[PATCH 2/2] fix auditctl -D

Amy Griffis amy.griffis at hp.com
Mon May 1 15:18:24 UTC 2006


Joy Latten wrote:     [Fri Apr 28 2006, 06:37:40PM EDT]
> The fix for the problem of auditctl -D not working
> consists of two patches. One is the userspace patch
> and the other is for the kernel.
> 
> Below is the kernel patch. It adds a new AUDIT_DEL_ALL netlink message type.
> 
> Regards,
> Joy
> 
> 
> diff -urpN linux-2.6.orig/include/linux/audit.h linux-2.6.patch/include/linux/audit.h
> --- linux-2.6.orig/include/linux/audit.h	2006-04-28 15:01:38.000000000 -0500
> +++ linux-2.6.patch/include/linux/audit.h	2006-04-28 16:10:06.000000000 -0500
> @@ -63,6 +63,7 @@
>  #define AUDIT_ADD_RULE		1011	/* Add syscall filtering rule */
>  #define AUDIT_DEL_RULE		1012	/* Delete syscall filtering rule */
>  #define AUDIT_LIST_RULES	1013	/* List syscall filtering rules */
> +#define AUDIT_DEL_ALL		1014	/* Delete all syscall filtering rules */
>  
>  #define AUDIT_FIRST_USER_MSG	1100	/* Userspace messages mostly uninteresting to kernel */
>  #define AUDIT_USER_AVC		1107	/* We filter this differently */
> diff -urpN linux-2.6.orig/kernel/audit.c linux-2.6.patch/kernel/audit.c
> --- linux-2.6.orig/kernel/audit.c	2006-04-28 15:01:37.000000000 -0500
> +++ linux-2.6.patch/kernel/audit.c	2006-04-28 16:09:03.000000000 -0500
> @@ -451,6 +451,7 @@ static int audit_netlink_ok(kernel_cap_t
>  	case AUDIT_ADD_RULE:
>  	case AUDIT_DEL:
>  	case AUDIT_DEL_RULE:
> +	case AUDIT_DEL_ALL:
>  	case AUDIT_SIGNAL_INFO:
>  		if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
>  			err = -EPERM;
> @@ -604,6 +605,7 @@ static int audit_receive_msg(struct sk_b
>  		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
>  			return -EINVAL;
>  		/* fallthrough */
> +	case AUDIT_DEL_ALL:
>  	case AUDIT_LIST_RULES:
>  		err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
>  					   uid, seq, data, nlmsg_len(nlh),
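Review bot: The new `case AUDIT_DEL_ALL:` label sits directly under the `/* fallthrough */` from the AUDIT_ADD_RULE/AUDIT_DEL_RULE size check, so a reader can easily assume the `nlmsg_len(nlh) < sizeof(struct audit_rule_data)` check covers it; it does not, which is correct only because this request carries no rule payload. Suggest marking that on the added line: `case AUDIT_DEL_ALL:	/* no payload; nothing to size-check */`. Because `data` and `nlmsg_len(nlh)` are still passed down unvalidated for this type, the AUDIT_DEL_ALL arm in audit_receive_filter must never dereference `data`. The enclosing switch continues outside the hunk.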
> diff -urpN linux-2.6.orig/kernel/auditfilter.c linux-2.6.patch/kernel/auditfilter.c
> --- linux-2.6.orig/kernel/auditfilter.c	2006-04-28 15:01:37.000000000 -0500
> +++ linux-2.6.patch/kernel/auditfilter.c	2006-04-28 16:09:13.000000000 -0500
> @@ -1063,6 +1063,21 @@ static inline int audit_del_rule(struct 
>  	return -ENOENT;		/* No matching rule */
>  }
>  
> +/* Remove all rules from all filterlists. Protected by
> + * audit_netlink_mutex. */

Just a heads up...

As long as this patch stays in front of the filesystem auditing
patches in the queue (likely), this locking is okay.  Otherwise the
removal needs to be protected by audit_filter_mutex.

> +static void audit_del_all_rules(void)
> +{
> +	struct audit_entry *e, *e2;
> +	int i;
> +
> +	for (i=0; i<AUDIT_NR_FILTERS; i++) {
> +		list_for_each_entry_safe(e, e2, &audit_filter_list[i], list) {
> +			list_del_rcu(&e->list);
> +			call_rcu(&e->rcu, audit_free_rule_rcu);
> +		}
> +	}
> +}
> +
>  /* List rules using struct audit_rule.  Exists for backward
>   * compatibility with userspace. */
>  static void audit_list(int pid, int seq, struct sk_buff_head *q)
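Review bot: audit_del_all_rules() walks every list in audit_filter_list[0..AUDIT_NR_FILTERS), while the AUDIT_DEL_ALL define in audit.h describes the operation as removing "syscall filtering rules"; if that array also holds the user-message or per-type filter lists (not visible here), those are flushed too and the comment should say so. Suggest the header comment `/* Remove every rule from every filterlist (not only the syscall lists); entries are freed via RCU. Protected by audit_netlink_mutex. */`. The function returns nothing, so the caller cannot tell whether any rule was actually removed; returning a count (`int n = 0;` … `n++;` next to `list_del_rcu`, `return n;`) would let the CONFIG_CHANGE record carry it. audit_free_rule_rcu and the list definitions are outside the hunk.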
> @@ -1233,6 +1248,12 @@ int audit_receive_filter(int type, int p
>  
>  		audit_free_rule(entry);
>  		break;
> +	case AUDIT_DEL_ALL:
> +		audit_del_all_rules();
> +		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> +			"auid=%u remove all rules res=%d\n",
> +			loginuid, !err);
> +		break;
>  	default:
>  		return -EINVAL;
>  	}
> diff -urpN linux-2.6.orig/security/selinux/nlmsgtab.c linux-2.6.patch/security/selinux/nlmsgtab.c
> --- linux-2.6.orig/security/selinux/nlmsgtab.c	2006-04-28 15:02:20.000000000 -0500
> +++ linux-2.6.patch/security/selinux/nlmsgtab.c	2006-04-28 16:08:23.000000000 -0500
> @@ -109,6 +109,7 @@ static struct nlmsg_perm nlmsg_audit_per
>  	{ AUDIT_LIST_RULES,	NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
>  	{ AUDIT_ADD_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
>  	{ AUDIT_DEL_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
> +	{ AUDIT_DEL_ALL,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
>  	{ AUDIT_USER,		NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
>  	{ AUDIT_SIGNAL_INFO,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
>  };
> 
> 



