Merge branch 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit

Pull audit updates from Paul Moore:
 "A small set of patches for audit this time; just three in total and
  one is a spelling fix.

  The two patches with actual content are designed to help prevent new
  instances of auditd from displacing an existing, functioning auditd
  and to generate a log of the attempt.  Not to worry, dead/stuck auditd
  instances can still be replaced by a new instance without problem.

  Nothing controversial, and everything passes our regression suite"

* 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit:
  audit: Fix typo in comment
  audit: log failed attempts to change audit_pid configuration
  audit: stop an old auditd being starved out by a new auditd

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c398eb078d318a1a1c15d11b303a092110..d820aa979620b5f75b071dffbd73429bfc360282 100644 (file)
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -110,6 +110,7 @@
 #define AUDIT_SECCOMP          1326    /* Secure Computing event */
 #define AUDIT_PROCTITLE                1327    /* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature changes */
+#define AUDIT_REPLACE          1329    /* Replace auditd if this packet unanswerd */
 
 #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */

diff --git a/kernel/audit.c b/kernel/audit.c
index 2651e423b2dc5450da4bc3788c2a2688cc767ff6..678c3f000191be66aed944e764209ef5c2924b98 100644 (file)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -809,6 +809,16 @@ static int audit_set_feature(struct sk_buff *skb)
        return 0;
 }
 
+static int audit_replace(pid_t pid)
+{
+       struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0,
+                                              &pid, sizeof(pid));
+
+       if (!skb)
+               return -ENOMEM;
+       return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
+}
+
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
        u32                     seq;
@@ -870,9 +880,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                }
                if (s.mask & AUDIT_STATUS_PID) {
                        int new_pid = s.pid;
+                       pid_t requesting_pid = task_tgid_vnr(current);
 
-                       if ((!new_pid) && (task_tgid_vnr(current) != audit_pid))
+                       if ((!new_pid) && (requesting_pid != audit_pid)) {
+                               audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
                                return -EACCES;
+                       }
+                       if (audit_pid && new_pid &&
+                           audit_replace(requesting_pid) != -ECONNREFUSED) {
+                               audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
+                               return -EEXIST;
+                       }
                        if (audit_enabled != AUDIT_OFF)
                                audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
                        audit_pid = new_pid;

diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 9f194aad0adc0600ce257581315824f540eb9c0b..3cf1c5978d39e4fbc7f44826017bbdd755f6c9df 100644 (file)
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -185,7 +185,7 @@ static struct audit_watch *audit_init_watch(char *path)
        return watch;
 }
 
-/* Translate a watch string to kernel respresentation. */
+/* Translate a watch string to kernel representation. */
 int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op)
 {
        struct audit_watch *watch;

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b8ff9e193753614072d55b98b0bb46e2a8534880..94ca7b1e5e7eadd1053f1e01185c1a36320f52df 100644 (file)
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -158,7 +158,7 @@ char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
        return str;
 }
 
-/* Translate an inode field to kernel respresentation. */
+/* Translate an inode field to kernel representation. */
 static inline int audit_to_inode(struct audit_krule *krule,
                                 struct audit_field *f)
 {
@@ -415,7 +415,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
        return 0;
 }
 
-/* Translate struct audit_rule_data to kernel's rule respresentation. */
+/* Translate struct audit_rule_data to kernel's rule representation. */
 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                                               size_t datasz)
 {
@@ -593,7 +593,7 @@ static inline size_t audit_pack_string(void **bufp, const char *str)
        return len;
 }
 
-/* Translate kernel rule respresentation to struct audit_rule_data. */
+/* Translate kernel rule representation to struct audit_rule_data. */
 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 {
        struct audit_rule_data *data;