Ok, will do. I was thinking of making this a Kconfig option, so that an ignorant userspace still works.
On Mon, May 20, 2013 at 9:20 AM, Stephen Smalley <[email protected]> wrote: > On 05/16/2013 05:08 PM, William Roberts wrote: > >> Allow the audit subsystem to send audit events to both the kernel >> message buffer and auditd at the same time. >> >> Change-Id: I53de6b121bb4d7ec0cd31fa9b7a9d**31a1ff9782f >> Signed-off-by: William Roberts <[email protected]> >> > > Looks fine to me, although you'll need to tweak it for mainline (header > split to include/uapi/linux/audit.h, change to audit_do_config_change() > arguments, change in netlink_skb_parms from pid to portid). > > You'll need to subscribe and post it to linux-audit mailing list, > https://www.redhat.com/**mailman/listinfo/linux-audit<https://www.redhat.com/mailman/listinfo/linux-audit> > > > --- >> include/linux/audit.h | 10 ++++++++++ >> kernel/audit.c | 49 ++++++++++++++++++++++++++++++** >> ++++++++++++++----- >> 2 files changed, 54 insertions(+), 5 deletions(-) >> >> diff --git a/include/linux/audit.h b/include/linux/audit.h >> index ed3ef19..cbc7582 100644 >> --- a/include/linux/audit.h >> +++ b/include/linux/audit.h >> @@ -69,6 +69,8 @@ >> #define AUDIT_MAKE_EQUIV 1015 /* Append to watched tree */ >> #define AUDIT_TTY_GET 1016 /* Get TTY auditing status */ >> #define AUDIT_TTY_SET 1017 /* Set TTY auditing status */ >> +#define AUDIT_LOGSPLIT_GET 1018 /* Get logsplit status */ >> +#define AUDIT_LOGSPLIT_SET 1019 /* Set logsplit status */ >> >> #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly >> uninteresting to kernel */ >> #define AUDIT_USER_AVC 1107 /* We filter this >> differently */ >> @@ -319,6 +321,10 @@ enum { >> #define AUDIT_FAIL_PRINTK 1 >> #define AUDIT_FAIL_PANIC 2 >> >> +/* Audit splitlog options */ >> +#define AUDIT_LOGSPLIT_OFF 0 >> +#define AUDIT_LOGSPLIT_ON 1 >> + >> /* distinguish syscall tables */ >> #define __AUDIT_ARCH_64BIT 0x80000000 >> #define __AUDIT_ARCH_LE 0x40000000 
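Review bot: `AUDIT_LOGSPLIT_GET`/`AUDIT_LOGSPLIT_SET` are assigned 1018 and 1019, the next values after AUDIT_TTY_SET, but these are user-visible netlink message types and picking them locally invites an ABI collision with whatever upstream allocates next in the same range. As far as I recall, mainline has since given 1018/1019 to other audit commands (AUDIT_SET_FEATURE/AUDIT_GET_FEATURE), so a kernel carrying this patch would treat a newer userspace's feature request as a logsplit toggle, which is also a CAP_AUDIT_CONTROL operation but with a different meaning; please confirm against the current uapi header before submitting. Until the numbers are reserved upstream, a comment next to the defines such as `/* provisional values; must be reserved in the shared audit.h before use */` would make the constraint visible to anyone backporting this.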
>> @@ -370,6 +376,10 @@ struct audit_tty_status { >> __u32 enabled; /* 1 = enabled, 0 = disabled */ >> }; >> >> +struct audit_logsplit_status { >> + __u32 enabled; /* AUDIT_LOGSPLIT_ON or >> AUDIT_LOGSPLIT_OFF */ >> +}; >> + >> /* audit_rule_data supports filter rules with both integer and string >> * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and >> * AUDIT_LIST_RULES requests. >> diff --git a/kernel/audit.c b/kernel/audit.c >> index 4096bcc..b970a91 100644 >> --- a/kernel/audit.c >> +++ b/kernel/audit.c >> @@ -85,6 +85,9 @@ static int audit_default; >> /* If auditing cannot proceed, audit_failure selects what happens. */ >> static int audit_failure = AUDIT_FAIL_PRINTK; >> >> +/* Whether or not logsplit is enabled */ >> +static int audit_logsplit = AUDIT_LOGSPLIT_OFF; >> + >> /* >> * If audit records are to be written to the netlink socket, audit_pid >> * contains the pid of the auditd process and audit_nlk_pid contains >> @@ -357,6 +360,16 @@ static int audit_set_failure(int state, uid_t >> loginuid, u32 sessionid, u32 sid) >> loginuid, sessionid, sid); >> } >> >> +static int audit_set_logsplit(int state, uid_t loginuid, u32 sessionid, >> u32 sid) >> +{ >> + if (state != AUDIT_LOGSPLIT_OFF >> + && state != AUDIT_LOGSPLIT_ON) >> + return -EINVAL; >> + >> + return audit_do_config_change("audit_**logsplit", >> &audit_logsplit, state, >> + loginuid, sessionid, sid); >> +} >> + >> /* >> * Queue skbs to be sent to auditd when/if it comes back. These skbs >> should >> * already have been sent via prink/syslog and so if these messages are >> dropped 
>> @@ -375,11 +388,8 @@ static void audit_hold_skb(struct sk_buff *skb) >> kfree_skb(skb); >> } >> >> -/* >> - * For one reason or another this nlh isn't getting delivered to the >> userspace >> - * audit daemon, just send it to printk. >> - */ >> -static void audit_printk_skb(struct sk_buff *skb) >> +/* Just printks the skb, no audit_hold or free of any kind */ >> +static void __audit_printk_skb(struct sk_buff *skb) >> { >> struct nlmsghdr *nlh = nlmsg_hdr(skb); >> char *data = NLMSG_DATA(nlh); >> @@ -387,7 +397,15 @@ static void audit_printk_skb(struct sk_buff *skb) >> if (nlh->nlmsg_type != AUDIT_EOE) { >> printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data); >> } >> +} >> >> +/* >> + * For one reason or another this nlh isn't getting delivered to the >> userspace >> + * audit daemon, just send it to printk. >> + */ >> +static void audit_printk_skb(struct sk_buff *skb) >> +{ >> + __audit_printk_skb(skb); >> audit_hold_skb(skb); >> } >> >> @@ -594,6 +612,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 >> msg_type) >> case AUDIT_SIGNAL_INFO: >> case AUDIT_TTY_GET: >> case AUDIT_TTY_SET: >> + case AUDIT_LOGSPLIT_GET: >> + case AUDIT_LOGSPLIT_SET: >> case AUDIT_TRIM: >> case AUDIT_MAKE_EQUIV: >> if (!capable(CAP_AUDIT_CONTROL)) >> @@ -909,7 +929,24 @@ static int audit_receive_msg(struct sk_buff *skb, >> struct nlmsghdr *nlh) >> rcu_read_unlock(); >> break; >> } >> + case AUDIT_LOGSPLIT_GET: { >> + struct audit_logsplit_status s; >> + s.enabled = audit_logsplit; >> + audit_send_reply(NETLINK_CB(**skb).pid, seq, >> + AUDIT_LOGSPLIT_GET, 0, 0, &s, sizeof(s)); >> + break; >> + } >> + case AUDIT_LOGSPLIT_SET: { >> + struct audit_logsplit_status *s; >> + if (nlh->nlmsg_len < sizeof(struct audit_logsplit_status)) >> + return -EINVAL; >> + s = data; >> + err = audit_set_logsplit(s->enabled, loginuid, sessionid, >> sid); >> + break; >> + } >> + >> default: >> + printk(KERN_ERR "Unknown audit command"); >> err = -EINVAL; >> break; >> } 
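Review bot: The length check in the new `AUDIT_LOGSPLIT_SET` case compares `nlh->nlmsg_len`, which counts the netlink header as well as the payload, against a 4-byte struct, so any well-formed message passes it and it does not actually guarantee that `s->enabled` lies within the received payload; the check should be on the payload length, `if (nlmsg_len(nlh) < sizeof(struct audit_logsplit_status)) return -EINVAL;`. The pattern looks copied from the neighbouring AUDIT_TTY_SET arm (outside the hunk), so if that arm has the same flaw it is worth fixing in the same series rather than propagating it. Separately, the `printk(KERN_ERR "Unknown audit command")` added to the `default:` arm is unrelated to logsplit, has no trailing newline, and can presumably be reached by any message type that audit_netlink_ok lets through without a handler here; if it stays, make it `printk_ratelimited(KERN_ERR "audit: unknown command type=%d\n", nlh->nlmsg_type);` so a misbehaving client cannot flood the log. audit_receive_msg's body begins and ends outside this hunk.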
>> @@ -1464,6 +1501,8 @@ void audit_log_end(struct audit_buffer *ab) >> nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0); >> >> if (audit_pid) { >> + if (audit_logsplit == AUDIT_LOGSPLIT_ON) >> + __audit_printk_skb(ab->skb); >> skb_queue_tail(&audit_skb_**queue, ab->skb); >> wake_up_interruptible(&**kauditd_wait); >> } else { >> >> > -- Respectfully, William C Roberts
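Review bot: With `audit_logsplit` on, every record is now also emitted with `printk(KERN_NOTICE ...)` via `__audit_printk_skb()` before being queued for auditd, and nothing in the hunk documents that the two channels have different guarantees: the netlink skb is held and retried through audit_hold_skb when auditd is away, while the printk copy goes to the fixed-size kernel ring buffer with no rate limiting and can be silently overwritten under load. A comment above the new branch, along the lines of `/* Best-effort duplicate to the kernel log; the queued skb remains the authoritative record. */`, would stop operators from treating dmesg as a complete audit trail. The unsynchronised read of `audit_logsplit` matches how `audit_pid` is read here, so no change there; audit_log_end's body begins outside this hunk.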
