linux-stable.git/kernel/audit.c, branch v6.12.91 Linux kernel stable tree audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV 2026-05-23T11:04:59+00:00 Sergio Correia scorreia@redhat.com 2026-05-12T13:28:59+00:00 d8505a318769e611ab9254ad602a83036d9e4eb0 commit f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 upstream. AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This allows a process with CAP_AUDIT_CONTROL to modify directory tree watches and equivalence mappings even when the audit configuration has been locked, undermining the purpose of the lock. Add AUDIT_LOCKED checks to both commands. Cc: stable@vger.kernel.org Reviewed-by: Ricardo Robaina <rrobaina@redhat.com> Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Sergio Correia <scorreia@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 upstream.

AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
allows a process with CAP_AUDIT_CONTROL to modify directory tree
watches and equivalence mappings even when the audit configuration
has been locked, undermining the purpose of the lock.

Add AUDIT_LOCKED checks to both commands.

Cc: stable@vger.kernel.org
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
audit: Make use of str_enabled_disabled() helper 2024-09-03T20:35:16+00:00 Hongbo Li lihongbo22@huawei.com 2024-08-31T09:52:51+00:00 8c1867a2f0fd4235b84da6b204519e830b551988 Use str_enabled_disabled() helper instead of open coding the same. Signed-off-by: Hongbo Li <lihongbo22@huawei.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
Use str_enabled_disabled() helper instead of open
coding the same.

Signed-off-by: Hongbo Li <lihongbo22@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: use task_tgid_nr() instead of task_pid_nr() 2024-08-28T20:48:28+00:00 Ricardo Robaina rrobaina@redhat.com 2024-08-28T11:25:06+00:00 61c60977926e15716f469577797cd86d0369cbaa In a few audit records, PIDs were being recorded with task_pid_nr() instead of task_tgid_nr(). $ grep "task_pid_nr" kernel/audit*.c audit.c: task_pid_nr(current), auditfilter.c: pid = task_pid_nr(current); auditsc.c: audit_log_format(ab, " pid=%u", task_pid_nr(current)); For single-thread applications, the process id (pid) and the thread group id (tgid) are the same. However, on multi-thread applications, task_pid_nr() returns the current thread id (user-space's TID), while task_tgid_nr() returns the main thread id (user-space's PID). Since the users are more interested in the process id (pid), rather than the thread id (tid), this patch converts these callers to the correct method. Link: https://github.com/linux-audit/audit-kernel/issues/126 Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Ricardo Robaina <rrobaina@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
In a few audit records, PIDs were being recorded with task_pid_nr()
instead of task_tgid_nr().

$ grep "task_pid_nr" kernel/audit*.c
audit.c:       task_pid_nr(current),
auditfilter.c: pid = task_pid_nr(current);
auditsc.c:     audit_log_format(ab, " pid=%u", task_pid_nr(current));

For single-thread applications, the process id (pid) and the thread
group id (tgid) are the same. However, on multi-thread applications,
task_pid_nr() returns the current thread id (user-space's TID), while
task_tgid_nr() returns the main thread id (user-space's PID). Since
the users are more interested in the process id (pid), rather than the
thread id (tid), this patch converts these callers to the correct method.

Link: https://github.com/linux-audit/audit-kernel/issues/126

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: use KMEM_CACHE() instead of kmem_cache_create() 2024-01-25T15:12:22+00:00 Kunwu Chan chentao@kylinos.cn 2024-01-24T06:02:24+00:00 aa13b709084a0287ef250a9fbde5993e4dfc3078 Use the new KMEM_CACHE() macro instead of direct kmem_cache_create to simplify the creation of SLAB caches. Signed-off-by: Kunwu Chan <chentao@kylinos.cn> [PM: subject line tweaks] Signed-off-by: Paul Moore <paul@paul-moore.com> 
Use the new KMEM_CACHE() macro instead of direct kmem_cache_create
to simplify the creation of SLAB caches.

Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
[PM: subject line tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: Send netlink ACK before setting connection in auditd_set 2023-11-13T03:33:49+00:00 Chris Riches chris.riches@nutanix.com 2023-10-18T09:23:51+00:00 022732e3d846e197539712e51ecada90ded0572a When auditd_set sets the auditd_conn pointer, audit messages can immediately be put on the socket by other kernel threads. If the backlog is large or the rate is high, this can immediately fill the socket buffer. If the audit daemon requested an ACK for this operation, a full socket buffer causes the ACK to get dropped, also setting ENOBUFS on the socket. To avoid this race and ensure ACKs get through, fast-track the ACK in this specific case to ensure it is sent before auditd_conn is set. Signed-off-by: Chris Riches <chris.riches@nutanix.com> [PM: fix some tab vs space damage] Signed-off-by: Paul Moore <paul@paul-moore.com> 
When auditd_set sets the auditd_conn pointer, audit messages can
immediately be put on the socket by other kernel threads. If the backlog
is large or the rate is high, this can immediately fill the socket
buffer. If the audit daemon requested an ACK for this operation, a full
socket buffer causes the ACK to get dropped, also setting ENOBUFS on the
socket.

To avoid this race and ensure ACKs get through, fast-track the ACK in
this specific case to ensure it is sent before auditd_conn is set.

Signed-off-by: Chris Riches <chris.riches@nutanix.com>
[PM: fix some tab vs space damage]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: move trailing statements to next line 2023-08-15T22:16:14+00:00 Atul Kumar Pant atulpant.linux@gmail.com 2023-08-15T20:47:51+00:00 b1a0f64cc65ea2ebfaae9e0ce623e993a7d24257 Fixes following checkpatch.pl issue: ERROR: trailing statements should be on next line Signed-off-by: Atul Kumar Pant <atulpant.linux@gmail.com> [PM: subject line tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 
Fixes following checkpatch.pl issue:
ERROR: trailing statements should be on next line

Signed-off-by: Atul Kumar Pant <atulpant.linux@gmail.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: include security.h unconditionally 2023-07-20T19:06:58+00:00 Xiu Jianfeng xiujianfeng@huawei.com 2023-07-20T01:50:32+00:00 be4187faa8a48cfef572eba9e3882fb2134bdf67 The ifdef-else logic is already in the header file, so include it unconditionally, no functional changes here. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> [PM: fixed misspelling in the subject] Signed-off-by: Paul Moore <paul@paul-moore.com> 
The ifdef-else logic is already in the header file, so include it
unconditionally, no functional changes here.

Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
[PM: fixed misspelling in the subject]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: use time_after to compare time 2022-08-29T23:47:03+00:00 wuchi wuchi.zero@gmail.com 2022-08-29T16:26:09+00:00 501e4bb102ee2f380ab94abbf3d35dff9d4719a2 Using time_{*} macro to compare time is better Signed-off-by: wuchi <wuchi.zero@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
Using time_{*} macro to compare time is better

Signed-off-by: wuchi <wuchi.zero@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: make is_audit_feature_set() static 2022-06-13T18:08:57+00:00 Xiu Jianfeng xiujianfeng@huawei.com 2022-06-11T09:23:04+00:00 546093206ba16623c18e344630dbfdd71a4327e0 Currently nobody use is_audit_feature_set() outside this file, so make it static. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
Currently nobody use is_audit_feature_set() outside this file, so make
it static.

Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: remove redundant data_len check 2022-06-07T19:41:34+00:00 Shreenidhi Shedi yesshedi@gmail.com 2022-05-15T07:31:09+00:00 5ee6cfdd11aaf5aee5cd48baf35b1710caa68a5c data_len is already getting checked if it's less than 2 earlier in this function. Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
data_len is already getting checked if it's less than 2 earlier in this
function.

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>