AUDIT: Really exempt auditd from having its actions audited.

We were only avoiding it on syscall exit before; now stop _everything_.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

1 files changed, 8 insertions, 2 deletions

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6b4fbb1c0129..48a39579c45c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -477,6 +477,9 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
         int                word = AUDIT_WORD(ctx->major);
         int                bit  = AUDIT_BIT(ctx->major);
 
+        if (audit_pid && ctx->pid == audit_pid)
+                return AUDIT_DISABLED;
+
         rcu_read_lock();
         list_for_each_entry_rcu(e, list, list) {
                 if ((e->rule.mask[word] & bit) == bit
@@ -494,6 +497,9 @@ int audit_filter_user(struct task_struct *tsk, int type)
         struct audit_entry *e;
         enum audit_state   state;
 
+        if (audit_pid && tsk->pid == audit_pid)
+                return AUDIT_DISABLED;
+
         rcu_read_lock();
         list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
                 if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
@@ -816,7 +822,7 @@ void audit_free(struct task_struct *tsk)
 
         /* Check for system calls that do not go through the exit
          * function (e.g., exit_group), then free context block. */
-        if (context->in_syscall && context->auditable && context->pid != audit_pid)
+        if (context->in_syscall && context->auditable)
                 audit_log_exit(context);
 
         audit_free_context(context);
@@ -921,7 +927,7 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
         if (likely(!context))
                 return;
 
-        if (context->in_syscall && context->auditable && context->pid != audit_pid)
+        if (context->in_syscall && context->auditable)
                 audit_log_exit(context);
 
         context->in_syscall = 0;