From: Casey Schaufler <casey@schaufler-ca.com>
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com,
linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
selinux@vger.kernel.org
Subject: [RFC PATCH 07/15] Audit: Call only the first of the audit rule hooks
Date: Sat, 21 Jun 2025 10:18:42 -0700
Message-ID: <20250621171851.5869-8-casey@schaufler-ca.com>
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>
The audit system is not (yet) capable of distinguishing
between audit rules specified for multiple security modules.
Call only the first registered of the audit rule hooks.
The order of registration, which can be specified with the
lsm= boot parameter, is hence an important consideration.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/security.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/security/security.c b/security/security.c
index 2286285f8aea..93d4ac39fe9f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5056,7 +5056,13 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key,
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,
gfp_t gfp)
{
- return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp);
+ struct lsm_static_call *scall;
+
+ lsm_for_each_hook(scall, audit_rule_init) {
+ return scall->hl->hook.audit_rule_init(field, op, rulestr,
+ lsmrule, gfp);
+ }
+ return LSM_RET_DEFAULT(audit_rule_init);
}
/**
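Review bot: the lsm_for_each_hook() loop in security_audit_rule_init() returns unconditionally on its first iteration, so the loop construct is really a "first registered hook, else default" lookup; without a comment it reads like a missing condition inside the loop body. Suggest a one-line comment above the loop stating that only the first registered LSM's audit rule hook is consulted and that the lsm= registration order decides which one, as the commit message says, so the intent survives in the code rather than only in the changelog.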
@@ -5070,7 +5076,12 @@ int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,
*/
int security_audit_rule_known(struct audit_krule *krule)
{
- return call_int_hook(audit_rule_known, krule);
+ struct lsm_static_call *scall;
+
+ lsm_for_each_hook(scall, audit_rule_known) {
+ return scall->hl->hook.audit_rule_known(krule);
+ }
+ return LSM_RET_DEFAULT(audit_rule_known);
}
/**
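Review bot: the kernel-doc block preceding security_audit_rule_known() (the `/** ... */` comment above the function) should be updated to say that only the first registered LSM is consulted. With this hunk the first hook's return value is passed straight back, so a rule field that only a later-registered LSM recognizes is now reported as not known; a caller reading the current kernel-doc would not expect that, and documenting it there is the cheapest way to make the behaviour change visible.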
@@ -5082,7 +5093,12 @@ int security_audit_rule_known(struct audit_krule *krule)
*/
void security_audit_rule_free(void *lsmrule)
{
- call_void_hook(audit_rule_free, lsmrule);
+ struct lsm_static_call *scall;
+
+ lsm_for_each_hook(scall, audit_rule_free) {
+ scall->hl->hook.audit_rule_free(lsmrule);
+ return;
+ }
}
/**
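Review bot: security_audit_rule_free() takes the first entry of the audit_rule_free hook list, while security_audit_rule_init() takes the first entry of the audit_rule_init list, and the lsmrule blob being freed here was allocated by the latter. That is only safe if every LSM that registers one of the audit rule hooks registers all of them; otherwise the "first" hook differs between the two lists and a blob allocated by one module is handed to another module's free routine. Worth a comment recording that assumption, or a check at LSM registration time that the four audit_rule_* hooks are always registered together.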
@@ -5101,7 +5117,13 @@ void security_audit_rule_free(void *lsmrule)
int security_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op,
void *lsmrule)
{
- return call_int_hook(audit_rule_match, prop, field, op, lsmrule);
+ struct lsm_static_call *scall;
+
+ lsm_for_each_hook(scall, audit_rule_match) {
+ return scall->hl->hook.audit_rule_match(prop, field, op,
+ lsmrule);
+ }
+ return LSM_RET_DEFAULT(audit_rule_match);
}
#endif /* CONFIG_AUDIT */
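Review bot: the four wrappers in this patch (security_audit_rule_init/known/free/match) all open-code the same "call the first registered hook, else LSM_RET_DEFAULT()" idiom with a local struct lsm_static_call *scall. Suggest factoring it into a helper macro next to call_int_hook()/call_void_hook(), for example a call_first_int_hook()/call_first_void_hook() pair, so the dispatch policy lives in one place and each hook body stays a single line as it was before this change.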
--
2.47.0