[AUDIT] make audit=0 really stop audit messages

Some audit messages (namely configuration changes) are still emitted even if the audit subsystem has been explicitly disabled. This patch turns those messages off as well. Signed-off-by: Eric Paris <eparis@redhat.com>
author: Eric Paris <eparis@redhat.com> 2008-01-07 17:09:31 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2008-02-01 14:24:33 -0500
commit: 1a6b9f2317f18db768010252c957d99daf40678f (patch)
tree: e63199fab4ec31e05b22f3af10505bdcfcb57be8
parent: de6bbd1d30e5912620d25dd15e3f180ac7f9fcef (diff)
2 files changed, 93 insertions, 152 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 26ff925e13f2..7e29372da284 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,9 +66,9 @@
 * (Initialization happens after skb_init is called.) */
 static int      audit_initialized;
-/* 0 - no auditing
+#define AUDIT_OFF       0
- * 1 - auditing enabled
+#define AUDIT_ON        1
- * 2 - auditing enabled and configuration is locked/unchangeable. */
+#define AUDIT_LOCKED    2
 int             audit_enabled;
 /* Default state when kernel boots without any parameters. */
@@ -240,152 +240,90 @@ void audit_log_lost(const char *message)
        }
 }
-static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
+static int audit_log_config_change(char *function_name, int new, int old,
+                                   uid_t loginuid, u32 sid, int allow_changes)
 {
-        int res, rc = 0, old = audit_rate_limit;
+        struct audit_buffer *ab;
+        int rc = 0;
-        /* check if we are locked */
-        if (audit_enabled == 2)
-                res = 0;
-        else
-                res = 1;
+        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+        audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
+                         old, loginuid);
        if (sid) {
                char *ctx = NULL;
                u32 len;
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                rc = selinux_sid_to_string(sid, &ctx, &len);
-                                "audit_rate_limit=%d old=%d by auid=%u"
+                if (rc) {
-                                " subj=%s res=%d",
+                        audit_log_format(ab, " sid=%u", sid);
-                                limit, old, loginuid, ctx, res);
+                        allow_changes = 0; /* Something weird, deny request */
+                } else {
+                        audit_log_format(ab, " subj=%s", ctx);
                        kfree(ctx);
-                } else
+                }
-                        res = 0; /* Something weird, deny request */
        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+        audit_log_format(ab, " res=%d", allow_changes);
-                "audit_rate_limit=%d old=%d by auid=%u res=%d",
+        audit_log_end(ab);
-                limit, old, loginuid, res);
-        /* If we are allowed, make the change */
-        if (res == 1)
-                audit_rate_limit = limit;
-        /* Not allowed, update reason */
-        else if (rc == 0)
-                rc = -EPERM;
        return rc;
 }
-static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
+static int audit_do_config_change(char *function_name, int *to_change,
+                                  int new, uid_t loginuid, u32 sid)
 {
-        int res, rc = 0, old = audit_backlog_limit;
+        int allow_changes, rc = 0, old = *to_change;
        /* check if we are locked */
-        if (audit_enabled == 2)
+        if (audit_enabled == AUDIT_LOCKED)
-                res = 0;
+                allow_changes = 0;
        else
-                res = 1;
+                allow_changes = 1;
-        if (sid) {
+        if (audit_enabled != AUDIT_OFF) {
-                char *ctx = NULL;
+                rc = audit_log_config_change(function_name, new, old,
-                u32 len;
+                                             loginuid, sid, allow_changes);
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
+                if (rc)
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                        allow_changes = 0;
-                                "audit_backlog_limit=%d old=%d by auid=%u"
-                                " subj=%s res=%d",
-                                limit, old, loginuid, ctx, res);
-                        kfree(ctx);
-                } else
-                        res = 0; /* Something weird, deny request */
        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                "audit_backlog_limit=%d old=%d by auid=%u res=%d",
-                limit, old, loginuid, res);
        /* If we are allowed, make the change */
-        if (res == 1)
+        if (allow_changes == 1)
-                audit_backlog_limit = limit;
+                *to_change = new;
        /* Not allowed, update reason */
        else if (rc == 0)
                rc = -EPERM;
        return rc;
 }
-static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
+static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
 {
-        int res, rc = 0, old = audit_enabled;
+        return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
+                                      limit, loginuid, sid);
-        if (state < 0 || state > 2)
+}
-                return -EINVAL;
-        /* check if we are locked */
+static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
-        if (audit_enabled == 2)
+{
-                res = 0;
+        return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
-        else
+                                      limit, loginuid, sid);
-                res = 1;
+}
-        if (sid) {
+static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
-                char *ctx = NULL;
+{
-                u32 len;
+        if (state < AUDIT_OFF || state > AUDIT_LOCKED)
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
+                return -EINVAL;
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                "audit_enabled=%d old=%d by auid=%u"
-                                " subj=%s res=%d",
-                                state, old, loginuid, ctx, res);
-                        kfree(ctx);
-                } else
-                        res = 0; /* Something weird, deny request */
-        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                "audit_enabled=%d old=%d by auid=%u res=%d",
-                state, old, loginuid, res);
-        /* If we are allowed, make the change */
+        return audit_do_config_change("audit_enabled", &audit_enabled, state,
-        if (res == 1)
+                                      loginuid, sid);
-                audit_enabled = state;
-        /* Not allowed, update reason */
-        else if (rc == 0)
-                rc = -EPERM;
-        return rc;
 }
 static int audit_set_failure(int state, uid_t loginuid, u32 sid)
 {
-        int res, rc = 0, old = audit_failure;
        if (state != AUDIT_FAIL_SILENT
            && state != AUDIT_FAIL_PRINTK
            && state != AUDIT_FAIL_PANIC)
                return -EINVAL;
-        /* check if we are locked */
+        return audit_do_config_change("audit_failure", &audit_failure, state,
-        if (audit_enabled == 2)
+                                      loginuid, sid);
-                res = 0;
-        else
-                res = 1;
-        if (sid) {
-                char *ctx = NULL;
-                u32 len;
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                "audit_failure=%d old=%d by auid=%u"
-                                " subj=%s res=%d",
-                                state, old, loginuid, ctx, res);
-                        kfree(ctx);
-                } else
-                        res = 0; /* Something weird, deny request */
-        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                "audit_failure=%d old=%d by auid=%u res=%d",
-                state, old, loginuid, res);
-        /* If we are allowed, make the change */
-        if (res == 1)
-                audit_failure = state;
-        /* Not allowed, update reason */
-        else if (rc == 0)
-                rc = -EPERM;
-        return rc;
 }
 static int kauditd_thread(void *dummy)
@@ -634,23 +572,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_PID) {
-                        int old   = audit_pid;
+                        int new_pid = status_get->pid;
-                        if (sid) {
-                                if ((err = selinux_sid_to_string(
+                        if (audit_enabled != AUDIT_OFF)
-                                                sid, &ctx, &len)))
+                                audit_log_config_change("audit_pid", new_pid,
-                                        return err;
+                                                        audit_pid, loginuid,
-                                else
+                                                        sid, 1);
-                                        audit_log(NULL, GFP_KERNEL,
-                                                AUDIT_CONFIG_CHANGE,
+                        audit_pid = new_pid;
-                                                "audit_pid=%d old=%d by auid=%u subj=%s",
-                                                status_get->pid, old,
-                                                loginuid, ctx);
-                                kfree(ctx);
-                        } else
-                                audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                        "audit_pid=%d old=%d by auid=%u",
-                                          status_get->pid, old, loginuid);
-                        audit_pid = status_get->pid;
                }
                if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
                        err = audit_set_rate_limit(status_get->rate_limit,
@@ -709,7 +638,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_DEL:
                if (nlmsg_len(nlh) < sizeof(struct audit_rule))
                        return -EINVAL;
-                if (audit_enabled == 2) {
+                if (audit_enabled == AUDIT_LOCKED) {
                        ab = audit_log_start(NULL, GFP_KERNEL,
                                        AUDIT_CONFIG_CHANGE);
                        if (ab) {
@@ -743,7 +672,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_DEL_RULE:
                if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
                        return -EINVAL;
-                if (audit_enabled == 2) {
+                if (audit_enabled == AUDIT_LOCKED) {
                        ab = audit_log_start(NULL, GFP_KERNEL,
                                        AUDIT_CONFIG_CHANGE);
                        if (ab) {
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 5d96f2cc7be8..6f19fd477aac 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
 /* Inotify events we care about. */
 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
+extern int audit_enabled;
 void audit_free_parent(struct inotify_watch *i_watch)
 {
        struct audit_parent *parent;
@@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent,
        struct audit_watch *owatch, *nwatch, *nextw;
        struct audit_krule *r, *nextr;
        struct audit_entry *oentry, *nentry;
-        struct audit_buffer *ab;
        mutex_lock(&audit_filter_mutex);
        list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent,
                        call_rcu(&oentry->rcu, audit_free_rule_rcu);
                }
-                ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+                if (audit_enabled) {
-                audit_log_format(ab, "op=updated rules specifying path=");
+                        struct audit_buffer *ab;
-                audit_log_untrustedstring(ab, owatch->path);
+                        ab = audit_log_start(NULL, GFP_KERNEL,
-                audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
+                                AUDIT_CONFIG_CHANGE);
-                audit_log_format(ab, " list=%d res=1", r->listnr);
+                        audit_log_format(ab,
-                audit_log_end(ab);
+                                "op=updated rules specifying path=");
+                        audit_log_untrustedstring(ab, owatch->path);
+                        audit_log_format(ab, " with dev=%u ino=%lu\n",
+                                 dev, ino);
+                        audit_log_format(ab, " list=%d res=1", r->listnr);
+                        audit_log_end(ab);
+                }
                audit_remove_watch(owatch);
                goto add_watch_to_parent; /* event applies to a single watch */
        }
@@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
        struct audit_watch *w, *nextw;
        struct audit_krule *r, *nextr;
        struct audit_entry *e;
-        struct audit_buffer *ab;
        mutex_lock(&audit_filter_mutex);
        parent->flags |= AUDIT_PARENT_INVALID;
        list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
                list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
                        e = container_of(r, struct audit_entry, rule);
+                        if (audit_enabled) {
-                        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+                                struct audit_buffer *ab;
-                        audit_log_format(ab, "op=remove rule path=");
+                                ab = audit_log_start(NULL, GFP_KERNEL,
-                        audit_log_untrustedstring(ab, w->path);
+                                        AUDIT_CONFIG_CHANGE);
-                        if (r->filterkey) {
+                                audit_log_format(ab, "op=remove rule path=");
-                                audit_log_format(ab, " key=");
+                                audit_log_untrustedstring(ab, w->path);
-                                audit_log_untrustedstring(ab, r->filterkey);
+                                if (r->filterkey) {
-                        } else
+                                        audit_log_format(ab, " key=");
-                                audit_log_format(ab, " key=(null)");
+                                        audit_log_untrustedstring(ab,
-                        audit_log_format(ab, " list=%d res=1", r->listnr);
+                                                        r->filterkey);
-                        audit_log_end(ab);
+                                } else
+                                        audit_log_format(ab, " key=(null)");
+                                audit_log_format(ab, " list=%d res=1",
+                                        r->listnr);
+                                audit_log_end(ab);
+                        }
                        list_del(&r->rlist);
                        list_del_rcu(&e->list);
                        call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
 {
        struct audit_buffer *ab;
+        if (!audit_enabled)
+                return;
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
        if (!ab)
                return;
author	Eric Paris <eparis@redhat.com>	2008-01-07 17:09:31 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2008-02-01 14:24:33 -0500
commit	1a6b9f2317f18db768010252c957d99daf40678f (patch)
tree	e63199fab4ec31e05b22f3af10505bdcfcb57be8
parent	de6bbd1d30e5912620d25dd15e3f180ac7f9fcef (diff)

diff --git a/kernel/audit.c b/kernel/audit.c index 26ff925e13f2..7e29372da284 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -66,9 +66,9 @@
66	* (Initialization happens after skb_init is called.) */	66	* (Initialization happens after skb_init is called.) */
67	static int audit_initialized;	67	static int audit_initialized;
68		68
69	/* 0 - no auditing	69	#define AUDIT_OFF 0
70	* 1 - auditing enabled	70	#define AUDIT_ON 1
71	* 2 - auditing enabled and configuration is locked/unchangeable. */	71	#define AUDIT_LOCKED 2
72	int audit_enabled;	72	int audit_enabled;
73		73
74	/* Default state when kernel boots without any parameters. */	74	/* Default state when kernel boots without any parameters. */
@@ -240,152 +240,90 @@ void audit_log_lost(const char *message)
240	}	240	}
241	}	241	}
242		242
243	static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)	243	static int audit_log_config_change(char *function_name, int new, int old,
		244	uid_t loginuid, u32 sid, int allow_changes)
244	{	245	{
245	int res, rc = 0, old = audit_rate_limit;	246	struct audit_buffer *ab;
246		247	int rc = 0;
247	/* check if we are locked */
248	if (audit_enabled == 2)
249	res = 0;
250	else
251	res = 1;
252		248
		249	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
		250	audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
		251	old, loginuid);
253	if (sid) {	252	if (sid) {
254	char *ctx = NULL;	253	char *ctx = NULL;
255	u32 len;	254	u32 len;
256	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {	255
257	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	256	rc = selinux_sid_to_string(sid, &ctx, &len);
258	"audit_rate_limit=%d old=%d by auid=%u"	257	if (rc) {
259	" subj=%s res=%d",	258	audit_log_format(ab, " sid=%u", sid);
260	limit, old, loginuid, ctx, res);	259	allow_changes = 0; /* Something weird, deny request */
		260	} else {
		261	audit_log_format(ab, " subj=%s", ctx);
261	kfree(ctx);	262	kfree(ctx);
262	} else	263	}
263	res = 0; /* Something weird, deny request */
264	}	264	}
265	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	265	audit_log_format(ab, " res=%d", allow_changes);
266	"audit_rate_limit=%d old=%d by auid=%u res=%d",	266	audit_log_end(ab);
267	limit, old, loginuid, res);
268
269	/* If we are allowed, make the change */
270	if (res == 1)
271	audit_rate_limit = limit;
272	/* Not allowed, update reason */
273	else if (rc == 0)
274	rc = -EPERM;
275	return rc;	267	return rc;
276	}	268	}
277		269
278	static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)	270	static int audit_do_config_change(char function_name, int to_change,
		271	int new, uid_t loginuid, u32 sid)
279	{	272	{
280	int res, rc = 0, old = audit_backlog_limit;	273	int allow_changes, rc = 0, old = *to_change;
281		274
282	/* check if we are locked */	275	/* check if we are locked */
283	if (audit_enabled == 2)	276	if (audit_enabled == AUDIT_LOCKED)
284	res = 0;	277	allow_changes = 0;
285	else	278	else
286	res = 1;	279	allow_changes = 1;
287		280
288	if (sid) {	281	if (audit_enabled != AUDIT_OFF) {
289	char *ctx = NULL;	282	rc = audit_log_config_change(function_name, new, old,
290	u32 len;	283	loginuid, sid, allow_changes);
291	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {	284	if (rc)
292	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	285	allow_changes = 0;
293	"audit_backlog_limit=%d old=%d by auid=%u"
294	" subj=%s res=%d",
295	limit, old, loginuid, ctx, res);
296	kfree(ctx);
297	} else
298	res = 0; /* Something weird, deny request */
299	}	286	}
300	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
301	"audit_backlog_limit=%d old=%d by auid=%u res=%d",
302	limit, old, loginuid, res);
303		287
304	/* If we are allowed, make the change */	288	/* If we are allowed, make the change */
305	if (res == 1)	289	if (allow_changes == 1)
306	audit_backlog_limit = limit;	290	*to_change = new;
307	/* Not allowed, update reason */	291	/* Not allowed, update reason */
308	else if (rc == 0)	292	else if (rc == 0)
309	rc = -EPERM;	293	rc = -EPERM;
310	return rc;	294	return rc;
311	}	295	}
312		296
313	static int audit_set_enabled(int state, uid_t loginuid, u32 sid)	297	static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
314	{	298	{
315	int res, rc = 0, old = audit_enabled;	299	return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
316		300	limit, loginuid, sid);
317	if (state < 0 \|\| state > 2)	301	}
318	return -EINVAL;
319		302
320	/* check if we are locked */	303	static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
321	if (audit_enabled == 2)	304	{
322	res = 0;	305	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
323	else	306	limit, loginuid, sid);
324	res = 1;	307	}
325		308
326	if (sid) {	309	static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
327	char *ctx = NULL;	310	{
328	u32 len;	311	if (state < AUDIT_OFF \|\| state > AUDIT_LOCKED)
329	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {	312	return -EINVAL;
330	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
331	"audit_enabled=%d old=%d by auid=%u"
332	" subj=%s res=%d",
333	state, old, loginuid, ctx, res);
334	kfree(ctx);
335	} else
336	res = 0; /* Something weird, deny request */
337	}
338	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
339	"audit_enabled=%d old=%d by auid=%u res=%d",
340	state, old, loginuid, res);
341		313
342	/* If we are allowed, make the change */	314	return audit_do_config_change("audit_enabled", &audit_enabled, state,
343	if (res == 1)	315	loginuid, sid);
344	audit_enabled = state;
345	/* Not allowed, update reason */
346	else if (rc == 0)
347	rc = -EPERM;
348	return rc;
349	}	316	}
350		317
351	static int audit_set_failure(int state, uid_t loginuid, u32 sid)	318	static int audit_set_failure(int state, uid_t loginuid, u32 sid)
352	{	319	{
353	int res, rc = 0, old = audit_failure;
354
355	if (state != AUDIT_FAIL_SILENT	320	if (state != AUDIT_FAIL_SILENT
356	&& state != AUDIT_FAIL_PRINTK	321	&& state != AUDIT_FAIL_PRINTK
357	&& state != AUDIT_FAIL_PANIC)	322	&& state != AUDIT_FAIL_PANIC)
358	return -EINVAL;	323	return -EINVAL;
359		324
360	/* check if we are locked */	325	return audit_do_config_change("audit_failure", &audit_failure, state,
361	if (audit_enabled == 2)	326	loginuid, sid);
362	res = 0;
363	else
364	res = 1;
365
366	if (sid) {
367	char *ctx = NULL;
368	u32 len;
369	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
370	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
371	"audit_failure=%d old=%d by auid=%u"
372	" subj=%s res=%d",
373	state, old, loginuid, ctx, res);
374	kfree(ctx);
375	} else
376	res = 0; /* Something weird, deny request */
377	}
378	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379	"audit_failure=%d old=%d by auid=%u res=%d",
380	state, old, loginuid, res);
381
382	/* If we are allowed, make the change */
383	if (res == 1)
384	audit_failure = state;
385	/* Not allowed, update reason */
386	else if (rc == 0)
387	rc = -EPERM;
388	return rc;
389	}	327	}
390		328
391	static int kauditd_thread(void *dummy)	329	static int kauditd_thread(void *dummy)
@@ -634,23 +572,14 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
634	if (err < 0) return err;	572	if (err < 0) return err;
635	}	573	}
636	if (status_get->mask & AUDIT_STATUS_PID) {	574	if (status_get->mask & AUDIT_STATUS_PID) {
637	int old = audit_pid;	575	int new_pid = status_get->pid;
638	if (sid) {	576
639	if ((err = selinux_sid_to_string(	577	if (audit_enabled != AUDIT_OFF)
640	sid, &ctx, &len)))	578	audit_log_config_change("audit_pid", new_pid,
641	return err;	579	audit_pid, loginuid,
642	else	580	sid, 1);
643	audit_log(NULL, GFP_KERNEL,	581
644	AUDIT_CONFIG_CHANGE,	582	audit_pid = new_pid;
645	"audit_pid=%d old=%d by auid=%u subj=%s",
646	status_get->pid, old,
647	loginuid, ctx);
648	kfree(ctx);
649	} else
650	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
651	"audit_pid=%d old=%d by auid=%u",
652	status_get->pid, old, loginuid);
653	audit_pid = status_get->pid;
654	}	583	}
655	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)	584	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
656	err = audit_set_rate_limit(status_get->rate_limit,	585	err = audit_set_rate_limit(status_get->rate_limit,
@@ -709,7 +638,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
709	case AUDIT_DEL:	638	case AUDIT_DEL:
710	if (nlmsg_len(nlh) < sizeof(struct audit_rule))	639	if (nlmsg_len(nlh) < sizeof(struct audit_rule))
711	return -EINVAL;	640	return -EINVAL;
712	if (audit_enabled == 2) {	641	if (audit_enabled == AUDIT_LOCKED) {
713	ab = audit_log_start(NULL, GFP_KERNEL,	642	ab = audit_log_start(NULL, GFP_KERNEL,
714	AUDIT_CONFIG_CHANGE);	643	AUDIT_CONFIG_CHANGE);
715	if (ab) {	644	if (ab) {
@@ -743,7 +672,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
743	case AUDIT_DEL_RULE:	672	case AUDIT_DEL_RULE:
744	if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))	673	if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
745	return -EINVAL;	674	return -EINVAL;
746	if (audit_enabled == 2) {	675	if (audit_enabled == AUDIT_LOCKED) {
747	ab = audit_log_start(NULL, GFP_KERNEL,	676	ab = audit_log_start(NULL, GFP_KERNEL,
748	AUDIT_CONFIG_CHANGE);	677	AUDIT_CONFIG_CHANGE);
749	if (ab) {	678	if (ab) {


diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 5d96f2cc7be8..6f19fd477aac 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
95	/* Inotify events we care about. */	95	/* Inotify events we care about. */
96	#define AUDIT_IN_WATCH IN_MOVE\|IN_CREATE\|IN_DELETE\|IN_DELETE_SELF\|IN_MOVE_SELF	96	#define AUDIT_IN_WATCH IN_MOVE\|IN_CREATE\|IN_DELETE\|IN_DELETE_SELF\|IN_MOVE_SELF
97		97
		98	extern int audit_enabled;
		99
98	void audit_free_parent(struct inotify_watch *i_watch)	100	void audit_free_parent(struct inotify_watch *i_watch)
99	{	101	{
100	struct audit_parent *parent;	102	struct audit_parent *parent;
@@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent,
974	struct audit_watch owatch, nwatch, *nextw;	976	struct audit_watch owatch, nwatch, *nextw;
975	struct audit_krule r, nextr;	977	struct audit_krule r, nextr;
976	struct audit_entry oentry, nentry;	978	struct audit_entry oentry, nentry;
977	struct audit_buffer *ab;
978		979
979	mutex_lock(&audit_filter_mutex);	980	mutex_lock(&audit_filter_mutex);
980	list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {	981	list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent,
1014	call_rcu(&oentry->rcu, audit_free_rule_rcu);	1015	call_rcu(&oentry->rcu, audit_free_rule_rcu);
1015	}	1016	}
1016		1017
1017	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);	1018	if (audit_enabled) {
1018	audit_log_format(ab, "op=updated rules specifying path=");	1019	struct audit_buffer *ab;
1019	audit_log_untrustedstring(ab, owatch->path);	1020	ab = audit_log_start(NULL, GFP_KERNEL,
1020	audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);	1021	AUDIT_CONFIG_CHANGE);
1021	audit_log_format(ab, " list=%d res=1", r->listnr);	1022	audit_log_format(ab,
1022	audit_log_end(ab);	1023	"op=updated rules specifying path=");
1023		1024	audit_log_untrustedstring(ab, owatch->path);
		1025	audit_log_format(ab, " with dev=%u ino=%lu\n",
		1026	dev, ino);
		1027	audit_log_format(ab, " list=%d res=1", r->listnr);
		1028	audit_log_end(ab);
		1029	}
1024	audit_remove_watch(owatch);	1030	audit_remove_watch(owatch);
1025	goto add_watch_to_parent; /* event applies to a single watch */	1031	goto add_watch_to_parent; /* event applies to a single watch */
1026	}	1032	}
@@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
1039	struct audit_watch w, nextw;	1045	struct audit_watch w, nextw;
1040	struct audit_krule r, nextr;	1046	struct audit_krule r, nextr;
1041	struct audit_entry *e;	1047	struct audit_entry *e;
1042	struct audit_buffer *ab;
1043		1048
1044	mutex_lock(&audit_filter_mutex);	1049	mutex_lock(&audit_filter_mutex);
1045	parent->flags \|= AUDIT_PARENT_INVALID;	1050	parent->flags \|= AUDIT_PARENT_INVALID;
1046	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {	1051	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
1047	list_for_each_entry_safe(r, nextr, &w->rules, rlist) {	1052	list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
1048	e = container_of(r, struct audit_entry, rule);	1053	e = container_of(r, struct audit_entry, rule);
1049		1054	if (audit_enabled) {
1050	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);	1055	struct audit_buffer *ab;
1051	audit_log_format(ab, "op=remove rule path=");	1056	ab = audit_log_start(NULL, GFP_KERNEL,
1052	audit_log_untrustedstring(ab, w->path);	1057	AUDIT_CONFIG_CHANGE);
1053	if (r->filterkey) {	1058	audit_log_format(ab, "op=remove rule path=");
1054	audit_log_format(ab, " key=");	1059	audit_log_untrustedstring(ab, w->path);
1055	audit_log_untrustedstring(ab, r->filterkey);	1060	if (r->filterkey) {
1056	} else	1061	audit_log_format(ab, " key=");
1057	audit_log_format(ab, " key=(null)");	1062	audit_log_untrustedstring(ab,
1058	audit_log_format(ab, " list=%d res=1", r->listnr);	1063	r->filterkey);
1059	audit_log_end(ab);	1064	} else
1060		1065	audit_log_format(ab, " key=(null)");
		1066	audit_log_format(ab, " list=%d res=1",
		1067	r->listnr);
		1068	audit_log_end(ab);
		1069	}
1061	list_del(&r->rlist);	1070	list_del(&r->rlist);
1062	list_del_rcu(&e->list);	1071	list_del_rcu(&e->list);
1063	call_rcu(&e->rcu, audit_free_rule_rcu);	1072	call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
1495	{	1504	{
1496	struct audit_buffer *ab;	1505	struct audit_buffer *ab;
1497		1506
		1507	if (!audit_enabled)
		1508	return;
		1509
1498	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);	1510	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1499	if (!ab)	1511	if (!ab)
1500	return;	1512	return;