audit: record AUDIT_ANOM_* events regardless of presence of rules

rgbriggs · pcmoore · commit 654d61b8e0e2 · 2025-04-11T14:14:41.000-04:00
When no audit rules are in place, AUDIT_ANOM_{LINK,CREAT} events reported in audit_log_path_denied() are unconditionally dropped due to an explicit check for the existence of any audit rules. Given this is a report of a security violation, allow it to be recorded regardless of the existence of any audit rules. To test, mkdir -p /root/tmp chmod 1777 /root/tmp touch /root/tmp/test.txt useradd test chown test /root/tmp/test.txt {echo C0644 12 test.txt; printf 'hello\ntest1\n'; printf \\000;} | \ scp -t /root/tmp Check with ausearch -m ANOM_CREAT -ts recent Link: https://issues.redhat.com/browse/RHEL-9065 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/kernel/audit.c b/kernel/audit.c
@@ -2285,7 +2285,7 @@ void audit_log_path_denied(int type, const char *operation)
 {
 	struct audit_buffer *ab;
 
-	if (!audit_enabled || audit_dummy_context())
+	if (!audit_enabled)
 		return;
 
 	/* Generate log with subject, operation, outcome. */

Original file line number	Diff line number	Diff line change
`@@ -2285,7 +2285,7 @@ void audit_log_path_denied(int type, const char *operation)`
`2285`	`2285`	`{`
`2286`	`2286`	`struct audit_buffer *ab;`
`2287`	`2287`
`2288`		`- if (!audit_enabled \|\| audit_dummy_context())`
	`2288`	`+ if (!audit_enabled)`
`2289`	`2289`	`return;`
`2290`	`2290`
`2291`	`2291`	`/* Generate log with subject, operation, outcome. */`