commit 1a6b9f2317f18db768010252c957d99daf40678f · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

[AUDIT] make audit=0 really stop audit messages

Some audit messages (namely configuration changes) are still emitted even if
the audit subsystem has been explicitly disabled. This patch turns those
messages off as well.

Signed-off-by: Eric Paris <eparis@redhat.com>

authored by Eric Paris and committed by Al Viro 18 years ago 1a6b9f23 de6bbd1d

+98 -157

2 changed files

expand all

unified split

kernel

audit.c

auditfilter.c

+65 -136

kernel/audit.c

··· 66 * (Initialization happens after skb_init is called.) */ 67 static int audit_initialized; 68 69 - /* 0 - no auditing 70 - * 1 - auditing enabled 71 - * 2 - auditing enabled and configuration is locked/unchangeable. */ 72 int audit_enabled; 73 74 /* Default state when kernel boots without any parameters. */ ··· 240 } 241 } 242 243 - static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) 244 { 245 - int res, rc = 0, old = audit_rate_limit; 246 247 - /* check if we are locked */ 248 - if (audit_enabled == 2) 249 - res = 0; 250 - else 251 - res = 1; 252 - 253 if (sid) { 254 char *ctx = NULL; 255 u32 len; 256 - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 257 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 258 - "audit_rate_limit=%d old=%d by auid=%u" 259 - " subj=%s res=%d", 260 - limit, old, loginuid, ctx, res); 261 kfree(ctx); 262 - } else 263 - res = 0; /* Something weird, deny request */ 264 } 265 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 266 - "audit_rate_limit=%d old=%d by auid=%u res=%d", 267 - limit, old, loginuid, res); 268 269 /* If we are allowed, make the change */ 270 - if (res == 1) 271 - audit_rate_limit = limit; 272 /* Not allowed, update reason */ 273 else if (rc == 0) 274 rc = -EPERM; 275 return rc; 276 } 277 278 static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) 279 { 280 - int res, rc = 0, old = audit_backlog_limit; 281 - 282 - /* check if we are locked */ 283 - if (audit_enabled == 2) 284 - res = 0; 285 - else 286 - res = 1; 287 - 288 - if (sid) { 289 - char *ctx = NULL; 290 - u32 len; 291 - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 292 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 293 - "audit_backlog_limit=%d old=%d by auid=%u" 294 - " subj=%s res=%d", 295 - limit, old, loginuid, ctx, res); 296 - kfree(ctx); 297 - } else 298 - res = 0; /* Something weird, deny request */ 299 - } 300 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 301 - "audit_backlog_limit=%d old=%d by auid=%u res=%d", 302 - limit, old, loginuid, res); 303 - 304 - /* If we are allowed, make the change */ 305 - if (res == 1) 306 - audit_backlog_limit = limit; 307 - /* Not allowed, update reason */ 308 - else if (rc == 0) 309 - rc = -EPERM; 310 - return rc; 311 } 312 313 static int audit_set_enabled(int state, uid_t loginuid, u32 sid) 314 { 315 - int res, rc = 0, old = audit_enabled; 316 - 317 - if (state < 0 || state > 2) 318 return -EINVAL; 319 320 - /* check if we are locked */ 321 - if (audit_enabled == 2) 322 - res = 0; 323 - else 324 - res = 1; 325 - 326 - if (sid) { 327 - char *ctx = NULL; 328 - u32 len; 329 - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 330 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 331 - "audit_enabled=%d old=%d by auid=%u" 332 - " subj=%s res=%d", 333 - state, old, loginuid, ctx, res); 334 - kfree(ctx); 335 - } else 336 - res = 0; /* Something weird, deny request */ 337 - } 338 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 339 - "audit_enabled=%d old=%d by auid=%u res=%d", 340 - state, old, loginuid, res); 341 - 342 - /* If we are allowed, make the change */ 343 - if (res == 1) 344 - audit_enabled = state; 345 - /* Not allowed, update reason */ 346 - else if (rc == 0) 347 - rc = -EPERM; 348 - return rc; 349 } 350 351 static int audit_set_failure(int state, uid_t loginuid, u32 sid) 352 { 353 - int res, rc = 0, old = audit_failure; 354 - 355 if (state != AUDIT_FAIL_SILENT 356 && state != AUDIT_FAIL_PRINTK 357 && state != AUDIT_FAIL_PANIC) 358 return -EINVAL; 359 360 - /* check if we are locked */ 361 - if (audit_enabled == 2) 362 - res = 0; 363 - else 364 - res = 1; 365 - 366 - if (sid) { 367 - char *ctx = NULL; 368 - u32 len; 369 - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 370 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 371 - "audit_failure=%d old=%d by auid=%u" 372 - " subj=%s res=%d", 373 - state, old, loginuid, ctx, res); 374 - kfree(ctx); 375 - } else 376 - res = 0; /* Something weird, deny request */ 377 - } 378 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 379 - "audit_failure=%d old=%d by auid=%u res=%d", 380 - state, old, loginuid, res); 381 - 382 - /* If we are allowed, make the change */ 383 - if (res == 1) 384 - audit_failure = state; 385 - /* Not allowed, update reason */ 386 - else if (rc == 0) 387 - rc = -EPERM; 388 - return rc; 389 } 390 391 static int kauditd_thread(void *dummy) ··· 572 if (err < 0) return err; 573 } 574 if (status_get->mask & AUDIT_STATUS_PID) { 575 - int old = audit_pid; 576 - if (sid) { 577 - if ((err = selinux_sid_to_string( 578 - sid, &ctx, &len))) 579 - return err; 580 - else 581 - audit_log(NULL, GFP_KERNEL, 582 - AUDIT_CONFIG_CHANGE, 583 - "audit_pid=%d old=%d by auid=%u subj=%s", 584 - status_get->pid, old, 585 - loginuid, ctx); 586 - kfree(ctx); 587 - } else 588 - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 589 - "audit_pid=%d old=%d by auid=%u", 590 - status_get->pid, old, loginuid); 591 - audit_pid = status_get->pid; 592 } 593 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 594 err = audit_set_rate_limit(status_get->rate_limit, ··· 638 case AUDIT_DEL: 639 if (nlmsg_len(nlh) < sizeof(struct audit_rule)) 640 return -EINVAL; 641 - if (audit_enabled == 2) { 642 ab = audit_log_start(NULL, GFP_KERNEL, 643 AUDIT_CONFIG_CHANGE); 644 if (ab) { ··· 672 case AUDIT_DEL_RULE: 673 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) 674 return -EINVAL; 675 - if (audit_enabled == 2) { 676 ab = audit_log_start(NULL, GFP_KERNEL, 677 AUDIT_CONFIG_CHANGE); 678 if (ab) {

··· 66 * (Initialization happens after skb_init is called.) */ 67 static int audit_initialized; 68 69 + #define AUDIT_OFF 0 70 + #define AUDIT_ON 1 71 + #define AUDIT_LOCKED 2 72 int audit_enabled; 73 74 /* Default state when kernel boots without any parameters. */ ··· 240 } 241 } 242 243 + static int audit_log_config_change(char *function_name, int new, int old, 244 + uid_t loginuid, u32 sid, int allow_changes) 245 { 246 + struct audit_buffer *ab; 247 + int rc = 0; 248 249 + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 250 + audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new, 251 + old, loginuid); 252 if (sid) { 253 char *ctx = NULL; 254 u32 len; 255 + 256 + rc = selinux_sid_to_string(sid, &ctx, &len); 257 + if (rc) { 258 + audit_log_format(ab, " sid=%u", sid); 259 + allow_changes = 0; /* Something weird, deny request */ 260 + } else { 261 + audit_log_format(ab, " subj=%s", ctx); 262 kfree(ctx); 263 + } 264 } 265 + audit_log_format(ab, " res=%d", allow_changes); 266 + audit_log_end(ab); 267 + return rc; 268 + } 269 + 270 + static int audit_do_config_change(char *function_name, int *to_change, 271 + int new, uid_t loginuid, u32 sid) 272 + { 273 + int allow_changes, rc = 0, old = *to_change; 274 + 275 + /* check if we are locked */ 276 + if (audit_enabled == AUDIT_LOCKED) 277 + allow_changes = 0; 278 + else 279 + allow_changes = 1; 280 + 281 + if (audit_enabled != AUDIT_OFF) { 282 + rc = audit_log_config_change(function_name, new, old, 283 + loginuid, sid, allow_changes); 284 + if (rc) 285 + allow_changes = 0; 286 + } 287 288 /* If we are allowed, make the change */ 289 + if (allow_changes == 1) 290 + *to_change = new; 291 /* Not allowed, update reason */ 292 else if (rc == 0) 293 rc = -EPERM; 294 return rc; 295 + } 296 + 297 + static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) 298 + { 299 + return audit_do_config_change("audit_rate_limit", &audit_rate_limit, 300 + limit, loginuid, sid); 301 } 302 303 static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) 304 { 305 + return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, 306 + limit, loginuid, sid); 307 } 308 309 static int audit_set_enabled(int state, uid_t loginuid, u32 sid) 310 { 311 + if (state < AUDIT_OFF || state > AUDIT_LOCKED) 312 return -EINVAL; 313 314 + return audit_do_config_change("audit_enabled", &audit_enabled, state, 315 + loginuid, sid); 316 } 317 318 static int audit_set_failure(int state, uid_t loginuid, u32 sid) 319 { 320 if (state != AUDIT_FAIL_SILENT 321 && state != AUDIT_FAIL_PRINTK 322 && state != AUDIT_FAIL_PANIC) 323 return -EINVAL; 324 325 + return audit_do_config_change("audit_failure", &audit_failure, state, 326 + loginuid, sid); 327 } 328 329 static int kauditd_thread(void *dummy) ··· 634 if (err < 0) return err; 635 } 636 if (status_get->mask & AUDIT_STATUS_PID) { 637 + int new_pid = status_get->pid; 638 + 639 + if (audit_enabled != AUDIT_OFF) 640 + audit_log_config_change("audit_pid", new_pid, 641 + audit_pid, loginuid, 642 + sid, 1); 643 + 644 + audit_pid = new_pid; 645 } 646 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 647 err = audit_set_rate_limit(status_get->rate_limit, ··· 709 case AUDIT_DEL: 710 if (nlmsg_len(nlh) < sizeof(struct audit_rule)) 711 return -EINVAL; 712 + if (audit_enabled == AUDIT_LOCKED) { 713 ab = audit_log_start(NULL, GFP_KERNEL, 714 AUDIT_CONFIG_CHANGE); 715 if (ab) { ··· 743 case AUDIT_DEL_RULE: 744 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) 745 return -EINVAL; 746 + if (audit_enabled == AUDIT_LOCKED) { 747 ab = audit_log_start(NULL, GFP_KERNEL, 748 AUDIT_CONFIG_CHANGE); 749 if (ab) {

+33 -21

kernel/auditfilter.c

··· 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 void audit_free_parent(struct inotify_watch *i_watch) 99 { 100 struct audit_parent *parent; ··· 976 struct audit_watch *owatch, *nwatch, *nextw; 977 struct audit_krule *r, *nextr; 978 struct audit_entry *oentry, *nentry; 979 - struct audit_buffer *ab; 980 981 mutex_lock(&audit_filter_mutex); 982 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { ··· 1015 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1016 } 1017 1018 - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1019 - audit_log_format(ab, "op=updated rules specifying path="); 1020 - audit_log_untrustedstring(ab, owatch->path); 1021 - audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 1022 - audit_log_format(ab, " list=%d res=1", r->listnr); 1023 - audit_log_end(ab); 1024 - 1025 audit_remove_watch(owatch); 1026 goto add_watch_to_parent; /* event applies to a single watch */ 1027 } ··· 1045 struct audit_watch *w, *nextw; 1046 struct audit_krule *r, *nextr; 1047 struct audit_entry *e; 1048 - struct audit_buffer *ab; 1049 1050 mutex_lock(&audit_filter_mutex); 1051 parent->flags |= AUDIT_PARENT_INVALID; 1052 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1053 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1054 e = container_of(r, struct audit_entry, rule); 1055 - 1056 - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1057 - audit_log_format(ab, "op=remove rule path="); 1058 - audit_log_untrustedstring(ab, w->path); 1059 - if (r->filterkey) { 1060 - audit_log_format(ab, " key="); 1061 - audit_log_untrustedstring(ab, r->filterkey); 1062 - } else 1063 - audit_log_format(ab, " key=(null)"); 1064 - audit_log_format(ab, " list=%d res=1", r->listnr); 1065 - audit_log_end(ab); 1066 - 1067 list_del(&r->rlist); 1068 list_del_rcu(&e->list); 1069 call_rcu(&e->rcu, audit_free_rule_rcu); ··· 1503 struct audit_krule *rule, int res) 1504 { 1505 struct audit_buffer *ab; 1506 1507 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1508 if (!ab)

··· 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 + extern int audit_enabled; 99 + 100 void audit_free_parent(struct inotify_watch *i_watch) 101 { 102 struct audit_parent *parent; ··· 974 struct audit_watch *owatch, *nwatch, *nextw; 975 struct audit_krule *r, *nextr; 976 struct audit_entry *oentry, *nentry; 977 978 mutex_lock(&audit_filter_mutex); 979 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { ··· 1014 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1015 } 1016 1017 + if (audit_enabled) { 1018 + struct audit_buffer *ab; 1019 + ab = audit_log_start(NULL, GFP_KERNEL, 1020 + AUDIT_CONFIG_CHANGE); 1021 + audit_log_format(ab, 1022 + "op=updated rules specifying path="); 1023 + audit_log_untrustedstring(ab, owatch->path); 1024 + audit_log_format(ab, " with dev=%u ino=%lu\n", 1025 + dev, ino); 1026 + audit_log_format(ab, " list=%d res=1", r->listnr); 1027 + audit_log_end(ab); 1028 + } 1029 audit_remove_watch(owatch); 1030 goto add_watch_to_parent; /* event applies to a single watch */ 1031 } ··· 1039 struct audit_watch *w, *nextw; 1040 struct audit_krule *r, *nextr; 1041 struct audit_entry *e; 1042 1043 mutex_lock(&audit_filter_mutex); 1044 parent->flags |= AUDIT_PARENT_INVALID; 1045 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1046 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1047 e = container_of(r, struct audit_entry, rule); 1048 + if (audit_enabled) { 1049 + struct audit_buffer *ab; 1050 + ab = audit_log_start(NULL, GFP_KERNEL, 1051 + AUDIT_CONFIG_CHANGE); 1052 + audit_log_format(ab, "op=remove rule path="); 1053 + audit_log_untrustedstring(ab, w->path); 1054 + if (r->filterkey) { 1055 + audit_log_format(ab, " key="); 1056 + audit_log_untrustedstring(ab, 1057 + r->filterkey); 1058 + } else 1059 + audit_log_format(ab, " key=(null)"); 1060 + audit_log_format(ab, " list=%d res=1", 1061 + r->listnr); 1062 + audit_log_end(ab); 1063 + } 1064 list_del(&r->rlist); 1065 list_del_rcu(&e->list); 1066 call_rcu(&e->rcu, audit_free_rule_rcu); ··· 1494 struct audit_krule *rule, int res) 1495 { 1496 struct audit_buffer *ab; 1497 + 1498 + if (!audit_enabled) 1499 + return; 1500 1501 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1502 if (!ab)