[RFC PATCH 1/5] audit: ensure that 'audit=1' actually enables audit for PID 1

Richard Guy Briggs rgb at redhat.com
Sat Sep 2 05:55:00 UTC 2017


On 2017-09-01 09:44, Paul Moore wrote:
> From: Paul Moore <paul at paul-moore.com>
> 
> Prior to this patch we enabled audit in audit_init(), which is too
> late for PID 1 as the standard initcalls are run after the PID 1 task
> is forked.  This means that we never allocate an audit_context (see
> audit_alloc()) for PID 1 and therefore miss a lot of audit events
> generated by PID 1.
> 
> This patch enables audit as early as possible to help ensure that when
> PID 1 is forked it can allocate an audit_context if required.

Ok, since I was certain this was working properly at some point, I
started to dig to find out why.  It appears this patch restores previous
behaviour and that this wasn't all useless code that was removed in this
previous commit:
	d3ca0344b21f04786219bf0f49647f24e4e17323 gaofeng 2013-10-31 
	("audit: remove useless code in audit_enable")

Reviewed-by: Richard Guy Briggs <rgb at redhat.com>

> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
>  kernel/audit.c |   10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index cb744085ea8d..33b00ec2157f 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -85,13 +85,13 @@ static int	audit_initialized;
>  #define AUDIT_OFF	0
>  #define AUDIT_ON	1
>  #define AUDIT_LOCKED	2
> -u32		audit_enabled;
> -u32		audit_ever_enabled;
> +u32		audit_enabled = AUDIT_OFF;
> +u32		audit_ever_enabled = !!AUDIT_OFF;
>  
>  EXPORT_SYMBOL_GPL(audit_enabled);
>  
>  /* Default state when kernel boots without any parameters. */
> -static u32	audit_default;
> +static u32	audit_default = AUDIT_OFF;
>  
>  /* If auditing cannot proceed, audit_failure selects what happens. */
>  static u32	audit_failure = AUDIT_FAIL_PRINTK;
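Review bot: the three new initializers in this hunk do not change any value: AUDIT_OFF is 0, so `audit_enabled = AUDIT_OFF;`, `audit_ever_enabled = !!AUDIT_OFF;` and `audit_default = AUDIT_OFF;` all yield the same zero that static storage already gets implicitly. As documentation of intent they are fine, since audit_init() no longer copies audit_default into audit_enabled, but `!!AUDIT_OFF` reads as if audit_ever_enabled could take a non-boolean constant; `audit_ever_enabled = AUDIT_OFF;` (or a plain 0) with a short comment saying that the audit= boot parameter handler is now the only place these are set before audit_init() would say the same thing more directly.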
> @@ -1548,8 +1548,6 @@ static int __init audit_init(void)
>  	register_pernet_subsys(&audit_net_ops);
>  
>  	audit_initialized = AUDIT_INITIALIZED;
> -	audit_enabled = audit_default;
> -	audit_ever_enabled |= !!audit_default;
>  
>  	kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
>  	if (IS_ERR(kauditd_task)) {
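Review bot: dropping `audit_enabled = audit_default;` here means audit_enabled no longer follows audit_default in the no-parameter case at all; this is only correct because both variables are initialised to AUDIT_OFF in the first hunk, so the two defaults now have to be kept in sync by hand. A one-line comment at the audit_default definition (or in the commit message) that audit_init() deliberately leaves audit_enabled alone would prevent someone from "fixing" this later. In the lines visible in this patch audit_default is written only in audit_enable() and read back only for the pr_info() there, so it is also worth checking whether it still has another reader or can be dropped.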
> @@ -1571,6 +1569,8 @@ static int __init audit_enable(char *str)
>  	audit_default = !!simple_strtol(str, NULL, 0);
>  	if (!audit_default)
>  		audit_initialized = AUDIT_DISABLED;
> +	audit_enabled = audit_default;
> +	audit_ever_enabled = !!audit_enabled;
>  
>  	pr_info("%s\n", audit_default ?
>  		"enabled (after initialization)" : "disabled (until reboot)");
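Review bot: `audit_ever_enabled = !!audit_enabled;` is a plain assignment, whereas the line it replaces in audit_init() used `|=`; the boot parameter handler runs once per occurrence of `audit=` on the command line, so `audit=1 audit=0` now ends with audit_ever_enabled == 0 even though auditing was enabled in between, where the old code would have left it at 1. Suggest keeping the accumulating form, `audit_ever_enabled |= !!audit_enabled;`. The `!!` on audit_enabled is also redundant, since audit_default is already `!!simple_strtol(str, NULL, 0)` one line above. Finally, the "enabled (after initialization)" string in the pr_info() below no longer describes what happens: audit_enabled is now set right here in the parser, before audit_init() has run and before kauditd exists, so it is worth confirming that the logging path keys off audit_initialized and not audit_enabled alone.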

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635