdfe
parent	de06dbfa7861c9019eedefc0c356ba86e5098f1b (diff)
parent	fd97646b05957348e01be3d9de5c3d979b25c819 (diff)