Commit 0868a5e1 authored Jul 25, 2013 by Tyler Hicks Committed by Eric Paris Nov 05, 2013

audit: printk USER_AVC messages when audit isn't enabled



When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.

AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
audit-disabled case for discarding user messages").

When audit_enabled is 0, audit_receive_msg() discards all user messages
except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
special case AUDIT_USER_AVC messages in both functions.

It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
introduced this bug.

Cc: <stable@kernel.org> # v2.6.25+
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>

parent d48d8051

kernel/audit.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -612,7 +612,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
		int rc = 0;
		uid_t uid = from_kuid(&init_user_ns, current_uid());

		if (!audit_enabled) {
		if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
		*ab = NULL;
		return rc;
		}

Admin message