audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV

AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
allows a process with CAP_AUDIT_CONTROL to modify directory tree
watches and equivalence mappings even when the audit configuration
has been locked, undermining the purpose of the lock.

Add AUDIT_LOCKED checks to both commands.

Cc: stable@vger.kernel.org
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/kernel/audit.c b/kernel/audit.c
index e1d489bc2dff99c27272106de879448b9deb7621..34dc7cb246ff27bb37c5a5a7cb9bc32e5e65b144 100644 (file)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1468,6 +1468,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
                err = audit_list_rules_send(skb, seq);
                break;
        case AUDIT_TRIM:
+               if (audit_enabled == AUDIT_LOCKED)
+                       return -EPERM;
                audit_trim_trees();
                audit_log_common_recv_msg(audit_context(), &ab,
                                          AUDIT_CONFIG_CHANGE);
@@ -1480,6 +1482,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
                size_t msglen = data_len;
                char *old, *new;
 
+               if (audit_enabled == AUDIT_LOCKED)
+                       return -EPERM;
                err = -EINVAL;
                if (msglen < 2 * sizeof(u32))
                        break;