From: Richard Guy Briggs
To: LKML, Linux-Audit Mailing List
Cc: Eric Paris, Alexander Viro, Steve Grubb, Paul Moore, Richard Guy Briggs
Subject: [PATCH ghak59 V3 1/4] audit: give a clue what CONFIG_CHANGE op was involved
Date: Mon, 10 Dec 2018 17:17:48 -0500

The failure to add an audit rule due to audit locked gives no clue what CONFIG_CHANGE operation failed. Similarly the set operation is the only other operation that doesn't give the "op=" field to indicate the action. All other CONFIG_CHANGE records include an op= field to give a clue as to what sort of configuration change is being executed.

Since these are the only CONFIG_CHANGE records that do not have an op= field, add them to bring them in line with the rest.

Old records:
type=CONFIG_CHANGE msg=audit(1519812997.781:374): pid=610 uid=0 auid=0 ses=1 subj=... audit_enabled=2 res=0
type=CONFIG_CHANGE msg=audit(2018-06-14 14:55:04.507:47) : audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yes

New records:
type=CONFIG_CHANGE msg=audit(1520958477.855:100): pid=610 uid=0 auid=0 ses=1 subj=... op=add_rule audit_enabled=2 res=0
type=CONFIG_CHANGE msg=audit(2018-06-14 14:55:04.507:47) : op=set audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yes

See: https://github.com/linux-audit/audit-kernel/issues/59

Signed-off-by: Richard Guy Briggs

--- kernel/audit.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 779671883349..0e8026423fbd 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
@@ -400,7 +400,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old, ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (unlikely(!ab)) return rc; - audit_log_format(ab, "%s=%u old=%u ", function_name, new, old); + audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old); audit_log_session_info(ab); rc = audit_log_task_context(ab); if (rc) @@ -1363,7 +1363,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) return -EINVAL; if (audit_enabled == AUDIT_LOCKED) { audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled); + audit_log_format(ab, " op=%s audit_enabled=%d res=0", + msg_type == AUDIT_ADD_RULE ? "add_rule" : "remove_rule", + audit_enabled); audit_log_end(ab); return -EPERM; } -- 1.8.3.1
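
Review bot: In the audit_log_config_change() hunk, "op=set" is written at the very start of the record, ahead of "%s=%u old=%u", while the audit_receive_msg() hunk appends " op=%s" after the fields emitted by audit_log_common_recv_msg(). The two record types therefore carry op= in different positions, as the commit message's own samples show ("op=set audit_enabled=1 ..." versus "... subj=... op=add_rule audit_enabled=2"). If consumers are expected to locate op= by name rather than by position, state that in the commit message; otherwise pick one placement for both records.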
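
Review bot: In the audit_receive_msg() hunk, the ternary 'msg_type == AUDIT_ADD_RULE ? "add_rule" : "remove_rule"' reports every message type other than AUDIT_ADD_RULE as remove_rule. That is correct only if this branch is reachable for exactly the add and delete rule messages, which the hunk context does not show. A short comment naming the case labels it relies on, or an explicit comparison against the delete message type, would keep the op= value from silently going wrong if another message type is later routed through this branch. The commit message also shows only an add_rule sample; a remove_rule record would document the other arm.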
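
A consumer-side view of the record change described in the commit message, as an added example that is not part of the original patch or the audit project's code: it parses CONFIG_CHANGE records in both forms and infers the operation for pre-patch records that lack op=. The function names, the inferred label rule_change_while_locked and the treatment of res=no as a failure are assumptions; the sample lines are the four records quoted in the commit message.

```python
import re

# Sample input: the four records quoted in the commit message (old, then new).
SAMPLE_RECORDS = [
    "type=CONFIG_CHANGE msg=audit(1519812997.781:374): pid=610 uid=0 auid=0 ses=1 subj=... audit_enabled=2 res=0",
    "type=CONFIG_CHANGE msg=audit(2018-06-14 14:55:04.507:47) : audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yes",
    "type=CONFIG_CHANGE msg=audit(1520958477.855:100): pid=610 uid=0 auid=0 ses=1 subj=... op=add_rule audit_enabled=2 res=0",
    "type=CONFIG_CHANGE msg=audit(2018-06-14 14:55:04.507:47) : op=set audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yes",
]

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOCKED = "2"            # audit_enabled value shown in the locked-rule records
FAILED = {"0", "no"}    # "no" as the interpreted form of res=0 is an assumption


def parse_config_change(line):
    """Return the key=value fields of a CONFIG_CHANGE record, else None."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    return fields if fields.get("type") == "CONFIG_CHANGE" else None


def classify(fields):
    """Return (op, inferred). Fields are looked up by name, so the position
    of op= in the record does not matter."""
    if "op" in fields:
        return fields["op"], False            # post-patch: kernel states the op
    if "old" in fields:
        return "set", True                    # pre-patch set record carries old=
    if fields.get("audit_enabled") == LOCKED and fields.get("res") in FAILED:
        # Pre-patch refusal while locked: add vs. remove cannot be recovered.
        return "rule_change_while_locked", True
    return "unknown", True


def denied_changes(lines):
    """Ops of the CONFIG_CHANGE records whose res field reports failure."""
    denied = []
    for line in lines:
        fields = parse_config_change(line)
        if fields and fields.get("res") in FAILED:
            denied.append(classify(fields)[0])
    return denied


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(parse_config_change(rec)))
    print("denied:", denied_changes(SAMPLE_RECORDS))
```

The inferred flag lets a detection rule treat pre-patch records as lower confidence, since a refused rule change on an older kernel cannot be attributed to add or remove.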