[AUDIT] create context if auditing was ever enabled
Disabling audit at runtime via auditctl doesn't mean that we can
stop allocating contexts for new processes; we don't want to miss them
when auditing is re-enabled.

(based on work from Al Viro in the RHEL kernel series)

Signed-off-by: Eric Paris <eparis@redhat.com>
Eric Paris authored and Al Viro committed Feb 1, 2008
1 parent 50397bd commit b593d38
Showing 2 changed files with 15 additions and 4 deletions.
16 changes: 13 additions & 3 deletions kernel/audit.c
Expand Up @@ -70,6 +70,7 @@ static int audit_initialized;
#define AUDIT_ON 1
#define AUDIT_LOCKED 2
int audit_enabled;
int audit_ever_enabled;

/* Default state when kernel boots without any parameters. */
static int audit_default;
Expand Down Expand Up @@ -310,11 +311,17 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)

static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
{
int rc;
if (state < AUDIT_OFF || state > AUDIT_LOCKED)
return -EINVAL;

return audit_do_config_change("audit_enabled", &audit_enabled, state,
loginuid, sid);
rc = audit_do_config_change("audit_enabled", &audit_enabled, state,
loginuid, sid);

if (!rc)
audit_ever_enabled |= !!state;

return rc;
}

static int audit_set_failure(int state, uid_t loginuid, u32 sid)
Expand Down Expand Up @@ -857,6 +864,7 @@ static int __init audit_init(void)
skb_queue_head_init(&audit_skb_queue);
audit_initialized = 1;
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;

/* Register the callback with selinux. This callback will be invoked
* when a new policy is loaded. */
Expand Down Expand Up @@ -884,8 +892,10 @@ static int __init audit_enable(char *str)
printk(KERN_INFO "audit: %s%s\n",
audit_default ? "enabled" : "disabled",
audit_initialized ? "" : " (after initialization)");
if (audit_initialized)
if (audit_initialized) {
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
}
return 1;
}

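Review bot: In audit_set_enabled the sticky flag is raised only after audit_do_config_change() returns, so if that helper stores the new audit_enabled value before returning (its body is outside this hunk), a task forked in that window sees audit_enabled set but audit_ever_enabled still clear, and audit_alloc() skips its context — exactly the miss the commit sets out to prevent. Because audit_ever_enabled is only a one-way "may need a context" hint, raising it before the change is attempted is harmless even if the change is refused: `if (state) audit_ever_enabled = 1;` ahead of the call, then `return audit_do_config_change(...)` directly, dropping the `if (!rc)` block. The new global at the top of the file should also carry a comment stating its contract, e.g. `/* Set once auditing has been enabled at any point since boot and never cleared; audit_alloc() keys off this so tasks created while audit is temporarily off still get a context. */`. Reads and writes remain plain int accesses, which matches how audit_enabled is already handled here.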
3 changes: 2 additions & 1 deletion kernel/auditsc.c
Expand Up @@ -70,6 +70,7 @@
#include "audit.h"

extern struct list_head audit_filter_list[];
extern int audit_ever_enabled;

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
* for saving names from getname(). */
Expand Down Expand Up @@ -838,7 +839,7 @@ int audit_alloc(struct task_struct *tsk)
struct audit_context *context;
enum audit_state state;

if (likely(!audit_enabled))
if (likely(!audit_ever_enabled))
return 0; /* Return if not auditing. */

state = audit_filter_task(tsk);
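Review bot: The `extern int audit_ever_enabled;` added next to the existing audit_filter_list extern is a file-local declaration of a variable defined in kernel/audit.c; since this file already includes "audit.h", the declaration belongs there so the type cannot silently drift from the definition. The early-return comment in audit_alloc is now misleading, because the function returns only when auditing has never been enabled, not when it is merely off at the moment — change it to `return 0; /* never audited since boot: no context needed */` or similar. audit_alloc's body continues past the end of the hunk.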
