From: Sergio Correia
To: audit@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: paul@paul-moore.com, eparis@redhat.com, rrobaina@redhat.com, Sergio Correia
Subject: [PATCH] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
Date: Tue, 12 May 2026 14:28:59 +0100
Message-ID: <20260512132859.1305499-1-scorreia@redhat.com>
X-Mailer: git-send-email 2.54.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED and
return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This allows a
process with CAP_AUDIT_CONTROL to modify directory tree watches and
equivalence mappings even when the audit configuration has been locked,
undermining the purpose of the lock.

Add AUDIT_LOCKED checks to both commands.

Reviewed-by: Ricardo Robaina
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia
---
kernel/audit.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c
index e1d489bc2dff..34dc7cb246ff 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1468,6 +1468,8 @@ static int audit_receive_msg(struct sk_buff *skb, str= uct nlmsghdr *nlh, err =3D audit_list_rules_send(skb, seq); break; case AUDIT_TRIM: + if (audit_enabled =3D=3D AUDIT_LOCKED) + return -EPERM; audit_trim_trees(); audit_log_common_recv_msg(audit_context(), &ab, AUDIT_CONFIG_CHANGE);
@@ -1480,6 +1482,8 @@ static int audit_receive_msg(struct sk_buff *skb, str= uct nlmsghdr *nlh, size_t msglen =3D data_len; char *old, *new; =20 + if (audit_enabled =3D=3D AUDIT_LOCKED) + return -EPERM; err =3D -EINVAL; if (msglen < 2 * sizeof(u32)) break;
--=20
2.54.0
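Review bot: the locked-state rejection in the AUDIT_TRIM hunk is silent. The new `return -EPERM` runs before the `audit_log_common_recv_msg(audit_context(), &ab, AUDIT_CONFIG_CHANGE)` call in the following context line, so a refused attempt to trim the watched trees of a locked configuration leaves no CONFIG_CHANGE record, while a successful trim does. Consider emitting the CONFIG_CHANGE record with `res=0` before returning, the way the rule add/remove rejection path in this function records a denied change, so an auditor reviewing the log can see that the lock held against a CAP_AUDIT_CONTROL caller. The placement of the check itself is right: it sits ahead of `audit_trim_trees()`, so no tree state is touched before the lock is consulted.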
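Review bot: the AUDIT_MAKE_EQUIV hunk has the same silent-rejection gap, and its ordering deserves a sentence in the commit message. The check is inserted before `err =3D -EINVAL; if (msglen < 2 * sizeof(u32)) break;`, so on a locked system a malformed request now gets -EPERM rather than -EINVAL; that is a defensible choice, since the payload is never parsed while the configuration is locked, but it should be stated as intended. Also note that the rest of this case reports errors by setting `err` and using `break`, whereas the new line returns from audit_receive_msg directly; that matches the rule-change path, but worth confirming that nothing after the switch is needed on this error path. A test exercising both commands against a locked configuration (for example in audit-testsuite) would keep the two new checks from regressing.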