From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Richard Guy Briggs <rgb@redhat.com>,
Paul Moore <paul@paul-moore.com>,
Sasha Levin <alexander.levin@verizon.com>
Subject: [PATCH 4.14 46/52] audit: ensure that audit=1 actually enables audit for PID 1
Date: Fri, 15 Dec 2017 10:52:23 +0100 [thread overview]
Message-ID: <20171215092311.030168676@linuxfoundation.org> (raw)
In-Reply-To: <20171215092308.500651185@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moore <paul@paul-moore.com>
[ Upstream commit 173743dd99a49c956b124a74c8aacb0384739a4c ]
Prior to this patch we enabled audit in audit_init(), which is too
late for PID 1 as the standard initcalls are run after the PID 1 task
is forked. This means that we never allocate an audit_context (see
audit_alloc()) for PID 1 and therefore miss a lot of audit events
generated by PID 1.
This patch enables audit as early as possible to help ensure that when
PID 1 is forked it can allocate an audit_context if required.
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/audit.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -85,13 +85,13 @@ static int audit_initialized;
#define AUDIT_OFF 0
#define AUDIT_ON 1
#define AUDIT_LOCKED 2
-u32 audit_enabled;
-u32 audit_ever_enabled;
+u32 audit_enabled = AUDIT_OFF;
+u32 audit_ever_enabled = !!AUDIT_OFF;
EXPORT_SYMBOL_GPL(audit_enabled);
/* Default state when kernel boots without any parameters. */
-static u32 audit_default;
+static u32 audit_default = AUDIT_OFF;
/* If auditing cannot proceed, audit_failure selects what happens. */
static u32 audit_failure = AUDIT_FAIL_PRINTK;
@@ -1552,8 +1552,6 @@ static int __init audit_init(void)
register_pernet_subsys(&audit_net_ops);
audit_initialized = AUDIT_INITIALIZED;
- audit_enabled = audit_default;
- audit_ever_enabled |= !!audit_default;
kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
if (IS_ERR(kauditd_task)) {
@@ -1575,6 +1573,8 @@ static int __init audit_enable(char *str
audit_default = !!simple_strtol(str, NULL, 0);
if (!audit_default)
audit_initialized = AUDIT_DISABLED;
+ audit_enabled = audit_default;
+ audit_ever_enabled = !!audit_enabled;
pr_info("%s\n", audit_default ?
"enabled (after initialization)" : "disabled (until reboot)");
next prev parent reply other threads:[~2017-12-15 9:55 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-15 9:51 [PATCH 4.14 00/52] 4.14.7-stable review Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 02/52] net: thunderx: Fix TCP/UDP checksum offload for IPv6 pkts Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 03/52] net: thunderx: Fix TCP/UDP checksum offload for IPv4 pkts Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 05/52] s390/qeth: fix early exit from error path Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 06/52] tipc: fix memory leak in tipc_accept_from_sock() Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 07/52] vhost: fix skb leak in handle_rx() Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 09/52] sit: update frag_off info Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 10/52] tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb() Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 11/52] packet: fix crash in fanout_demux_rollover() Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 12/52] net/packet: fix a race in packet_bind() and packet_notifier() Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 13/52] tcp: remove buggy call to tcp_v6_restore_cb() Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 16/52] stmmac: reset last TSO segment size after device open Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 18/52] s390/qeth: build max size GSO skbs on L2 devices Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 19/52] s390/qeth: fix thinko in IPv4 multicast address tracking Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 20/52] s390/qeth: fix GSO throughput regression Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 21/52] tcp: use IPCB instead of TCP_SKB_CB in inet_exact_dif_match() Greg Kroah-Hartman
2017-12-15 9:51 ` [PATCH 4.14 22/52] tipc: call tipc_rcv() only if bearer is up in tipc_udp_recv() Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 23/52] tcp: use current time in tcp_rcv_space_adjust() Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 24/52] net: sched: cbq: create block for q->link.block Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 25/52] tap: free skb if flags error Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 26/52] tcp: when scheduling TLP, time of RTO should account for current ACK Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 27/52] tun: free skb in early errors Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 28/52] net: ipv6: Fixup device for anycast routes during copy Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 29/52] tun: fix rcu_read_lock imbalance in tun_build_skb Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 30/52] net: accept UFO datagrams from tuntap and packet Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 31/52] net: openvswitch: datapath: fix data type in queue_gso_packets Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 32/52] cls_bpf: dont decrement nets refcount when offload fails Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 33/52] sctp: use right member as the param of list_for_each_entry Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 34/52] ipmi: Stop timers before cleaning up the module Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 35/52] usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 36/52] fcntl: dont cap l_start and l_end values for F_GETLK64 in compat syscall Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 37/52] fix kcm_clone() Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 38/52] KVM: arm/arm64: vgic-its: Preserve the revious read from the pending table Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 39/52] kbuild: do not call cc-option before KBUILD_CFLAGS initialization Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 40/52] powerpc/powernv/idle: Round up latency and residency values Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 41/52] ipvlan: fix ipv6 outbound device Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 42/52] ide: ide-atapi: fix compile error with defining macro DEBUG Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 43/52] blk-mq: Avoid that request queue removal can trigger list corruption Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 44/52] nvmet-rdma: update queue list during ib_device removal Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 45/52] audit: Allow auditd to set pid to 0 to end auditing Greg Kroah-Hartman
2017-12-15 9:52 ` Greg Kroah-Hartman [this message]
2017-12-15 9:52 ` [PATCH 4.14 47/52] dm raid: fix panic when attempting to force a raid to sync Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 48/52] md: free unused memory after bitmap resize Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 49/52] RDMA/cxgb4: Annotate r2 and stag as __be32 Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 50/52] x86/intel_rdt: Fix potential deadlock during resctrl unmount Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 51/52] media: dvb-core: always call invoke_release() in fe_free() Greg Kroah-Hartman
2017-12-15 9:52 ` [PATCH 4.14 52/52] dvb_frontend: dont use-after-free the frontend struct Greg Kroah-Hartman
2017-12-15 10:09 ` [PATCH 4.14 00/52] 4.14.7-stable review Nikola Ciprich
2017-12-15 10:09 ` Nikola Ciprich
2017-12-15 13:07 ` Greg Kroah-Hartman
2017-12-15 17:41 ` Guenter Roeck
2017-12-15 18:27 ` Greg Kroah-Hartman
2017-12-15 21:12 ` Shuah Khan
2017-12-15 21:32 ` Greg Kroah-Hartman
2017-12-16 5:28 ` Naresh Kamboju
2017-12-16 8:23 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171215092311.030168676@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.levin@verizon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.