audit: force seccomp event logging to honor the audit_enabled flag
Previously we were emitting seccomp audit records regardless of the audit_enabled setting, a departure from the rest of audit. This patch makes seccomp auditing consistent with the rest of the audit record generation code in that when audit_enabled=0 nothing is logged by the audit subsystem. The bulk of this patch is moving the CONFIG_AUDIT block ahead of the CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real code change was in the audit_seccomp() definition. Signed-off-by: Tony Jones <tonyj@suse.de> Signed-off-by: Paul Moore <pmoore@redhat.com>
parent
d865e573b8
commit
96368701e1
1 changed files with 104 additions and 100 deletions
@ -113,6 +113,107 @@ struct filename;
|
|||
|
||||
extern void audit_log_session_info(struct audit_buffer *ab);
|
||||
|
||||
#ifdef CONFIG_AUDIT
|
||||
/* These are defined in audit.c */
|
||||
/* Public API */
|
||||
extern __printf(4, 5)
|
||||
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
|
||||
const char *fmt, ...);
|
||||
|
||||
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
|
||||
extern __printf(2, 3)
|
||||
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
|
||||
extern void audit_log_end(struct audit_buffer *ab);
|
||||
extern bool audit_string_contains_control(const char *string,
|
||||
size_t len);
|
||||
extern void audit_log_n_hex(struct audit_buffer *ab,
|
||||
const unsigned char *buf,
|
||||
size_t len);
|
||||
extern void audit_log_n_string(struct audit_buffer *ab,
|
||||
const char *buf,
|
||||
size_t n);
|
||||
extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
|
||||
const char *string,
|
||||
size_t n);
|
||||
extern void audit_log_untrustedstring(struct audit_buffer *ab,
|
||||
const char *string);
|
||||
extern void audit_log_d_path(struct audit_buffer *ab,
|
||||
const char *prefix,
|
||||
const struct path *path);
|
||||
extern void audit_log_key(struct audit_buffer *ab,
|
||||
char *key);
|
||||
extern void audit_log_link_denied(const char *operation,
|
||||
struct path *link);
|
||||
extern void audit_log_lost(const char *message);
|
||||
#ifdef CONFIG_SECURITY
|
||||
extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
|
||||
#else
|
||||
static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
|
||||
{ }
|
||||
#endif
|
||||
|
||||
extern int audit_log_task_context(struct audit_buffer *ab);
|
||||
extern void audit_log_task_info(struct audit_buffer *ab,
|
||||
struct task_struct *tsk);
|
||||
|
||||
extern int audit_update_lsm_rules(void);
|
||||
|
||||
/* Private API (for audit.c only) */
|
||||
extern int audit_filter_user(int type);
|
||||
extern int audit_filter_type(int type);
|
||||
extern int audit_rule_change(int type, __u32 portid, int seq,
|
||||
void *data, size_t datasz);
|
||||
extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
|
||||
|
||||
extern u32 audit_enabled;
|
||||
#else /* CONFIG_AUDIT */
|
||||
static inline __printf(4, 5)
|
||||
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
|
||||
const char *fmt, ...)
|
||||
{ }
|
||||
static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
|
||||
gfp_t gfp_mask, int type)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
static inline __printf(2, 3)
|
||||
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
|
||||
{ }
|
||||
static inline void audit_log_end(struct audit_buffer *ab)
|
||||
{ }
|
||||
static inline void audit_log_n_hex(struct audit_buffer *ab,
|
||||
const unsigned char *buf, size_t len)
|
||||
{ }
|
||||
static inline void audit_log_n_string(struct audit_buffer *ab,
|
||||
const char *buf, size_t n)
|
||||
{ }
|
||||
static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
|
||||
const char *string, size_t n)
|
||||
{ }
|
||||
static inline void audit_log_untrustedstring(struct audit_buffer *ab,
|
||||
const char *string)
|
||||
{ }
|
||||
static inline void audit_log_d_path(struct audit_buffer *ab,
|
||||
const char *prefix,
|
||||
const struct path *path)
|
||||
{ }
|
||||
static inline void audit_log_key(struct audit_buffer *ab, char *key)
|
||||
{ }
|
||||
static inline void audit_log_link_denied(const char *string,
|
||||
const struct path *link)
|
||||
{ }
|
||||
static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
|
||||
{ }
|
||||
static inline int audit_log_task_context(struct audit_buffer *ab)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
static inline void audit_log_task_info(struct audit_buffer *ab,
|
||||
struct task_struct *tsk)
|
||||
{ }
|
||||
#define audit_enabled 0
|
||||
#endif /* CONFIG_AUDIT */
|
||||
|
||||
#ifdef CONFIG_AUDIT_COMPAT_GENERIC
|
||||
#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT))
|
||||
#else
|
||||
|
@ -212,6 +313,9 @@ void audit_core_dumps(long signr);
|
|||
|
||||
static inline void audit_seccomp(unsigned long syscall, long signr, int code)
|
||||
{
|
||||
if (!audit_enabled)
|
||||
return;
|
||||
|
||||
/* Force a record to be reported if a signal was delivered. */
|
||||
if (signr || unlikely(!audit_dummy_context()))
|
||||
__audit_seccomp(syscall, signr, code);
|
||||
|
@ -446,106 +550,6 @@ static inline bool audit_loginuid_set(struct task_struct *tsk)
|
|||
return uid_valid(audit_get_loginuid(tsk));
|
||||
}
|
||||
|
||||
#ifdef CONFIG_AUDIT
|
||||
/* These are defined in audit.c */
|
||||
/* Public API */
|
||||
extern __printf(4, 5)
|
||||
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
|
||||
const char *fmt, ...);
|
||||
|
||||
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
|
||||
extern __printf(2, 3)
|
||||
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
|
||||
extern void audit_log_end(struct audit_buffer *ab);
|
||||
extern bool audit_string_contains_control(const char *string,
|
||||
size_t len);
|
||||
extern void audit_log_n_hex(struct audit_buffer *ab,
|
||||
const unsigned char *buf,
|
||||
size_t len);
|
||||
extern void audit_log_n_string(struct audit_buffer *ab,
|
||||
const char *buf,
|
||||
size_t n);
|
||||
extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
|
||||
const char *string,
|
||||
size_t n);
|
||||
extern void audit_log_untrustedstring(struct audit_buffer *ab,
|
||||
const char *string);
|
||||
extern void audit_log_d_path(struct audit_buffer *ab,
|
||||
const char *prefix,
|
||||
const struct path *path);
|
||||
extern void audit_log_key(struct audit_buffer *ab,
|
||||
char *key);
|
||||
extern void audit_log_link_denied(const char *operation,
|
||||
struct path *link);
|
||||
extern void audit_log_lost(const char *message);
|
||||
#ifdef CONFIG_SECURITY
|
||||
extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
|
||||
#else
|
||||
static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
|
||||
{ }
|
||||
#endif
|
||||
|
||||
extern int audit_log_task_context(struct audit_buffer *ab);
|
||||
extern void audit_log_task_info(struct audit_buffer *ab,
|
||||
struct task_struct *tsk);
|
||||
|
||||
extern int audit_update_lsm_rules(void);
|
||||
|
||||
/* Private API (for audit.c only) */
|
||||
extern int audit_filter_user(int type);
|
||||
extern int audit_filter_type(int type);
|
||||
extern int audit_rule_change(int type, __u32 portid, int seq,
|
||||
void *data, size_t datasz);
|
||||
extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
|
||||
|
||||
extern u32 audit_enabled;
|
||||
#else /* CONFIG_AUDIT */
|
||||
static inline __printf(4, 5)
|
||||
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
|
||||
const char *fmt, ...)
|
||||
{ }
|
||||
static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
|
||||
gfp_t gfp_mask, int type)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
static inline __printf(2, 3)
|
||||
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
|
||||
{ }
|
||||
static inline void audit_log_end(struct audit_buffer *ab)
|
||||
{ }
|
||||
static inline void audit_log_n_hex(struct audit_buffer *ab,
|
||||
const unsigned char *buf, size_t len)
|
||||
{ }
|
||||
static inline void audit_log_n_string(struct audit_buffer *ab,
|
||||
const char *buf, size_t n)
|
||||
{ }
|
||||
static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
|
||||
const char *string, size_t n)
|
||||
{ }
|
||||
static inline void audit_log_untrustedstring(struct audit_buffer *ab,
|
||||
const char *string)
|
||||
{ }
|
||||
static inline void audit_log_d_path(struct audit_buffer *ab,
|
||||
const char *prefix,
|
||||
const struct path *path)
|
||||
{ }
|
||||
static inline void audit_log_key(struct audit_buffer *ab, char *key)
|
||||
{ }
|
||||
static inline void audit_log_link_denied(const char *string,
|
||||
const struct path *link)
|
||||
{ }
|
||||
static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
|
||||
{ }
|
||||
static inline int audit_log_task_context(struct audit_buffer *ab)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
static inline void audit_log_task_info(struct audit_buffer *ab,
|
||||
struct task_struct *tsk)
|
||||
{ }
|
||||
#define audit_enabled 0
|
||||
#endif /* CONFIG_AUDIT */
|
||||
static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
|
||||
{
|
||||
audit_log_n_string(ab, buf, strlen(buf));
|
||||
|
|
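Review bot: The early `if (!audit_enabled) return;` in audit_seccomp means a SECCOMP_RET_KILL signal is no longer recorded when audit is disabled, yet the comment two lines below still says a record is forced whenever a signal was delivered; update it to `/* Audit enabled: force a record if a signal was delivered. */` so readers do not expect kill events on systems without an audit daemon. Since audit_enabled=0 is the usual state when no auditd is running, this is a visibility regression for seccomp kills that the commit message should call out for operators who rely on those records. In the relocated block, the `!CONFIG_AUDIT` stub `audit_log_link_denied(const char *string, const struct path *link)` does not match the `extern` prototype `audit_log_link_denied(const char *operation, struct path *link)`; the mismatch predates this patch (it appears in the deleted hunk too) but now sits in the moved code and is worth aligning. The closing brace of audit_seccomp lies outside the second hunk.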