AUDIT: Optimise the audit-disabled case for discarding user messages
Also exempt USER_AVC message from being discarded to preserve existing behaviour for SE Linux. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This commit is contained in:
Родитель
f6a789d198
Коммит
4a4cd633b5
|
@ -51,7 +51,8 @@
|
||||||
#define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */
|
#define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */
|
||||||
#define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */
|
#define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */
|
||||||
|
|
||||||
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages uninteresting to kernel */
|
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
|
||||||
|
#define AUDIT_USER_AVC 1107 /* We filter this differently */
|
||||||
#define AUDIT_LAST_USER_MSG 1199
|
#define AUDIT_LAST_USER_MSG 1199
|
||||||
|
|
||||||
#define AUDIT_DAEMON_START 1200 /* Daemon startup record */
|
#define AUDIT_DAEMON_START 1200 /* Daemon startup record */
|
||||||
|
@ -235,7 +236,7 @@ extern int audit_socketcall(int nargs, unsigned long *args);
|
||||||
extern int audit_sockaddr(int len, void *addr);
|
extern int audit_sockaddr(int len, void *addr);
|
||||||
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
|
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
|
||||||
extern void audit_signal_info(int sig, struct task_struct *t);
|
extern void audit_signal_info(int sig, struct task_struct *t);
|
||||||
extern int audit_filter_user(struct task_struct *tsk, int type);
|
extern int audit_filter_user(int pid, int type);
|
||||||
#else
|
#else
|
||||||
#define audit_alloc(t) ({ 0; })
|
#define audit_alloc(t) ({ 0; })
|
||||||
#define audit_free(t) do { ; } while (0)
|
#define audit_free(t) do { ; } while (0)
|
||||||
|
@ -252,7 +253,7 @@ extern int audit_filter_user(struct task_struct *tsk, int type);
|
||||||
#define audit_sockaddr(len, addr) ({ 0; })
|
#define audit_sockaddr(len, addr) ({ 0; })
|
||||||
#define audit_avc_path(dentry, mnt) ({ 0; })
|
#define audit_avc_path(dentry, mnt) ({ 0; })
|
||||||
#define audit_signal_info(s,t) do { ; } while (0)
|
#define audit_signal_info(s,t) do { ; } while (0)
|
||||||
#define audit_filter_user(struct ({ 1; })
|
#define audit_filter_user(p,t) ({ 1; })
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef CONFIG_AUDIT
|
#ifdef CONFIG_AUDIT
|
||||||
|
|
|
@ -429,15 +429,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
|
||||||
break;
|
break;
|
||||||
case AUDIT_USER:
|
case AUDIT_USER:
|
||||||
case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
|
case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
|
||||||
read_lock(&tasklist_lock);
|
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
|
||||||
tsk = find_task_by_pid(pid);
|
return 0;
|
||||||
if (tsk)
|
|
||||||
get_task_struct(tsk);
|
|
||||||
read_unlock(&tasklist_lock);
|
|
||||||
if (!tsk)
|
|
||||||
return -ESRCH;
|
|
||||||
|
|
||||||
if (audit_enabled && audit_filter_user(tsk, msg_type)) {
|
err = audit_filter_user(pid, msg_type);
|
||||||
|
if (err == 1) {
|
||||||
|
err = 0;
|
||||||
ab = audit_log_start(NULL, msg_type);
|
ab = audit_log_start(NULL, msg_type);
|
||||||
if (ab) {
|
if (ab) {
|
||||||
audit_log_format(ab,
|
audit_log_format(ab,
|
||||||
|
@ -447,7 +444,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
|
||||||
audit_log_end(ab);
|
audit_log_end(ab);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
put_task_struct(tsk);
|
|
||||||
break;
|
break;
|
||||||
case AUDIT_ADD:
|
case AUDIT_ADD:
|
||||||
case AUDIT_DEL:
|
case AUDIT_DEL:
|
||||||
|
|
|
@ -530,22 +530,33 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
|
||||||
return AUDIT_BUILD_CONTEXT;
|
return AUDIT_BUILD_CONTEXT;
|
||||||
}
|
}
|
||||||
|
|
||||||
int audit_filter_user(struct task_struct *tsk, int type)
|
int audit_filter_user(int pid, int type)
|
||||||
{
|
{
|
||||||
|
struct task_struct *tsk;
|
||||||
struct audit_entry *e;
|
struct audit_entry *e;
|
||||||
enum audit_state state;
|
enum audit_state state;
|
||||||
|
int ret = 1;
|
||||||
|
|
||||||
if (audit_pid && tsk->pid == audit_pid)
|
read_lock(&tasklist_lock);
|
||||||
return AUDIT_DISABLED;
|
tsk = find_task_by_pid(pid);
|
||||||
|
if (tsk)
|
||||||
|
get_task_struct(tsk);
|
||||||
|
read_unlock(&tasklist_lock);
|
||||||
|
|
||||||
|
if (!tsk)
|
||||||
|
return -ESRCH;
|
||||||
|
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
|
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
|
||||||
if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
|
if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
|
||||||
rcu_read_unlock();
|
if (state == AUDIT_DISABLED)
|
||||||
return state != AUDIT_DISABLED;
|
ret = 0;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
put_task_struct(tsk);
|
||||||
|
|
||||||
return 1; /* Audit by default */
|
return 1; /* Audit by default */
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Загрузка…
Ссылка в новой задаче