diff options
| author | Paul Moore <pmoore@redhat.com> | 2016-01-13 09:18:55 -0500 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2016-01-13 09:18:55 -0500 |
| commit | 96368701e1c89057bbf39222e965161c68a85b4b (patch) | |
| tree | b8d652f4ca36f45f0f327f6e6d57c02309e53c29 | |
| parent | d865e573b8a4f30fbb74fa7666ca81e3132eb547 (diff) | |
audit: force seccomp event logging to honor the audit_enabled flag
Previously we were emitting seccomp audit records regardless of the
audit_enabled setting, a deparature from the rest of audit. This
patch makes seccomp auditing consistent with the rest of the audit
record generation code in that when audit_enabled=0 nothing is logged
by the audit subsystem.
The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
code change was in the audit_seccomp() definition.
Signed-off-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Paul Moore <pmoore@redhat.com>
| -rw-r--r-- | include/linux/audit.h | 204 |
1 files changed, 104 insertions, 100 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 20eba1eb0a3c..476bc1237ec2 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -113,6 +113,107 @@ struct filename; | |||
| 113 | 113 | ||
| 114 | extern void audit_log_session_info(struct audit_buffer *ab); | 114 | extern void audit_log_session_info(struct audit_buffer *ab); |
| 115 | 115 | ||
| 116 | #ifdef CONFIG_AUDIT | ||
| 117 | /* These are defined in audit.c */ | ||
| 118 | /* Public API */ | ||
| 119 | extern __printf(4, 5) | ||
| 120 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | ||
| 121 | const char *fmt, ...); | ||
| 122 | |||
| 123 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); | ||
| 124 | extern __printf(2, 3) | ||
| 125 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); | ||
| 126 | extern void audit_log_end(struct audit_buffer *ab); | ||
| 127 | extern bool audit_string_contains_control(const char *string, | ||
| 128 | size_t len); | ||
| 129 | extern void audit_log_n_hex(struct audit_buffer *ab, | ||
| 130 | const unsigned char *buf, | ||
| 131 | size_t len); | ||
| 132 | extern void audit_log_n_string(struct audit_buffer *ab, | ||
| 133 | const char *buf, | ||
| 134 | size_t n); | ||
| 135 | extern void audit_log_n_untrustedstring(struct audit_buffer *ab, | ||
| 136 | const char *string, | ||
| 137 | size_t n); | ||
| 138 | extern void audit_log_untrustedstring(struct audit_buffer *ab, | ||
| 139 | const char *string); | ||
| 140 | extern void audit_log_d_path(struct audit_buffer *ab, | ||
| 141 | const char *prefix, | ||
| 142 | const struct path *path); | ||
| 143 | extern void audit_log_key(struct audit_buffer *ab, | ||
| 144 | char *key); | ||
| 145 | extern void audit_log_link_denied(const char *operation, | ||
| 146 | struct path *link); | ||
| 147 | extern void audit_log_lost(const char *message); | ||
| 148 | #ifdef CONFIG_SECURITY | ||
| 149 | extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); | ||
| 150 | #else | ||
| 151 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | ||
| 152 | { } | ||
| 153 | #endif | ||
| 154 | |||
| 155 | extern int audit_log_task_context(struct audit_buffer *ab); | ||
| 156 | extern void audit_log_task_info(struct audit_buffer *ab, | ||
| 157 | struct task_struct *tsk); | ||
| 158 | |||
| 159 | extern int audit_update_lsm_rules(void); | ||
| 160 | |||
| 161 | /* Private API (for audit.c only) */ | ||
| 162 | extern int audit_filter_user(int type); | ||
| 163 | extern int audit_filter_type(int type); | ||
| 164 | extern int audit_rule_change(int type, __u32 portid, int seq, | ||
| 165 | void *data, size_t datasz); | ||
| 166 | extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); | ||
| 167 | |||
| 168 | extern u32 audit_enabled; | ||
| 169 | #else /* CONFIG_AUDIT */ | ||
| 170 | static inline __printf(4, 5) | ||
| 171 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | ||
| 172 | const char *fmt, ...) | ||
| 173 | { } | ||
| 174 | static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, | ||
| 175 | gfp_t gfp_mask, int type) | ||
| 176 | { | ||
| 177 | return NULL; | ||
| 178 | } | ||
| 179 | static inline __printf(2, 3) | ||
| 180 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) | ||
| 181 | { } | ||
| 182 | static inline void audit_log_end(struct audit_buffer *ab) | ||
| 183 | { } | ||
| 184 | static inline void audit_log_n_hex(struct audit_buffer *ab, | ||
| 185 | const unsigned char *buf, size_t len) | ||
| 186 | { } | ||
| 187 | static inline void audit_log_n_string(struct audit_buffer *ab, | ||
| 188 | const char *buf, size_t n) | ||
| 189 | { } | ||
| 190 | static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, | ||
| 191 | const char *string, size_t n) | ||
| 192 | { } | ||
| 193 | static inline void audit_log_untrustedstring(struct audit_buffer *ab, | ||
| 194 | const char *string) | ||
| 195 | { } | ||
| 196 | static inline void audit_log_d_path(struct audit_buffer *ab, | ||
| 197 | const char *prefix, | ||
| 198 | const struct path *path) | ||
| 199 | { } | ||
| 200 | static inline void audit_log_key(struct audit_buffer *ab, char *key) | ||
| 201 | { } | ||
| 202 | static inline void audit_log_link_denied(const char *string, | ||
| 203 | const struct path *link) | ||
| 204 | { } | ||
| 205 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | ||
| 206 | { } | ||
| 207 | static inline int audit_log_task_context(struct audit_buffer *ab) | ||
| 208 | { | ||
| 209 | return 0; | ||
| 210 | } | ||
| 211 | static inline void audit_log_task_info(struct audit_buffer *ab, | ||
| 212 | struct task_struct *tsk) | ||
| 213 | { } | ||
| 214 | #define audit_enabled 0 | ||
| 215 | #endif /* CONFIG_AUDIT */ | ||
| 216 | |||
| 116 | #ifdef CONFIG_AUDIT_COMPAT_GENERIC | 217 | #ifdef CONFIG_AUDIT_COMPAT_GENERIC |
| 117 | #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) | 218 | #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) |
| 118 | #else | 219 | #else |
| @@ -212,6 +313,9 @@ void audit_core_dumps(long signr); | |||
| 212 | 313 | ||
| 213 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) | 314 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) |
| 214 | { | 315 | { |
| 316 | if (!audit_enabled) | ||
| 317 | return; | ||
| 318 | |||
| 215 | /* Force a record to be reported if a signal was delivered. */ | 319 | /* Force a record to be reported if a signal was delivered. */ |
| 216 | if (signr || unlikely(!audit_dummy_context())) | 320 | if (signr || unlikely(!audit_dummy_context())) |
| 217 | __audit_seccomp(syscall, signr, code); | 321 | __audit_seccomp(syscall, signr, code); |
| @@ -446,106 +550,6 @@ static inline bool audit_loginuid_set(struct task_struct *tsk) | |||
| 446 | return uid_valid(audit_get_loginuid(tsk)); | 550 | return uid_valid(audit_get_loginuid(tsk)); |
| 447 | } | 551 | } |
| 448 | 552 | ||
| 449 | #ifdef CONFIG_AUDIT | ||
| 450 | /* These are defined in audit.c */ | ||
| 451 | /* Public API */ | ||
| 452 | extern __printf(4, 5) | ||
| 453 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | ||
| 454 | const char *fmt, ...); | ||
| 455 | |||
| 456 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); | ||
| 457 | extern __printf(2, 3) | ||
| 458 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); | ||
| 459 | extern void audit_log_end(struct audit_buffer *ab); | ||
| 460 | extern bool audit_string_contains_control(const char *string, | ||
| 461 | size_t len); | ||
| 462 | extern void audit_log_n_hex(struct audit_buffer *ab, | ||
| 463 | const unsigned char *buf, | ||
| 464 | size_t len); | ||
| 465 | extern void audit_log_n_string(struct audit_buffer *ab, | ||
| 466 | const char *buf, | ||
| 467 | size_t n); | ||
| 468 | extern void audit_log_n_untrustedstring(struct audit_buffer *ab, | ||
| 469 | const char *string, | ||
| 470 | size_t n); | ||
| 471 | extern void audit_log_untrustedstring(struct audit_buffer *ab, | ||
| 472 | const char *string); | ||
| 473 | extern void audit_log_d_path(struct audit_buffer *ab, | ||
| 474 | const char *prefix, | ||
| 475 | const struct path *path); | ||
| 476 | extern void audit_log_key(struct audit_buffer *ab, | ||
| 477 | char *key); | ||
| 478 | extern void audit_log_link_denied(const char *operation, | ||
| 479 | struct path *link); | ||
| 480 | extern void audit_log_lost(const char *message); | ||
| 481 | #ifdef CONFIG_SECURITY | ||
| 482 | extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); | ||
| 483 | #else | ||
| 484 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | ||
| 485 | { } | ||
| 486 | #endif | ||
| 487 | |||
| 488 | extern int audit_log_task_context(struct audit_buffer *ab); | ||
| 489 | extern void audit_log_task_info(struct audit_buffer *ab, | ||
| 490 | struct task_struct *tsk); | ||
| 491 | |||
| 492 | extern int audit_update_lsm_rules(void); | ||
| 493 | |||
| 494 | /* Private API (for audit.c only) */ | ||
| 495 | extern int audit_filter_user(int type); | ||
| 496 | extern int audit_filter_type(int type); | ||
| 497 | extern int audit_rule_change(int type, __u32 portid, int seq, | ||
| 498 | void *data, size_t datasz); | ||
| 499 | extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); | ||
| 500 | |||
| 501 | extern u32 audit_enabled; | ||
| 502 | #else /* CONFIG_AUDIT */ | ||
| 503 | static inline __printf(4, 5) | ||
| 504 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | ||
| 505 | const char *fmt, ...) | ||
| 506 | { } | ||
| 507 | static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, | ||
| 508 | gfp_t gfp_mask, int type) | ||
| 509 | { | ||
| 510 | return NULL; | ||
| 511 | } | ||
| 512 | static inline __printf(2, 3) | ||
| 513 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) | ||
| 514 | { } | ||
| 515 | static inline void audit_log_end(struct audit_buffer *ab) | ||
| 516 | { } | ||
| 517 | static inline void audit_log_n_hex(struct audit_buffer *ab, | ||
| 518 | const unsigned char *buf, size_t len) | ||
| 519 | { } | ||
| 520 | static inline void audit_log_n_string(struct audit_buffer *ab, | ||
| 521 | const char *buf, size_t n) | ||
| 522 | { } | ||
| 523 | static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, | ||
| 524 | const char *string, size_t n) | ||
| 525 | { } | ||
| 526 | static inline void audit_log_untrustedstring(struct audit_buffer *ab, | ||
| 527 | const char *string) | ||
| 528 | { } | ||
| 529 | static inline void audit_log_d_path(struct audit_buffer *ab, | ||
| 530 | const char *prefix, | ||
| 531 | const struct path *path) | ||
| 532 | { } | ||
| 533 | static inline void audit_log_key(struct audit_buffer *ab, char *key) | ||
| 534 | { } | ||
| 535 | static inline void audit_log_link_denied(const char *string, | ||
| 536 | const struct path *link) | ||
| 537 | { } | ||
| 538 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | ||
| 539 | { } | ||
| 540 | static inline int audit_log_task_context(struct audit_buffer *ab) | ||
| 541 | { | ||
| 542 | return 0; | ||
| 543 | } | ||
| 544 | static inline void audit_log_task_info(struct audit_buffer *ab, | ||
| 545 | struct task_struct *tsk) | ||
| 546 | { } | ||
| 547 | #define audit_enabled 0 | ||
| 548 | #endif /* CONFIG_AUDIT */ | ||
| 549 | static inline void audit_log_string(struct audit_buffer *ab, const char *buf) | 553 | static inline void audit_log_string(struct audit_buffer *ab, const char *buf) |
| 550 | { | 554 | { |
| 551 | audit_log_n_string(ab, buf, strlen(buf)); | 555 | audit_log_n_string(ab, buf, strlen(buf)); |