The fix for the problem of auditctl -D not working
consists of two patches. One is the userspace patch
and the other is for the kernel.

Below is the kernel patch. I added AUDIT_DEL_ALL flag.

Regards,
Joy


diff -urpN linux-2.6.orig/include/linux/audit.h 
linux-2.6.patch/include/linux/audit.h
--- linux-2.6.orig/include/linux/audit.h        2006-04-28 15:01:38.000000000 
-0500
+++ linux-2.6.patch/include/linux/audit.h       2006-04-28 16:10:06.000000000 
-0500
@@ -63,6 +63,7 @@
 #define AUDIT_ADD_RULE         1011    /* Add syscall filtering rule */
 #define AUDIT_DEL_RULE         1012    /* Delete syscall filtering rule */
 #define AUDIT_LIST_RULES       1013    /* List syscall filtering rules */
+#define AUDIT_DEL_ALL          1014    /* Delete all syscall filtering rules */
 
 #define AUDIT_FIRST_USER_MSG   1100    /* Userspace messages mostly 
uninteresting to kernel */
 #define AUDIT_USER_AVC         1107    /* We filter this differently */
diff -urpN linux-2.6.orig/kernel/audit.c linux-2.6.patch/kernel/audit.c
--- linux-2.6.orig/kernel/audit.c       2006-04-28 15:01:37.000000000 -0500
+++ linux-2.6.patch/kernel/audit.c      2006-04-28 16:09:03.000000000 -0500
@@ -451,6 +451,7 @@ static int audit_netlink_ok(kernel_cap_t
        case AUDIT_ADD_RULE:
        case AUDIT_DEL:
        case AUDIT_DEL_RULE:
+       case AUDIT_DEL_ALL:
        case AUDIT_SIGNAL_INFO:
                if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
                        err = -EPERM;
@@ -604,6 +605,7 @@ static int audit_receive_msg(struct sk_b
                if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
                        return -EINVAL;
                /* fallthrough */
+       case AUDIT_DEL_ALL:
        case AUDIT_LIST_RULES:
                err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
                                           uid, seq, data, nlmsg_len(nlh),
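Review bot: The new `case AUDIT_DEL_ALL:` label is placed after the `nlmsg_len(nlh) < sizeof(struct audit_rule_data)` check and its fallthrough, so a delete-all request skips the payload-length validation that AUDIT_ADD_RULE/AUDIT_DEL_RULE go through. That looks intentional, since the message carries no rule body and the matching branch in audit_receive_filter never reads `data`, but the ordering is the only thing expressing it. A one-line comment above the new label would keep a later edit from "fixing" it: `/* AUDIT_DEL_ALL carries no payload: no audit_rule_data length check */`. audit_receive_msg's switch starts and ends outside this hunk.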
diff -urpN linux-2.6.orig/kernel/auditfilter.c 
linux-2.6.patch/kernel/auditfilter.c
--- linux-2.6.orig/kernel/auditfilter.c 2006-04-28 15:01:37.000000000 -0500
+++ linux-2.6.patch/kernel/auditfilter.c        2006-04-28 16:09:13.000000000 
-0500
@@ -1063,6 +1063,21 @@ static inline int audit_del_rule(struct 
        return -ENOENT;         /* No matching rule */
 }
 
+/* Remove all rules from all filterlists. Protected by
+ * audit_netlink_mutex. */
+static void audit_del_all_rules(void)
+{
+       struct audit_entry *e, *e2;
+       int i;
+
+       for (i=0; i<AUDIT_NR_FILTERS; i++) {
+               list_for_each_entry_safe(e, e2, &audit_filter_list[i], list) {
+                       list_del_rcu(&e->list);
+                       call_rcu(&e->rcu, audit_free_rule_rcu);
+               }
+       }
+}
+
 /* List rules using struct audit_rule.  Exists for backward
  * compatibility with userspace. */
 static void audit_list(int pid, int seq, struct sk_buff_head *q)
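Review bot: The loop header in audit_del_all_rules, `for (i=0; i<AUDIT_NR_FILTERS; i++) {`, omits the spaces around operators used elsewhere in this file; kernel style is `for (i = 0; i < AUDIT_NR_FILTERS; i++) {`. The header comment says the function is protected by audit_netlink_mutex, but nothing in this hunk takes or asserts the lock, so it would help to state where the guarantee comes from, e.g. `/* Remove all rules from all filterlists. Caller (audit_receive_filter) must hold audit_netlink_mutex. */` — assuming that is indeed the only caller, which is not visible here. The non-RCU `list_for_each_entry_safe` walk with `list_del_rcu`/`call_rcu` matches the deletion pattern of audit_del_rule whose tail is visible at the top of the hunk.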
@@ -1233,6 +1248,12 @@ int audit_receive_filter(int type, int p
 
                audit_free_rule(entry);
                break;
+       case AUDIT_DEL_ALL:
+               audit_del_all_rules();
+               audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                       "auid=%u remove all rules res=%d\n",
+                       loginuid, !err);
+               break;
        default:
                return -EINVAL;
        }
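Review bot: The new AUDIT_DEL_ALL branch logs `res=%d` from `!err`, but nothing in the branch assigns `err`; audit_del_all_rules is void and cannot fail, so the logged result is whatever `err` held on entry to the switch, which is declared outside this hunk and presumably initialised to 0. That makes the record correct only by accident of the surrounding code. Either set it explicitly before logging, `err = 0;`, or drop the variable and log the constant, `"auid=%u remove all rules res=1\n", loginuid`. audit_receive_filter begins and ends outside this hunk.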
diff -urpN linux-2.6.orig/security/selinux/nlmsgtab.c 
linux-2.6.patch/security/selinux/nlmsgtab.c
--- linux-2.6.orig/security/selinux/nlmsgtab.c  2006-04-28 15:02:20.000000000 
-0500
+++ linux-2.6.patch/security/selinux/nlmsgtab.c 2006-04-28 16:08:23.000000000 
-0500
@@ -109,6 +109,7 @@ static struct nlmsg_perm nlmsg_audit_per
        { AUDIT_LIST_RULES,     NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
        { AUDIT_ADD_RULE,       NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
        { AUDIT_DEL_RULE,       NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
+       { AUDIT_DEL_ALL,        NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
        { AUDIT_USER,           NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
        { AUDIT_SIGNAL_INFO,    NETLINK_AUDIT_SOCKET__NLMSG_READ     },
 };
