[PATCH v2] audit: handle unknown status requests in audit_receive_msg
From: Ricardo Robaina
Date: Mon Mar 09 2026 - 09:08:15 EST
Currently, audit_receive_msg() ignores unknown status bits in AUDIT_SET
requests, incorrectly returning success to newer user space tools
querying unsupported features. This breaks forward compatibility.
Fix this by defining AUDIT_STATUS_ALL and returning -EINVAL if any
unrecognized bits are set (s.mask & ~AUDIT_STATUS_ALL).
This ensures invalid requests are safely rejected, allowing user space
to reliably test for and gracefully handle feature detection on older
kernels.
Suggested-by: Steve Grubb <sgrubb@xxxxxxxxxx>
Signed-off-by: Ricardo Robaina <rrobaina@xxxxxxxxxx>
---
v1 -> v2:
- Moved AUDIT_STATUS_ALL from include/uapi/linux/audit.h to
include/linux/audit.h.
include/linux/audit.h | 9 +++++++++
kernel/audit.c | 2 ++
2 files changed, 11 insertions(+)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index b642b5faca65..d79218bf075a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -15,6 +15,15 @@
#include <uapi/linux/audit.h>
#include <uapi/linux/fanotify.h>
+#define AUDIT_STATUS_ALL (AUDIT_STATUS_ENABLED | \
+ AUDIT_STATUS_FAILURE | \
+ AUDIT_STATUS_PID | \
+ AUDIT_STATUS_RATE_LIMIT | \
+ AUDIT_STATUS_BACKLOG_LIMIT | \
+ AUDIT_STATUS_BACKLOG_WAIT_TIME | \
+ AUDIT_STATUS_LOST | \
+ AUDIT_STATUS_BACKLOG_WAIT_TIME_ACTUAL)
+
#define AUDIT_INO_UNSET ((unsigned long)-1)
#define AUDIT_DEV_UNSET ((dev_t)-1)
diff --git a/kernel/audit.c b/kernel/audit.c
index 5a0216056524..592383dce090 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1295,6 +1295,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
memset(&s, 0, sizeof(s));
/* guard against past and future API changes */
memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
+ if (s.mask & ~AUDIT_STATUS_ALL)
+ return -EINVAL;
if (s.mask & AUDIT_STATUS_ENABLED) {
err = audit_set_enabled(s.enabled);
if (err < 0)
--
2.53.0