diff --git i/init/Kconfig w/init/Kconfig index d9ed3f73..923f817 100644 --- i/init/Kconfig +++ w/init/Kconfig @@ -349,6 +349,35 @@ config AUDIT logging of avc messages output). Does not do system-call auditing without CONFIG_AUDITSYSCALL. +choice + prompt "Default auditing mode" + default AUDIT_LAZY + depends on AUDIT + help + Default mode of the auditing infrastructure. + +config AUDIT_DISABLED + bool "Disabled" + help + Auditing is disabled and cannot be enabled after boot. + Can be set by adding audit=0 to the command line. + +config AUDIT_LAZY + bool "Lazily enabled" + help + Auditing is initialized at boot but will not generate + events until enabled by userspace. + Can be set by adding audit=lazy to the command line. + +config AUDIT_ENABLED + bool "Enabled at boot" + help + Auditing is initialized at boot and will immediately + start to generate events. + Can be set by adding audit=1 to the command line. + +endchoice + config HAVE_ARCH_AUDITSYSCALL bool diff --git i/kernel/audit.c w/kernel/audit.c index c6df990..3bfec131 100644 --- i/kernel/audit.c +++ w/kernel/audit.c @@ -74,7 +74,12 @@ #define AUDIT_DISABLED -1 #define AUDIT_UNINITIALIZED 0 #define AUDIT_INITIALIZED 1 -static int audit_initialized; + +#ifdef CONFIG_AUDIT_DISABLED +static int audit_initialized = AUDIT_DISABLED; +#else +static int audit_initialized = AUDIT_UNINITIALIZED; +#endif #define AUDIT_OFF 0 #define AUDIT_ON 1 @@ -85,7 +90,11 @@ u32 audit_ever_enabled; EXPORT_SYMBOL_GPL(audit_enabled); /* Default state when kernel boots without any parameters. */ +#ifdef CONFIG_AUDIT_ENABLED +static u32 audit_default = 1; +#else static u32 audit_default; +#endif /* If auditing cannot proceed, audit_failure selects what happens. */ static u32 audit_failure = AUDIT_FAIL_PRINTK; 
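Review bot: The AUDIT_DISABLED help text ("cannot be enabled after boot") does not say that the build-time choice is only a default: the audit_enable() change to kernel/audit.c on this same page resets audit_initialized to AUDIT_UNINITIALIZED for `audit=1` and `audit=lazy`, and since __setup handlers run before initcalls (as far as I recall) the command line overrides whichever of the three options was built in. Each help block should state that explicitly, e.g. `Can be overridden at boot with audit=1 or audit=lazy.` under AUDIT_DISABLED, with the matching sentence under AUDIT_LAZY and AUDIT_ENABLED, so nobody relies on the Kconfig choice as a hardening guarantee. Separately, the new symbol `CONFIG_AUDIT_DISABLED` differs only by prefix from the existing C constant `AUDIT_DISABLED` in kernel/audit.c, which is easy to misread in `#ifdef CONFIG_AUDIT_DISABLED ... = AUDIT_DISABLED;`; names such as `AUDIT_DEFAULT_DISABLED`/`AUDIT_DEFAULT_LAZY`/`AUDIT_DEFAULT_ENABLED` would keep the build default and the runtime state constants visibly distinct.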
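Review bot: The `#ifdef CONFIG_AUDIT_DISABLED` / `#else` pair that duplicates the `audit_initialized` definition can be one initializer, which is the form kernel style prefers for config-dependent constants: `static int audit_initialized = IS_ENABLED(CONFIG_AUDIT_DISABLED) ? AUDIT_DISABLED : AUDIT_UNINITIALIZED;`. Either way the definition deserves a short comment that this is only the build default and that audit_enable() rewrites it from the `audit=` command-line parameter, because a reader of this hunk alone would take `AUDIT_DISABLED` here as final, e.g. `/* Build-time default; audit_enable() overrides it from audit= on the command line. */`.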
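Review bot: The comment `/* Default state when kernel boots without any parameters. */` above `audit_default` is now stale, since the value is no longer a fixed 0 but follows CONFIG_AUDIT_ENABLED; it should read something like `/* Boot default for audit_enabled: set by CONFIG_AUDIT_ENABLED unless audit= is given on the command line. */`. The `#ifdef CONFIG_AUDIT_ENABLED` / `#else` duplication of the declaration can also collapse to a single line, `static u32 audit_default = IS_ENABLED(CONFIG_AUDIT_ENABLED);`, which keeps one definition to maintain and matches how the kernel usually expresses a config-driven constant.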
@@ -1185,12 +1194,18 @@ static int __init audit_init(void) } __initcall(audit_init); -/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */ +/* Process kernel command-line parameter at boot time. + * audit=lazy, audit=0 or audit=1. */ static int __init audit_enable(char *str) { - audit_default = !!simple_strtol(str, NULL, 0); - if (!audit_default) - audit_initialized = AUDIT_DISABLED; + if (strcmp(str, "lazy") == 0) { + audit_default = 0; + audit_initialized = AUDIT_UNINITIALIZED; + } else { + audit_default = !!simple_strtol(str, NULL, 0); + audit_initialized = audit_default ? + AUDIT_UNINITIALIZED : AUDIT_DISABLED; + } pr_info("%s\n", audit_default ? "enabled (after initialization)" : "disabled (until reboot)");
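Review bot: With `audit=lazy` the pr_info() at the end of this hunk reports "disabled (until reboot)", because it still keys only on audit_default, which the new lazy branch sets to 0 even though audit_initialized stays AUDIT_UNINITIALIZED and userspace can enable auditing later; the message should distinguish the three states, e.g. `pr_info("%s\n", audit_initialized == AUDIT_DISABLED ? "disabled (until reboot)" : audit_default ? "enabled (after initialization)" : "lazy (enable from userspace)");`. Note also that the else branch funnels any unrecognised word through simple_strtol(), so a typo such as `audit=lzay` yields 0 and silently lands in the permanently-disabled state; now that a keyword is accepted, a string that is neither `lazy` nor a number should arguably be logged as invalid (or fall back to the Kconfig default) rather than disable auditing for the rest of the boot. audit_enable() continues past the end of the hunk.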