AUDIT: Optimise the audit-disabled case for discarding user messages
Also exempt USER_AVC message from being discarded to preserve existing behaviour for SE Linux. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This commit is contained in:
David Woodhouse
@@ -429,25 +429,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
|
||||
break;
|
||||
case AUDIT_USER:
|
||||
case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
|
||||
read_lock(&tasklist_lock);
|
||||
tsk = find_task_by_pid(pid);
|
||||
if (tsk)
|
||||
get_task_struct(tsk);
|
||||
read_unlock(&tasklist_lock);
|
||||
if (!tsk)
|
||||
return -ESRCH;
|
||||
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
|
||||
return 0;
|
||||
|
||||
if (audit_enabled && audit_filter_user(tsk, msg_type)) {
|
||||
ab = audit_log_start(NULL, msg_type);
|
||||
if (ab) {
|
||||
audit_log_format(ab,
|
||||
"user pid=%d uid=%u auid=%u msg='%.1024s'",
|
||||
pid, uid, loginuid, (char *)data);
|
||||
audit_set_pid(ab, pid);
|
||||
audit_log_end(ab);
|
||||
}
|
||||
err = audit_filter_user(pid, msg_type);
|
||||
if (err == 1) {
|
||||
err = 0;
|
||||
ab = audit_log_start(NULL, msg_type);
|
||||
if (ab) {
|
||||
audit_log_format(ab,
|
||||
"user pid=%d uid=%u auid=%u msg='%.1024s'",
|
||||
pid, uid, loginuid, (char *)data);
|
||||
audit_set_pid(ab, pid);
|
||||
audit_log_end(ab);
|
||||
}
|
||||
}
|
||||
put_task_struct(tsk);
|
||||
break;
|
||||
case AUDIT_ADD:
|
||||
case AUDIT_DEL:
|
||||
|
||||
@@ -530,22 +530,33 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
|
||||
return AUDIT_BUILD_CONTEXT;
|
||||
}
|
||||
|
||||
int audit_filter_user(struct task_struct *tsk, int type)
|
||||
int audit_filter_user(int pid, int type)
|
||||
{
|
||||
struct task_struct *tsk;
|
||||
struct audit_entry *e;
|
||||
enum audit_state state;
|
||||
int ret = 1;
|
||||
|
||||
if (audit_pid && tsk->pid == audit_pid)
|
||||
return AUDIT_DISABLED;
|
||||
read_lock(&tasklist_lock);
|
||||
tsk = find_task_by_pid(pid);
|
||||
if (tsk)
|
||||
get_task_struct(tsk);
|
||||
read_unlock(&tasklist_lock);
|
||||
|
||||
if (!tsk)
|
||||
return -ESRCH;
|
||||
|
||||
rcu_read_lock();
|
||||
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
|
||||
if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
|
||||
rcu_read_unlock();
|
||||
return state != AUDIT_DISABLED;
|
||||
if (state == AUDIT_DISABLED)
|
||||
ret = 0;
|
||||
break;
|
||||
}
|
||||
}
|
||||
rcu_read_unlock();
|
||||
put_task_struct(tsk);
|
||||
|
||||
return 1; /* Audit by default */
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user