diff options
| author | Eric Paris <eparis@redhat.com> | 2008-01-08 17:38:31 -0500 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-02-01 14:24:45 -0500 |
| commit | b593d384efcff7bdf6beb1bc1bc69927977aee26 (patch) | |
| tree | 9055ef0decc84dcbf0da67135535f0746e602e8e | |
| parent | 50397bd1e471391d27f64efad9271459c913de87 (diff) | |
[AUDIT] create context if auditing was ever enabled
Disabling audit at runtime by auditctl doesn't mean that we can
stop allocating contexts for new processes; we don't want to miss them
when that sucker is reenabled.
(based on work from Al Viro in the RHEL kernel series)
Signed-off-by: Eric Paris <eparis@redhat.com>
| -rw-r--r-- | kernel/audit.c | 16 | ||||
| -rw-r--r-- | kernel/auditsc.c | 3 |
2 files changed, 15 insertions, 4 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 549b2f55b649..1242021c7a6d 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -70,6 +70,7 @@ static int audit_initialized; | |||
| 70 | #define AUDIT_ON 1 | 70 | #define AUDIT_ON 1 |
| 71 | #define AUDIT_LOCKED 2 | 71 | #define AUDIT_LOCKED 2 |
| 72 | int audit_enabled; | 72 | int audit_enabled; |
| 73 | int audit_ever_enabled; | ||
| 73 | 74 | ||
| 74 | /* Default state when kernel boots without any parameters. */ | 75 | /* Default state when kernel boots without any parameters. */ |
| 75 | static int audit_default; | 76 | static int audit_default; |
| @@ -310,11 +311,17 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) | |||
| 310 | 311 | ||
| 311 | static int audit_set_enabled(int state, uid_t loginuid, u32 sid) | 312 | static int audit_set_enabled(int state, uid_t loginuid, u32 sid) |
| 312 | { | 313 | { |
| 314 | int rc; | ||
| 313 | if (state < AUDIT_OFF || state > AUDIT_LOCKED) | 315 | if (state < AUDIT_OFF || state > AUDIT_LOCKED) |
| 314 | return -EINVAL; | 316 | return -EINVAL; |
| 315 | 317 | ||
| 316 | return audit_do_config_change("audit_enabled", &audit_enabled, state, | 318 | rc = audit_do_config_change("audit_enabled", &audit_enabled, state, |
| 317 | loginuid, sid); | 319 | loginuid, sid); |
| 320 | |||
| 321 | if (!rc) | ||
| 322 | audit_ever_enabled |= !!state; | ||
| 323 | |||
| 324 | return rc; | ||
| 318 | } | 325 | } |
| 319 | 326 | ||
| 320 | static int audit_set_failure(int state, uid_t loginuid, u32 sid) | 327 | static int audit_set_failure(int state, uid_t loginuid, u32 sid) |
| @@ -857,6 +864,7 @@ static int __init audit_init(void) | |||
| 857 | skb_queue_head_init(&audit_skb_queue); | 864 | skb_queue_head_init(&audit_skb_queue); |
| 858 | audit_initialized = 1; | 865 | audit_initialized = 1; |
| 859 | audit_enabled = audit_default; | 866 | audit_enabled = audit_default; |
| 867 | audit_ever_enabled |= !!audit_default; | ||
| 860 | 868 | ||
| 861 | /* Register the callback with selinux. This callback will be invoked | 869 | /* Register the callback with selinux. This callback will be invoked |
| 862 | * when a new policy is loaded. */ | 870 | * when a new policy is loaded. */ |
| @@ -884,8 +892,10 @@ static int __init audit_enable(char *str) | |||
| 884 | printk(KERN_INFO "audit: %s%s\n", | 892 | printk(KERN_INFO "audit: %s%s\n", |
| 885 | audit_default ? "enabled" : "disabled", | 893 | audit_default ? "enabled" : "disabled", |
| 886 | audit_initialized ? "" : " (after initialization)"); | 894 | audit_initialized ? "" : " (after initialization)"); |
| 887 | if (audit_initialized) | 895 | if (audit_initialized) { |
| 888 | audit_enabled = audit_default; | 896 | audit_enabled = audit_default; |
| 897 | audit_ever_enabled |= !!audit_default; | ||
| 898 | } | ||
| 889 | return 1; | 899 | return 1; |
| 890 | } | 900 | } |
| 891 | 901 | ||
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6e03322e155b..1c06ecf38d7b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -70,6 +70,7 @@ | |||
| 70 | #include "audit.h" | 70 | #include "audit.h" |
| 71 | 71 | ||
| 72 | extern struct list_head audit_filter_list[]; | 72 | extern struct list_head audit_filter_list[]; |
| 73 | extern int audit_ever_enabled; | ||
| 73 | 74 | ||
| 74 | /* AUDIT_NAMES is the number of slots we reserve in the audit_context | 75 | /* AUDIT_NAMES is the number of slots we reserve in the audit_context |
| 75 | * for saving names from getname(). */ | 76 | * for saving names from getname(). */ |
| @@ -838,7 +839,7 @@ int audit_alloc(struct task_struct *tsk) | |||
| 838 | struct audit_context *context; | 839 | struct audit_context *context; |
| 839 | enum audit_state state; | 840 | enum audit_state state; |
| 840 | 841 | ||
| 841 | if (likely(!audit_enabled)) | 842 | if (likely(!audit_ever_enabled)) |
| 842 | return 0; /* Return if not auditing. */ | 843 | return 0; /* Return if not auditing. */ |
| 843 | 844 | ||
| 844 | state = audit_filter_task(tsk); | 845 | state = audit_filter_task(tsk); |