Message-Id: <1367893269-9308-7-git-send-email-gaofeng@cn.fujitsu.com>
Date: Tue, 7 May 2013 10:20:27 +0800
From: Gao feng <gaofeng@...fujitsu.com>
To: viro@...iv.linux.org.uk, eparis@...hat.com, ebiederm@...ssion.com,
sgrubb@...hat.com, akpm@...ux-foundation.org,
serge.hallyn@...ntu.com, davem@...emloft.net
Cc: netdev@...r.kernel.org, containers@...ts.linux-foundation.org,
linux-kernel@...r.kernel.org, linux-audit@...hat.com,
Gao feng <gaofeng@...fujitsu.com>
Subject: [PATCH RFC 06/48] Audit: make kauditd_task per user namespace
This patch makes kauditd_task per user namespace.
Since right now we only allow users in the init user
namespace to send audit netlink messages to the kernel,
the kauditd_task belonging to any other user namespace
will still not actually run.
Signed-off-by: Gao feng <gaofeng@...fujitsu.com>
---
include/linux/user_namespace.h | 1 +
kernel/audit.c | 25 +++++++++++++++----------
2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 53420a4..24f7c2f 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -23,6 +23,7 @@ struct audit_ctrl {
struct sock *sock;
struct sk_buff_head queue;
struct sk_buff_head hold_queue;
+ struct task_struct *kauditd_task;
};
#endif
diff --git a/kernel/audit.c b/kernel/audit.c
index 61562c5..839c4c0 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -129,7 +129,6 @@ static DEFINE_SPINLOCK(audit_freelist_lock);
static int audit_freelist_count;
static LIST_HEAD(audit_freelist);
-static struct task_struct *kauditd_task;
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
@@ -418,8 +417,9 @@ static void kauditd_send_skb(struct sk_buff *skb)
static int kauditd_thread(void *dummy)
{
struct sk_buff *skb;
- struct sk_buff_head *queue = &init_user_ns.audit.queue;
- struct sk_buff_head *hold_queue = &init_user_ns.audit.hold_queue;
+ struct user_namespace *ns = dummy;
+ struct sk_buff_head *queue = &ns->audit.queue;
+ struct sk_buff_head *hold_queue = &ns->audit.hold_queue;
set_freezable();
while (!kthread_should_stop()) {
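Review bot: kauditd_thread now runs once per user namespace, but the wait queue it sleeps on, `kauditd_wait` (kept as a file-scope static in the hunk above), is still a single global, so a wake-up meant for one namespace's thread wakes every namespace's thread; each then scans only its own `queue`/`hold_queue` and goes back to sleep. This is harmless with the init namespace alone, but once other namespaces can start their thread it becomes an easy way to burn CPU across all of them; if the wait queue is intended to move into `struct audit_ctrl` in a later patch of the series, a note here would help, otherwise a per-ns `wait_queue_head_t` belongs in this change. The thread also takes the bare `ns` pointer without a reference, so it relies entirely on audit_free_user_ns stopping it before the namespace memory is released; `/* no reference held: audit_free_user_ns() must kthread_stop() us first */` would make that contract explicit. The function body continues past the end of this hunk.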
@@ -663,14 +663,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
ns = current_user_ns();
/* As soon as there's any sign of userspace auditd,
* start kauditd to talk to it */
- if (!kauditd_task) {
- kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
- if (IS_ERR(kauditd_task)) {
- err = PTR_ERR(kauditd_task);
- kauditd_task = NULL;
- return err;
- }
+ if (!ns->audit.kauditd_task) {
+ struct task_struct *tsk;
+
+ tsk = kthread_run(kauditd_thread, ns, "kauditd");
+ if (IS_ERR(tsk))
+ return PTR_ERR(tsk);
+
+ ns->audit.kauditd_task = tsk;
}
+
loginuid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
security_task_getsecid(current, &sid);
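Review bot: The test-then-assign on `ns->audit.kauditd_task` is unlocked, so if two receivers for the same namespace race here, the second `kthread_run` overwrites the first task pointer and the first thread is never stopped by audit_free_user_ns; in the init namespace this was presumably serialized by the caller holding audit_cmd_mutex, and if that still holds for every namespace a comment saying so, `/* serialized by audit_cmd_mutex */`, is worth adding. Separately, this spawn now happens for whatever namespace `current_user_ns()` returns, before the rest of the message is validated, so as soon as the init-ns-only restriction mentioned in the description is lifted, any user able to create a user namespace can make the kernel spawn a kthread by sending one netlink message; consider gating the spawn on the namespace's audit being enabled, or documenting that dependency next to the check. The function continues outside this hunk.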
@@ -1615,6 +1617,9 @@ void audit_free_user_ns(struct user_namespace *ns)
skb_queue_purge(&ns->audit.queue);
skb_queue_purge(&ns->audit.hold_queue);
+
+ if (ns->audit.kauditd_task)
+ kthread_stop(ns->audit.kauditd_task);
}
EXPORT_SYMBOL(audit_log_start);
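Review bot: The new `kthread_stop` runs after the two `skb_queue_purge` calls, but kauditd_thread may still be dequeuing from `queue` and re-queueing onto `hold_queue` while the purge is in progress, so skbs moved between the two purges survive and leak with the namespace. Stop the thread first and purge afterwards: `if (ns->audit.kauditd_task) kthread_stop(ns->audit.kauditd_task);` placed before `skb_queue_purge(&ns->audit.queue);`, with `ns->audit.kauditd_task = NULL;` after the stop so the field never holds a stale task pointer. Whether kthread_stop can return before the thread has finished its current send depends on how kauditd_thread is written, which is outside this hunk.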
--
1.8.1.4