audit: add feature audit_lost reset

Add a method to reset the audit_lost value. An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself will return a positive value repesenting the current audit_lost value and reset the counter to zero. If AUDIT_STATUS_LOST is not the only flag set, the reset command will be ignored. The value sent with the command is ignored. The return value will be the +ve lost value at reset time. An AUDIT_CONFIG_CHANGE message will be queued to the listening audit daemon. The message will be a standard CONFIG_CHANGE message with the fields "lost=0" and "old=" with the latter containing the value of audit_lost at reset time. See: https://github.com/linux-audit/audit-kernel/issues/3 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Richard Guy Briggs <rgb@redhat.com> 2017-01-13 03:26:29 -0500
committer: Paul Moore <paul@paul-moore.com> 2017-01-18 14:32:52 -0500
commit: 92c82e8a322b32a6cabe7d8800dc10401157a623 (patch)
tree: 32efb225fd981c63024087f030165baeb37e761c
parent: 89670affa2a62c4868a2dd8a4195a1a2ec58cb27 (diff)
2 files changed, 12 insertions, 2 deletions
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index c8dc97bc2c1b..3f24110ae63c 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -326,15 +326,19 @@ enum {
 #define AUDIT_STATUS_RATE_LIMIT         0x0008
 #define AUDIT_STATUS_BACKLOG_LIMIT      0x0010
 #define AUDIT_STATUS_BACKLOG_WAIT_TIME  0x0020
+#define AUDIT_STATUS_LOST               0x0040
 #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT      0x00000001
 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME  0x00000002
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH    0x00000004
 #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER   0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET         0x00000020
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
                                  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
                                  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
-                                  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
+                                  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
+                                  AUDIT_FEATURE_BITMAP_LOST_RESET)
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST            AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/audit.c b/kernel/audit.c
index 57acf2541fdd..25dd70a588b2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -121,7 +121,7 @@ u32		audit_sig_sid = 0;
   3) suppressed due to audit_rate_limit
   4) suppressed due to audit_backlog_limit
 */
-static atomic_t    audit_lost = ATOMIC_INIT(0);
+static atomic_t audit_lost = ATOMIC_INIT(0);
 /* The netlink socket. */
 static struct sock *audit_sock;
@@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        if (err < 0)
                                return err;
                }
+                if (s.mask == AUDIT_STATUS_LOST) {
+                        u32 lost = atomic_xchg(&audit_lost, 0);
+                        audit_log_config_change("lost", 0, lost, 1);
+                        return lost;
+                }
                break;
        }
        case AUDIT_GET_FEATURE:
author	Richard Guy Briggs <rgb@redhat.com>	2017-01-13 03:26:29 -0500
committer	Paul Moore <paul@paul-moore.com>	2017-01-18 14:32:52 -0500
commit	92c82e8a322b32a6cabe7d8800dc10401157a623 (patch)
tree	32efb225fd981c63024087f030165baeb37e761c
parent	89670affa2a62c4868a2dd8a4195a1a2ec58cb27 (diff)