[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhRYkgjBvpRwb=C-GBRKqg0gLs7i=HXN_bEyh_udP6O+6Q@mail.gmail.com>
Date: Mon, 19 Nov 2018 11:32:23 -0500
From: Paul Moore <paul@...l-moore.com>
To: rgb@...hat.com
Cc: linux-audit@...hat.com, linux-kernel@...r.kernel.org,
Eric Paris <eparis@...isplace.org>, sgrubb@...hat.com,
viro@...iv.linux.org.uk
Subject: Re: [PATCH ghak59 V2 4/6] audit: hand taken context to
audit_kill_trees for syscall logging
On Fri, Jul 27, 2018 at 3:51 PM Richard Guy Briggs <rgb@...hat.com> wrote:
> Since the context is taken from the task in __audit_syscall_exit() and
> __audit_free(), hand it to audit_kill_trees() so it can be used to
> associate with a syscall record. This requires adding the context
> parameter to kill_rules() rather than using the current audit_context
> (which has been taken).
>
> The callers of trim_marked() and evict_chunk() still have their context.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
> See: https://github.com/linux-audit/audit-kernel/issues/59
> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> ---
> kernel/audit.h | 4 ++--
> kernel/audit_tree.c | 18 ++++++++++--------
> kernel/auditsc.c | 4 ++--
> 3 files changed, 14 insertions(+), 12 deletions(-)
This looks okay, but see my comments in 5/6. Since you're going to
need to respin this anyway, I would suggest rebasing it on to of the
current audit/next as Jan's audit tree changes might cause some merge
fuzz.
> diff --git a/kernel/audit.h b/kernel/audit.h
> index 214e149..f39f7aa 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -312,7 +312,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab,
> extern int audit_tag_tree(char *old, char *new);
> extern const char *audit_tree_path(struct audit_tree *tree);
> extern void audit_put_tree(struct audit_tree *tree);
> -extern void audit_kill_trees(struct list_head *list);
> +extern void audit_kill_trees(struct audit_context *context);
> #else
> #define audit_remove_tree_rule(rule) BUG()
> #define audit_add_tree_rule(rule) -EINVAL
> @@ -321,7 +321,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab,
> #define audit_put_tree(tree) (void)0
> #define audit_tag_tree(old, new) -EINVAL
> #define audit_tree_path(rule) "" /* never called */
> -#define audit_kill_trees(list) BUG()
> +#define audit_kill_trees(context) BUG()
> #endif
>
> extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
> index f0b7d30..c2281e3 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -493,13 +493,13 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
> return 0;
> }
>
> -static void audit_tree_log_remove_rule(struct audit_krule *rule)
> +static void audit_tree_log_remove_rule(struct audit_context *context, struct audit_krule *rule)
> {
> struct audit_buffer *ab;
>
> if (!audit_enabled)
> return;
> - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (unlikely(!ab))
> return;
> audit_log_format(ab, "op=remove_rule");
> @@ -510,7 +510,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
> audit_log_end(ab);
> }
>
> -static void kill_rules(struct audit_tree *tree)
> +static void kill_rules(struct audit_context *context, struct audit_tree *tree)
> {
> struct audit_krule *rule, *next;
> struct audit_entry *entry;
> @@ -521,7 +521,7 @@ static void kill_rules(struct audit_tree *tree)
> list_del_init(&rule->rlist);
> if (rule->tree) {
> /* not a half-baked one */
> - audit_tree_log_remove_rule(rule);
> + audit_tree_log_remove_rule(context, rule);
> if (entry->rule.exe)
> audit_remove_mark(entry->rule.exe);
> rule->tree = NULL;
> @@ -584,7 +584,7 @@ static void trim_marked(struct audit_tree *tree)
> tree->goner = 1;
> spin_unlock(&hash_lock);
> mutex_lock(&audit_filter_mutex);
> - kill_rules(tree);
> + kill_rules(audit_context(), tree);
> list_del_init(&tree->list);
> mutex_unlock(&audit_filter_mutex);
> prune_one(tree);
> @@ -924,8 +924,10 @@ static void audit_schedule_prune(void)
> * ... and that one is done if evict_chunk() decides to delay until the end
> * of syscall. Runs synchronously.
> */
> -void audit_kill_trees(struct list_head *list)
> +void audit_kill_trees(struct audit_context *context)
> {
> + struct list_head *list = &context->killed_trees;
> +
> audit_ctl_lock();
> mutex_lock(&audit_filter_mutex);
>
> @@ -933,7 +935,7 @@ void audit_kill_trees(struct list_head *list)
> struct audit_tree *victim;
>
> victim = list_entry(list->next, struct audit_tree, list);
> - kill_rules(victim);
> + kill_rules(context, victim);
> list_del_init(&victim->list);
>
> mutex_unlock(&audit_filter_mutex);
> @@ -972,7 +974,7 @@ static void evict_chunk(struct audit_chunk *chunk)
> list_del_init(&owner->same_root);
> spin_unlock(&hash_lock);
> if (!postponed) {
> - kill_rules(owner);
> + kill_rules(audit_context(), owner);
> list_move(&owner->list, &prune_list);
> need_prune = 1;
> } else {
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index fb20746..986c5ce 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1490,7 +1490,7 @@ void __audit_free(struct task_struct *tsk)
> if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
> audit_log_exit(context, tsk);
> if (!list_empty(&context->killed_trees))
> - audit_kill_trees(&context->killed_trees);
> + audit_kill_trees(context);
>
> audit_free_context(context);
> }
> @@ -1577,7 +1577,7 @@ void __audit_syscall_exit(int success, long return_code)
> context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
>
> if (!list_empty(&context->killed_trees))
> - audit_kill_trees(&context->killed_trees);
> + audit_kill_trees(context);
>
> audit_free_names(context);
> unroll_tree_refs(context, NULL, 0);
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists