From: Joy Latten
Subject: [PATCH 2/2] fix auditctl -D
Date: Fri, 28 Apr 2006 17:37:40 -0500
Message-ID: <200604282237.k3SMbef3002200@faith.austin.ibm.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

The fix for the problem
of auditctl -D not working consists of two patches. One is the userspace patch and the other is for the kernel. Below is the kernel patch. I added AUDIT_DEL_ALL flag. Regards, Joy diff -urpN linux-2.6.orig/include/linux/audit.h linux-2.6.patch/include/linux/audit.h --- linux-2.6.orig/include/linux/audit.h 2006-04-28 15:01:38.000000000 -0500 +++ linux-2.6.patch/include/linux/audit.h 2006-04-28 16:10:06.000000000 -0500 @@ -63,6 +63,7 @@ #define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */ #define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */ #define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */ +#define AUDIT_DEL_ALL 1014 /* Delete all syscall filtering rules */ #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ #define AUDIT_USER_AVC 1107 /* We filter this differently */ diff -urpN linux-2.6.orig/kernel/audit.c linux-2.6.patch/kernel/audit.c --- linux-2.6.orig/kernel/audit.c 2006-04-28 15:01:37.000000000 -0500 +++ linux-2.6.patch/kernel/audit.c 2006-04-28 16:09:03.000000000 -0500 @@ -451,6 +451,7 @@ static int audit_netlink_ok(kernel_cap_t case AUDIT_ADD_RULE: case AUDIT_DEL: case AUDIT_DEL_RULE: + case AUDIT_DEL_ALL: case AUDIT_SIGNAL_INFO: if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) err = -EPERM; @@ -604,6 +605,7 @@ static int audit_receive_msg(struct sk_b if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) return -EINVAL; /* fallthrough */ + case AUDIT_DEL_ALL: case AUDIT_LIST_RULES: err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, uid, seq, data, nlmsg_len(nlh), diff -urpN linux-2.6.orig/kernel/auditfilter.c linux-2.6.patch/kernel/auditfilter.c --- linux-2.6.orig/kernel/auditfilter.c 2006-04-28 15:01:37.000000000 -0500 +++ linux-2.6.patch/kernel/auditfilter.c 2006-04-28 16:09:13.000000000 -0500 
@@ -1063,6 +1063,21 @@ static inline int audit_del_rule(struct return -ENOENT; /* No matching rule */ } +/* Remove all rules from all filterlists. Protected by + * audit_netlink_mutex. */ +static void audit_del_all_rules(void) +{ + struct audit_entry *e, *e2; + int i; + + for (i=0; ilist); + call_rcu(&e->rcu, audit_free_rule_rcu); + } + } +} + /* List rules using struct audit_rule. Exists for backward * compatibility with userspace. */ static void audit_list(int pid, int seq, struct sk_buff_head *q) @@ -1233,6 +1248,12 @@ int audit_receive_filter(int type, int p audit_free_rule(entry); break; + case AUDIT_DEL_ALL: + audit_del_all_rules(); + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "auid=%u remove all rules res=%d\n", + loginuid, !err); + break; default: return -EINVAL; } diff -urpN linux-2.6.orig/security/selinux/nlmsgtab.c linux-2.6.patch/security/selinux/nlmsgtab.c --- linux-2.6.orig/security/selinux/nlmsgtab.c 2006-04-28 15:02:20.000000000 -0500 +++ linux-2.6.patch/security/selinux/nlmsgtab.c 2006-04-28 16:08:23.000000000 -0500 @@ -109,6 +109,7 @@ static struct nlmsg_perm nlmsg_audit_per { AUDIT_LIST_RULES, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV }, { AUDIT_ADD_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, + { AUDIT_DEL_ALL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, };
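Review bot: in the include/linux/audit.h hunk, AUDIT_DEL_ALL takes 1014 directly after AUDIT_LIST_RULES (1013), which keeps it inside the 1000-series control-message range used by the other rule operations; since the same value has to be defined identically in the userspace half of this series, a short note in the header comment that the message carries no payload (unlike AUDIT_ADD_RULE/AUDIT_DEL_RULE) would help anyone checking the two halves against each other.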
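Review bot: in the audit_netlink_ok() hunk, requiring CAP_AUDIT_CONTROL for AUDIT_DEL_ALL alongside AUDIT_ADD_RULE and AUDIT_DEL_RULE is the right gate; a sender that cannot delete one rule must not be able to delete all of them. No change needed here, as long as the SELinux nlmsgtab.c entry at the end of the patch lands together with it, since otherwise the capability check would pass and SELinux would still reject the unknown message type.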
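Review bot: in the audit_receive_msg() hunk, placing `case AUDIT_DEL_ALL:` after the `/* fallthrough */` comment means the `nlmsg_len(nlh) < sizeof(struct audit_rule_data)` check is skipped for this type, which is correct for a message that carries no rule payload but reads like an accidental fallthrough; a one-line comment such as `/* AUDIT_DEL_ALL and AUDIT_LIST_RULES carry no rule data */` would make the intent explicit. Note that audit_receive_filter() still receives `data` and `nlmsg_len(nlh)` for this type, so the AUDIT_DEL_ALL case there must never dereference `data`.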
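Review bot: the body of the for loop in audit_del_all_rules() is truncated as posted (`for (i=0; ilist);` runs the loop header straight into what looks like the tail of a `list_del_rcu(&e->list);`), most likely because everything from the `<` in the loop condition onward was eaten in transit, so this hunk cannot be applied or fully reviewed; please resend it with the comparison intact or as an attachment. From what survives, each entry is unlinked and then freed through `call_rcu(&e->rcu, audit_free_rule_rcu)`, which matches the RCU pattern audit_del_rule() already uses, and the comment states the function relies on audit_netlink_mutex, so it must only be reachable from audit_receive_filter() under that lock. Returning the number of entries removed (rather than void) would let the caller log it.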
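Review bot: in the audit_receive_filter() hunk, the AUDIT_CONFIG_CHANGE record logs `res=%d` from `!err`, but audit_del_all_rules() is void and nothing in the new case assigns `err`, so the result field reports whatever `err` held before the switch rather than the outcome of this operation; either have audit_del_all_rules() return a status (or the count of rules removed) and log that, or log `res=1` explicitly. Emitting a CONFIG_CHANGE record with the loginuid is otherwise exactly right: clearing the whole rule set is itself a security-relevant event that must leave an audit trail, and including the number of rules dropped would make that record far more useful to an auditor reviewing an `auditctl -D`.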
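Review bot: in the security/selinux/nlmsgtab.c hunk, mapping AUDIT_DEL_ALL to NETLINK_AUDIT_SOCKET__NLMSG_WRITE puts it on the same SELinux permission as AUDIT_ADD_RULE and AUDIT_DEL_RULE, so existing policy that permits rule changes also permits the new message and no policy update is needed; this looks correct and is required, since without an entry here SELinux would reject the message type regardless of the CAP_AUDIT_CONTROL check.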