Merge branch 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit

torvalds · torvalds · commit 51b3eae8dbe5 · 2016-03-19T17:52:49.000-07:00
Pull audit updates from Paul Moore:
 "A small set of patches for audit this time; just three in total and
  one is a spelling fix.

  The two patches with actual content are designed to help prevent new
  instances of auditd from displacing an existing, functioning auditd
  and to generate a log of the attempt.  Not to worry, dead/stuck auditd
  instances can still be replaced by a new instance without problem.

  Nothing controversial, and everything passes our regression suite"

* 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit:
  audit: Fix typo in comment
  audit: log failed attempts to change audit_pid configuration
  audit: stop an old auditd being starved out by a new auditd
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
@@ -110,6 +110,7 @@
 #define AUDIT_SECCOMP		1326	/* Secure Computing event */
 #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
+#define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
@@ -809,6 +809,16 @@ static int audit_set_feature(struct sk_buff *skb)
 	return 0;
 }
 
+static int audit_replace(pid_t pid)
+{
+	struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0,
+					       &pid, sizeof(pid));
+
+	if (!skb)
+		return -ENOMEM;
+	return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
+}
+
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
 	u32			seq;
@@ -870,9 +880,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		}
 		if (s.mask & AUDIT_STATUS_PID) {
 			int new_pid = s.pid;
+			pid_t requesting_pid = task_tgid_vnr(current);
 
-			if ((!new_pid) && (task_tgid_vnr(current) != audit_pid))
+			if ((!new_pid) && (requesting_pid != audit_pid)) {
+				audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
 				return -EACCES;
+			}
+			if (audit_pid && new_pid &&
+			    audit_replace(requesting_pid) != -ECONNREFUSED) {
+				audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
+				return -EEXIST;
+			}
 			if (audit_enabled != AUDIT_OFF)
 				audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
 			audit_pid = new_pid;
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
@@ -185,7 +185,7 @@ static struct audit_watch *audit_init_watch(char *path)
 	return watch;
 }
 
-/* Translate a watch string to kernel respresentation. */
+/* Translate a watch string to kernel representation. */
 int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op)
 {
 	struct audit_watch *watch;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
@@ -158,7 +158,7 @@ char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
 	return str;
 }
 
-/* Translate an inode field to kernel respresentation. */
+/* Translate an inode field to kernel representation. */
 static inline int audit_to_inode(struct audit_krule *krule,
 				 struct audit_field *f)
 {
@@ -415,7 +415,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	return 0;
 }
 
-/* Translate struct audit_rule_data to kernel's rule respresentation. */
+/* Translate struct audit_rule_data to kernel's rule representation. */
 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 					       size_t datasz)
 {
@@ -593,7 +593,7 @@ static inline size_t audit_pack_string(void **bufp, const char *str)
 	return len;
 }
 
-/* Translate kernel rule respresentation to struct audit_rule_data. */
+/* Translate kernel rule representation to struct audit_rule_data. */
 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 {
 	struct audit_rule_data *data;

Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,7 @@ static struct audit_watch audit_init_watch(char path)`
`185`	`185`	`return watch;`
`186`	`186`	`}`
`187`	`187`
`188`		`-/* Translate a watch string to kernel respresentation. */`
	`188`	`+/* Translate a watch string to kernel representation. */`
`189`	`189`	`int audit_to_watch(struct audit_krule krule, char path, int len, u32 op)`
`190`	`190`	`{`
`191`	`191`	`struct audit_watch *watch;`
Original file line number	Diff line number	Diff line change
`@@ -158,7 +158,7 @@ char audit_unpack_string(void bufp, size_t remain, size_t len)`
`158`	`158`	`return str;`
`159`	`159`	`}`
`160`	`160`
`161`		`-/* Translate an inode field to kernel respresentation. */`
	`161`	`+/* Translate an inode field to kernel representation. */`
`162`	`162`	`static inline int audit_to_inode(struct audit_krule *krule,`
`163`	`163`	`struct audit_field *f)`
`164`	`164`	`{`
`@@ -415,7 +415,7 @@ static int audit_field_valid(struct audit_entry entry, struct audit_field f)`
`415`	`415`	`return 0;`
`416`	`416`	`}`
`417`	`417`
`418`		`-/* Translate struct audit_rule_data to kernel's rule respresentation. */`
	`418`	`+/* Translate struct audit_rule_data to kernel's rule representation. */`
`419`	`419`	`static struct audit_entry audit_data_to_entry(struct audit_rule_data data,`
`420`	`420`	`size_t datasz)`
`421`	`421`	`{`
`@@ -593,7 +593,7 @@ static inline size_t audit_pack_string(void *bufp, const char str)`
`593`	`593`	`return len;`
`594`	`594`	`}`
`595`	`595`
`596`		`-/* Translate kernel rule respresentation to struct audit_rule_data. */`
	`596`	`+/* Translate kernel rule representation to struct audit_rule_data. */`
`597`	`597`	`static struct audit_rule_data audit_krule_to_data(struct audit_krule krule)`
`598`	`598`	`{`
`599`	`599`	`struct audit_rule_data *data;`