audit: log on errors from filter user rules
authorRichard Guy Briggs <rgb@redhat.com>
Tue, 26 Nov 2013 02:57:51 +0000 (21:57 -0500)
committerEric Paris <eparis@redhat.com>
Tue, 14 Jan 2014 03:32:31 +0000 (22:32 -0500)
An error on an AUDIT_NEVER rule disabled logging on that rule.
On error on AUDIT_NEVER rules, log.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
kernel/audit.c
kernel/auditfilter.c

index 9c4ec29a707bdb057cb8c0e8326643e2676582a4..15661ef8bece0e633342df02bc4151224cf620de 100644 (file)
@@ -869,7 +869,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        return 0;
 
                err = audit_filter_user(msg_type);
-               if (err == 1) {
+               if (err == 1) { /* match or error */
                        err = 0;
                        if (msg_type == AUDIT_USER_TTY) {
                                err = tty_audit_push_current();
index 629834aa4ca400019684bb2bf2f6c2104c486578..14a78cca384edb9cf8f36dc3f7fb5340c267c623 100644 (file)
@@ -1290,19 +1290,22 @@ int audit_filter_user(int type)
 {
        enum audit_state state = AUDIT_DISABLED;
        struct audit_entry *e;
-       int ret = 1;
+       int rc, ret;
+
+       ret = 1; /* Audit by default */
 
        rcu_read_lock();
        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
-               if (audit_filter_user_rules(&e->rule, type, &state)) {
-                       if (state == AUDIT_DISABLED)
+               rc = audit_filter_user_rules(&e->rule, type, &state);
+               if (rc) {
+                       if (rc > 0 && state == AUDIT_DISABLED)
                                ret = 0;
                        break;
                }
        }
        rcu_read_unlock();
 
-       return ret; /* Audit by default */
+       return ret;
 }
 
 int audit_filter_type(int type)