From: Eric Paris <eparis@redhat.com>
To: viro@ftp.linux.org.uk
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: [PATCH] audit=0 appears not to completely disable auditing
Date: Wed, 26 Sep 2007 12:52:10 -0400 [thread overview]
Message-ID: <1190825530.3453.1.camel@dhcp231-215.rdu.redhat.com> (raw)
In-Reply-To: <200703091550.11104.sgrubb@redhat.com>
Al,
What happened with this patch? It does not appear to have made it into
the audit tree. We are still emitting audit messages (through
dmesg/syslog) even when audit is turned off.
-Eric
On Fri, 2007-03-09 at 15:50 -0500, Steve Grubb wrote:
> Hi,
>
> There was a bz, 231371, reporting that current upstream kernels do not completely
> disable auditing when booted with audit=0 and the audit daemon is not configured to
> run. You can reproduce the problem by:
>
> service auditd stop
> auditctl -e 0
> auditctl -w /etc/passwd
> and you'd get an event in syslog:
> Mar 9 15:43:04 localhost kernel: audit(1173472984.321:982): auid=4294967295
> subj=user_u:system_r:auditctl_t:s0 op=add rule key=(null) list=4 res=1
>
> The patch below solves this problem by checking audit_enabled before creating
> an audit event.
>
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
>
>
> diff -urp linux-2.6.18.x86_64.orig/kernel/audit.c linux-2.6.18.x86_64/kernel/audit.c
> --- linux-2.6.18.x86_64.orig/kernel/audit.c 2007-03-09 14:08:18.000000000 -0500
> +++ linux-2.6.18.x86_64/kernel/audit.c 2007-03-09 14:06:59.000000000 -0500
> @@ -238,46 +238,50 @@ void audit_log_lost(const char *message)
>
> static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
> {
> - int old = audit_rate_limit;
> + if (audit_enabled) {
> + int old = audit_rate_limit;
>
> - if (sid) {
> - char *ctx = NULL;
> - u32 len;
> - int rc;
> - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> - return rc;
> - else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + if (sid) {
> + char *ctx = NULL;
> + u32 len;
> + int rc;
> + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> + return rc;
> + else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_rate_limit=%d old=%d by auid=%u subj=%s",
> - limit, old, loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> - "audit_rate_limit=%d old=%d by auid=%u",
> - limit, old, loginuid);
> + limit, old, loginuid, ctx);
> + kfree(ctx);
> + } else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + "audit_rate_limit=%d old=%d by auid=%u",
> + limit, old, loginuid);
> + }
> audit_rate_limit = limit;
> return 0;
> }
>
> static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
> {
> - int old = audit_backlog_limit;
> + if (audit_enabled) {
> + int old = audit_backlog_limit;
>
> - if (sid) {
> - char *ctx = NULL;
> - u32 len;
> - int rc;
> - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> - return rc;
> - else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + if (sid) {
> + char *ctx = NULL;
> + u32 len;
> + int rc;
> + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> + return rc;
> + else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_backlog_limit=%d old=%d by auid=%u subj=%s",
> - limit, old, loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> - "audit_backlog_limit=%d old=%d by auid=%u",
> - limit, old, loginuid);
> + limit, old, loginuid, ctx);
> + kfree(ctx);
> + } else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + "audit_backlog_limit=%d old=%d by auid=%u",
> + limit, old, loginuid);
> + }
> audit_backlog_limit = limit;
> return 0;
> }
> @@ -289,21 +293,23 @@ static int audit_set_enabled(int state,
> if (state != 0 && state != 1)
> return -EINVAL;
>
> - if (sid) {
> - char *ctx = NULL;
> - u32 len;
> - int rc;
> - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> - return rc;
> - else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + if (audit_enabled || state) {
> + if (sid) {
> + char *ctx = NULL;
> + u32 len;
> + int rc;
> + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> + return rc;
> + else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_enabled=%d old=%d by auid=%u subj=%s",
> - state, old, loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> - "audit_enabled=%d old=%d by auid=%u",
> - state, old, loginuid);
> + state, old, loginuid, ctx);
> + kfree(ctx);
> + } else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + "audit_enabled=%d old=%d by auid=%u",
> + state, old, loginuid);
> + }
> audit_enabled = state;
> return 0;
> }
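Review bot: The condition at L129, `if (audit_enabled || state)`, is the only gate in the series that is not a bare `audit_enabled` test, and nothing in the hunk says why it differs; a reader "harmonising" it with the other setters would silently drop the record for the off-to-on transition. A one-line comment above it would prevent that: `/* log 0->1 even though auditing is still off, so the log shows when it was switched on; 1->0 is logged because audit_enabled is still set here */`. audit_set_enabled's signature and the `old` snapshot it logs are above the hunk.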
> @@ -317,21 +323,23 @@ static int audit_set_failure(int state,
> && state != AUDIT_FAIL_PANIC)
> return -EINVAL;
>
> - if (sid) {
> - char *ctx = NULL;
> - u32 len;
> - int rc;
> - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> - return rc;
> - else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + if (audit_enabled) {
> + if (sid) {
> + char *ctx = NULL;
> + u32 len;
> + int rc;
> + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> + return rc;
> + else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_failure=%d old=%d by auid=%u subj=%s",
> - state, old, loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> - "audit_failure=%d old=%d by auid=%u",
> - state, old, loginuid);
> + state, old, loginuid, ctx);
> + kfree(ctx);
> + } else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + "audit_failure=%d old=%d by auid=%u",
> + state, old, loginuid);
> + }
> audit_failure = state;
> return 0;
> }
> @@ -536,22 +544,26 @@ static int audit_receive_msg(struct sk_b
> if (err < 0) return err;
> }
> if (status_get->mask & AUDIT_STATUS_PID) {
> - int old = audit_pid;
> - if (sid) {
> - if ((err = selinux_ctxid_to_string(
> - sid, &ctx, &len)))
> - return err;
> - else
> + if (audit_enabled) {
> + int old = audit_pid;
> + if (sid) {
> + if ((err = selinux_ctxid_to_string(
> + sid, &ctx, &len)))
> + return err;
> + else
> + audit_log(NULL, GFP_KERNEL,
> + AUDIT_CONFIG_CHANGE,
> + "audit_pid=%d old=%d by auid=%u subj=%s",
> + status_get->pid, old,
> + loginuid, ctx);
> + kfree(ctx);
> + } else
> audit_log(NULL, GFP_KERNEL,
> AUDIT_CONFIG_CHANGE,
> - "audit_pid=%d old=%d by auid=%u subj=%s",
> - status_get->pid, old,
> - loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_pid=%d old=%d by auid=%u",
> - status_get->pid, old, loginuid);
> + status_get->pid, old,
> + loginuid);
> + }
> audit_pid = status_get->pid;
> }
> if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
> diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c
> --- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2007-03-09 14:08:18.000000000 -0500
> +++ linux-2.6.18.x86_64/kernel/auditfilter.c 2007-03-09 14:05:54.000000000 -0500
> @@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
> /* Inotify events we care about. */
> #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
>
> +extern int audit_enabled;
> +
> void audit_free_parent(struct inotify_watch *i_watch)
> {
> struct audit_parent *parent;
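Review bot: The `extern int audit_enabled;` added at L240 is a per-file declaration; it matches the `audit_ih` extern visible in the hunk header, but a declaration in the shared kernel-internal audit header that auditfilter.c presumably already includes would let the compiler check it against the definition in kernel/audit.c and spare every future user its own copy. I cannot see from the hunk whether that header already declares it; if it does, this line is redundant and can be dropped.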
> @@ -897,7 +899,6 @@ static void audit_update_watch(struct au
> struct audit_watch *owatch, *nwatch, *nextw;
> struct audit_krule *r, *nextr;
> struct audit_entry *oentry, *nentry;
> - struct audit_buffer *ab;
>
> mutex_lock(&audit_filter_mutex);
> list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
> @@ -937,13 +938,18 @@ static void audit_update_watch(struct au
> call_rcu(&oentry->rcu, audit_free_rule_rcu);
> }
>
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> - audit_log_format(ab, "op=updated rules specifying path=");
> - audit_log_untrustedstring(ab, owatch->path);
> - audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
> - audit_log_format(ab, " list=%d res=1", r->listnr);
> - audit_log_end(ab);
> -
> + if (audit_enabled) {
> + struct audit_buffer *ab;
> + ab = audit_log_start(NULL, GFP_KERNEL,
> + AUDIT_CONFIG_CHANGE);
> + audit_log_format(ab,
> + "op=updated rules specifying path=");
> + audit_log_untrustedstring(ab, owatch->path);
> + audit_log_format(ab, " with dev=%u ino=%lu\n",
> + dev, ino);
> + audit_log_format(ab, " list=%d res=1", r->listnr);
> + audit_log_end(ab);
> + }
> audit_remove_watch(owatch);
> goto add_watch_to_parent; /* event applies to a single watch */
> }
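Review bot: The block at L264-L275 still feeds the return value of audit_log_start() straight into audit_log_format() with no NULL test, whereas audit_log_rule_change in the hunk ending at L331 checks `if (!ab) return;` right after the same call, which shows callers in this file expect a NULL result; as far as I recall the audit_log_* helpers tolerate a NULL buffer in this tree, so this is a consistency point rather than a crash, but guarding it with `if (ab) { … }` keeps the three sites alike. The same applies to L304-L316 in the next hunk. Separately, the re-indented format string at L271, `" with dev=%u ino=%lu\n"`, puts a newline in the middle of one record, so `list=%d res=1` lands on a second line in syslog; this looks like a pre-existing typo, and since the line is being rewritten anyway dropping the `\n` is a one-character fix. audit_update_watch begins above the hunk.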
> @@ -962,25 +968,28 @@ static void audit_remove_parent_watches(
> struct audit_watch *w, *nextw;
> struct audit_krule *r, *nextr;
> struct audit_entry *e;
> - struct audit_buffer *ab;
>
> mutex_lock(&audit_filter_mutex);
> parent->flags |= AUDIT_PARENT_INVALID;
> list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
> list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
> e = container_of(r, struct audit_entry, rule);
> -
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> - audit_log_format(ab, "op=remove rule path=");
> - audit_log_untrustedstring(ab, w->path);
> - if (r->filterkey) {
> - audit_log_format(ab, " key=");
> - audit_log_untrustedstring(ab, r->filterkey);
> - } else
> - audit_log_format(ab, " key=(null)");
> - audit_log_format(ab, " list=%d res=1", r->listnr);
> - audit_log_end(ab);
> -
> + if (audit_enabled) {
> + struct audit_buffer *ab;
> + ab = audit_log_start(NULL, GFP_KERNEL,
> + AUDIT_CONFIG_CHANGE);
> + audit_log_format(ab, "op=remove rule path=");
> + audit_log_untrustedstring(ab, w->path);
> + if (r->filterkey) {
> + audit_log_format(ab, " key=");
> + audit_log_untrustedstring(ab,
> + r->filterkey);
> + } else
> + audit_log_format(ab, " key=(null)");
> + audit_log_format(ab, " list=%d res=1",
> + r->listnr);
> + audit_log_end(ab);
> + }
> list_del(&r->rlist);
> list_del_rcu(&e->list);
> call_rcu(&e->rcu, audit_free_rule_rcu);
> @@ -1409,6 +1418,9 @@ static void audit_log_rule_change(uid_t
> {
> struct audit_buffer *ab;
>
> + if (!audit_enabled)
> + return;
> +
> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (!ab)
> return;
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit