summaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorSteve Grubb <sgrubb@redhat.com>2020-01-24 17:29:16 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-10-01 11:11:52 +0200
commitb0dd4542e17fc88ac464f5243ae2da3e84f21f27 (patch)
tree1fc56e4c68e45a197b9b7d2eba1f3721872013fe /kernel
parent862495f91f7726cd8cd9f4842c9b5fc9818e8cbd (diff)
downloadlinux-stable-b0dd4542e17fc88ac464f5243ae2da3e84f21f27.tar.gz
linux-stable-b0dd4542e17fc88ac464f5243ae2da3e84f21f27.tar.bz2
linux-stable-b0dd4542e17fc88ac464f5243ae2da3e84f21f27.zip
audit: CONFIG_CHANGE don't log internal bookkeeping as an event
[ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ] Common Criteria calls out for any action that modifies the audit trail to be recorded. That usually is interpreted to mean insertion or removal of rules. It is not required to log modification of the inode information since the watch is still in effect. Additionally, if the rule is a never rule and the underlying file is one they do not want events for, they get an event for this bookkeeping update against their wishes. Since no device/inode info is logged at insertion and no device/inode information is logged on update, there is nothing meaningful being communicated to the admin by the CONFIG_CHANGE updated_rules event. One can assume that the rule was not "modified" because it is still watching the intended target. If the device or inode cannot be resolved, then audit_panic is called which is sufficient. The correct resolution is to drop logging config_update events since the watch is still in effect but just on another unknown inode. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/audit_watch.c2
1 files changed, 0 insertions, 2 deletions
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index f45a9a5d3e47..af453f3c2b3d 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -316,8 +316,6 @@ static void audit_update_watch(struct audit_parent *parent,
if (oentry->rule.exe)
audit_remove_mark(oentry->rule.exe);
- audit_watch_log_rule_change(r, owatch, "updated_rules");
-
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}