This adds a new 'audit feature' bit that userspace can set so that audit messages are always sent to kmsg, even when a userspace audit daemon is registered.
Signed-off-by: William Roberts <[email protected]> --- include/uapi/linux/audit.h | 3 ++- kernel/audit.c | 20 ++++++++++++++------ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 9539ea9..8464d7c 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -382,7 +382,8 @@ struct audit_features { #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0 #define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1 -#define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOGINUID_IMMUTABLE +#define AUDIT_FEATURE_ALWAYS_LOG_KMSG 2 +#define AUDIT_LAST_FEATURE AUDIT_FEATURE_ALWAYS_LOG_KMSG #define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE) #define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */ diff --git a/kernel/audit.c b/kernel/audit.c index 900d61d..e40328e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -145,9 +145,10 @@ static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION, .features = 0, .lock = 0,}; -static char *audit_feature_names[2] = { +static char *audit_feature_names[3] = { "only_unset_loginuid", "loginuid_immutable", + "log_kmsg_always" }; @@ -372,11 +373,8 @@ static void audit_hold_skb(struct sk_buff *skb) kfree_skb(skb); } -/* - * For one reason or another this nlh isn't getting delivered to the userspace - * audit daemon, just send it to printk. - */ -static void audit_printk_skb(struct sk_buff *skb) +/* Just printks the skb, no audit_hold or free of any kind */ +static void __audit_printk_skb(struct sk_buff *skb) { struct nlmsghdr *nlh = nlmsg_hdr(skb); char *data = nlmsg_data(nlh); @@ -387,7 +385,15 @@ static void audit_printk_skb(struct sk_buff *skb) else audit_log_lost("printk limit exceeded\n"); } +} +/* + * For one reason or another this nlh isn't getting delivered to the userspace + * audit daemon, just send it to printk. + */ +static void audit_printk_skb(struct sk_buff *skb) +{ + __audit_printk_skb(skb); audit_hold_skb(skb); } 
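Review bot: The new `AUDIT_FEATURE_ALWAYS_LOG_KMSG` define in include/uapi/linux/audit.h has no comment, and as a uapi bit its effect deserves one: with it set, every audit record is copied to the kernel log in addition to being queued for the daemon. I would add `/* copy every record to kmsg even when an audit daemon is registered */` above the define. The comment or the commit message should also say that the kernel log is often readable by a wider set of users than the audit log (depending on settings such as `dmesg_restrict`), so enabling the bit widens who can see audit data.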
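Review bot: The bound in `audit_feature_names[3]` is a literal that has to be bumped by hand for every new feature; if it ever falls behind `AUDIT_LAST_FEATURE`, any code that indexes the table by feature number would read past the end of the array. Sizing it as `static char *audit_feature_names[AUDIT_LAST_FEATURE + 1] = {` keeps the two in step. The new entry `"log_kmsg_always"` also orders its words differently from the macro `AUDIT_FEATURE_ALWAYS_LOG_KMSG` and drops the trailing comma the other entries carry; `"always_log_kmsg",` would match both.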
@@ -1800,6 +1806,8 @@ void audit_log_end(struct audit_buffer *ab) nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0); if (audit_pid) { + if(is_audit_feature_set(AUDIT_FEATURE_ALWAYS_LOG_KMSG)) + __audit_printk_skb(ab->skb); skb_queue_tail(&audit_skb_queue, ab->skb); wake_up_interruptible(&kauditd_wait); } else { -- 1.8.2.3 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
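Review bot: In `audit_log_end()` the new `__audit_printk_skb(ab->skb)` call sends every delivered record through the helper's `printk_ratelimit()` branch, so a burst of records reaches `audit_log_lost("printk limit exceeded\n")` even though each record is still queued for the daemon. `audit_log_lost()` is not shown in this patch; if it bumps the lost counter and applies the configured failure action, this feature could report losses, or trigger that action, for records that were in fact delivered. Consider giving the always-log path its own rate-limit handling that does not call `audit_log_lost()`. Separately, kernel style wants a space after `if`: `if (is_audit_feature_set(AUDIT_FEATURE_ALWAYS_LOG_KMSG))`. The body of `audit_log_end()` starts and ends outside the hunk.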
