[PATCH 2/2] fix auditctl -D

Fri Apr 28 22:37:40 UTC 2006

The fix for the problem of auditctl -D not working
consists of two patches. One is the userspace patch
and the other is for the kernel.

Below is the kernel patch. I added AUDIT_DEL_ALL flag.

Regards,
Joy


diff -urpN linux-2.6.orig/include/linux/audit.h linux-2.6.patch/include/linux/audit.h

--- linux-2.6.orig/include/linux/audit.h	2006-04-28 15:01:38.000000000 -0500
+++ linux-2.6.patch/include/linux/audit.h	2006-04-28 16:10:06.000000000 -0500
@@ -63,6 +63,7 @@
 #define AUDIT_ADD_RULE		1011	/* Add syscall filtering rule */
 #define AUDIT_DEL_RULE		1012	/* Delete syscall filtering rule */
 #define AUDIT_LIST_RULES	1013	/* List syscall filtering rules */
+#define AUDIT_DEL_ALL		1014	/* Delete all syscall filtering rules */
 
 #define AUDIT_FIRST_USER_MSG	1100	/* Userspace messages mostly uninteresting to kernel */
 #define AUDIT_USER_AVC		1107	/* We filter this differently */
diff -urpN linux-2.6.orig/kernel/audit.c linux-2.6.patch/kernel/audit.c
--- linux-2.6.orig/kernel/audit.c	2006-04-28 15:01:37.000000000 -0500
+++ linux-2.6.patch/kernel/audit.c	2006-04-28 16:09:03.000000000 -0500
@@ -451,6 +451,7 @@ static int audit_netlink_ok(kernel_cap_t
 	case AUDIT_ADD_RULE:
 	case AUDIT_DEL:
 	case AUDIT_DEL_RULE:
+	case AUDIT_DEL_ALL:
 	case AUDIT_SIGNAL_INFO:
 		if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
 			err = -EPERM;
@@ -604,6 +605,7 @@ static int audit_receive_msg(struct sk_b
 		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
 			return -EINVAL;
 		/* fallthrough */
+	case AUDIT_DEL_ALL:
 	case AUDIT_LIST_RULES:
 		err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
 					   uid, seq, data, nlmsg_len(nlh),
diff -urpN linux-2.6.orig/kernel/auditfilter.c linux-2.6.patch/kernel/auditfilter.c
--- linux-2.6.orig/kernel/auditfilter.c	2006-04-28 15:01:37.000000000 -0500
+++ linux-2.6.patch/kernel/auditfilter.c	2006-04-28 16:09:13.000000000 -0500
@@ -1063,6 +1063,21 @@ static inline int audit_del_rule(struct 
 	return -ENOENT;		/* No matching rule */
 }
 
+/* Remove all rules from all filterlists. Protected by
+ * audit_netlink_mutex. */
+static void audit_del_all_rules(void)
+{
+	struct audit_entry *e, *e2;
+	int i;
+
+	for (i=0; i<AUDIT_NR_FILTERS; i++) {
+		list_for_each_entry_safe(e, e2, &audit_filter_list[i], list) {
+			list_del_rcu(&e->list);
+			call_rcu(&e->rcu, audit_free_rule_rcu);
+		}
+	}
+}
+
 /* List rules using struct audit_rule.  Exists for backward
  * compatibility with userspace. */
 static void audit_list(int pid, int seq, struct sk_buff_head *q)
@@ -1233,6 +1248,12 @@ int audit_receive_filter(int type, int p
 
 		audit_free_rule(entry);
 		break;
+	case AUDIT_DEL_ALL:
+		audit_del_all_rules();
+		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+			"auid=%u remove all rules res=%d\n",
+			loginuid, !err);
+		break;
 	default:
 		return -EINVAL;
 	}
diff -urpN linux-2.6.orig/security/selinux/nlmsgtab.c linux-2.6.patch/security/selinux/nlmsgtab.c
--- linux-2.6.orig/security/selinux/nlmsgtab.c	2006-04-28 15:02:20.000000000 -0500
+++ linux-2.6.patch/security/selinux/nlmsgtab.c	2006-04-28 16:08:23.000000000 -0500
@@ -109,6 +109,7 @@ static struct nlmsg_perm nlmsg_audit_per
 	{ AUDIT_LIST_RULES,	NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
 	{ AUDIT_ADD_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
 	{ AUDIT_DEL_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
+	{ AUDIT_DEL_ALL,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
 	{ AUDIT_USER,		NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
 	{ AUDIT_SIGNAL_INFO,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
 };


