From: Alexander Viro <aviro@redhat.com> Date: Wed, 21 Apr 2010 01:08:52 -0400 Subject: [audit] make sure filterkey rules are reported Message-id: <20100421010852.GE22181@shell.devel.redhat.com> Patchwork-id: 24271 O-Subject: Re: [rhel5][bz 579479] fixes (4/4) Bugzilla: 579479 RH-Acked-by: Eric Paris <eparis@redhat.com> RH-Acked-by: Rik van Riel <riel@redhat.com> [PATCH] make sure that filterkey of task,always rules is reported Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 16937dc..f3c2088 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -650,7 +650,7 @@ static int audit_filter_rules(struct task_struct *tsk, * completely disabled for this task. Since we only have the task * structure at this point, we can only check uid and gid. */ -static enum audit_state audit_filter_task(struct task_struct *tsk) +static enum audit_state audit_filter_task(struct task_struct *tsk, char **key) { struct audit_entry *e; enum audit_state state; @@ -658,6 +658,8 @@ static enum audit_state audit_filter_task(struct task_struct *tsk) rcu_read_lock(); list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { + if (state == AUDIT_RECORD_CONTEXT) + *key = kstrdup(e->rule.filterkey, GFP_ATOMIC); rcu_read_unlock(); return state; } @@ -862,18 +864,21 @@ int audit_alloc(struct task_struct *tsk) { struct audit_context *context; enum audit_state state; + char *key = NULL; if (likely(!audit_ever_enabled)) return 0; /* Return if not auditing. */ - state = audit_filter_task(tsk); + state = audit_filter_task(tsk, &key); if (likely(state == AUDIT_DISABLED)) return 0; if (!(context = audit_alloc_context(state))) { + kfree(key); audit_log_lost("out of memory in audit_alloc"); return -ENOMEM; } + context->filterkey = key; /* Preserve login uid */ context->loginuid = -1; @@ -1634,8 +1639,10 @@ void audit_syscall_exit(int valid, long return_code) context->aux_pids = NULL; context->target_pid = 0; context->target_sid = 0; - kfree(context->filterkey); - context->filterkey = NULL; + if (context->state != AUDIT_RECORD_CONTEXT) { + kfree(context->filterkey); + context->filterkey = NULL; + } tsk->audit_context = context; } }