2 files changed, 93 insertions, 152 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 26ff925e13f2..7e29372da284 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,9 +66,9 @@
 * (Initialization happens after skb_init is called.) */
 static int      audit_initialized;
-/* 0 - no auditing
+#define AUDIT_OFF       0
- * 1 - auditing enabled
+#define AUDIT_ON        1
- * 2 - auditing enabled and configuration is locked/unchangeable. */
+#define AUDIT_LOCKED    2
 int             audit_enabled;
 /* Default state when kernel boots without any parameters. */
@@ -240,152 +240,90 @@ void audit_log_lost(const char *message)
        }
 }
-static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
+static int audit_log_config_change(char *function_name, int new, int old,
+                                   uid_t loginuid, u32 sid, int allow_changes)
 {
-        int res, rc = 0, old = audit_rate_limit;
+        struct audit_buffer *ab;
+        int rc = 0;
-        /* check if we are locked */
-        if (audit_enabled == 2)
-                res = 0;
-        else
-                res = 1;
+        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+        audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
+                         old, loginuid);
        if (sid) {
                char *ctx = NULL;
                u32 len;
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                rc = selinux_sid_to_string(sid, &ctx, &len);
-                                "audit_rate_limit=%d old=%d by auid=%u"
+                if (rc) {
-                                " subj=%s res=%d",
+                        audit_log_format(ab, " sid=%u", sid);
-                                limit, old, loginuid, ctx, res);
+                        allow_changes = 0; /* Something weird, deny request */
+                } else {
+                        audit_log_format(ab, " subj=%s", ctx);
                        kfree(ctx);
-                } else
+                }
-                        res = 0; /* Something weird, deny request */
        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+        audit_log_format(ab, " res=%d", allow_changes);
-                "audit_rate_limit=%d old=%d by auid=%u res=%d",
+        audit_log_end(ab);
-                limit, old, loginuid, res);
-        /* If we are allowed, make the change */
-        if (res == 1)
-                audit_rate_limit = limit;
-        /* Not allowed, update reason */
-        else if (rc == 0)
-                rc = -EPERM;
        return rc;
 }
-static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
+static int audit_do_config_change(char *function_name, int *to_change,
+                                  int new, uid_t loginuid, u32 sid)
 {
-        int res, rc = 0, old = audit_backlog_limit;
+        int allow_changes, rc = 0, old = *to_change;
        /* check if we are locked */
-        if (audit_enabled == 2)
+        if (audit_enabled == AUDIT_LOCKED)
-                res = 0;
+                allow_changes = 0;
        else
-                res = 1;
+                allow_changes = 1;
-        if (sid) {
+        if (audit_enabled != AUDIT_OFF) {
-                char *ctx = NULL;
+                rc = audit_log_config_change(function_name, new, old,
-                u32 len;
+                                             loginuid, sid, allow_changes);
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
+                if (rc)
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                        allow_changes = 0;
-                                "audit_backlog_limit=%d old=%d by auid=%u"
-                                " subj=%s res=%d",
-                                limit, old, loginuid, ctx, res);
-                        kfree(ctx);
-                } else
-                        res = 0; /* Something weird, deny request */
        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                "audit_backlog_limit=%d old=%d by auid=%u res=%d",
-                limit, old, loginuid, res);
        /* If we are allowed, make the change */
-        if (res == 1)
+        if (allow_changes == 1)
-                audit_backlog_limit = limit;
+                *to_change = new;
        /* Not allowed, update reason */
        else if (rc == 0)
                rc = -EPERM;
        return rc;
 }
-static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
+static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
 {
-        int res, rc = 0, old = audit_enabled;
+        return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
+                                      limit, loginuid, sid);
-        if (state < 0 || state > 2)
+}
-                return -EINVAL;
-        /* check if we are locked */
+static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
-        if (audit_enabled == 2)
+{
-                res = 0;
+        return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
-        else
+                                      limit, loginuid, sid);
-                res = 1;
+}
-        if (sid) {
+static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
-                char *ctx = NULL;
+{
-                u32 len;
+        if (state < AUDIT_OFF || state > AUDIT_LOCKED)
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
+                return -EINVAL;
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                "audit_enabled=%d old=%d by auid=%u"
-                                " subj=%s res=%d",
-                                state, old, loginuid, ctx, res);
-                        kfree(ctx);
-                } else
-                        res = 0; /* Something weird, deny request */
-        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                "audit_enabled=%d old=%d by auid=%u res=%d",
-                state, old, loginuid, res);
-        /* If we are allowed, make the change */
+        return audit_do_config_change("audit_enabled", &audit_enabled, state,
-        if (res == 1)
+                                      loginuid, sid);
-                audit_enabled = state;
-        /* Not allowed, update reason */
-        else if (rc == 0)
-                rc = -EPERM;
-        return rc;
 }
 static int audit_set_failure(int state, uid_t loginuid, u32 sid)
 {
-        int res, rc = 0, old = audit_failure;
        if (state != AUDIT_FAIL_SILENT
            && state != AUDIT_FAIL_PRINTK
            && state != AUDIT_FAIL_PANIC)
                return -EINVAL;
-        /* check if we are locked */
+        return audit_do_config_change("audit_failure", &audit_failure, state,
-        if (audit_enabled == 2)
+                                      loginuid, sid);
-                res = 0;
-        else
-                res = 1;
-        if (sid) {
-                char *ctx = NULL;
-                u32 len;
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                "audit_failure=%d old=%d by auid=%u"
-                                " subj=%s res=%d",
-                                state, old, loginuid, ctx, res);
-                        kfree(ctx);
-                } else
-                        res = 0; /* Something weird, deny request */
-        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                "audit_failure=%d old=%d by auid=%u res=%d",
-                state, old, loginuid, res);
-        /* If we are allowed, make the change */
-        if (res == 1)
-                audit_failure = state;
-        /* Not allowed, update reason */
-        else if (rc == 0)
-                rc = -EPERM;
-        return rc;
 }
 static int kauditd_thread(void *dummy)
@@ -634,23 +572,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_PID) {
-                        int old   = audit_pid;
+                        int new_pid = status_get->pid;
-                        if (sid) {
-                                if ((err = selinux_sid_to_string(
+                        if (audit_enabled != AUDIT_OFF)
-                                                sid, &ctx, &len)))
+                                audit_log_config_change("audit_pid", new_pid,
-                                        return err;
+                                                        audit_pid, loginuid,
-                                else
+                                                        sid, 1);
-                                        audit_log(NULL, GFP_KERNEL,
-                                                AUDIT_CONFIG_CHANGE,
+                        audit_pid = new_pid;
-                                                "audit_pid=%d old=%d by auid=%u subj=%s",
-                                                status_get->pid, old,
-                                                loginuid, ctx);
-                                kfree(ctx);
-                        } else
-                                audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                        "audit_pid=%d old=%d by auid=%u",
-                                          status_get->pid, old, loginuid);
-                        audit_pid = status_get->pid;
                }
                if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
                        err = audit_set_rate_limit(status_get->rate_limit,
@@ -709,7 +638,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_DEL:
                if (nlmsg_len(nlh) < sizeof(struct audit_rule))
                        return -EINVAL;
-                if (audit_enabled == 2) {
+                if (audit_enabled == AUDIT_LOCKED) {
                        ab = audit_log_start(NULL, GFP_KERNEL,
                                        AUDIT_CONFIG_CHANGE);
                        if (ab) {
@@ -743,7 +672,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_DEL_RULE:
                if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
                        return -EINVAL;
-                if (audit_enabled == 2) {
+                if (audit_enabled == AUDIT_LOCKED) {
                        ab = audit_log_start(NULL, GFP_KERNEL,
                                        AUDIT_CONFIG_CHANGE);
                        if (ab) {
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 5d96f2cc7be8..6f19fd477aac 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
 /* Inotify events we care about. */
 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
+extern int audit_enabled;
 void audit_free_parent(struct inotify_watch *i_watch)
 {
        struct audit_parent *parent;
@@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent,
        struct audit_watch *owatch, *nwatch, *nextw;
        struct audit_krule *r, *nextr;
        struct audit_entry *oentry, *nentry;
-        struct audit_buffer *ab;
        mutex_lock(&audit_filter_mutex);
        list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent,
                        call_rcu(&oentry->rcu, audit_free_rule_rcu);
                }
-                ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+                if (audit_enabled) {
-                audit_log_format(ab, "op=updated rules specifying path=");
+                        struct audit_buffer *ab;
-                audit_log_untrustedstring(ab, owatch->path);
+                        ab = audit_log_start(NULL, GFP_KERNEL,
-                audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
+                                AUDIT_CONFIG_CHANGE);
-                audit_log_format(ab, " list=%d res=1", r->listnr);
+                        audit_log_format(ab,
-                audit_log_end(ab);
+                                "op=updated rules specifying path=");
+                        audit_log_untrustedstring(ab, owatch->path);
+                        audit_log_format(ab, " with dev=%u ino=%lu\n",
+                                 dev, ino);
+                        audit_log_format(ab, " list=%d res=1", r->listnr);
+                        audit_log_end(ab);
+                }
                audit_remove_watch(owatch);
                goto add_watch_to_parent; /* event applies to a single watch */
        }
@@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
        struct audit_watch *w, *nextw;
        struct audit_krule *r, *nextr;
        struct audit_entry *e;
-        struct audit_buffer *ab;
        mutex_lock(&audit_filter_mutex);
        parent->flags |= AUDIT_PARENT_INVALID;
        list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
                list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
                        e = container_of(r, struct audit_entry, rule);
+                        if (audit_enabled) {
-                        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+                                struct audit_buffer *ab;
-                        audit_log_format(ab, "op=remove rule path=");
+                                ab = audit_log_start(NULL, GFP_KERNEL,
-                        audit_log_untrustedstring(ab, w->path);
+                                        AUDIT_CONFIG_CHANGE);
-                        if (r->filterkey) {
+                                audit_log_format(ab, "op=remove rule path=");
-                                audit_log_format(ab, " key=");
+                                audit_log_untrustedstring(ab, w->path);
-                                audit_log_untrustedstring(ab, r->filterkey);
+                                if (r->filterkey) {
-                        } else
+                                        audit_log_format(ab, " key=");
-                                audit_log_format(ab, " key=(null)");
+                                        audit_log_untrustedstring(ab,
-                        audit_log_format(ab, " list=%d res=1", r->listnr);
+                                                        r->filterkey);
-                        audit_log_end(ab);
+                                } else
+                                        audit_log_format(ab, " key=(null)");
+                                audit_log_format(ab, " list=%d res=1",
+                                        r->listnr);
+                                audit_log_end(ab);
+                        }
                        list_del(&r->rlist);
                        list_del_rcu(&e->list);
                        call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
 {
        struct audit_buffer *ab;
+        if (!audit_enabled)
+                return;
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
        if (!ab)
                return;

diff --git a/kernel/audit.c b/kernel/audit.c index 26ff925e13f2..7e29372da284 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -66,9 +66,9 @@
66	* (Initialization happens after skb_init is called.) */	66	* (Initialization happens after skb_init is called.) */
67	static int audit_initialized;	67	static int audit_initialized;
68		68
69	/* 0 - no auditing	69	#define AUDIT_OFF 0
70	* 1 - auditing enabled	70	#define AUDIT_ON 1
71	* 2 - auditing enabled and configuration is locked/unchangeable. */	71	#define AUDIT_LOCKED 2
72	int audit_enabled;	72	int audit_enabled;
73		73
74	/* Default state when kernel boots without any parameters. */	74	/* Default state when kernel boots without any parameters. */
@@ -240,152 +240,90 @@ void audit_log_lost(const char *message)
240	}	240	}
241	}	241	}
242		242
243	static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)	243	static int audit_log_config_change(char *function_name, int new, int old,
		244	uid_t loginuid, u32 sid, int allow_changes)
244	{	245	{
245	int res, rc = 0, old = audit_rate_limit;	246	struct audit_buffer *ab;
246		247	int rc = 0;
247	/* check if we are locked */
248	if (audit_enabled == 2)
249	res = 0;
250	else
251	res = 1;
252		248
		249	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
		250	audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
		251	old, loginuid);
253	if (sid) {	252	if (sid) {
254	char *ctx = NULL;	253	char *ctx = NULL;
255	u32 len;	254	u32 len;
256	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {	255
257	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	256	rc = selinux_sid_to_string(sid, &ctx, &len);
258	"audit_rate_limit=%d old=%d by auid=%u"	257	if (rc) {
259	" subj=%s res=%d",	258	audit_log_format(ab, " sid=%u", sid);
260	limit, old, loginuid, ctx, res);	259	allow_changes = 0; /* Something weird, deny request */
		260	} else {
		261	audit_log_format(ab, " subj=%s", ctx);
261	kfree(ctx);	262	kfree(ctx);
262	} else	263	}
263	res = 0; /* Something weird, deny request */
264	}	264	}
265	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	265	audit_log_format(ab, " res=%d", allow_changes);
266	"audit_rate_limit=%d old=%d by auid=%u res=%d",	266	audit_log_end(ab);
267	limit, old, loginuid, res);
268
269	/* If we are allowed, make the change */
270	if (res == 1)
271	audit_rate_limit = limit;
272	/* Not allowed, update reason */
273	else if (rc == 0)
274	rc = -EPERM;
275	return rc;	267	return rc;
276	}	268	}
277		269
278	static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)	270	static int audit_do_config_change(char function_name, int to_change,
		271	int new, uid_t loginuid, u32 sid)
279	{	272	{
280	int res, rc = 0, old = audit_backlog_limit;	273	int allow_changes, rc = 0, old = *to_change;
281		274
282	/* check if we are locked */	275	/* check if we are locked */
283	if (audit_enabled == 2)	276	if (audit_enabled == AUDIT_LOCKED)
284	res = 0;	277	allow_changes = 0;
285	else	278	else
286	res = 1;	279	allow_changes = 1;
287		280
288	if (sid) {	281	if (audit_enabled != AUDIT_OFF) {
289	char *ctx = NULL;	282	rc = audit_log_config_change(function_name, new, old,
290	u32 len;	283	loginuid, sid, allow_changes);
291	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {	284	if (rc)
292	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	285	allow_changes = 0;
293	"audit_backlog_limit=%d old=%d by auid=%u"
294	" subj=%s res=%d",
295	limit, old, loginuid, ctx, res);
296	kfree(ctx);
297	} else
298	res = 0; /* Something weird, deny request */
299	}	286	}
300	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
301	"audit_backlog_limit=%d old=%d by auid=%u res=%d",
302	limit, old, loginuid, res);
303		287
304	/* If we are allowed, make the change */	288	/* If we are allowed, make the change */
305	if (res == 1)	289	if (allow_changes == 1)
306	audit_backlog_limit = limit;	290	*to_change = new;
307	/* Not allowed, update reason */	291	/* Not allowed, update reason */
308	else if (rc == 0)	292	else if (rc == 0)
309	rc = -EPERM;	293	rc = -EPERM;
310	return rc;	294	return rc;
311	}	295	}
312		296
313	static int audit_set_enabled(int state, uid_t loginuid, u32 sid)	297	static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
314	{	298	{
315	int res, rc = 0, old = audit_enabled;	299	return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
316		300	limit, loginuid, sid);
317	if (state < 0 \|\| state > 2)	301	}
318	return -EINVAL;
319		302
320	/* check if we are locked */	303	static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
321	if (audit_enabled == 2)	304	{
322	res = 0;	305	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
323	else	306	limit, loginuid, sid);
324	res = 1;	307	}
325		308
326	if (sid) {	309	static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
327	char *ctx = NULL;	310	{
328	u32 len;	311	if (state < AUDIT_OFF \|\| state > AUDIT_LOCKED)
329	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {	312	return -EINVAL;
330	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
331	"audit_enabled=%d old=%d by auid=%u"
332	" subj=%s res=%d",
333	state, old, loginuid, ctx, res);
334	kfree(ctx);
335	} else
336	res = 0; /* Something weird, deny request */
337	}
338	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
339	"audit_enabled=%d old=%d by auid=%u res=%d",
340	state, old, loginuid, res);
341		313
342	/* If we are allowed, make the change */	314	return audit_do_config_change("audit_enabled", &audit_enabled, state,
343	if (res == 1)	315	loginuid, sid);
344	audit_enabled = state;
345	/* Not allowed, update reason */
346	else if (rc == 0)
347	rc = -EPERM;
348	return rc;
349	}	316	}
350		317
351	static int audit_set_failure(int state, uid_t loginuid, u32 sid)	318	static int audit_set_failure(int state, uid_t loginuid, u32 sid)
352	{	319	{
353	int res, rc = 0, old = audit_failure;
354
355	if (state != AUDIT_FAIL_SILENT	320	if (state != AUDIT_FAIL_SILENT
356	&& state != AUDIT_FAIL_PRINTK	321	&& state != AUDIT_FAIL_PRINTK
357	&& state != AUDIT_FAIL_PANIC)	322	&& state != AUDIT_FAIL_PANIC)
358	return -EINVAL;	323	return -EINVAL;
359		324
360	/* check if we are locked */	325	return audit_do_config_change("audit_failure", &audit_failure, state,
361	if (audit_enabled == 2)	326	loginuid, sid);
362	res = 0;
363	else
364	res = 1;
365
366	if (sid) {
367	char *ctx = NULL;
368	u32 len;
369	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
370	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
371	"audit_failure=%d old=%d by auid=%u"
372	" subj=%s res=%d",
373	state, old, loginuid, ctx, res);
374	kfree(ctx);
375	} else
376	res = 0; /* Something weird, deny request */
377	}
378	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379	"audit_failure=%d old=%d by auid=%u res=%d",
380	state, old, loginuid, res);
381
382	/* If we are allowed, make the change */
383	if (res == 1)
384	audit_failure = state;
385	/* Not allowed, update reason */
386	else if (rc == 0)
387	rc = -EPERM;
388	return rc;
389	}	327	}
390		328
391	static int kauditd_thread(void *dummy)	329	static int kauditd_thread(void *dummy)
@@ -634,23 +572,14 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
634	if (err < 0) return err;	572	if (err < 0) return err;
635	}	573	}
636	if (status_get->mask & AUDIT_STATUS_PID) {	574	if (status_get->mask & AUDIT_STATUS_PID) {
637	int old = audit_pid;	575	int new_pid = status_get->pid;
638	if (sid) {	576
639	if ((err = selinux_sid_to_string(	577	if (audit_enabled != AUDIT_OFF)
640	sid, &ctx, &len)))	578	audit_log_config_change("audit_pid", new_pid,
641	return err;	579	audit_pid, loginuid,
642	else	580	sid, 1);
643	audit_log(NULL, GFP_KERNEL,	581
644	AUDIT_CONFIG_CHANGE,	582	audit_pid = new_pid;
645	"audit_pid=%d old=%d by auid=%u subj=%s",
646	status_get->pid, old,
647	loginuid, ctx);
648	kfree(ctx);
649	} else
650	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
651	"audit_pid=%d old=%d by auid=%u",
652	status_get->pid, old, loginuid);
653	audit_pid = status_get->pid;
654	}	583	}
655	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)	584	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
656	err = audit_set_rate_limit(status_get->rate_limit,	585	err = audit_set_rate_limit(status_get->rate_limit,
@@ -709,7 +638,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
709	case AUDIT_DEL:	638	case AUDIT_DEL:
710	if (nlmsg_len(nlh) < sizeof(struct audit_rule))	639	if (nlmsg_len(nlh) < sizeof(struct audit_rule))
711	return -EINVAL;	640	return -EINVAL;
712	if (audit_enabled == 2) {	641	if (audit_enabled == AUDIT_LOCKED) {
713	ab = audit_log_start(NULL, GFP_KERNEL,	642	ab = audit_log_start(NULL, GFP_KERNEL,
714	AUDIT_CONFIG_CHANGE);	643	AUDIT_CONFIG_CHANGE);
715	if (ab) {	644	if (ab) {
@@ -743,7 +672,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
743	case AUDIT_DEL_RULE:	672	case AUDIT_DEL_RULE:
744	if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))	673	if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
745	return -EINVAL;	674	return -EINVAL;
746	if (audit_enabled == 2) {	675	if (audit_enabled == AUDIT_LOCKED) {
747	ab = audit_log_start(NULL, GFP_KERNEL,	676	ab = audit_log_start(NULL, GFP_KERNEL,
748	AUDIT_CONFIG_CHANGE);	677	AUDIT_CONFIG_CHANGE);
749	if (ab) {	678	if (ab) {


diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 5d96f2cc7be8..6f19fd477aac 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
95	/* Inotify events we care about. */	95	/* Inotify events we care about. */
96	#define AUDIT_IN_WATCH IN_MOVE\|IN_CREATE\|IN_DELETE\|IN_DELETE_SELF\|IN_MOVE_SELF	96	#define AUDIT_IN_WATCH IN_MOVE\|IN_CREATE\|IN_DELETE\|IN_DELETE_SELF\|IN_MOVE_SELF
97		97
		98	extern int audit_enabled;
		99
98	void audit_free_parent(struct inotify_watch *i_watch)	100	void audit_free_parent(struct inotify_watch *i_watch)
99	{	101	{
100	struct audit_parent *parent;	102	struct audit_parent *parent;
@@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent,
974	struct audit_watch owatch, nwatch, *nextw;	976	struct audit_watch owatch, nwatch, *nextw;
975	struct audit_krule r, nextr;	977	struct audit_krule r, nextr;
976	struct audit_entry oentry, nentry;	978	struct audit_entry oentry, nentry;
977	struct audit_buffer *ab;
978		979
979	mutex_lock(&audit_filter_mutex);	980	mutex_lock(&audit_filter_mutex);
980	list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {	981	list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent,
1014	call_rcu(&oentry->rcu, audit_free_rule_rcu);	1015	call_rcu(&oentry->rcu, audit_free_rule_rcu);
1015	}	1016	}
1016		1017
1017	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);	1018	if (audit_enabled) {
1018	audit_log_format(ab, "op=updated rules specifying path=");	1019	struct audit_buffer *ab;
1019	audit_log_untrustedstring(ab, owatch->path);	1020	ab = audit_log_start(NULL, GFP_KERNEL,
1020	audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);	1021	AUDIT_CONFIG_CHANGE);
1021	audit_log_format(ab, " list=%d res=1", r->listnr);	1022	audit_log_format(ab,
1022	audit_log_end(ab);	1023	"op=updated rules specifying path=");
1023		1024	audit_log_untrustedstring(ab, owatch->path);
		1025	audit_log_format(ab, " with dev=%u ino=%lu\n",
		1026	dev, ino);
		1027	audit_log_format(ab, " list=%d res=1", r->listnr);
		1028	audit_log_end(ab);
		1029	}
1024	audit_remove_watch(owatch);	1030	audit_remove_watch(owatch);
1025	goto add_watch_to_parent; /* event applies to a single watch */	1031	goto add_watch_to_parent; /* event applies to a single watch */
1026	}	1032	}
@@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
1039	struct audit_watch w, nextw;	1045	struct audit_watch w, nextw;
1040	struct audit_krule r, nextr;	1046	struct audit_krule r, nextr;
1041	struct audit_entry *e;	1047	struct audit_entry *e;
1042	struct audit_buffer *ab;
1043		1048
1044	mutex_lock(&audit_filter_mutex);	1049	mutex_lock(&audit_filter_mutex);
1045	parent->flags \|= AUDIT_PARENT_INVALID;	1050	parent->flags \|= AUDIT_PARENT_INVALID;
1046	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {	1051	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
1047	list_for_each_entry_safe(r, nextr, &w->rules, rlist) {	1052	list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
1048	e = container_of(r, struct audit_entry, rule);	1053	e = container_of(r, struct audit_entry, rule);
1049		1054	if (audit_enabled) {
1050	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);	1055	struct audit_buffer *ab;
1051	audit_log_format(ab, "op=remove rule path=");	1056	ab = audit_log_start(NULL, GFP_KERNEL,
1052	audit_log_untrustedstring(ab, w->path);	1057	AUDIT_CONFIG_CHANGE);
1053	if (r->filterkey) {	1058	audit_log_format(ab, "op=remove rule path=");
1054	audit_log_format(ab, " key=");	1059	audit_log_untrustedstring(ab, w->path);
1055	audit_log_untrustedstring(ab, r->filterkey);	1060	if (r->filterkey) {
1056	} else	1061	audit_log_format(ab, " key=");
1057	audit_log_format(ab, " key=(null)");	1062	audit_log_untrustedstring(ab,
1058	audit_log_format(ab, " list=%d res=1", r->listnr);	1063	r->filterkey);
1059	audit_log_end(ab);	1064	} else
1060		1065	audit_log_format(ab, " key=(null)");
		1066	audit_log_format(ab, " list=%d res=1",
		1067	r->listnr);
		1068	audit_log_end(ab);
		1069	}
1061	list_del(&r->rlist);	1070	list_del(&r->rlist);
1062	list_del_rcu(&e->list);	1071	list_del_rcu(&e->list);
1063	call_rcu(&e->rcu, audit_free_rule_rcu);	1072	call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
1495	{	1504	{
1496	struct audit_buffer *ab;	1505	struct audit_buffer *ab;
1497		1506
		1507	if (!audit_enabled)
		1508	return;
		1509
1498	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);	1510	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1499	if (!ab)	1511	if (!ab)
1500	return;	1512	return;