diff options
| author |   Richard Guy Briggs <rgb@redhat.com> | 2025-03-05 16:33:20 -0500 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2025-04-11 14:14:41 -0400 |
| commit | 654d61b8e0e2f8b9bdea28a9a51279ecdacafe3c (patch) | |
| tree | 8f415b70753be9926825a4ed10e4b038d2ace81d /kernel | |
| parent | audit: mark audit_log_vformat() with __printf() attribute (diff) | |
| download | wireguard-linux-654d61b8e0e2f8b9bdea28a9a51279ecdacafe3c.tar.xz wireguard-linux-654d61b8e0e2f8b9bdea28a9a51279ecdacafe3c.zip | |
audit: record AUDIT_ANOM_* events regardless of presence of rules
When no audit rules are in place, AUDIT_ANOM_{LINK,CREAT} events
reported in audit_log_path_denied() are unconditionally dropped due to
an explicit check for the existence of any audit rules. Given this is a
report of a security violation, allow it to be recorded regardless of
the existence of any audit rules.
To test,
mkdir -p /root/tmp
chmod 1777 /root/tmp
touch /root/tmp/test.txt
useradd test
chown test /root/tmp/test.txt
{echo C0644 12 test.txt; printf 'hello\ntest1\n'; printf \\000;} | \
scp -t /root/tmp
Check with
ausearch -m ANOM_CREAT -ts recent
Link: https://issues.redhat.com/browse/RHEL-9065
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/audit.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index f365e1bbeac6..61b5744d0bb6 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2285,7 +2285,7 @@ void audit_log_path_denied(int type, const char *operation) { struct audit_buffer *ab; - if (!audit_enabled || audit_dummy_context()) + if (!audit_enabled) return; /* Generate log with subject, operation, outcome. */ |