public inbox for linux-audit@redhat.com
From: Amy Griffis <amy.griffis@hp.com>
To: Joy Latten <latten@austin.ibm.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH 2/2] fix auditctl -D
Date: Mon, 1 May 2006 11:18:24 -0400
Message-ID: <20060501151824.GA22037@zk3.dec.com>
In-Reply-To: <200604282237.k3SMbef3002200@faith.austin.ibm.com>

Joy Latten wrote:     [Fri Apr 28 2006, 06:37:40PM EDT]
> The fix for the problem of auditctl -D not working
> consists of two patches. One is the userspace patch
> and the other is for the kernel.
> 
> Below is the kernel patch. I added AUDIT_DEL_ALL flag.
> 
> Regards,
> Joy
> 
> 
> diff -urpN linux-2.6.orig/include/linux/audit.h linux-2.6.patch/include/linux/audit.h
> --- linux-2.6.orig/include/linux/audit.h	2006-04-28 15:01:38.000000000 -0500
> +++ linux-2.6.patch/include/linux/audit.h	2006-04-28 16:10:06.000000000 -0500
> @@ -63,6 +63,7 @@
>  #define AUDIT_ADD_RULE		1011	/* Add syscall filtering rule */
>  #define AUDIT_DEL_RULE		1012	/* Delete syscall filtering rule */
>  #define AUDIT_LIST_RULES	1013	/* List syscall filtering rules */
> +#define AUDIT_DEL_ALL		1014	/* Delete all syscall filtering rules */
>  
>  #define AUDIT_FIRST_USER_MSG	1100	/* Userspace messages mostly uninteresting to kernel */
>  #define AUDIT_USER_AVC		1107	/* We filter this differently */
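
Review bot: the comment on the new AUDIT_DEL_ALL define says "Delete all syscall filtering rules", but the auditfilter.c part of this patch walks every list up to AUDIT_NR_FILTERS and its own comment reads "Remove all rules from all filterlists". Suggest wording the header comment to match, for example "Delete all filtering rules", so that readers of audit.h do not assume only syscall rules are affected.
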
> diff -urpN linux-2.6.orig/kernel/audit.c linux-2.6.patch/kernel/audit.c
> --- linux-2.6.orig/kernel/audit.c	2006-04-28 15:01:37.000000000 -0500
> +++ linux-2.6.patch/kernel/audit.c	2006-04-28 16:09:03.000000000 -0500
> @@ -451,6 +451,7 @@ static int audit_netlink_ok(kernel_cap_t
>  	case AUDIT_ADD_RULE:
>  	case AUDIT_DEL:
>  	case AUDIT_DEL_RULE:
> +	case AUDIT_DEL_ALL:
>  	case AUDIT_SIGNAL_INFO:
>  		if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
>  			err = -EPERM;
> @@ -604,6 +605,7 @@ static int audit_receive_msg(struct sk_b
>  		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
>  			return -EINVAL;
>  		/* fallthrough */
> +	case AUDIT_DEL_ALL:
>  	case AUDIT_LIST_RULES:
>  		err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
>  					   uid, seq, data, nlmsg_len(nlh),
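
Review bot: the new case label in audit_receive_msg() sits below the nlmsg_len() check against sizeof(struct audit_rule_data), so AUDIT_DEL_ALL reaches audit_receive_filter() with data and nlmsg_len(nlh) unvalidated. That is fine only as long as the AUDIT_DEL_ALL branch never reads the payload; a short comment at the label stating that this message carries no payload would keep a later change from dereferencing data there.
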
> diff -urpN linux-2.6.orig/kernel/auditfilter.c linux-2.6.patch/kernel/auditfilter.c
> --- linux-2.6.orig/kernel/auditfilter.c	2006-04-28 15:01:37.000000000 -0500
> +++ linux-2.6.patch/kernel/auditfilter.c	2006-04-28 16:09:13.000000000 -0500
> @@ -1063,6 +1063,21 @@ static inline int audit_del_rule(struct 
>  	return -ENOENT;		/* No matching rule */
>  }
>  
> +/* Remove all rules from all filterlists. Protected by
> + * audit_netlink_mutex. */

Just a heads up...

As long as this patch stays in front of the filesystem auditing
patches in the queue (likely), this locking is okay.  Otherwise the
removal needs to be protected by audit_filter_mutex.

> +static void audit_del_all_rules(void)
> +{
> +	struct audit_entry *e, *e2;
> +	int i;
> +
> +	for (i=0; i<AUDIT_NR_FILTERS; i++) {
> +		list_for_each_entry_safe(e, e2, &audit_filter_list[i], list) {
> +			list_del_rcu(&e->list);
> +			call_rcu(&e->rcu, audit_free_rule_rcu);
> +		}
> +	}
> +}
> +
>  /* List rules using struct audit_rule.  Exists for backward
>   * compatibility with userspace. */
>  static void audit_list(int pid, int seq, struct sk_buff_head *q)
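
Review bot: audit_del_all_rules() depends on its caller for locking and the only record of that is the comment above it; nothing in the function checks it. The function also returns void, so the caller cannot tell how many rules were removed; returning the number of entries deleted would let the AUDIT_CONFIG_CHANGE record report it. Style: the loop header should read for (i = 0; i < AUDIT_NR_FILTERS; i++), with spaces around the operators.
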
> @@ -1233,6 +1248,12 @@ int audit_receive_filter(int type, int p
>  
>  		audit_free_rule(entry);
>  		break;
> +	case AUDIT_DEL_ALL:
> +		audit_del_all_rules();
> +		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> +			"auid=%u remove all rules res=%d\n",
> +			loginuid, !err);
> +		break;
>  	default:
>  		return -EINVAL;
>  	}
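
Review bot: in the AUDIT_DEL_ALL case the audit_log() call reports res=!err, but nothing in this branch assigns err and audit_del_all_rules() returns void, so the res field reflects whatever err held on entry to the switch rather than the outcome of the deletion. Either log a fixed success value or have the helper return a status or count and log that. As this is the one record emitted for removing every audit rule, including the number of rules removed would help anyone reviewing the log later.
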
> diff -urpN linux-2.6.orig/security/selinux/nlmsgtab.c linux-2.6.patch/security/selinux/nlmsgtab.c
> --- linux-2.6.orig/security/selinux/nlmsgtab.c	2006-04-28 15:02:20.000000000 -0500
> +++ linux-2.6.patch/security/selinux/nlmsgtab.c	2006-04-28 16:08:23.000000000 -0500
> @@ -109,6 +109,7 @@ static struct nlmsg_perm nlmsg_audit_per
>  	{ AUDIT_LIST_RULES,	NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
>  	{ AUDIT_ADD_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
>  	{ AUDIT_DEL_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
> +	{ AUDIT_DEL_ALL,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
>  	{ AUDIT_USER,		NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
>  	{ AUDIT_SIGNAL_INFO,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
>  };
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
> 
