1 files changed, 60 insertions, 131 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 26ff925e13f2..7e29372da284 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,9 +66,9 @@
 * (Initialization happens after skb_init is called.) */
 static int      audit_initialized;
-/* 0 - no auditing
+#define AUDIT_OFF       0
- * 1 - auditing enabled
+#define AUDIT_ON        1
- * 2 - auditing enabled and configuration is locked/unchangeable. */
+#define AUDIT_LOCKED    2
 int             audit_enabled;
 /* Default state when kernel boots without any parameters. */
@@ -240,152 +240,90 @@ void audit_log_lost(const char *message)
        }
 }
-static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
+static int audit_log_config_change(char *function_name, int new, int old,
+                                   uid_t loginuid, u32 sid, int allow_changes)
 {
-        int res, rc = 0, old = audit_rate_limit;
+        struct audit_buffer *ab;
+        int rc = 0;
-        /* check if we are locked */
-        if (audit_enabled == 2)
-                res = 0;
-        else
-                res = 1;
+        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+        audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
+                         old, loginuid);
        if (sid) {
                char *ctx = NULL;
                u32 len;
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                rc = selinux_sid_to_string(sid, &ctx, &len);
-                                "audit_rate_limit=%d old=%d by auid=%u"
+                if (rc) {
-                                " subj=%s res=%d",
+                        audit_log_format(ab, " sid=%u", sid);
-                                limit, old, loginuid, ctx, res);
+                        allow_changes = 0; /* Something weird, deny request */
+                } else {
+                        audit_log_format(ab, " subj=%s", ctx);
                        kfree(ctx);
-                } else
+                }
-                        res = 0; /* Something weird, deny request */
        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+        audit_log_format(ab, " res=%d", allow_changes);
-                "audit_rate_limit=%d old=%d by auid=%u res=%d",
+        audit_log_end(ab);
-                limit, old, loginuid, res);
-        /* If we are allowed, make the change */
-        if (res == 1)
-                audit_rate_limit = limit;
-        /* Not allowed, update reason */
-        else if (rc == 0)
-                rc = -EPERM;
        return rc;
 }
-static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
+static int audit_do_config_change(char *function_name, int *to_change,
+                                  int new, uid_t loginuid, u32 sid)
 {
-        int res, rc = 0, old = audit_backlog_limit;
+        int allow_changes, rc = 0, old = *to_change;
        /* check if we are locked */
-        if (audit_enabled == 2)
+        if (audit_enabled == AUDIT_LOCKED)
-                res = 0;
+                allow_changes = 0;
        else
-                res = 1;
+                allow_changes = 1;
-        if (sid) {
+        if (audit_enabled != AUDIT_OFF) {
-                char *ctx = NULL;
+                rc = audit_log_config_change(function_name, new, old,
-                u32 len;
+                                             loginuid, sid, allow_changes);
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
+                if (rc)
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                        allow_changes = 0;
-                                "audit_backlog_limit=%d old=%d by auid=%u"
-                                " subj=%s res=%d",
-                                limit, old, loginuid, ctx, res);
-                        kfree(ctx);
-                } else
-                        res = 0; /* Something weird, deny request */
        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                "audit_backlog_limit=%d old=%d by auid=%u res=%d",
-                limit, old, loginuid, res);
        /* If we are allowed, make the change */
-        if (res == 1)
+        if (allow_changes == 1)
-                audit_backlog_limit = limit;
+                *to_change = new;
        /* Not allowed, update reason */
        else if (rc == 0)
                rc = -EPERM;
        return rc;
 }
-static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
+static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
 {
-        int res, rc = 0, old = audit_enabled;
+        return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
+                                      limit, loginuid, sid);
-        if (state < 0 || state > 2)
+}
-                return -EINVAL;
-        /* check if we are locked */
+static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
-        if (audit_enabled == 2)
+{
-                res = 0;
+        return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
-        else
+                                      limit, loginuid, sid);
-                res = 1;
+}
-        if (sid) {
+static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
-                char *ctx = NULL;
+{
-                u32 len;
+        if (state < AUDIT_OFF || state > AUDIT_LOCKED)
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
+                return -EINVAL;
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                "audit_enabled=%d old=%d by auid=%u"
-                                " subj=%s res=%d",
-                                state, old, loginuid, ctx, res);
-                        kfree(ctx);
-                } else
-                        res = 0; /* Something weird, deny request */
-        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                "audit_enabled=%d old=%d by auid=%u res=%d",
-                state, old, loginuid, res);
-        /* If we are allowed, make the change */
+        return audit_do_config_change("audit_enabled", &audit_enabled, state,
-        if (res == 1)
+                                      loginuid, sid);
-                audit_enabled = state;
-        /* Not allowed, update reason */
-        else if (rc == 0)
-                rc = -EPERM;
-        return rc;
 }
 static int audit_set_failure(int state, uid_t loginuid, u32 sid)
 {
-        int res, rc = 0, old = audit_failure;
        if (state != AUDIT_FAIL_SILENT
            && state != AUDIT_FAIL_PRINTK
            && state != AUDIT_FAIL_PANIC)
                return -EINVAL;
-        /* check if we are locked */
+        return audit_do_config_change("audit_failure", &audit_failure, state,
-        if (audit_enabled == 2)
+                                      loginuid, sid);
-                res = 0;
-        else
-                res = 1;
-        if (sid) {
-                char *ctx = NULL;
-                u32 len;
-                if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                "audit_failure=%d old=%d by auid=%u"
-                                " subj=%s res=%d",
-                                state, old, loginuid, ctx, res);
-                        kfree(ctx);
-                } else
-                        res = 0; /* Something weird, deny request */
-        }
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                "audit_failure=%d old=%d by auid=%u res=%d",
-                state, old, loginuid, res);
-        /* If we are allowed, make the change */
-        if (res == 1)
-                audit_failure = state;
-        /* Not allowed, update reason */
-        else if (rc == 0)
-                rc = -EPERM;
-        return rc;
 }
 static int kauditd_thread(void *dummy)
@@ -634,23 +572,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_PID) {
-                        int old   = audit_pid;
+                        int new_pid = status_get->pid;
-                        if (sid) {
-                                if ((err = selinux_sid_to_string(
+                        if (audit_enabled != AUDIT_OFF)
-                                                sid, &ctx, &len)))
+                                audit_log_config_change("audit_pid", new_pid,
-                                        return err;
+                                                        audit_pid, loginuid,
-                                else
+                                                        sid, 1);
-                                        audit_log(NULL, GFP_KERNEL,
-                                                AUDIT_CONFIG_CHANGE,
+                        audit_pid = new_pid;
-                                                "audit_pid=%d old=%d by auid=%u subj=%s",
-                                                status_get->pid, old,
-                                                loginuid, ctx);
-                                kfree(ctx);
-                        } else
-                                audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                        "audit_pid=%d old=%d by auid=%u",
-                                          status_get->pid, old, loginuid);
-                        audit_pid = status_get->pid;
                }
                if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
                        err = audit_set_rate_limit(status_get->rate_limit,
@@ -709,7 +638,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_DEL:
                if (nlmsg_len(nlh) < sizeof(struct audit_rule))
                        return -EINVAL;
-                if (audit_enabled == 2) {
+                if (audit_enabled == AUDIT_LOCKED) {
                        ab = audit_log_start(NULL, GFP_KERNEL,
                                        AUDIT_CONFIG_CHANGE);
                        if (ab) {
@@ -743,7 +672,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_DEL_RULE:
                if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
                        return -EINVAL;
-                if (audit_enabled == 2) {
+                if (audit_enabled == AUDIT_LOCKED) {
                        ab = audit_log_start(NULL, GFP_KERNEL,
                                        AUDIT_CONFIG_CHANGE);
                        if (ab) {

diff --git a/kernel/audit.c b/kernel/audit.c index 26ff925e13f2..7e29372da284 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -66,9 +66,9 @@
66	* (Initialization happens after skb_init is called.) */	66	* (Initialization happens after skb_init is called.) */
67	static int audit_initialized;	67	static int audit_initialized;
68		68
69	/* 0 - no auditing	69	#define AUDIT_OFF 0
70	* 1 - auditing enabled	70	#define AUDIT_ON 1
71	* 2 - auditing enabled and configuration is locked/unchangeable. */	71	#define AUDIT_LOCKED 2
72	int audit_enabled;	72	int audit_enabled;
73		73
74	/* Default state when kernel boots without any parameters. */	74	/* Default state when kernel boots without any parameters. */
@@ -240,152 +240,90 @@ void audit_log_lost(const char *message)
240	}	240	}
241	}	241	}
242		242
243	static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)	243	static int audit_log_config_change(char *function_name, int new, int old,
		244	uid_t loginuid, u32 sid, int allow_changes)
244	{	245	{
245	int res, rc = 0, old = audit_rate_limit;	246	struct audit_buffer *ab;
246		247	int rc = 0;
247	/* check if we are locked */
248	if (audit_enabled == 2)
249	res = 0;
250	else
251	res = 1;
252		248
		249	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
		250	audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
		251	old, loginuid);
253	if (sid) {	252	if (sid) {
254	char *ctx = NULL;	253	char *ctx = NULL;
255	u32 len;	254	u32 len;
256	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {	255
257	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	256	rc = selinux_sid_to_string(sid, &ctx, &len);
258	"audit_rate_limit=%d old=%d by auid=%u"	257	if (rc) {
259	" subj=%s res=%d",	258	audit_log_format(ab, " sid=%u", sid);
260	limit, old, loginuid, ctx, res);	259	allow_changes = 0; /* Something weird, deny request */
		260	} else {
		261	audit_log_format(ab, " subj=%s", ctx);
261	kfree(ctx);	262	kfree(ctx);
262	} else	263	}
263	res = 0; /* Something weird, deny request */
264	}	264	}
265	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	265	audit_log_format(ab, " res=%d", allow_changes);
266	"audit_rate_limit=%d old=%d by auid=%u res=%d",	266	audit_log_end(ab);
267	limit, old, loginuid, res);
268
269	/* If we are allowed, make the change */
270	if (res == 1)
271	audit_rate_limit = limit;
272	/* Not allowed, update reason */
273	else if (rc == 0)
274	rc = -EPERM;
275	return rc;	267	return rc;
276	}	268	}
277		269
278	static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)	270	static int audit_do_config_change(char function_name, int to_change,
		271	int new, uid_t loginuid, u32 sid)
279	{	272	{
280	int res, rc = 0, old = audit_backlog_limit;	273	int allow_changes, rc = 0, old = *to_change;
281		274
282	/* check if we are locked */	275	/* check if we are locked */
283	if (audit_enabled == 2)	276	if (audit_enabled == AUDIT_LOCKED)
284	res = 0;	277	allow_changes = 0;
285	else	278	else
286	res = 1;	279	allow_changes = 1;
287		280
288	if (sid) {	281	if (audit_enabled != AUDIT_OFF) {
289	char *ctx = NULL;	282	rc = audit_log_config_change(function_name, new, old,
290	u32 len;	283	loginuid, sid, allow_changes);
291	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {	284	if (rc)
292	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	285	allow_changes = 0;
293	"audit_backlog_limit=%d old=%d by auid=%u"
294	" subj=%s res=%d",
295	limit, old, loginuid, ctx, res);
296	kfree(ctx);
297	} else
298	res = 0; /* Something weird, deny request */
299	}	286	}
300	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
301	"audit_backlog_limit=%d old=%d by auid=%u res=%d",
302	limit, old, loginuid, res);
303		287
304	/* If we are allowed, make the change */	288	/* If we are allowed, make the change */
305	if (res == 1)	289	if (allow_changes == 1)
306	audit_backlog_limit = limit;	290	*to_change = new;
307	/* Not allowed, update reason */	291	/* Not allowed, update reason */
308	else if (rc == 0)	292	else if (rc == 0)
309	rc = -EPERM;	293	rc = -EPERM;
310	return rc;	294	return rc;
311	}	295	}
312		296
313	static int audit_set_enabled(int state, uid_t loginuid, u32 sid)	297	static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
314	{	298	{
315	int res, rc = 0, old = audit_enabled;	299	return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
316		300	limit, loginuid, sid);
317	if (state < 0 \|\| state > 2)	301	}
318	return -EINVAL;
319		302
320	/* check if we are locked */	303	static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
321	if (audit_enabled == 2)	304	{
322	res = 0;	305	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
323	else	306	limit, loginuid, sid);
324	res = 1;	307	}
325		308
326	if (sid) {	309	static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
327	char *ctx = NULL;	310	{
328	u32 len;	311	if (state < AUDIT_OFF \|\| state > AUDIT_LOCKED)
329	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {	312	return -EINVAL;
330	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
331	"audit_enabled=%d old=%d by auid=%u"
332	" subj=%s res=%d",
333	state, old, loginuid, ctx, res);
334	kfree(ctx);
335	} else
336	res = 0; /* Something weird, deny request */
337	}
338	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
339	"audit_enabled=%d old=%d by auid=%u res=%d",
340	state, old, loginuid, res);
341		313
342	/* If we are allowed, make the change */	314	return audit_do_config_change("audit_enabled", &audit_enabled, state,
343	if (res == 1)	315	loginuid, sid);
344	audit_enabled = state;
345	/* Not allowed, update reason */
346	else if (rc == 0)
347	rc = -EPERM;
348	return rc;
349	}	316	}
350		317
351	static int audit_set_failure(int state, uid_t loginuid, u32 sid)	318	static int audit_set_failure(int state, uid_t loginuid, u32 sid)
352	{	319	{
353	int res, rc = 0, old = audit_failure;
354
355	if (state != AUDIT_FAIL_SILENT	320	if (state != AUDIT_FAIL_SILENT
356	&& state != AUDIT_FAIL_PRINTK	321	&& state != AUDIT_FAIL_PRINTK
357	&& state != AUDIT_FAIL_PANIC)	322	&& state != AUDIT_FAIL_PANIC)
358	return -EINVAL;	323	return -EINVAL;
359		324
360	/* check if we are locked */	325	return audit_do_config_change("audit_failure", &audit_failure, state,
361	if (audit_enabled == 2)	326	loginuid, sid);
362	res = 0;
363	else
364	res = 1;
365
366	if (sid) {
367	char *ctx = NULL;
368	u32 len;
369	if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
370	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
371	"audit_failure=%d old=%d by auid=%u"
372	" subj=%s res=%d",
373	state, old, loginuid, ctx, res);
374	kfree(ctx);
375	} else
376	res = 0; /* Something weird, deny request */
377	}
378	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379	"audit_failure=%d old=%d by auid=%u res=%d",
380	state, old, loginuid, res);
381
382	/* If we are allowed, make the change */
383	if (res == 1)
384	audit_failure = state;
385	/* Not allowed, update reason */
386	else if (rc == 0)
387	rc = -EPERM;
388	return rc;
389	}	327	}
390		328
391	static int kauditd_thread(void *dummy)	329	static int kauditd_thread(void *dummy)
@@ -634,23 +572,14 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
634	if (err < 0) return err;	572	if (err < 0) return err;
635	}	573	}
636	if (status_get->mask & AUDIT_STATUS_PID) {	574	if (status_get->mask & AUDIT_STATUS_PID) {
637	int old = audit_pid;	575	int new_pid = status_get->pid;
638	if (sid) {	576
639	if ((err = selinux_sid_to_string(	577	if (audit_enabled != AUDIT_OFF)
640	sid, &ctx, &len)))	578	audit_log_config_change("audit_pid", new_pid,
641	return err;	579	audit_pid, loginuid,
642	else	580	sid, 1);
643	audit_log(NULL, GFP_KERNEL,	581
644	AUDIT_CONFIG_CHANGE,	582	audit_pid = new_pid;
645	"audit_pid=%d old=%d by auid=%u subj=%s",
646	status_get->pid, old,
647	loginuid, ctx);
648	kfree(ctx);
649	} else
650	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
651	"audit_pid=%d old=%d by auid=%u",
652	status_get->pid, old, loginuid);
653	audit_pid = status_get->pid;
654	}	583	}
655	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)	584	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
656	err = audit_set_rate_limit(status_get->rate_limit,	585	err = audit_set_rate_limit(status_get->rate_limit,
@@ -709,7 +638,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
709	case AUDIT_DEL:	638	case AUDIT_DEL:
710	if (nlmsg_len(nlh) < sizeof(struct audit_rule))	639	if (nlmsg_len(nlh) < sizeof(struct audit_rule))
711	return -EINVAL;	640	return -EINVAL;
712	if (audit_enabled == 2) {	641	if (audit_enabled == AUDIT_LOCKED) {
713	ab = audit_log_start(NULL, GFP_KERNEL,	642	ab = audit_log_start(NULL, GFP_KERNEL,
714	AUDIT_CONFIG_CHANGE);	643	AUDIT_CONFIG_CHANGE);
715	if (ab) {	644	if (ab) {
@@ -743,7 +672,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
743	case AUDIT_DEL_RULE:	672	case AUDIT_DEL_RULE:
744	if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))	673	if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
745	return -EINVAL;	674	return -EINVAL;
746	if (audit_enabled == 2) {	675	if (audit_enabled == AUDIT_LOCKED) {
747	ab = audit_log_start(NULL, GFP_KERNEL,	676	ab = audit_log_start(NULL, GFP_KERNEL,
748	AUDIT_CONFIG_CHANGE);	677	AUDIT_CONFIG_CHANGE);
749	if (ab) {	678	if (ab) {