Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Toshiyuki Okajima <toshi.okajima@jp.fujitsu.com>
To: Eric Paris <eparis@redhat.com>
Cc: toshi.okajima@jp.fujitsu.com, Richard Guy Briggs <rgb@redhat.com>,
	linux-audit@redhat.com, linux-kernel@vger.kernel.org,
	Gao feng <gaofeng@cn.fujitsu.com>
Subject: Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop
Date: Mon, 28 Oct 2013 18:20:25 +0900	[thread overview]
Message-ID: <526E2C59.5070907@jp.fujitsu.com> (raw)
In-Reply-To: <1382713941.2954.19.camel@flatline.rdu.redhat.com>

Hi.

(2013/10/26 0:12), Eric Paris wrote:
> On Fri, 2013-10-25 at 10:36 +0900, Toshiyuki Okajima wrote:
> 
>> systemd                                    |auditd
>> -------------------------------------------+-----------------------------------
>> ...                                        |
>> -> audit_receive                           |...
>>    -> mutex_lock(&audit_cmd_mutex)         |-> audit_receive
>>       ... -> audit_log_start               |   -> mutex_lock(&audit_cmd_mutex)
>>              -> wait_for_auditd            |      // wait for systemd
>>                 -> schedule_timeout(60*HZ) |
> 

> Ugggh, definitely a problem.  Adding a similar hack to systemd really
> does not seem like an acceptable answer.  It seems to me that in
I think so, too. We should fix it against the various cases.

> audit_receive_msg()
> 
> case AUDIT_USER:
> case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
> case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> 
> we do not need to hold the audit_cmd_mutex.  So a quick and dirty patch
> should be to just drop the mutex there (and we need to verify there
> aren't issues running the audit_filter_user() without the lock).  That
> will take care of systemd and anything USING audit.  It still means that
> you could race with something configuring audit and auditd shutting
> down.  Seems like a good quick and dirty 'fix' while we work on a better
> fix...
> 
> To take care of that I think maybe we could drop the cmd_mutex every
> time we call audit_log_start.  That's not necessarily going to be
> pretty.  Maybe make a new switch at the top of the function which knows
> which operations we are going to have to allocate an audit_buffer.  Drop
> the lock, allocate the buffer, then retake the lock to finish running
> audit_receive_msg()....
> 

> Maybe that second option isn't so hard and we can go directly after that
> instead of just dealing with userspace audit messages?
> 
> Thoughts?
Does it mean that we can also fix the problem only in the userspace? 

Even if we fix userspace process (auditd, readahead-collector and systemd) only, 
the problem would happen again if a new userspace audit process is implemented.
Therefore, I think we should fix only in the kernel.
Sorry, but I don't have clear method to fix it.

Regards,
Toshiyuki Okajima

> 
> 
>

next prev parent reply	other threads:[~2013-10-28  9:20 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-10-11  1:36 [BUG][PATCH][RFC] audit: hang up in audit_log_start executed on auditd Toshiyuki Okajima
2013-10-11  1:36 ` Toshiyuki Okajima
2013-10-11  9:33 ` Gao feng
2013-10-11 12:29   ` Toshiyuki Okajima (smtp-b.css)
2013-10-15  4:43     ` [BUG][PATCH] audit: audit_log_start running on auditd should not stop Toshiyuki Okajima
2013-10-15  6:30       ` Gao feng
2013-10-15  7:07         ` Toshiyuki Okajima
2013-10-15  7:58           ` [BUG][PATCH V3] " Toshiyuki Okajima
2013-10-15  9:41             ` Gao feng
2013-10-23 19:55         ` [BUG][PATCH] " Richard Guy Briggs
2013-10-24  5:55           ` Gao feng
2013-10-24 19:35             ` Richard Guy Briggs
2013-10-25  1:36           ` Toshiyuki Okajima
2013-10-25 15:12             ` Eric Paris
2013-10-28  9:20               ` Toshiyuki Okajima [this message]
2013-12-05  2:45               ` [PATCH 0/3] audit: remove audit_log_start() contention in AUDIT_USER type calls Richard Guy Briggs
2013-12-05  2:45                 ` [PATCH 1/3] selinux: call WARN_ONCE() instead of calling audit_log_start() Richard Guy Briggs
2013-12-05  2:45                 ` [PATCH 2/3] smack: " Richard Guy Briggs
2013-12-06 18:40                   ` Casey Schaufler
2013-12-06 18:40                     ` Casey Schaufler
2013-12-08 22:17                     ` Richard Guy Briggs
2013-12-05  2:45                 ` [PATCH 3/3] audit: drop audit_cmd_lock in AUDIT_USER family of cases Richard Guy Briggs
2013-12-05  2:45                   ` Richard Guy Briggs
2013-12-09  2:31                   ` Toshiyuki Okajima
2013-12-09  2:31                     ` Toshiyuki Okajima
2013-12-05  7:15                 ` [RESEND][BUG][PATCH V3] audit: audit_log_start running on auditd should not stop Toshiyuki Okajima
2013-12-05  7:15                   ` Toshiyuki Okajima

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=526E2C59.5070907@jp.fujitsu.com \
    --to=toshi.okajima@jp.fujitsu.com \
    --cc=eparis@redhat.com \
    --cc=gaofeng@cn.fujitsu.com \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rgb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.