Commit 1a6b9f2317f18db768010252c957d99daf40678f
Committed by
Al Viro
Al Viro
1 parent
de6bbd1d30
Exists in
master
and in
4 other branches
[AUDIT] make audit=0 really stop audit messages
Some audit messages (namely configuration changes) are still emitted even if the audit subsystem has been explicitly disabled. This patch turns those messages off as well. Signed-off-by: Eric Paris <eparis@redhat.com>
Showing 2 changed files with 93 additions and 152 deletions Side-by-side Diff
kernel/audit.c
| ... | ... | @@ -66,9 +66,9 @@ |
| 66 | 66 | * (Initialization happens after skb_init is called.) */ |
| 67 | 67 | static int audit_initialized; |
| 68 | 68 | |
| 69 | -/* 0 - no auditing | |
| 70 | - * 1 - auditing enabled | |
| 71 | - * 2 - auditing enabled and configuration is locked/unchangeable. */ | |
| 69 | +#define AUDIT_OFF 0 | |
| 70 | +#define AUDIT_ON 1 | |
| 71 | +#define AUDIT_LOCKED 2 | |
| 72 | 72 | int audit_enabled; |
| 73 | 73 | |
| 74 | 74 | /* Default state when kernel boots without any parameters. */ |
| 75 | 75 | |
| 76 | 76 | |
| 77 | 77 | |
| 78 | 78 | |
| 79 | 79 | |
| 80 | 80 | |
| 81 | 81 | |
| 82 | 82 | |
| 83 | 83 | |
| 84 | 84 | |
| 85 | 85 | |
| 86 | 86 | |
| 87 | 87 | |
| 88 | 88 | |
| 89 | 89 | |
| 90 | 90 | |
| 91 | 91 | |
| 92 | 92 | |
| ... | ... | @@ -240,152 +240,90 @@ |
| 240 | 240 | } |
| 241 | 241 | } |
| 242 | 242 | |
| 243 | -static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) | |
| 243 | +static int audit_log_config_change(char *function_name, int new, int old, | |
| 244 | + uid_t loginuid, u32 sid, int allow_changes) | |
| 244 | 245 | { |
| 245 | - int res, rc = 0, old = audit_rate_limit; | |
| 246 | + struct audit_buffer *ab; | |
| 247 | + int rc = 0; | |
| 246 | 248 | |
| 247 | - /* check if we are locked */ | |
| 248 | - if (audit_enabled == 2) | |
| 249 | - res = 0; | |
| 250 | - else | |
| 251 | - res = 1; | |
| 252 | - | |
| 249 | + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | |
| 250 | + audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new, | |
| 251 | + old, loginuid); | |
| 253 | 252 | if (sid) { |
| 254 | 253 | char *ctx = NULL; |
| 255 | 254 | u32 len; |
| 256 | - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { | |
| 257 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
| 258 | - "audit_rate_limit=%d old=%d by auid=%u" | |
| 259 | - " subj=%s res=%d", | |
| 260 | - limit, old, loginuid, ctx, res); | |
| 255 | + | |
| 256 | + rc = selinux_sid_to_string(sid, &ctx, &len); | |
| 257 | + if (rc) { | |
| 258 | + audit_log_format(ab, " sid=%u", sid); | |
| 259 | + allow_changes = 0; /* Something weird, deny request */ | |
| 260 | + } else { | |
| 261 | + audit_log_format(ab, " subj=%s", ctx); | |
| 261 | 262 | kfree(ctx); |
| 262 | - } else | |
| 263 | - res = 0; /* Something weird, deny request */ | |
| 263 | + } | |
| 264 | 264 | } |
| 265 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
| 266 | - "audit_rate_limit=%d old=%d by auid=%u res=%d", | |
| 267 | - limit, old, loginuid, res); | |
| 268 | - | |
| 269 | - /* If we are allowed, make the change */ | |
| 270 | - if (res == 1) | |
| 271 | - audit_rate_limit = limit; | |
| 272 | - /* Not allowed, update reason */ | |
| 273 | - else if (rc == 0) | |
| 274 | - rc = -EPERM; | |
| 265 | + audit_log_format(ab, " res=%d", allow_changes); | |
| 266 | + audit_log_end(ab); | |
| 275 | 267 | return rc; |
| 276 | 268 | } |
| 277 | 269 | |
| 278 | -static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) | |
| 270 | +static int audit_do_config_change(char *function_name, int *to_change, | |
| 271 | + int new, uid_t loginuid, u32 sid) | |
| 279 | 272 | { |
| 280 | - int res, rc = 0, old = audit_backlog_limit; | |
| 273 | + int allow_changes, rc = 0, old = *to_change; | |
| 281 | 274 | |
| 282 | 275 | /* check if we are locked */ |
| 283 | - if (audit_enabled == 2) | |
| 284 | - res = 0; | |
| 276 | + if (audit_enabled == AUDIT_LOCKED) | |
| 277 | + allow_changes = 0; | |
| 285 | 278 | else |
| 286 | - res = 1; | |
| 279 | + allow_changes = 1; | |
| 287 | 280 | |
| 288 | - if (sid) { | |
| 289 | - char *ctx = NULL; | |
| 290 | - u32 len; | |
| 291 | - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { | |
| 292 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
| 293 | - "audit_backlog_limit=%d old=%d by auid=%u" | |
| 294 | - " subj=%s res=%d", | |
| 295 | - limit, old, loginuid, ctx, res); | |
| 296 | - kfree(ctx); | |
| 297 | - } else | |
| 298 | - res = 0; /* Something weird, deny request */ | |
| 281 | + if (audit_enabled != AUDIT_OFF) { | |
| 282 | + rc = audit_log_config_change(function_name, new, old, | |
| 283 | + loginuid, sid, allow_changes); | |
| 284 | + if (rc) | |
| 285 | + allow_changes = 0; | |
| 299 | 286 | } |
| 300 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
| 301 | - "audit_backlog_limit=%d old=%d by auid=%u res=%d", | |
| 302 | - limit, old, loginuid, res); | |
| 303 | 287 | |
| 304 | 288 | /* If we are allowed, make the change */ |
| 305 | - if (res == 1) | |
| 306 | - audit_backlog_limit = limit; | |
| 289 | + if (allow_changes == 1) | |
| 290 | + *to_change = new; | |
| 307 | 291 | /* Not allowed, update reason */ |
| 308 | 292 | else if (rc == 0) |
| 309 | 293 | rc = -EPERM; |
| 310 | 294 | return rc; |
| 311 | 295 | } |
| 312 | 296 | |
| 313 | -static int audit_set_enabled(int state, uid_t loginuid, u32 sid) | |
| 297 | +static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) | |
| 314 | 298 | { |
| 315 | - int res, rc = 0, old = audit_enabled; | |
| 299 | + return audit_do_config_change("audit_rate_limit", &audit_rate_limit, | |
| 300 | + limit, loginuid, sid); | |
| 301 | +} | |
| 316 | 302 | |
| 317 | - if (state < 0 || state > 2) | |
| 303 | +static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) | |
| 304 | +{ | |
| 305 | + return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, | |
| 306 | + limit, loginuid, sid); | |
| 307 | +} | |
| 308 | + | |
| 309 | +static int audit_set_enabled(int state, uid_t loginuid, u32 sid) | |
| 310 | +{ | |
| 311 | + if (state < AUDIT_OFF || state > AUDIT_LOCKED) | |
| 318 | 312 | return -EINVAL; |
| 319 | 313 | |
| 320 | - /* check if we are locked */ | |
| 321 | - if (audit_enabled == 2) | |
| 322 | - res = 0; | |
| 323 | - else | |
| 324 | - res = 1; | |
| 325 | - | |
| 326 | - if (sid) { | |
| 327 | - char *ctx = NULL; | |
| 328 | - u32 len; | |
| 329 | - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { | |
| 330 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
| 331 | - "audit_enabled=%d old=%d by auid=%u" | |
| 332 | - " subj=%s res=%d", | |
| 333 | - state, old, loginuid, ctx, res); | |
| 334 | - kfree(ctx); | |
| 335 | - } else | |
| 336 | - res = 0; /* Something weird, deny request */ | |
| 337 | - } | |
| 338 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
| 339 | - "audit_enabled=%d old=%d by auid=%u res=%d", | |
| 340 | - state, old, loginuid, res); | |
| 341 | - | |
| 342 | - /* If we are allowed, make the change */ | |
| 343 | - if (res == 1) | |
| 344 | - audit_enabled = state; | |
| 345 | - /* Not allowed, update reason */ | |
| 346 | - else if (rc == 0) | |
| 347 | - rc = -EPERM; | |
| 348 | - return rc; | |
| 314 | + return audit_do_config_change("audit_enabled", &audit_enabled, state, | |
| 315 | + loginuid, sid); | |
| 349 | 316 | } |
| 350 | 317 | |
| 351 | 318 | static int audit_set_failure(int state, uid_t loginuid, u32 sid) |
| 352 | 319 | { |
| 353 | - int res, rc = 0, old = audit_failure; | |
| 354 | - | |
| 355 | 320 | if (state != AUDIT_FAIL_SILENT |
| 356 | 321 | && state != AUDIT_FAIL_PRINTK |
| 357 | 322 | && state != AUDIT_FAIL_PANIC) |
| 358 | 323 | return -EINVAL; |
| 359 | 324 | |
| 360 | - /* check if we are locked */ | |
| 361 | - if (audit_enabled == 2) | |
| 362 | - res = 0; | |
| 363 | - else | |
| 364 | - res = 1; | |
| 365 | - | |
| 366 | - if (sid) { | |
| 367 | - char *ctx = NULL; | |
| 368 | - u32 len; | |
| 369 | - if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { | |
| 370 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
| 371 | - "audit_failure=%d old=%d by auid=%u" | |
| 372 | - " subj=%s res=%d", | |
| 373 | - state, old, loginuid, ctx, res); | |
| 374 | - kfree(ctx); | |
| 375 | - } else | |
| 376 | - res = 0; /* Something weird, deny request */ | |
| 377 | - } | |
| 378 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
| 379 | - "audit_failure=%d old=%d by auid=%u res=%d", | |
| 380 | - state, old, loginuid, res); | |
| 381 | - | |
| 382 | - /* If we are allowed, make the change */ | |
| 383 | - if (res == 1) | |
| 384 | - audit_failure = state; | |
| 385 | - /* Not allowed, update reason */ | |
| 386 | - else if (rc == 0) | |
| 387 | - rc = -EPERM; | |
| 388 | - return rc; | |
| 325 | + return audit_do_config_change("audit_failure", &audit_failure, state, | |
| 326 | + loginuid, sid); | |
| 389 | 327 | } |
| 390 | 328 | |
| 391 | 329 | static int kauditd_thread(void *dummy) |
| ... | ... | @@ -634,23 +572,14 @@ |
| 634 | 572 | if (err < 0) return err; |
| 635 | 573 | } |
| 636 | 574 | if (status_get->mask & AUDIT_STATUS_PID) { |
| 637 | - int old = audit_pid; | |
| 638 | - if (sid) { | |
| 639 | - if ((err = selinux_sid_to_string( | |
| 640 | - sid, &ctx, &len))) | |
| 641 | - return err; | |
| 642 | - else | |
| 643 | - audit_log(NULL, GFP_KERNEL, | |
| 644 | - AUDIT_CONFIG_CHANGE, | |
| 645 | - "audit_pid=%d old=%d by auid=%u subj=%s", | |
| 646 | - status_get->pid, old, | |
| 647 | - loginuid, ctx); | |
| 648 | - kfree(ctx); | |
| 649 | - } else | |
| 650 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
| 651 | - "audit_pid=%d old=%d by auid=%u", | |
| 652 | - status_get->pid, old, loginuid); | |
| 653 | - audit_pid = status_get->pid; | |
| 575 | + int new_pid = status_get->pid; | |
| 576 | + | |
| 577 | + if (audit_enabled != AUDIT_OFF) | |
| 578 | + audit_log_config_change("audit_pid", new_pid, | |
| 579 | + audit_pid, loginuid, | |
| 580 | + sid, 1); | |
| 581 | + | |
| 582 | + audit_pid = new_pid; | |
| 654 | 583 | } |
| 655 | 584 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) |
| 656 | 585 | err = audit_set_rate_limit(status_get->rate_limit, |
| ... | ... | @@ -709,7 +638,7 @@ |
| 709 | 638 | case AUDIT_DEL: |
| 710 | 639 | if (nlmsg_len(nlh) < sizeof(struct audit_rule)) |
| 711 | 640 | return -EINVAL; |
| 712 | - if (audit_enabled == 2) { | |
| 641 | + if (audit_enabled == AUDIT_LOCKED) { | |
| 713 | 642 | ab = audit_log_start(NULL, GFP_KERNEL, |
| 714 | 643 | AUDIT_CONFIG_CHANGE); |
| 715 | 644 | if (ab) { |
| ... | ... | @@ -743,7 +672,7 @@ |
| 743 | 672 | case AUDIT_DEL_RULE: |
| 744 | 673 | if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) |
| 745 | 674 | return -EINVAL; |
| 746 | - if (audit_enabled == 2) { | |
| 675 | + if (audit_enabled == AUDIT_LOCKED) { | |
| 747 | 676 | ab = audit_log_start(NULL, GFP_KERNEL, |
| 748 | 677 | AUDIT_CONFIG_CHANGE); |
| 749 | 678 | if (ab) { |
kernel/auditfilter.c
| ... | ... | @@ -95,6 +95,8 @@ |
| 95 | 95 | /* Inotify events we care about. */ |
| 96 | 96 | #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF |
| 97 | 97 | |
| 98 | +extern int audit_enabled; | |
| 99 | + | |
| 98 | 100 | void audit_free_parent(struct inotify_watch *i_watch) |
| 99 | 101 | { |
| 100 | 102 | struct audit_parent *parent; |
| ... | ... | @@ -974,7 +976,6 @@ |
| 974 | 976 | struct audit_watch *owatch, *nwatch, *nextw; |
| 975 | 977 | struct audit_krule *r, *nextr; |
| 976 | 978 | struct audit_entry *oentry, *nentry; |
| 977 | - struct audit_buffer *ab; | |
| 978 | 979 | |
| 979 | 980 | mutex_lock(&audit_filter_mutex); |
| 980 | 981 | list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { |
| ... | ... | @@ -1014,13 +1015,18 @@ |
| 1014 | 1015 | call_rcu(&oentry->rcu, audit_free_rule_rcu); |
| 1015 | 1016 | } |
| 1016 | 1017 | |
| 1017 | - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | |
| 1018 | - audit_log_format(ab, "op=updated rules specifying path="); | |
| 1019 | - audit_log_untrustedstring(ab, owatch->path); | |
| 1020 | - audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); | |
| 1021 | - audit_log_format(ab, " list=%d res=1", r->listnr); | |
| 1022 | - audit_log_end(ab); | |
| 1023 | - | |
| 1018 | + if (audit_enabled) { | |
| 1019 | + struct audit_buffer *ab; | |
| 1020 | + ab = audit_log_start(NULL, GFP_KERNEL, | |
| 1021 | + AUDIT_CONFIG_CHANGE); | |
| 1022 | + audit_log_format(ab, | |
| 1023 | + "op=updated rules specifying path="); | |
| 1024 | + audit_log_untrustedstring(ab, owatch->path); | |
| 1025 | + audit_log_format(ab, " with dev=%u ino=%lu\n", | |
| 1026 | + dev, ino); | |
| 1027 | + audit_log_format(ab, " list=%d res=1", r->listnr); | |
| 1028 | + audit_log_end(ab); | |
| 1029 | + } | |
| 1024 | 1030 | audit_remove_watch(owatch); |
| 1025 | 1031 | goto add_watch_to_parent; /* event applies to a single watch */ |
| 1026 | 1032 | } |
| 1027 | 1033 | |
| ... | ... | @@ -1039,25 +1045,28 @@ |
| 1039 | 1045 | struct audit_watch *w, *nextw; |
| 1040 | 1046 | struct audit_krule *r, *nextr; |
| 1041 | 1047 | struct audit_entry *e; |
| 1042 | - struct audit_buffer *ab; | |
| 1043 | 1048 | |
| 1044 | 1049 | mutex_lock(&audit_filter_mutex); |
| 1045 | 1050 | parent->flags |= AUDIT_PARENT_INVALID; |
| 1046 | 1051 | list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { |
| 1047 | 1052 | list_for_each_entry_safe(r, nextr, &w->rules, rlist) { |
| 1048 | 1053 | e = container_of(r, struct audit_entry, rule); |
| 1049 | - | |
| 1050 | - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | |
| 1051 | - audit_log_format(ab, "op=remove rule path="); | |
| 1052 | - audit_log_untrustedstring(ab, w->path); | |
| 1053 | - if (r->filterkey) { | |
| 1054 | - audit_log_format(ab, " key="); | |
| 1055 | - audit_log_untrustedstring(ab, r->filterkey); | |
| 1056 | - } else | |
| 1057 | - audit_log_format(ab, " key=(null)"); | |
| 1058 | - audit_log_format(ab, " list=%d res=1", r->listnr); | |
| 1059 | - audit_log_end(ab); | |
| 1060 | - | |
| 1054 | + if (audit_enabled) { | |
| 1055 | + struct audit_buffer *ab; | |
| 1056 | + ab = audit_log_start(NULL, GFP_KERNEL, | |
| 1057 | + AUDIT_CONFIG_CHANGE); | |
| 1058 | + audit_log_format(ab, "op=remove rule path="); | |
| 1059 | + audit_log_untrustedstring(ab, w->path); | |
| 1060 | + if (r->filterkey) { | |
| 1061 | + audit_log_format(ab, " key="); | |
| 1062 | + audit_log_untrustedstring(ab, | |
| 1063 | + r->filterkey); | |
| 1064 | + } else | |
| 1065 | + audit_log_format(ab, " key=(null)"); | |
| 1066 | + audit_log_format(ab, " list=%d res=1", | |
| 1067 | + r->listnr); | |
| 1068 | + audit_log_end(ab); | |
| 1069 | + } | |
| 1061 | 1070 | list_del(&r->rlist); |
| 1062 | 1071 | list_del_rcu(&e->list); |
| 1063 | 1072 | call_rcu(&e->rcu, audit_free_rule_rcu); |
| ... | ... | @@ -1494,6 +1503,9 @@ |
| 1494 | 1503 | struct audit_krule *rule, int res) |
| 1495 | 1504 | { |
| 1496 | 1505 | struct audit_buffer *ab; |
| 1506 | + | |
| 1507 | + if (!audit_enabled) | |
| 1508 | + return; | |
| 1497 | 1509 | |
| 1498 | 1510 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); |
| 1499 | 1511 | if (!ab) |