aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2008-01-07 17:09:31 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2008-02-01 14:24:33 -0500
commit1a6b9f2317f18db768010252c957d99daf40678f (patch)
treee63199fab4ec31e05b22f3af10505bdcfcb57be8 /kernel
parentde6bbd1d30e5912620d25dd15e3f180ac7f9fcef (diff)
[AUDIT] make audit=0 really stop audit messages
Some audit messages (namely configuration changes) are still emitted even if the audit subsystem has been explicitly disabled. This patch turns those messages off as well. Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/audit.c191
-rw-r--r--kernel/auditfilter.c54
2 files changed, 93 insertions, 152 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 26ff925e13f2..7e29372da284 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,9 +66,9 @@
66 * (Initialization happens after skb_init is called.) */ 66 * (Initialization happens after skb_init is called.) */
67static int audit_initialized; 67static int audit_initialized;
68 68
69/* 0 - no auditing 69#define AUDIT_OFF 0
70 * 1 - auditing enabled 70#define AUDIT_ON 1
71 * 2 - auditing enabled and configuration is locked/unchangeable. */ 71#define AUDIT_LOCKED 2
72int audit_enabled; 72int audit_enabled;
73 73
74/* Default state when kernel boots without any parameters. */ 74/* Default state when kernel boots without any parameters. */
@@ -240,152 +240,90 @@ void audit_log_lost(const char *message)
240 } 240 }
241} 241}
242 242
243static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) 243static int audit_log_config_change(char *function_name, int new, int old,
244 uid_t loginuid, u32 sid, int allow_changes)
244{ 245{
245 int res, rc = 0, old = audit_rate_limit; 246 struct audit_buffer *ab;
246 247 int rc = 0;
247 /* check if we are locked */
248 if (audit_enabled == 2)
249 res = 0;
250 else
251 res = 1;
252 248
249 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
250 audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
251 old, loginuid);
253 if (sid) { 252 if (sid) {
254 char *ctx = NULL; 253 char *ctx = NULL;
255 u32 len; 254 u32 len;
256 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 255
257 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 256 rc = selinux_sid_to_string(sid, &ctx, &len);
258 "audit_rate_limit=%d old=%d by auid=%u" 257 if (rc) {
259 " subj=%s res=%d", 258 audit_log_format(ab, " sid=%u", sid);
260 limit, old, loginuid, ctx, res); 259 allow_changes = 0; /* Something weird, deny request */
260 } else {
261 audit_log_format(ab, " subj=%s", ctx);
261 kfree(ctx); 262 kfree(ctx);
262 } else 263 }
263 res = 0; /* Something weird, deny request */
264 } 264 }
265 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 265 audit_log_format(ab, " res=%d", allow_changes);
266 "audit_rate_limit=%d old=%d by auid=%u res=%d", 266 audit_log_end(ab);
267 limit, old, loginuid, res);
268
269 /* If we are allowed, make the change */
270 if (res == 1)
271 audit_rate_limit = limit;
272 /* Not allowed, update reason */
273 else if (rc == 0)
274 rc = -EPERM;
275 return rc; 267 return rc;
276} 268}
277 269
278static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) 270static int audit_do_config_change(char *function_name, int *to_change,
271 int new, uid_t loginuid, u32 sid)
279{ 272{
280 int res, rc = 0, old = audit_backlog_limit; 273 int allow_changes, rc = 0, old = *to_change;
281 274
282 /* check if we are locked */ 275 /* check if we are locked */
283 if (audit_enabled == 2) 276 if (audit_enabled == AUDIT_LOCKED)
284 res = 0; 277 allow_changes = 0;
285 else 278 else
286 res = 1; 279 allow_changes = 1;
287 280
288 if (sid) { 281 if (audit_enabled != AUDIT_OFF) {
289 char *ctx = NULL; 282 rc = audit_log_config_change(function_name, new, old,
290 u32 len; 283 loginuid, sid, allow_changes);
291 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 284 if (rc)
292 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 285 allow_changes = 0;
293 "audit_backlog_limit=%d old=%d by auid=%u"
294 " subj=%s res=%d",
295 limit, old, loginuid, ctx, res);
296 kfree(ctx);
297 } else
298 res = 0; /* Something weird, deny request */
299 } 286 }
300 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
301 "audit_backlog_limit=%d old=%d by auid=%u res=%d",
302 limit, old, loginuid, res);
303 287
304 /* If we are allowed, make the change */ 288 /* If we are allowed, make the change */
305 if (res == 1) 289 if (allow_changes == 1)
306 audit_backlog_limit = limit; 290 *to_change = new;
307 /* Not allowed, update reason */ 291 /* Not allowed, update reason */
308 else if (rc == 0) 292 else if (rc == 0)
309 rc = -EPERM; 293 rc = -EPERM;
310 return rc; 294 return rc;
311} 295}
312 296
313static int audit_set_enabled(int state, uid_t loginuid, u32 sid) 297static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
314{ 298{
315 int res, rc = 0, old = audit_enabled; 299 return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
316 300 limit, loginuid, sid);
317 if (state < 0 || state > 2) 301}
318 return -EINVAL;
319 302
320 /* check if we are locked */ 303static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
321 if (audit_enabled == 2) 304{
322 res = 0; 305 return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
323 else 306 limit, loginuid, sid);
324 res = 1; 307}
325 308
326 if (sid) { 309static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
327 char *ctx = NULL; 310{
328 u32 len; 311 if (state < AUDIT_OFF || state > AUDIT_LOCKED)
329 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 312 return -EINVAL;
330 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
331 "audit_enabled=%d old=%d by auid=%u"
332 " subj=%s res=%d",
333 state, old, loginuid, ctx, res);
334 kfree(ctx);
335 } else
336 res = 0; /* Something weird, deny request */
337 }
338 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
339 "audit_enabled=%d old=%d by auid=%u res=%d",
340 state, old, loginuid, res);
341 313
342 /* If we are allowed, make the change */ 314 return audit_do_config_change("audit_enabled", &audit_enabled, state,
343 if (res == 1) 315 loginuid, sid);
344 audit_enabled = state;
345 /* Not allowed, update reason */
346 else if (rc == 0)
347 rc = -EPERM;
348 return rc;
349} 316}
350 317
351static int audit_set_failure(int state, uid_t loginuid, u32 sid) 318static int audit_set_failure(int state, uid_t loginuid, u32 sid)
352{ 319{
353 int res, rc = 0, old = audit_failure;
354
355 if (state != AUDIT_FAIL_SILENT 320 if (state != AUDIT_FAIL_SILENT
356 && state != AUDIT_FAIL_PRINTK 321 && state != AUDIT_FAIL_PRINTK
357 && state != AUDIT_FAIL_PANIC) 322 && state != AUDIT_FAIL_PANIC)
358 return -EINVAL; 323 return -EINVAL;
359 324
360 /* check if we are locked */ 325 return audit_do_config_change("audit_failure", &audit_failure, state,
361 if (audit_enabled == 2) 326 loginuid, sid);
362 res = 0;
363 else
364 res = 1;
365
366 if (sid) {
367 char *ctx = NULL;
368 u32 len;
369 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
370 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
371 "audit_failure=%d old=%d by auid=%u"
372 " subj=%s res=%d",
373 state, old, loginuid, ctx, res);
374 kfree(ctx);
375 } else
376 res = 0; /* Something weird, deny request */
377 }
378 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379 "audit_failure=%d old=%d by auid=%u res=%d",
380 state, old, loginuid, res);
381
382 /* If we are allowed, make the change */
383 if (res == 1)
384 audit_failure = state;
385 /* Not allowed, update reason */
386 else if (rc == 0)
387 rc = -EPERM;
388 return rc;
389} 327}
390 328
391static int kauditd_thread(void *dummy) 329static int kauditd_thread(void *dummy)
@@ -634,23 +572,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
634 if (err < 0) return err; 572 if (err < 0) return err;
635 } 573 }
636 if (status_get->mask & AUDIT_STATUS_PID) { 574 if (status_get->mask & AUDIT_STATUS_PID) {
637 int old = audit_pid; 575 int new_pid = status_get->pid;
638 if (sid) { 576
639 if ((err = selinux_sid_to_string( 577 if (audit_enabled != AUDIT_OFF)
640 sid, &ctx, &len))) 578 audit_log_config_change("audit_pid", new_pid,
641 return err; 579 audit_pid, loginuid,
642 else 580 sid, 1);
643 audit_log(NULL, GFP_KERNEL, 581
644 AUDIT_CONFIG_CHANGE, 582 audit_pid = new_pid;
645 "audit_pid=%d old=%d by auid=%u subj=%s",
646 status_get->pid, old,
647 loginuid, ctx);
648 kfree(ctx);
649 } else
650 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
651 "audit_pid=%d old=%d by auid=%u",
652 status_get->pid, old, loginuid);
653 audit_pid = status_get->pid;
654 } 583 }
655 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 584 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
656 err = audit_set_rate_limit(status_get->rate_limit, 585 err = audit_set_rate_limit(status_get->rate_limit,
@@ -709,7 +638,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
709 case AUDIT_DEL: 638 case AUDIT_DEL:
710 if (nlmsg_len(nlh) < sizeof(struct audit_rule)) 639 if (nlmsg_len(nlh) < sizeof(struct audit_rule))
711 return -EINVAL; 640 return -EINVAL;
712 if (audit_enabled == 2) { 641 if (audit_enabled == AUDIT_LOCKED) {
713 ab = audit_log_start(NULL, GFP_KERNEL, 642 ab = audit_log_start(NULL, GFP_KERNEL,
714 AUDIT_CONFIG_CHANGE); 643 AUDIT_CONFIG_CHANGE);
715 if (ab) { 644 if (ab) {
@@ -743,7 +672,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
743 case AUDIT_DEL_RULE: 672 case AUDIT_DEL_RULE:
744 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) 673 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
745 return -EINVAL; 674 return -EINVAL;
746 if (audit_enabled == 2) { 675 if (audit_enabled == AUDIT_LOCKED) {
747 ab = audit_log_start(NULL, GFP_KERNEL, 676 ab = audit_log_start(NULL, GFP_KERNEL,
748 AUDIT_CONFIG_CHANGE); 677 AUDIT_CONFIG_CHANGE);
749 if (ab) { 678 if (ab) {
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 5d96f2cc7be8..6f19fd477aac 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
95/* Inotify events we care about. */ 95/* Inotify events we care about. */
96#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 96#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
97 97
98extern int audit_enabled;
99
98void audit_free_parent(struct inotify_watch *i_watch) 100void audit_free_parent(struct inotify_watch *i_watch)
99{ 101{
100 struct audit_parent *parent; 102 struct audit_parent *parent;
@@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent,
974 struct audit_watch *owatch, *nwatch, *nextw; 976 struct audit_watch *owatch, *nwatch, *nextw;
975 struct audit_krule *r, *nextr; 977 struct audit_krule *r, *nextr;
976 struct audit_entry *oentry, *nentry; 978 struct audit_entry *oentry, *nentry;
977 struct audit_buffer *ab;
978 979
979 mutex_lock(&audit_filter_mutex); 980 mutex_lock(&audit_filter_mutex);
980 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 981 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent,
1014 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1015 call_rcu(&oentry->rcu, audit_free_rule_rcu);
1015 } 1016 }
1016 1017
1017 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1018 if (audit_enabled) {
1018 audit_log_format(ab, "op=updated rules specifying path="); 1019 struct audit_buffer *ab;
1019 audit_log_untrustedstring(ab, owatch->path); 1020 ab = audit_log_start(NULL, GFP_KERNEL,
1020 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 1021 AUDIT_CONFIG_CHANGE);
1021 audit_log_format(ab, " list=%d res=1", r->listnr); 1022 audit_log_format(ab,
1022 audit_log_end(ab); 1023 "op=updated rules specifying path=");
1023 1024 audit_log_untrustedstring(ab, owatch->path);
1025 audit_log_format(ab, " with dev=%u ino=%lu\n",
1026 dev, ino);
1027 audit_log_format(ab, " list=%d res=1", r->listnr);
1028 audit_log_end(ab);
1029 }
1024 audit_remove_watch(owatch); 1030 audit_remove_watch(owatch);
1025 goto add_watch_to_parent; /* event applies to a single watch */ 1031 goto add_watch_to_parent; /* event applies to a single watch */
1026 } 1032 }
@@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
1039 struct audit_watch *w, *nextw; 1045 struct audit_watch *w, *nextw;
1040 struct audit_krule *r, *nextr; 1046 struct audit_krule *r, *nextr;
1041 struct audit_entry *e; 1047 struct audit_entry *e;
1042 struct audit_buffer *ab;
1043 1048
1044 mutex_lock(&audit_filter_mutex); 1049 mutex_lock(&audit_filter_mutex);
1045 parent->flags |= AUDIT_PARENT_INVALID; 1050 parent->flags |= AUDIT_PARENT_INVALID;
1046 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1051 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
1047 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1052 list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
1048 e = container_of(r, struct audit_entry, rule); 1053 e = container_of(r, struct audit_entry, rule);
1049 1054 if (audit_enabled) {
1050 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1055 struct audit_buffer *ab;
1051 audit_log_format(ab, "op=remove rule path="); 1056 ab = audit_log_start(NULL, GFP_KERNEL,
1052 audit_log_untrustedstring(ab, w->path); 1057 AUDIT_CONFIG_CHANGE);
1053 if (r->filterkey) { 1058 audit_log_format(ab, "op=remove rule path=");
1054 audit_log_format(ab, " key="); 1059 audit_log_untrustedstring(ab, w->path);
1055 audit_log_untrustedstring(ab, r->filterkey); 1060 if (r->filterkey) {
1056 } else 1061 audit_log_format(ab, " key=");
1057 audit_log_format(ab, " key=(null)"); 1062 audit_log_untrustedstring(ab,
1058 audit_log_format(ab, " list=%d res=1", r->listnr); 1063 r->filterkey);
1059 audit_log_end(ab); 1064 } else
1060 1065 audit_log_format(ab, " key=(null)");
1066 audit_log_format(ab, " list=%d res=1",
1067 r->listnr);
1068 audit_log_end(ab);
1069 }
1061 list_del(&r->rlist); 1070 list_del(&r->rlist);
1062 list_del_rcu(&e->list); 1071 list_del_rcu(&e->list);
1063 call_rcu(&e->rcu, audit_free_rule_rcu); 1072 call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
1495{ 1504{
1496 struct audit_buffer *ab; 1505 struct audit_buffer *ab;
1497 1506
1507 if (!audit_enabled)
1508 return;
1509
1498 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1510 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1499 if (!ab) 1511 if (!ab)
1500 return; 1512 return;