Re: [PATCH] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV

Next message: Paolo Bonzini: "[PATCH v2] KVM: nSVM: Never use L0's PAUSE loop exiting while L2 is running"
Previous message: Valentin Schneider: "Re: [PATCH sched/core] sched/rt: Fix RT_PUSH_IPI soft lockup loop"
In reply to: Sergio Correia: "[PATCH] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paul Moore

Date: Tue May 12 2026 - 16:11:00 EST

On May 12, 2026 Sergio Correia <scorreia@xxxxxxxxxx> wrote:
>
> AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
> and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
> allows a process with CAP_AUDIT_CONTROL to modify directory tree
> watches and equivalence mappings even when the audit configuration
> has been locked, undermining the purpose of the lock.
>
> Add AUDIT_LOCKED checks to both commands.
>
> Reviewed-by: Ricardo Robaina <rrobaina@xxxxxxxxxx>
> Assisted-by: Claude:claude-opus-4-6
> Signed-off-by: Sergio Correia <scorreia@xxxxxxxxxx>
> ---
> kernel/audit.c | 4 ++++
> 1 file changed, 4 insertions(+)

Merged into audit/stable-7.1 with the expectation of sending it up to
Linus later this week, thanks!

--
paul-moore.com