diff options
| author | Sergio Correia <scorreia@redhat.com> | 2026-05-12 14:28:59 +0100 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2026-05-12 16:10:38 -0400 |
| commit | f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 (patch) | |
| tree | f277375398036b8ed80313ac08bb76eea3c8082a /kernel | |
| parent | e4a640475e43f406fdfd56d370b1f34b0cbbc18d (diff) | |
| download | linux-f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2.tar.gz linux-f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2.zip | |
audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
allows a process with CAP_AUDIT_CONTROL to modify directory tree
watches and equivalence mappings even when the audit configuration
has been locked, undermining the purpose of the lock.
Add AUDIT_LOCKED checks to both commands.
Cc: stable@vger.kernel.org
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/audit.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index e1d489bc2dff..34dc7cb246ff 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1468,6 +1468,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, err = audit_list_rules_send(skb, seq); break; case AUDIT_TRIM: + if (audit_enabled == AUDIT_LOCKED) + return -EPERM; audit_trim_trees(); audit_log_common_recv_msg(audit_context(), &ab, AUDIT_CONFIG_CHANGE); @@ -1480,6 +1482,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, size_t msglen = data_len; char *old, *new; + if (audit_enabled == AUDIT_LOCKED) + return -EPERM; err = -EINVAL; if (msglen < 2 * sizeof(u32)) break; |