Commit 674d85eb authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'audit-pr-20200330' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore:
 "We've got two audit patches for the v5.7 merge window with a stellar
  14 lines changed between the two patches. The patch descriptions are
  far more lengthy than the patches themselves, which is a very good
  thing for patches this size IMHO. The patches pass our test suites and
  a quick summary is below:

   - Stop logging inode information when updating an audit file watch.

     Since we are not changing the inode, or the fact that we are
     watching the associated file, the inode information is just noise
     that we can do without.

   - Fix a problem where mandatory audit records were missing their
     accompanying audit records (e.g. SYSCALL records were missing).

     The missing records often meant that we didn't have the necessary
     context to understand what was going on when the event occurred"

* tag 'audit-pr-20200330' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
  audit: trigger accompanying records when no rules present
  audit: CONFIG_CHANGE don't log internal bookkeeping as an event
parents 645c248d 1320a405
...@@ -1800,6 +1800,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, ...@@ -1800,6 +1800,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
} }
audit_get_stamp(ab->ctx, &t, &serial); audit_get_stamp(ab->ctx, &t, &serial);
audit_clear_dummy(ab->ctx);
audit_log_format(ab, "audit(%llu.%03lu:%u): ", audit_log_format(ab, "audit(%llu.%03lu:%u): ",
(unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial); (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
......
...@@ -290,6 +290,13 @@ extern int audit_signal_info_syscall(struct task_struct *t); ...@@ -290,6 +290,13 @@ extern int audit_signal_info_syscall(struct task_struct *t);
extern void audit_filter_inodes(struct task_struct *tsk, extern void audit_filter_inodes(struct task_struct *tsk,
struct audit_context *ctx); struct audit_context *ctx);
extern struct list_head *audit_killed_trees(void); extern struct list_head *audit_killed_trees(void);
static inline void audit_clear_dummy(struct audit_context *ctx)
{
if (ctx)
ctx->dummy = 0;
}
#else /* CONFIG_AUDITSYSCALL */ #else /* CONFIG_AUDITSYSCALL */
#define auditsc_get_stamp(c, t, s) 0 #define auditsc_get_stamp(c, t, s) 0
#define audit_put_watch(w) {} #define audit_put_watch(w) {}
...@@ -323,6 +330,7 @@ static inline int audit_signal_info_syscall(struct task_struct *t) ...@@ -323,6 +330,7 @@ static inline int audit_signal_info_syscall(struct task_struct *t)
} }
#define audit_filter_inodes(t, c) AUDIT_DISABLED #define audit_filter_inodes(t, c) AUDIT_DISABLED
#define audit_clear_dummy(c) {}
#endif /* CONFIG_AUDITSYSCALL */ #endif /* CONFIG_AUDITSYSCALL */
extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len); extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
......
...@@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent *parent, ...@@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent *parent,
if (oentry->rule.exe) if (oentry->rule.exe)
audit_remove_mark(oentry->rule.exe); audit_remove_mark(oentry->rule.exe);
audit_watch_log_rule_change(r, owatch, "updated_rules");
call_rcu(&oentry->rcu, audit_free_rule_rcu); call_rcu(&oentry->rcu, audit_free_rule_rcu);
} }
......
...@@ -1406,9 +1406,6 @@ static void audit_log_proctitle(void) ...@@ -1406,9 +1406,6 @@ static void audit_log_proctitle(void)
struct audit_context *context = audit_context(); struct audit_context *context = audit_context();
struct audit_buffer *ab; struct audit_buffer *ab;
if (!context || context->dummy)
return;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE); ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
if (!ab) if (!ab)
return; /* audit_panic or being filtered */ return; /* audit_panic or being filtered */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment