Commit b593d384efcff7bdf6beb1bc1bc69927977aee26
Committed by
Al Viro
1 parent
50397bd1e4
[AUDIT] create context if auditing was ever enabled
Disabling audit at runtime by auditctl doesn't mean that we can stop allocating contexts for new processes; we don't want to miss them when that sucker is reenabled. (based on work from Al Viro in the RHEL kernel series) Signed-off-by: Eric Paris <eparis@redhat.com>
Showing 2 changed files with 15 additions and 4 deletions Side-by-side Diff
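--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -70,6 +70,7 @@
 #define AUDIT_ON 1
 #define AUDIT_LOCKED 2
 int audit_enabled;
+int audit_ever_enabled;
 
 /* Default state when kernel boots without any parameters. */
 static int audit_default;
@@ -310,11 +311,17 @@
 
 static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
 {
+int rc;
 if (state < AUDIT_OFF || state > AUDIT_LOCKED)
 return -EINVAL;
 
-return audit_do_config_change("audit_enabled", &audit_enabled, state,
-loginuid, sid);
+rc = audit_do_config_change("audit_enabled", &audit_enabled, state,
+loginuid, sid);
+
+if (!rc)
+audit_ever_enabled |= !!state;
+
+return rc;
 }
 
 static int audit_set_failure(int state, uid_t loginuid, u32 sid)
@@ -857,6 +864,7 @@
 skb_queue_head_init(&audit_skb_queue);
 audit_initialized = 1;
 audit_enabled = audit_default;
+audit_ever_enabled |= !!audit_default;
 
 /* Register the callback with selinux. This callback will be invoked
 * when a new policy is loaded. */
@@ -884,8 +892,10 @@
 printk(KERN_INFO "audit: %s%s\n",
 audit_default ? "enabled" : "disabled",
 audit_initialized ? "" : " (after initialization)");
-if (audit_initialized)
+if (audit_initialized) {
 audit_enabled = audit_default;
+audit_ever_enabled |= !!audit_default;
+}
 return 1;
 }
 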
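Review bot: The new global `int audit_ever_enabled;` in the first hunk carries no comment, yet its whole point is a contract the other three hunks and kernel/auditsc.c depend on: it only ever goes 0 -> 1 and is never cleared, so once auditing has been on, every new task keeps getting a context even while `audit_enabled` is 0. I would document that at the declaration, e.g. `int audit_ever_enabled; /* sticky: set once auditing is turned on, never cleared; read lock-free by audit_alloc() */`. The three `|= !!x` writes happen on the config and boot paths while audit_alloc() reads the flag without any barrier; for a monotonic flag that looks harmless (a reader seeing a stale 0 behaves exactly as before the patch), but since I cannot see what locking audit_do_config_change() provides, a one-line comment stating that the stale-read window is accepted would save the next reader the same analysis. In audit_set_enabled() the flag is raised only when `rc` is 0, which silently assumes audit_do_config_change() leaves `audit_enabled` untouched on failure; if that helper can fail after writing the new value, the two variables would disagree, so that assumption is worth confirming or noting at the `if (!rc)` line.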
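--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -70,6 +70,7 @@
 #include "audit.h"
 
 extern struct list_head audit_filter_list[];
+extern int audit_ever_enabled;
 
 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname(). */
@@ -838,7 +839,7 @@
 struct audit_context *context;
 enum audit_state state;
 
-if (likely(!audit_enabled))
+if (likely(!audit_ever_enabled))
 return 0; /* Return if not auditing. */
 
 state = audit_filter_task(tsk);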
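Review bot: The trailing comment on the early return in the second hunk is now wrong: after the change the function bails out only when auditing has never been enabled, not when it is currently off, so `return 0; /* Return if not auditing. */` should become something like `return 0; /* auditing was never enabled: no context needed */`. The enclosing function starts and ends outside the hunk, so I cannot see its name or the rest of its body. A smaller style point on the first hunk: the bare `extern int audit_ever_enabled;` dropped next to `extern struct list_head audit_filter_list[];` puts the declaration in a .c file; since this file already includes "audit.h", declaring it there once keeps the definition in kernel/audit.c and this use type-checked against a single prototype, though I cannot see which header currently declares `audit_enabled` to confirm the matching home.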