From: Oleg Nesterov <oleg@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
Andi Kleen <andi@firstfloor.org>, Steve Grubb <sgrubb@redhat.com>,
Eric Paris <eparis@redhat.com>
Subject: Re: [PATCH] audit: Only use the syscall slowpath when syscall audit rules exist
Date: Mon, 3 Feb 2014 19:11:44 +0100 [thread overview]
Message-ID: <20140203181144.GA29296@redhat.com> (raw)
In-Reply-To: <a8356e46aed7213128e84a888170391adb6afe30.1391449825.git.luto@amacapital.net>
On 02/03, Andy Lutomirski wrote:
>
> @@ -911,6 +918,47 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
> return context;
> }
>
> +void audit_inc_n_rules()
> +{
> + struct task_struct *p, *g;
> +
> + write_lock(&n_rules_lock);
> +
> + if (audit_n_rules++ != 0)
> + goto out; /* The overall state isn't changing. */
> +
> + read_lock(&tasklist_lock);
> + do_each_thread(g, p) {
> + if (p->audit_context)
> + set_tsk_thread_flag(p, TIF_SYSCALL_AUDIT);
> + } while_each_thread(g, p);
> + read_unlock(&tasklist_lock);
Cosmetic, but I'd suggest to use for_each_process_thread() instead
of do_each_thread/while_each_thread.
And I am not sure why n_rules_lock is rwlock_t... OK, to make
audit_alloc() more scalable, I guess. Please see below.
> @@ -942,8 +995,14 @@ int audit_alloc(struct task_struct *tsk)
> }
> context->filterkey = key;
>
> + read_lock(&n_rules_lock);
> tsk->audit_context = context;
> - set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
> + if (audit_n_rules)
> + set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
> + else
> + clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
> + read_unlock(&n_rules_lock);
Perhaps this is fine, but n_rules_lock can't prevent the race with
audit_inc/dec_n_rules(). The problem is, this is called before the
new task is visible to for_each_process_thread().
If we want to fix this race, we need something like audit_sync_flags()
called after copy_process() drops tasklist, or from tasklist_lock
protected section (in this case it doesn't need n_rules_lock).
Or perhaps audit_alloc() should not try to clear TIF_SYSCALL_AUDIT at all.
In both cases n_rules_lock can be spinlock_t.
Oleg.
next prev parent reply other threads:[~2014-02-03 18:11 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-03 17:53 [PATCH] audit: Only use the syscall slowpath when syscall audit rules exist Andy Lutomirski
2014-02-03 18:11 ` Oleg Nesterov [this message]
2014-02-03 18:33 ` Andy Lutomirski
2014-02-03 18:57 ` Kodiak Furr
2014-02-03 20:23 ` Steve Grubb
2014-02-03 20:23 ` Steve Grubb
2014-02-03 22:08 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140203181144.GA29296@redhat.com \
--to=oleg@redhat.com \
--cc=andi@firstfloor.org \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.