Commit eb544151 authored by Linus Torvalds's avatar Linus Torvalds
Pull audit fixes from Paul Moore:

 - Correctly log the inheritable capabilities

 - Honor AUDIT_LOCKED in the AUDIT_TRIM and AUDIT_MAKE_EQUIV commands

* tag 'audit-pr-20260513' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
  audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
  audit: fix incorrect inheritable capability in CAPSET records
parents 31e62c2e f9e1c132
+4 −0
@@ -1468,6 +1468,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
		err = audit_list_rules_send(skb, seq);
		break;
	case AUDIT_TRIM:
		if (audit_enabled == AUDIT_LOCKED)
			return -EPERM;
		audit_trim_trees();
		audit_log_common_recv_msg(audit_context(), &ab,
					  AUDIT_CONFIG_CHANGE);
@@ -1480,6 +1482,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
		size_t msglen = data_len;
		char *old, *new;

		if (audit_enabled == AUDIT_LOCKED)
			return -EPERM;
		err = -EINVAL;
		if (msglen < 2 * sizeof(u32))
			break;
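Review bot: Both new `AUDIT_LOCKED` checks return `-EPERM` before anything is logged, so a rejected AUDIT_TRIM or AUDIT_MAKE_EQUIV request on a locked configuration leaves no AUDIT_CONFIG_CHANGE record, whereas the successful trim path just below does call `audit_log_common_recv_msg()`. A refused attempt to change audit trees on a locked system is something monitoring would want to see, so consider emitting a `res=0` record before returning in both places. The fence shows the AUDIT_TRIM case; the second check would take the same shape, and the op string is assumed and should match whatever the success path uses. audit_receive_msg begins and ends outside these hunks, so whether its other locked paths already log denials cannot be confirmed from here.

```c
	case AUDIT_TRIM:
		if (audit_enabled == AUDIT_LOCKED) {
			/* record the refused request so the attempt is visible */
			audit_log_common_recv_msg(audit_context(), &ab,
						  AUDIT_CONFIG_CHANGE);
			audit_log_format(ab, " op=trim res=0");
			audit_log_end(ab);
			return -EPERM;
		}
		/* ... unchanged: audit_trim_trees() and the success record ... */
```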
+1 −1
@@ -2786,7 +2786,7 @@ void __audit_log_capset(const struct cred *new, const struct cred *old)

	context->capset.pid = task_tgid_nr(current);
	context->capset.cap.effective   = new->cap_effective;
	context->capset.cap.inheritable = new->cap_effective;
	context->capset.cap.inheritable = new->cap_inheritable;
	context->capset.cap.permitted   = new->cap_permitted;
	context->capset.cap.ambient     = new->cap_ambient;
	context->type = AUDIT_CAPSET;