[RFC PATCH 1/5] audit: ensure that 'audit=1' actually enables audit for PID 1
Richard Guy Briggs
rgb at redhat.com
Sat Sep 2 05:55:00 UTC 2017
On 2017-09-01 09:44, Paul Moore wrote:
> From: Paul Moore <paul at paul-moore.com>
>
> Prior to this patch we enabled audit in audit_init(), which is too
> late for PID 1 as the standard initcalls are run after the PID 1 task
> is forked. This means that we never allocate an audit_context (see
> audit_alloc()) for PID 1 and therefore miss a lot of audit events
> generated by PID 1.
>
> This patch enables audit as early as possible to help ensure that when
> PID 1 is forked it can allocate an audit_context if required.
Ok, since I was certain this was working properly at some point, I
started to dig to find out why. It appears this patch restores previous
behaviour and that this wasn't all useless code that was removed in this
previous commit:
d3ca0344b21f04786219bf0f49647f24e4e17323 gaofeng 2013-10-31
("audit: remove useless code in audit_enable")
Reviewed-by: Richard Guy Briggs <rgb at redhat.com>
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
> kernel/audit.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index cb744085ea8d..33b00ec2157f 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -85,13 +85,13 @@ static int audit_initialized;
> #define AUDIT_OFF 0
> #define AUDIT_ON 1
> #define AUDIT_LOCKED 2
> -u32 audit_enabled;
> -u32 audit_ever_enabled;
> +u32 audit_enabled = AUDIT_OFF;
> +u32 audit_ever_enabled = !!AUDIT_OFF;
>
> EXPORT_SYMBOL_GPL(audit_enabled);
>
> /* Default state when kernel boots without any parameters. */
> -static u32 audit_default;
> +static u32 audit_default = AUDIT_OFF;
>
> /* If auditing cannot proceed, audit_failure selects what happens. */
> static u32 audit_failure = AUDIT_FAIL_PRINTK;
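Review bot: `u32 audit_ever_enabled = !!AUDIT_OFF;` in this hunk is a roundabout way of writing 0; applying `!!` to a constant reads as if something were being computed. Either write `= 0` (which is what the old uninitialised declaration already meant) or, if the point is that it mirrors audit_default's starting value, say so in a comment, because after this patch audit_enabled, audit_ever_enabled and audit_default have three separate initializers that must be kept in agreement by hand now that audit_init() no longer copies audit_default into the live flags at boot.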
> @@ -1548,8 +1548,6 @@ static int __init audit_init(void)
> register_pernet_subsys(&audit_net_ops);
>
> audit_initialized = AUDIT_INITIALIZED;
> - audit_enabled = audit_default;
> - audit_ever_enabled |= !!audit_default;
>
> kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
> if (IS_ERR(kauditd_task)) {
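Review bot: with `audit_enabled = audit_default;` and `audit_ever_enabled |= !!audit_default;` dropped from audit_init(), nothing here any longer ties the live state to audit_default, and a reader of this function will look for the assignment that used to follow `audit_initialized = AUDIT_INITIALIZED;`. A one-line comment saying that audit_enabled is now set either by its static initializer or by the `audit=` handler would help, and the commit message should state that boots without `audit=` behave as before only because audit_default and audit_enabled share the same AUDIT_OFF initializer.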
> @@ -1571,6 +1569,8 @@ static int __init audit_enable(char *str)
> audit_default = !!simple_strtol(str, NULL, 0);
> if (!audit_default)
> audit_initialized = AUDIT_DISABLED;
> + audit_enabled = audit_default;
> + audit_ever_enabled = !!audit_enabled;
>
> pr_info("%s\n", audit_default ?
> "enabled (after initialization)" : "disabled (until reboot)");
>
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635