lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHC9VhSm0c-DUn_bJsv6NrZ+_NwUVzRQbNiC7rLS1Hu=7nALwg@mail.gmail.com>
Date:   Mon, 19 Nov 2018 11:32:27 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     rgb@...hat.com
Cc:     linux-audit@...hat.com, linux-kernel@...r.kernel.org,
        Eric Paris <eparis@...isplace.org>, sgrubb@...hat.com,
        viro@...iv.linux.org.uk
Subject: Re: [PATCH ghak59 V2 5/6] audit: kill trees before logging syscall
 exit for exit/free

On Fri, Jul 27, 2018 at 3:51 PM Richard Guy Briggs <rgb@...hat.com> wrote:
> The EOE record was being issued prior to the pruning of the killed_tree
> list.
>
> Move the kill_trees call before the audit_log_exit call in
> __audit_free() and __audit_syscall_exit() so that the user library
> doesn't leave out any appended pruned trees CONFIG_CHANGE records due to
> the EOE flagging the end of the event.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
> See: https://github.com/linux-audit/audit-kernel/issues/59
> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> ---
>  kernel/auditsc.c | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)

This patch and patch 4/6 should be squashed together.

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 986c5ce..55fd2a3 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1482,6 +1482,8 @@ void __audit_free(struct task_struct *tsk)
>         if (!context)
>                 return;
>
> +       if (!list_empty(&context->killed_trees))
> +               audit_kill_trees(context);
>         /* Check for system calls that do not go through the exit
>          * function (e.g., exit_group), then free context block.
>          * We use GFP_ATOMIC here because we might be doing this
> @@ -1489,8 +1491,6 @@ void __audit_free(struct task_struct *tsk)
>         /* that can happen only if we are called from do_exit() */
>         if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
>                 audit_log_exit(context, tsk);
> -       if (!list_empty(&context->killed_trees))
> -               audit_kill_trees(context);
>
>         audit_free_context(context);
>  }
> @@ -1570,15 +1570,14 @@ void __audit_syscall_exit(int success, long return_code)
>         if (!context)
>                 return;
>
> +       if (!list_empty(&context->killed_trees))
> +               audit_kill_trees(context);
>         if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
>                 audit_log_exit(context, current);
>
>         context->in_syscall = 0;
>         context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
>
> -       if (!list_empty(&context->killed_trees))
> -               audit_kill_trees(context);
> -
>         audit_free_names(context);
>         unroll_tree_refs(context, NULL, 0);
>         audit_free_aux(context);
> --
> 1.8.3.1
>


--
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ