tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

[AUDIT] make audit=0 really stop audit messages

Some audit messages (namely configuration changes) are still emitted even if
the audit subsystem has been explicitly disabled. This patch turns those
messages off as well.

Signed-off-by: Eric Paris <eparis@redhat.com>

authored by Eric Paris and committed by Al Viro 1a6b9f23 de6bbd1d

+98 -157
unified split
+65 -136
kernel/audit.c
··· 66 66 * (Initialization happens after skb_init is called.) */ 67 67 static int audit_initialized; 68 68 69 - /* 0 - no auditing 70 - * 1 - auditing enabled 71 - * 2 - auditing enabled and configuration is locked/unchangeable. */ 69 + #define AUDIT_OFF 0 70 + #define AUDIT_ON 1 71 + #define AUDIT_LOCKED 2 72 72 int audit_enabled; 73 73 74 74 /* Default state when kernel boots without any parameters. */ ··· 240 240 } 241 241 } 242 242 243 - static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) 243 + static int audit_log_config_change(char *function_name, int new, int old, 244 + uid_t loginuid, u32 sid, int allow_changes) 244 245 { 245 - int res, rc = 0, old = audit_rate_limit; 246 + struct audit_buffer *ab; 247 + int rc = 0; 246 248 247 - /* check if we are locked */ 248 - if (audit_enabled == 2) 249 - res = 0; 250 - else 251 - res = 1; 252 - 249 + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 250 + audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new, 251 + old, loginuid); 253 252 if (sid) { 254 253 char *ctx = NULL; 255 254 u32 len; 256 - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 257 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 258 - "audit_rate_limit=%d old=%d by auid=%u" 259 - " subj=%s res=%d", 260 - limit, old, loginuid, ctx, res); 255 + 256 + rc = selinux_sid_to_string(sid, &ctx, &len); 257 + if (rc) { 258 + audit_log_format(ab, " sid=%u", sid); 259 + allow_changes = 0; /* Something weird, deny request */ 260 + } else { 261 + audit_log_format(ab, " subj=%s", ctx); 261 262 kfree(ctx); 262 - } else 263 - res = 0; /* Something weird, deny request */ 263 + } 264 264 } 265 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 266 - "audit_rate_limit=%d old=%d by auid=%u res=%d", 267 - limit, old, loginuid, res); 265 + audit_log_format(ab, " res=%d", allow_changes); 266 + audit_log_end(ab); 267 + return rc; 268 + } 269 + 270 + static int audit_do_config_change(char *function_name, int *to_change, 271 + int new, uid_t loginuid, u32 sid) 272 + { 273 + int allow_changes, rc = 0, old = *to_change; 274 + 275 + /* check if we are locked */ 276 + if (audit_enabled == AUDIT_LOCKED) 277 + allow_changes = 0; 278 + else 279 + allow_changes = 1; 280 + 281 + if (audit_enabled != AUDIT_OFF) { 282 + rc = audit_log_config_change(function_name, new, old, 283 + loginuid, sid, allow_changes); 284 + if (rc) 285 + allow_changes = 0; 286 + } 268 287 269 288 /* If we are allowed, make the change */ 270 - if (res == 1) 271 - audit_rate_limit = limit; 289 + if (allow_changes == 1) 290 + *to_change = new; 272 291 /* Not allowed, update reason */ 273 292 else if (rc == 0) 274 293 rc = -EPERM; 275 294 return rc; 295 + } 296 + 297 + static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) 298 + { 299 + return audit_do_config_change("audit_rate_limit", &audit_rate_limit, 300 + limit, loginuid, sid); 276 301 } 277 302 278 303 static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) 279 304 { 280 - int res, rc = 0, old = audit_backlog_limit; 281 - 282 - /* check if we are locked */ 283 - if (audit_enabled == 2) 284 - res = 0; 285 - else 286 - res = 1; 287 - 288 - if (sid) { 289 - char *ctx = NULL; 290 - u32 len; 291 - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 292 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 293 - "audit_backlog_limit=%d old=%d by auid=%u" 294 - " subj=%s res=%d", 295 - limit, old, loginuid, ctx, res); 296 - kfree(ctx); 297 - } else 298 - res = 0; /* Something weird, deny request */ 299 - } 300 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 301 - "audit_backlog_limit=%d old=%d by auid=%u res=%d", 302 - limit, old, loginuid, res); 303 - 304 - /* If we are allowed, make the change */ 305 - if (res == 1) 306 - audit_backlog_limit = limit; 307 - /* Not allowed, update reason */ 308 - else if (rc == 0) 309 - rc = -EPERM; 310 - return rc; 305 + return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, 306 + limit, loginuid, sid); 311 307 } 312 308 313 309 static int audit_set_enabled(int state, uid_t loginuid, u32 sid) 314 310 { 315 - int res, rc = 0, old = audit_enabled; 316 - 317 - if (state < 0 || state > 2) 311 + if (state < AUDIT_OFF || state > AUDIT_LOCKED) 318 312 return -EINVAL; 319 313 320 - /* check if we are locked */ 321 - if (audit_enabled == 2) 322 - res = 0; 323 - else 324 - res = 1; 325 - 326 - if (sid) { 327 - char *ctx = NULL; 328 - u32 len; 329 - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 330 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 331 - "audit_enabled=%d old=%d by auid=%u" 332 - " subj=%s res=%d", 333 - state, old, loginuid, ctx, res); 334 - kfree(ctx); 335 - } else 336 - res = 0; /* Something weird, deny request */ 337 - } 338 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 339 - "audit_enabled=%d old=%d by auid=%u res=%d", 340 - state, old, loginuid, res); 341 - 342 - /* If we are allowed, make the change */ 343 - if (res == 1) 344 - audit_enabled = state; 345 - /* Not allowed, update reason */ 346 - else if (rc == 0) 347 - rc = -EPERM; 348 - return rc; 314 + return audit_do_config_change("audit_enabled", &audit_enabled, state, 315 + loginuid, sid); 349 316 } 350 317 351 318 static int audit_set_failure(int state, uid_t loginuid, u32 sid) 352 319 { 353 - int res, rc = 0, old = audit_failure; 354 - 355 320 if (state != AUDIT_FAIL_SILENT 356 321 && state != AUDIT_FAIL_PRINTK 357 322 && state != AUDIT_FAIL_PANIC) 358 323 return -EINVAL; 359 324 360 - /* check if we are locked */ 361 - if (audit_enabled == 2) 362 - res = 0; 363 - else 364 - res = 1; 365 - 366 - if (sid) { 367 - char *ctx = NULL; 368 - u32 len; 369 - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 370 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 371 - "audit_failure=%d old=%d by auid=%u" 372 - " subj=%s res=%d", 373 - state, old, loginuid, ctx, res); 374 - kfree(ctx); 375 - } else 376 - res = 0; /* Something weird, deny request */ 377 - } 378 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 379 - "audit_failure=%d old=%d by auid=%u res=%d", 380 - state, old, loginuid, res); 381 - 382 - /* If we are allowed, make the change */ 383 - if (res == 1) 384 - audit_failure = state; 385 - /* Not allowed, update reason */ 386 - else if (rc == 0) 387 - rc = -EPERM; 388 - return rc; 325 + return audit_do_config_change("audit_failure", &audit_failure, state, 326 + loginuid, sid); 389 327 } 390 328 391 329 static int kauditd_thread(void *dummy) ··· 572 634 if (err < 0) return err; 573 635 } 574 636 if (status_get->mask & AUDIT_STATUS_PID) { 575 - int old = audit_pid; 576 - if (sid) { 577 - if ((err = selinux_sid_to_string( 578 - sid, &ctx, &len))) 579 - return err; 580 - else 581 - audit_log(NULL, GFP_KERNEL, 582 - AUDIT_CONFIG_CHANGE, 583 - "audit_pid=%d old=%d by auid=%u subj=%s", 584 - status_get->pid, old, 585 - loginuid, ctx); 586 - kfree(ctx); 587 - } else 588 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 589 - "audit_pid=%d old=%d by auid=%u", 590 - status_get->pid, old, loginuid); 591 - audit_pid = status_get->pid; 637 + int new_pid = status_get->pid; 638 + 639 + if (audit_enabled != AUDIT_OFF) 640 + audit_log_config_change("audit_pid", new_pid, 641 + audit_pid, loginuid, 642 + sid, 1); 643 + 644 + audit_pid = new_pid; 592 645 } 593 646 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 594 647 err = audit_set_rate_limit(status_get->rate_limit, ··· 638 709 case AUDIT_DEL: 639 710 if (nlmsg_len(nlh) < sizeof(struct audit_rule)) 640 711 return -EINVAL; 641 - if (audit_enabled == 2) { 712 + if (audit_enabled == AUDIT_LOCKED) { 642 713 ab = audit_log_start(NULL, GFP_KERNEL, 643 714 AUDIT_CONFIG_CHANGE); 644 715 if (ab) { ··· 672 743 case AUDIT_DEL_RULE: 673 744 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) 674 745 return -EINVAL; 675 - if (audit_enabled == 2) { 746 + if (audit_enabled == AUDIT_LOCKED) { 676 747 ab = audit_log_start(NULL, GFP_KERNEL, 677 748 AUDIT_CONFIG_CHANGE); 678 749 if (ab) {
+33 -21
kernel/auditfilter.c
··· 95 95 /* Inotify events we care about. */ 96 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 97 98 + extern int audit_enabled; 99 + 98 100 void audit_free_parent(struct inotify_watch *i_watch) 99 101 { 100 102 struct audit_parent *parent; ··· 976 974 struct audit_watch *owatch, *nwatch, *nextw; 977 975 struct audit_krule *r, *nextr; 978 976 struct audit_entry *oentry, *nentry; 979 - struct audit_buffer *ab; 980 977 981 978 mutex_lock(&audit_filter_mutex); 982 979 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { ··· 1015 1014 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1016 1015 } 1017 1016 1018 - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1019 - audit_log_format(ab, "op=updated rules specifying path="); 1020 - audit_log_untrustedstring(ab, owatch->path); 1021 - audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 1022 - audit_log_format(ab, " list=%d res=1", r->listnr); 1023 - audit_log_end(ab); 1024 - 1017 + if (audit_enabled) { 1018 + struct audit_buffer *ab; 1019 + ab = audit_log_start(NULL, GFP_KERNEL, 1020 + AUDIT_CONFIG_CHANGE); 1021 + audit_log_format(ab, 1022 + "op=updated rules specifying path="); 1023 + audit_log_untrustedstring(ab, owatch->path); 1024 + audit_log_format(ab, " with dev=%u ino=%lu\n", 1025 + dev, ino); 1026 + audit_log_format(ab, " list=%d res=1", r->listnr); 1027 + audit_log_end(ab); 1028 + } 1025 1029 audit_remove_watch(owatch); 1026 1030 goto add_watch_to_parent; /* event applies to a single watch */ 1027 1031 } ··· 1045 1039 struct audit_watch *w, *nextw; 1046 1040 struct audit_krule *r, *nextr; 1047 1041 struct audit_entry *e; 1048 - struct audit_buffer *ab; 1049 1042 1050 1043 mutex_lock(&audit_filter_mutex); 1051 1044 parent->flags |= AUDIT_PARENT_INVALID; 1052 1045 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1053 1046 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1054 1047 e = container_of(r, struct audit_entry, rule); 1055 - 1056 - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1057 - audit_log_format(ab, "op=remove rule path="); 1058 - audit_log_untrustedstring(ab, w->path); 1059 - if (r->filterkey) { 1060 - audit_log_format(ab, " key="); 1061 - audit_log_untrustedstring(ab, r->filterkey); 1062 - } else 1063 - audit_log_format(ab, " key=(null)"); 1064 - audit_log_format(ab, " list=%d res=1", r->listnr); 1065 - audit_log_end(ab); 1066 - 1048 + if (audit_enabled) { 1049 + struct audit_buffer *ab; 1050 + ab = audit_log_start(NULL, GFP_KERNEL, 1051 + AUDIT_CONFIG_CHANGE); 1052 + audit_log_format(ab, "op=remove rule path="); 1053 + audit_log_untrustedstring(ab, w->path); 1054 + if (r->filterkey) { 1055 + audit_log_format(ab, " key="); 1056 + audit_log_untrustedstring(ab, 1057 + r->filterkey); 1058 + } else 1059 + audit_log_format(ab, " key=(null)"); 1060 + audit_log_format(ab, " list=%d res=1", 1061 + r->listnr); 1062 + audit_log_end(ab); 1063 + } 1067 1064 list_del(&r->rlist); 1068 1065 list_del_rcu(&e->list); 1069 1066 call_rcu(&e->rcu, audit_free_rule_rcu); ··· 1503 1494 struct audit_krule *rule, int res) 1504 1495 { 1505 1496 struct audit_buffer *ab; 1497 + 1498 + if (!audit_enabled) 1499 + return; 1506 1500 1507 1501 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1508 1502 if (!ab)