Merge tag 'audit-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore: "Another relatively small pull request for audit, nine patches total. The only real new bit of functionality is the patch from Richard which adds the ability to filter records based on the filesystem type. The remainder are bug fixes and cleanups; the bug fix highlights include: - ensuring that we properly audit init/PID-1 (me) - allowing the audit daemon to shutdown the kernel/auditd connection cleanly by setting the audit PID to zero (Steve)" * tag 'audit-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: audit: filter PATH records keyed on filesystem magic Audit: remove unused audit_log_secctx function audit: Allow auditd to set pid to 0 to end auditing audit: Add new syscalls to the perm=w filter audit: use audit_set_enabled() in audit_enable() audit: convert audit_ever_enabled to a boolean audit: don't use simple_strtol() anymore audit: initialize the audit subsystem as early as possible audit: ensure that 'audit=1' actually enables audit for PID 1
author: Linus Torvalds <torvalds@linux-foundation.org> 2017-11-15 16:28:48 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2017-11-15 16:28:48 -0500
commit: f9bab2677ac77622618686b199073978ba263c12 (patch)
tree: 0396a87240a0e00cc0fcae5a1f46c38b819ede1a /kernel
parent: 373c4557d2aa362702c4c2d41288fb1e54990b7c (diff)
parent: 42d5e37654e4cdb9fb2e2f3ab30045fee35c42d8 (diff)
4 files changed, 85 insertions, 55 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index be1c28fd4d57..227db99b0f19 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -85,13 +85,13 @@ static int	audit_initialized;
 #define AUDIT_OFF       0
 #define AUDIT_ON        1
 #define AUDIT_LOCKED    2
-u32             audit_enabled;
+u32             audit_enabled = AUDIT_OFF;
-u32             audit_ever_enabled;
+bool            audit_ever_enabled = !!AUDIT_OFF;
 EXPORT_SYMBOL_GPL(audit_enabled);
 /* Default state when kernel boots without any parameters. */
-static u32      audit_default;
+static u32      audit_default = AUDIT_OFF;
 /* If auditing cannot proceed, audit_failure selects what happens. */
 static u32      audit_failure = AUDIT_FAIL_PRINTK;
@@ -1197,25 +1197,28 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        pid_t auditd_pid;
                        struct pid *req_pid = task_tgid(current);
-                        /* sanity check - PID values must match */
+                        /* Sanity check - PID values must match. Setting
-                        if (new_pid != pid_vnr(req_pid))
+                         * pid to 0 is how auditd ends auditing. */
+                        if (new_pid && (new_pid != pid_vnr(req_pid)))
                                return -EINVAL;
                        /* test the auditd connection */
                        audit_replace(req_pid);
                        auditd_pid = auditd_pid_vnr();
-                        /* only the current auditd can unregister itself */
+                        if (auditd_pid) {
-                        if ((!new_pid) && (new_pid != auditd_pid)) {
+                                /* replacing a healthy auditd is not allowed */
-                                audit_log_config_change("audit_pid", new_pid,
+                                if (new_pid) {
-                                                        auditd_pid, 0);
+                                        audit_log_config_change("audit_pid",
-                                return -EACCES;
+                                                        new_pid, auditd_pid, 0);
-                        }
+                                        return -EEXIST;
-                        /* replacing a healthy auditd is not allowed */
+                                }
-                        if (auditd_pid && new_pid) {
+                                /* only current auditd can unregister itself */
-                                audit_log_config_change("audit_pid", new_pid,
+                                if (pid_vnr(req_pid) != auditd_pid) {
-                                                        auditd_pid, 0);
+                                        audit_log_config_change("audit_pid",
-                                return -EEXIST;
+                                                        new_pid, auditd_pid, 0);
+                                        return -EACCES;
+                                }
                        }
                        if (new_pid) {
@@ -1549,8 +1552,6 @@ static int __init audit_init(void)
        register_pernet_subsys(&audit_net_ops);
        audit_initialized = AUDIT_INITIALIZED;
-        audit_enabled = audit_default;
-        audit_ever_enabled |= !!audit_default;
        kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
        if (IS_ERR(kauditd_task)) {
@@ -1564,14 +1565,21 @@ static int __init audit_init(void)
        return 0;
 }
-__initcall(audit_init);
+postcore_initcall(audit_init);
 /* Process kernel command-line parameter at boot time.  audit=0 or audit=1. */
 static int __init audit_enable(char *str)
 {
-        audit_default = !!simple_strtol(str, NULL, 0);
+        long val;
-        if (!audit_default)
+        if (kstrtol(str, 0, &val))
+                panic("audit: invalid 'audit' parameter value (%s)\n", str);
+        audit_default = (val ? AUDIT_ON : AUDIT_OFF);
+        if (audit_default == AUDIT_OFF)
                audit_initialized = AUDIT_DISABLED;
+        if (audit_set_enabled(audit_default))
+                panic("audit: error setting audit state (%d)\n", audit_default);
        pr_info("%s\n", audit_default ?
                "enabled (after initialization)" : "disabled (until reboot)");
@@ -2337,32 +2345,6 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
        }
 }
-#ifdef CONFIG_SECURITY
-/**
- * audit_log_secctx - Converts and logs SELinux context
- * @ab: audit_buffer
- * @secid: security number
- *
- * This is a helper function that calls security_secid_to_secctx to convert
- * secid to secctx and then adds the (converted) SELinux context to the audit
- * log by calling audit_log_format, thus also preventing leak of internal secid
- * to userspace. If secid cannot be converted audit_panic is called.
- */
-void audit_log_secctx(struct audit_buffer *ab, u32 secid)
-{
-        u32 len;
-        char *secctx;
-        if (security_secid_to_secctx(secid, &secctx, &len)) {
-                audit_panic("Cannot convert secid to context");
-        } else {
-                audit_log_format(ab, " obj=%s", secctx);
-                security_release_secctx(secctx, len);
-        }
-}
-EXPORT_SYMBOL(audit_log_secctx);
-#endif
 EXPORT_SYMBOL(audit_log_start);
 EXPORT_SYMBOL(audit_log_end);
 EXPORT_SYMBOL(audit_log_format);
diff --git a/kernel/audit.h b/kernel/audit.h
index 9b110ae17ee3..af5bc59487ed 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -208,7 +208,7 @@ struct audit_context {
        struct audit_proctitle proctitle;
 };
-extern u32 audit_ever_enabled;
+extern bool audit_ever_enabled;
 extern void audit_copy_inode(struct audit_names *name,
                             const struct dentry *dentry,
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 0b0aa5854dac..4a1758adb222 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -56,7 +56,8 @@ struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
        LIST_HEAD_INIT(audit_filter_list[3]),
        LIST_HEAD_INIT(audit_filter_list[4]),
        LIST_HEAD_INIT(audit_filter_list[5]),
-#if AUDIT_NR_FILTERS != 6
+        LIST_HEAD_INIT(audit_filter_list[6]),
+#if AUDIT_NR_FILTERS != 7
 #error Fix audit_filter_list initialiser
 #endif
 };
@@ -67,6 +68,7 @@ static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
        LIST_HEAD_INIT(audit_rules_list[3]),
        LIST_HEAD_INIT(audit_rules_list[4]),
        LIST_HEAD_INIT(audit_rules_list[5]),
+        LIST_HEAD_INIT(audit_rules_list[6]),
 };
 DEFINE_MUTEX(audit_filter_mutex);
@@ -263,6 +265,7 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *
 #endif
        case AUDIT_FILTER_USER:
        case AUDIT_FILTER_TYPE:
+        case AUDIT_FILTER_FS:
                ;
        }
        if (unlikely(rule->action == AUDIT_POSSIBLE)) {
@@ -338,6 +341,21 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
                    entry->rule.listnr != AUDIT_FILTER_USER)
                        return -EINVAL;
                break;
+        case AUDIT_FSTYPE:
+                if (entry->rule.listnr != AUDIT_FILTER_FS)
+                        return -EINVAL;
+                break;
+        }
+        switch(entry->rule.listnr) {
+        case AUDIT_FILTER_FS:
+                switch(f->type) {
+                case AUDIT_FSTYPE:
+                case AUDIT_FILTERKEY:
+                        break;
+                default:
+                        return -EINVAL;
+                }
        }
        switch(f->type) {
@@ -391,6 +409,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
                        return -EINVAL;
        /* FALL THROUGH */
        case AUDIT_ARCH:
+        case AUDIT_FSTYPE:
                if (f->op != Audit_not_equal && f->op != Audit_equal)
                        return -EINVAL;
                break;
@@ -910,10 +929,13 @@ static inline int audit_add_rule(struct audit_entry *entry)
 #ifdef CONFIG_AUDITSYSCALL
        int dont_count = 0;
-        /* If either of these, don't count towards total */
+        /* If any of these, don't count towards total */
-        if (entry->rule.listnr == AUDIT_FILTER_USER ||
+        switch(entry->rule.listnr) {
-                entry->rule.listnr == AUDIT_FILTER_TYPE)
+        case AUDIT_FILTER_USER:
+        case AUDIT_FILTER_TYPE:
+        case AUDIT_FILTER_FS:
                dont_count = 1;
+        }
 #endif
        mutex_lock(&audit_filter_mutex);
@@ -989,10 +1011,13 @@ int audit_del_rule(struct audit_entry *entry)
 #ifdef CONFIG_AUDITSYSCALL
        int dont_count = 0;
-        /* If either of these, don't count towards total */
+        /* If any of these, don't count towards total */
-        if (entry->rule.listnr == AUDIT_FILTER_USER ||
+        switch(entry->rule.listnr) {
-                entry->rule.listnr == AUDIT_FILTER_TYPE)
+        case AUDIT_FILTER_USER:
+        case AUDIT_FILTER_TYPE:
+        case AUDIT_FILTER_FS:
                dont_count = 1;
+        }
 #endif
        mutex_lock(&audit_filter_mutex);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9c723e978245..e80459f7e132 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1869,10 +1869,33 @@ void __audit_inode_child(struct inode *parent,
        struct inode *inode = d_backing_inode(dentry);
        const char *dname = dentry->d_name.name;
        struct audit_names *n, *found_parent = NULL, *found_child = NULL;
+        struct audit_entry *e;
+        struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
+        int i;
        if (!context->in_syscall)
                return;
+        rcu_read_lock();
+        if (!list_empty(list)) {
+                list_for_each_entry_rcu(e, list, list) {
+                        for (i = 0; i < e->rule.field_count; i++) {
+                                struct audit_field *f = &e->rule.fields[i];
+                                if (f->type == AUDIT_FSTYPE) {
+                                        if (audit_comparator(parent->i_sb->s_magic,
+                                            f->op, f->val)) {
+                                                if (e->rule.action == AUDIT_NEVER) {
+                                                        rcu_read_unlock();
+                                                        return;
+                                                }
+                                        }
+                                }
+                        }
+                }
+        }
+        rcu_read_unlock();
        if (inode)
                handle_one(inode);
author	Linus Torvalds <torvalds@linux-foundation.org>	2017-11-15 16:28:48 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2017-11-15 16:28:48 -0500
commit	f9bab2677ac77622618686b199073978ba263c12 (patch)
tree	0396a87240a0e00cc0fcae5a1f46c38b819ede1a /kernel
parent	373c4557d2aa362702c4c2d41288fb1e54990b7c (diff)
parent	42d5e37654e4cdb9fb2e2f3ab30045fee35c42d8 (diff)

diff --git a/kernel/audit.c b/kernel/audit.c index be1c28fd4d57..227db99b0f19 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -85,13 +85,13 @@ static int audit_initialized;
85	#define AUDIT_OFF 0	85	#define AUDIT_OFF 0
86	#define AUDIT_ON 1	86	#define AUDIT_ON 1
87	#define AUDIT_LOCKED 2	87	#define AUDIT_LOCKED 2
88	u32 audit_enabled;	88	u32 audit_enabled = AUDIT_OFF;
89	u32 audit_ever_enabled;	89	bool audit_ever_enabled = !!AUDIT_OFF;
90		90
91	EXPORT_SYMBOL_GPL(audit_enabled);	91	EXPORT_SYMBOL_GPL(audit_enabled);
92		92
93	/* Default state when kernel boots without any parameters. */	93	/* Default state when kernel boots without any parameters. */
94	static u32 audit_default;	94	static u32 audit_default = AUDIT_OFF;
95		95
96	/* If auditing cannot proceed, audit_failure selects what happens. */	96	/* If auditing cannot proceed, audit_failure selects what happens. */
97	static u32 audit_failure = AUDIT_FAIL_PRINTK;	97	static u32 audit_failure = AUDIT_FAIL_PRINTK;
@@ -1197,25 +1197,28 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
1197	pid_t auditd_pid;	1197	pid_t auditd_pid;
1198	struct pid *req_pid = task_tgid(current);	1198	struct pid *req_pid = task_tgid(current);
1199		1199
1200	/* sanity check - PID values must match */	1200	/* Sanity check - PID values must match. Setting
1201	if (new_pid != pid_vnr(req_pid))	1201	* pid to 0 is how auditd ends auditing. */
		1202	if (new_pid && (new_pid != pid_vnr(req_pid)))
1202	return -EINVAL;	1203	return -EINVAL;
1203		1204
1204	/* test the auditd connection */	1205	/* test the auditd connection */
1205	audit_replace(req_pid);	1206	audit_replace(req_pid);
1206		1207
1207	auditd_pid = auditd_pid_vnr();	1208	auditd_pid = auditd_pid_vnr();
1208	/* only the current auditd can unregister itself */	1209	if (auditd_pid) {
1209	if ((!new_pid) && (new_pid != auditd_pid)) {	1210	/* replacing a healthy auditd is not allowed */
1210	audit_log_config_change("audit_pid", new_pid,	1211	if (new_pid) {
1211	auditd_pid, 0);	1212	audit_log_config_change("audit_pid",
1212	return -EACCES;	1213	new_pid, auditd_pid, 0);
1213	}	1214	return -EEXIST;
1214	/* replacing a healthy auditd is not allowed */	1215	}
1215	if (auditd_pid && new_pid) {	1216	/* only current auditd can unregister itself */
1216	audit_log_config_change("audit_pid", new_pid,	1217	if (pid_vnr(req_pid) != auditd_pid) {
1217	auditd_pid, 0);	1218	audit_log_config_change("audit_pid",
1218	return -EEXIST;	1219	new_pid, auditd_pid, 0);
		1220	return -EACCES;
		1221	}
1219	}	1222	}
1220		1223
1221	if (new_pid) {	1224	if (new_pid) {
@@ -1549,8 +1552,6 @@ static int __init audit_init(void)
1549	register_pernet_subsys(&audit_net_ops);	1552	register_pernet_subsys(&audit_net_ops);
1550		1553
1551	audit_initialized = AUDIT_INITIALIZED;	1554	audit_initialized = AUDIT_INITIALIZED;
1552	audit_enabled = audit_default;
1553	audit_ever_enabled \|= !!audit_default;
1554		1555
1555	kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");	1556	kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
1556	if (IS_ERR(kauditd_task)) {	1557	if (IS_ERR(kauditd_task)) {
@@ -1564,14 +1565,21 @@ static int __init audit_init(void)
1564		1565
1565	return 0;	1566	return 0;
1566	}	1567	}
1567	__initcall(audit_init);	1568	postcore_initcall(audit_init);
1568		1569
1569	/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */	1570	/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */
1570	static int __init audit_enable(char *str)	1571	static int __init audit_enable(char *str)
1571	{	1572	{
1572	audit_default = !!simple_strtol(str, NULL, 0);	1573	long val;
1573	if (!audit_default)	1574
		1575	if (kstrtol(str, 0, &val))
		1576	panic("audit: invalid 'audit' parameter value (%s)\n", str);
		1577	audit_default = (val ? AUDIT_ON : AUDIT_OFF);
		1578
		1579	if (audit_default == AUDIT_OFF)
1574	audit_initialized = AUDIT_DISABLED;	1580	audit_initialized = AUDIT_DISABLED;
		1581	if (audit_set_enabled(audit_default))
		1582	panic("audit: error setting audit state (%d)\n", audit_default);
1575		1583
1576	pr_info("%s\n", audit_default ?	1584	pr_info("%s\n", audit_default ?
1577	"enabled (after initialization)" : "disabled (until reboot)");	1585	"enabled (after initialization)" : "disabled (until reboot)");
@@ -2337,32 +2345,6 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
2337	}	2345	}
2338	}	2346	}
2339		2347
2340	#ifdef CONFIG_SECURITY
2341	/**
2342	* audit_log_secctx - Converts and logs SELinux context
2343	* @ab: audit_buffer
2344	* @secid: security number
2345	*
2346	* This is a helper function that calls security_secid_to_secctx to convert
2347	* secid to secctx and then adds the (converted) SELinux context to the audit
2348	* log by calling audit_log_format, thus also preventing leak of internal secid
2349	* to userspace. If secid cannot be converted audit_panic is called.
2350	*/
2351	void audit_log_secctx(struct audit_buffer *ab, u32 secid)
2352	{
2353	u32 len;
2354	char *secctx;
2355
2356	if (security_secid_to_secctx(secid, &secctx, &len)) {
2357	audit_panic("Cannot convert secid to context");
2358	} else {
2359	audit_log_format(ab, " obj=%s", secctx);
2360	security_release_secctx(secctx, len);
2361	}
2362	}
2363	EXPORT_SYMBOL(audit_log_secctx);
2364	#endif
2365
2366	EXPORT_SYMBOL(audit_log_start);	2348	EXPORT_SYMBOL(audit_log_start);
2367	EXPORT_SYMBOL(audit_log_end);	2349	EXPORT_SYMBOL(audit_log_end);
2368	EXPORT_SYMBOL(audit_log_format);	2350	EXPORT_SYMBOL(audit_log_format);


diff --git a/kernel/audit.h b/kernel/audit.h index 9b110ae17ee3..af5bc59487ed 100644 --- a/kernel/audit.h +++ b/kernel/audit.h
@@ -208,7 +208,7 @@ struct audit_context {
208	struct audit_proctitle proctitle;	208	struct audit_proctitle proctitle;
209	};	209	};
210		210
211	extern u32 audit_ever_enabled;	211	extern bool audit_ever_enabled;
212		212
213	extern void audit_copy_inode(struct audit_names *name,	213	extern void audit_copy_inode(struct audit_names *name,
214	const struct dentry *dentry,	214	const struct dentry *dentry,


diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 0b0aa5854dac..4a1758adb222 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -56,7 +56,8 @@ struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
56	LIST_HEAD_INIT(audit_filter_list[3]),	56	LIST_HEAD_INIT(audit_filter_list[3]),
57	LIST_HEAD_INIT(audit_filter_list[4]),	57	LIST_HEAD_INIT(audit_filter_list[4]),
58	LIST_HEAD_INIT(audit_filter_list[5]),	58	LIST_HEAD_INIT(audit_filter_list[5]),
59	#if AUDIT_NR_FILTERS != 6	59	LIST_HEAD_INIT(audit_filter_list[6]),
		60	#if AUDIT_NR_FILTERS != 7
60	#error Fix audit_filter_list initialiser	61	#error Fix audit_filter_list initialiser
61	#endif	62	#endif
62	};	63	};
@@ -67,6 +68,7 @@ static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
67	LIST_HEAD_INIT(audit_rules_list[3]),	68	LIST_HEAD_INIT(audit_rules_list[3]),
68	LIST_HEAD_INIT(audit_rules_list[4]),	69	LIST_HEAD_INIT(audit_rules_list[4]),
69	LIST_HEAD_INIT(audit_rules_list[5]),	70	LIST_HEAD_INIT(audit_rules_list[5]),
		71	LIST_HEAD_INIT(audit_rules_list[6]),
70	};	72	};
71		73
72	DEFINE_MUTEX(audit_filter_mutex);	74	DEFINE_MUTEX(audit_filter_mutex);
@@ -263,6 +265,7 @@ static inline struct audit_entry audit_to_entry_common(struct audit_rule_data
263	#endif	265	#endif
264	case AUDIT_FILTER_USER:	266	case AUDIT_FILTER_USER:
265	case AUDIT_FILTER_TYPE:	267	case AUDIT_FILTER_TYPE:
		268	case AUDIT_FILTER_FS:
266	;	269	;
267	}	270	}
268	if (unlikely(rule->action == AUDIT_POSSIBLE)) {	271	if (unlikely(rule->action == AUDIT_POSSIBLE)) {
@@ -338,6 +341,21 @@ static int audit_field_valid(struct audit_entry entry, struct audit_field f)
338	entry->rule.listnr != AUDIT_FILTER_USER)	341	entry->rule.listnr != AUDIT_FILTER_USER)
339	return -EINVAL;	342	return -EINVAL;
340	break;	343	break;
		344	case AUDIT_FSTYPE:
		345	if (entry->rule.listnr != AUDIT_FILTER_FS)
		346	return -EINVAL;
		347	break;
		348	}
		349
		350	switch(entry->rule.listnr) {
		351	case AUDIT_FILTER_FS:
		352	switch(f->type) {
		353	case AUDIT_FSTYPE:
		354	case AUDIT_FILTERKEY:
		355	break;
		356	default:
		357	return -EINVAL;
		358	}
341	}	359	}
342		360
343	switch(f->type) {	361	switch(f->type) {
@@ -391,6 +409,7 @@ static int audit_field_valid(struct audit_entry entry, struct audit_field f)
391	return -EINVAL;	409	return -EINVAL;
392	/* FALL THROUGH */	410	/* FALL THROUGH */
393	case AUDIT_ARCH:	411	case AUDIT_ARCH:
		412	case AUDIT_FSTYPE:
394	if (f->op != Audit_not_equal && f->op != Audit_equal)	413	if (f->op != Audit_not_equal && f->op != Audit_equal)
395	return -EINVAL;	414	return -EINVAL;
396	break;	415	break;
@@ -910,10 +929,13 @@ static inline int audit_add_rule(struct audit_entry *entry)
910	#ifdef CONFIG_AUDITSYSCALL	929	#ifdef CONFIG_AUDITSYSCALL
911	int dont_count = 0;	930	int dont_count = 0;
912		931
913	/* If either of these, don't count towards total */	932	/* If any of these, don't count towards total */
914	if (entry->rule.listnr == AUDIT_FILTER_USER \|\|	933	switch(entry->rule.listnr) {
915	entry->rule.listnr == AUDIT_FILTER_TYPE)	934	case AUDIT_FILTER_USER:
		935	case AUDIT_FILTER_TYPE:
		936	case AUDIT_FILTER_FS:
916	dont_count = 1;	937	dont_count = 1;
		938	}
917	#endif	939	#endif
918		940
919	mutex_lock(&audit_filter_mutex);	941	mutex_lock(&audit_filter_mutex);
@@ -989,10 +1011,13 @@ int audit_del_rule(struct audit_entry *entry)
989	#ifdef CONFIG_AUDITSYSCALL	1011	#ifdef CONFIG_AUDITSYSCALL
990	int dont_count = 0;	1012	int dont_count = 0;
991		1013
992	/* If either of these, don't count towards total */	1014	/* If any of these, don't count towards total */
993	if (entry->rule.listnr == AUDIT_FILTER_USER \|\|	1015	switch(entry->rule.listnr) {
994	entry->rule.listnr == AUDIT_FILTER_TYPE)	1016	case AUDIT_FILTER_USER:
		1017	case AUDIT_FILTER_TYPE:
		1018	case AUDIT_FILTER_FS:
995	dont_count = 1;	1019	dont_count = 1;
		1020	}
996	#endif	1021	#endif
997		1022
998	mutex_lock(&audit_filter_mutex);	1023	mutex_lock(&audit_filter_mutex);


diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9c723e978245..e80459f7e132 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -1869,10 +1869,33 @@ void __audit_inode_child(struct inode *parent,
1869	struct inode *inode = d_backing_inode(dentry);	1869	struct inode *inode = d_backing_inode(dentry);
1870	const char *dname = dentry->d_name.name;	1870	const char *dname = dentry->d_name.name;
1871	struct audit_names n, found_parent = NULL, *found_child = NULL;	1871	struct audit_names n, found_parent = NULL, *found_child = NULL;
		1872	struct audit_entry *e;
		1873	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
		1874	int i;
1872		1875
1873	if (!context->in_syscall)	1876	if (!context->in_syscall)
1874	return;	1877	return;
1875		1878
		1879	rcu_read_lock();
		1880	if (!list_empty(list)) {
		1881	list_for_each_entry_rcu(e, list, list) {
		1882	for (i = 0; i < e->rule.field_count; i++) {
		1883	struct audit_field *f = &e->rule.fields[i];
		1884
		1885	if (f->type == AUDIT_FSTYPE) {
		1886	if (audit_comparator(parent->i_sb->s_magic,
		1887	f->op, f->val)) {
		1888	if (e->rule.action == AUDIT_NEVER) {
		1889	rcu_read_unlock();
		1890	return;
		1891	}
		1892	}
		1893	}
		1894	}
		1895	}
		1896	}
		1897	rcu_read_unlock();
		1898
1876	if (inode)	1899	if (inode)
1877	handle_one(inode);	1900	handle_one(inode);
1878		1901