From mboxrd@z Thu Jan  1 00:00:00 1970
From: Amy Griffis <amy.griffis@hp.com>
Subject: Re: [PATCH] make set_loginuid obey audit_enabled
Date: Tue, 13 Jun 2006 17:39:55 -0400
Message-ID: <20060613213955.GA30658@zk3.dec.com>
References: <200606120748.28174.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
In-Reply-To: <200606120748.28174.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve Grubb wrote:     [Mon Jun 12 2006, 07:48:28AM EDT]
> I was doing some testing and noticed that when the audit system was disabled,
> I was still getting messages about the loginuid being set. The following patch
> makes audit_set_loginuid look at in_syscall to determine if it should create
> an audit event. The loginuid will continue to be set as long as there is a context.

Do we really want to do away with these records?  The loginuid is used
in several records that can be logged even with syscall auditing
disabled, e.g. AUDIT_CONFIG_CHANGE records generated by AUDIT_SET
operations.

It seems like we would want the LOGIN records for a complete trail of
what happened.

> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> 
> 
> diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c linux-2.6.16.x86_64/kernel/auditsc.c
> --- linux-2.6.16.x86_64.orig/kernel/auditsc.c	2006-06-10 14:01:20.000000000 -0400
> +++ linux-2.6.16.x86_64/kernel/auditsc.c	2006-06-10 14:00:14.000000000 -0400
> @@ -1275,18 +1275,23 @@ void auditsc_get_stamp(struct audit_cont
>   */
>  int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
>  {
> -	if (task->audit_context) {
> -		struct audit_buffer *ab;
> +	struct audit_context *context = task->audit_context;
>  
> -		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> -		if (ab) {
> -			audit_log_format(ab, "login pid=%d uid=%u "
> -				"old auid=%u new auid=%u",
> -				task->pid, task->uid, 
> -				task->audit_context->loginuid, loginuid);
> -			audit_log_end(ab);
> +	if (context) {
> +		/* Only log if audit is enabled */
> +		if (context->in_syscall) {
> +			struct audit_buffer *ab;
> +
> +			ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> +			if (ab) {
> +				audit_log_format(ab, "login pid=%d uid=%u "
> +					"old auid=%u new auid=%u",
> +					task->pid, task->uid, 
> +					context->loginuid, loginuid);
> +				audit_log_end(ab);
> +			}
>  		}
> -		task->audit_context->loginuid = loginuid;
> +		context->loginuid = loginuid;
>  	}
>  	return 0;
>  }
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>