Commit b593d384efcff7bdf6beb1bc1bc69927977aee26
Committed by
Al Viro
Al Viro
1 parent
50397bd1e4
Exists in
master
and in
7 other branches
[AUDIT] create context if auditing was ever enabled
Disabling audit at runtime by auditctl doesn't mean that we can stop allocating contexts for new processes; we don't want to miss them when that sucker is reenabled. (based on work from Al Viro in the RHEL kernel series) Signed-off-by: Eric Paris <eparis@redhat.com>
Showing 2 changed files with 15 additions and 4 deletions Side-by-side Diff
kernel/audit.c
| ... | ... | @@ -70,6 +70,7 @@ |
| 70 | 70 | #define AUDIT_ON 1 |
| 71 | 71 | #define AUDIT_LOCKED 2 |
| 72 | 72 | int audit_enabled; |
| 73 | +int audit_ever_enabled; | |
| 73 | 74 | |
| 74 | 75 | /* Default state when kernel boots without any parameters. */ |
| 75 | 76 | static int audit_default; |
| 76 | 77 | |
| ... | ... | @@ -310,11 +311,17 @@ |
| 310 | 311 | |
| 311 | 312 | static int audit_set_enabled(int state, uid_t loginuid, u32 sid) |
| 312 | 313 | { |
| 314 | + int rc; | |
| 313 | 315 | if (state < AUDIT_OFF || state > AUDIT_LOCKED) |
| 314 | 316 | return -EINVAL; |
| 315 | 317 | |
| 316 | - return audit_do_config_change("audit_enabled", &audit_enabled, state, | |
| 317 | - loginuid, sid); | |
| 318 | + rc = audit_do_config_change("audit_enabled", &audit_enabled, state, | |
| 319 | + loginuid, sid); | |
| 320 | + | |
| 321 | + if (!rc) | |
| 322 | + audit_ever_enabled |= !!state; | |
| 323 | + | |
| 324 | + return rc; | |
| 318 | 325 | } |
| 319 | 326 | |
| 320 | 327 | static int audit_set_failure(int state, uid_t loginuid, u32 sid) |
| ... | ... | @@ -857,6 +864,7 @@ |
| 857 | 864 | skb_queue_head_init(&audit_skb_queue); |
| 858 | 865 | audit_initialized = 1; |
| 859 | 866 | audit_enabled = audit_default; |
| 867 | + audit_ever_enabled |= !!audit_default; | |
| 860 | 868 | |
| 861 | 869 | /* Register the callback with selinux. This callback will be invoked |
| 862 | 870 | * when a new policy is loaded. */ |
| 863 | 871 | |
| ... | ... | @@ -884,8 +892,10 @@ |
| 884 | 892 | printk(KERN_INFO "audit: %s%s\n", |
| 885 | 893 | audit_default ? "enabled" : "disabled", |
| 886 | 894 | audit_initialized ? "" : " (after initialization)"); |
| 887 | - if (audit_initialized) | |
| 895 | + if (audit_initialized) { | |
| 888 | 896 | audit_enabled = audit_default; |
| 897 | + audit_ever_enabled |= !!audit_default; | |
| 898 | + } | |
| 889 | 899 | return 1; |
| 890 | 900 | } |
| 891 | 901 |
kernel/auditsc.c
| ... | ... | @@ -70,6 +70,7 @@ |
| 70 | 70 | #include "audit.h" |
| 71 | 71 | |
| 72 | 72 | extern struct list_head audit_filter_list[]; |
| 73 | +extern int audit_ever_enabled; | |
| 73 | 74 | |
| 74 | 75 | /* AUDIT_NAMES is the number of slots we reserve in the audit_context |
| 75 | 76 | * for saving names from getname(). */ |
| ... | ... | @@ -838,7 +839,7 @@ |
| 838 | 839 | struct audit_context *context; |
| 839 | 840 | enum audit_state state; |
| 840 | 841 | |
| 841 | - if (likely(!audit_enabled)) | |
| 842 | + if (likely(!audit_ever_enabled)) | |
| 842 | 843 | return 0; /* Return if not auditing. */ |
| 843 | 844 | |
| 844 | 845 | state = audit_filter_task(tsk); |