From: Richard Guy Briggs <rgb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@parisplace.org>,
	linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH ghak59 V1 4/6] audit: hand taken context to audit_kill_trees for syscall logging
Date: Fri, 13 Jul 2018 17:44:45 -0400	[thread overview]
Message-ID: <20180713214445.6kdccolnabjchr4d@madcap2.tricolour.ca> (raw)
In-Reply-To: <CAHC9VhRMhX8iL2N2TN7qQmZ=3rb8uAr=kUiOjc04JAR0QzR6fg@mail.gmail.com>

On 2018-06-28 18:23, Paul Moore wrote:
> On Thu, Jun 14, 2018 at 4:23 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > Since the context is taken from the task in __audit_syscall_exit() and
> > __audit_free(), hand it to audit_kill_trees() so it can be used to
> > associate with a syscall record.  This requires adding the context
> > parameter to kill_rules() rather than using the current audit_context
> > (which has been taken).
> >
> > The callers of trim_marked() and evict_chunk() still have their context.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/50
> > See: https://github.com/linux-audit/audit-kernel/issues/59
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  kernel/audit.h      |  4 ++--
> >  kernel/audit_tree.c | 18 ++++++++++--------
> >  kernel/auditsc.c    |  4 ++--
> >  3 files changed, 14 insertions(+), 12 deletions(-)
> >
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 214e149..f39f7aa 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -312,7 +312,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab,
> >  extern int audit_tag_tree(char *old, char *new);
> >  extern const char *audit_tree_path(struct audit_tree *tree);
> >  extern void audit_put_tree(struct audit_tree *tree);
> > -extern void audit_kill_trees(struct list_head *list);
> > +extern void audit_kill_trees(struct audit_context *context);
> >  #else
> >  #define audit_remove_tree_rule(rule) BUG()
> >  #define audit_add_tree_rule(rule) -EINVAL
> > @@ -321,7 +321,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab,
> >  #define audit_put_tree(tree) (void)0
> >  #define audit_tag_tree(old, new) -EINVAL
> >  #define audit_tree_path(rule) ""       /* never called */
> > -#define audit_kill_trees(list) BUG()
> > +#define audit_kill_trees(context) BUG()
> >  #endif
> >
> >  extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
> > diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
> > index a01b9da..2d3e1071 100644
> > --- a/kernel/audit_tree.c
> > +++ b/kernel/audit_tree.c
> > @@ -493,13 +493,13 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
> >         return 0;
> >  }
> >
> > -static void audit_tree_log_remove_rule(struct audit_krule *rule)
> > +static void audit_tree_log_remove_rule(struct audit_context *context, struct audit_krule *rule)
> >  {
> >         struct audit_buffer *ab;
> >
> >         if (!audit_enabled)
> >                 return;
> > -       ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> > +       ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> >         if (unlikely(!ab))
> >                 return;
> >         audit_log_format(ab, "op=remove_rule");
> > @@ -510,7 +510,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
> >         audit_log_end(ab);
> >  }
> >
> > -static void kill_rules(struct audit_tree *tree)
> > +static void kill_rules(struct audit_context *context, struct audit_tree *tree)
> >  {
> >         struct audit_krule *rule, *next;
> >         struct audit_entry *entry;
> > @@ -521,7 +521,7 @@ static void kill_rules(struct audit_tree *tree)
> >                 list_del_init(&rule->rlist);
> >                 if (rule->tree) {
> >                         /* not a half-baked one */
> > -                       audit_tree_log_remove_rule(rule);
> > +                       audit_tree_log_remove_rule(context, rule);
> >                         if (entry->rule.exe)
> >                                 audit_remove_mark(entry->rule.exe);
> >                         rule->tree = NULL;
> > @@ -584,7 +584,7 @@ static void trim_marked(struct audit_tree *tree)
> >                 tree->goner = 1;
> >                 spin_unlock(&hash_lock);
> >                 mutex_lock(&audit_filter_mutex);
> > -               kill_rules(tree);
> > +               kill_rules(audit_context(), tree);
> >                 list_del_init(&tree->list);
> >                 mutex_unlock(&audit_filter_mutex);
> >                 prune_one(tree);
> > @@ -924,8 +924,10 @@ static void audit_schedule_prune(void)
> >   * ... and that one is done if evict_chunk() decides to delay until the end
> >   * of syscall.  Runs synchronously.
> >   */
> > -void audit_kill_trees(struct list_head *list)
> > +void audit_kill_trees(struct audit_context *context)
> >  {
> > +       struct list_head *list = &context->killed_trees;
> > +
> >         audit_ctl_lock();
> >         mutex_lock(&audit_filter_mutex);
> >
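Review bot: The kernel-doc comment directly above audit_kill_trees() (its tail is visible at the top of this hunk) still describes the old list-based contract and says nothing about the new parameter, while the body now dereferences `context` unconditionally to reach `context->killed_trees`. Both callers in auditsc.c guard the call with `!list_empty(&context->killed_trees)`, so a NULL context cannot reach this function today, but that requirement is now implicit in the signature rather than stated. Consider adding to the comment a line such as ` * @context: audit context already taken from the task; must be non-NULL, its killed_trees list is drained here and the CONFIG_CHANGE records emitted via kill_rules() are attributed to it.` The remainder of audit_kill_trees() continues past the end of this hunk.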
> > @@ -933,7 +935,7 @@ void audit_kill_trees(struct list_head *list)
> >                 struct audit_tree *victim;
> >
> >                 victim = list_entry(list->next, struct audit_tree, list);
> > -               kill_rules(victim);
> > +               kill_rules(context, victim);
> >                 list_del_init(&victim->list);
> >
> >                 mutex_unlock(&audit_filter_mutex);
> > @@ -972,7 +974,7 @@ static void evict_chunk(struct audit_chunk *chunk)
> >                 list_del_init(&owner->same_root);
> >                 spin_unlock(&hash_lock);
> >                 if (!postponed) {
> > -                       kill_rules(owner);
> > +                       kill_rules(audit_context(), owner);
> >                         list_move(&owner->list, &prune_list);
> >                         need_prune = 1;
> >                 } else {
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index ceb1c45..2590c9e 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1490,7 +1490,7 @@ void __audit_free(struct task_struct *tsk)
> >         if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
> >                 audit_log_exit(context, tsk);
> >         if (!list_empty(&context->killed_trees))
> > -               audit_kill_trees(&context->killed_trees);
> > +               audit_kill_trees(context);
> 
> See my comment below about the ordering of audit_kill_trees() and
> audit_log_exit().
> 
> >         audit_free_context(context);
> >  }
> > @@ -1577,7 +1577,7 @@ void __audit_syscall_exit(int success, long return_code)
> >         context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
> >
> >         if (!list_empty(&context->killed_trees))
> > -               audit_kill_trees(&context->killed_trees);
> > +               audit_kill_trees(context);
> 
> I wonder if we should move the kill_trees if-block above the
> audit_log_exit() block so that any records that are emitted will be
> before the SYSCALL record.  I didn't chase down all the code paths,
> but it seems like it should be safe, no?

Interesting.  I thought I had looked at re-ordering them and rejected
that approach due to that information being needed for audit_log_exit(),
but I don't find any such dependency this pass through the code.

I guess the only concern I have then is that if the state is anything
other than AUDIT_RECORD_CONTEXT it would be an orphan record, but it
would be regardless with the existing code or with my proposed changes.
Perhaps that is a bug to start with, though I'm not sure it is at all
serious, so I'm not concerned about it.

I think re-ordering should be safe and that eliminates the seeming
complexity introduced by the next patch, which is a good thing.

> >         audit_free_names(context);
> >         unroll_tree_refs(context, NULL, 0);
> 
> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
