audit: log on errors from filter user rules

An error on an AUDIT_NEVER rule disabled logging on that rule.
On error on AUDIT_NEVER rules, log.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>

2 files changed, 8 insertions, 5 deletions

diff --git a/kernel/audit.c b/kernel/audit.c
index 9c4ec29a707b..15661ef8bece 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -869,7 +869,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                         return 0;
 
                 err = audit_filter_user(msg_type);
-                if (err == 1) {
+                if (err == 1) { /* match or error */
                         err = 0;
                         if (msg_type == AUDIT_USER_TTY) {
                                 err = tty_audit_push_current();
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 629834aa4ca4..14a78cca384e 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1290,19 +1290,22 @@ int audit_filter_user(int type)
 {
         enum audit_state state = AUDIT_DISABLED;
         struct audit_entry *e;
-        int ret = 1;
+        int rc, ret;
+
+        ret = 1; /* Audit by default */
 
         rcu_read_lock();
         list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
-                if (audit_filter_user_rules(&e->rule, type, &state)) {
-                        if (state == AUDIT_DISABLED)
+                rc = audit_filter_user_rules(&e->rule, type, &state);
+                if (rc) {
+                        if (rc > 0 && state == AUDIT_DISABLED)
                                 ret = 0;
                         break;
                 }
         }
         rcu_read_unlock();
 
-        return ret; /* Audit by default */
+        return ret;
 }
 
 int audit_filter_type(int type)