From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org, linux-audit@redhat.com, sds@tycho.nsa.gov
Subject: [PATCH v31 24/28] Audit: Add framework for auxiliary records
Date: Mon, 13 Dec 2021 15:40:30 -0800
Message-Id: <20211213234034.111891-25-casey@schaufler-ca.com>
In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com>
References: <20211213234034.111891-1-casey@schaufler-ca.com>

Add a list for auxiliary record data to the audit_buffer structure. Add the audit_stamp information to the audit_buffer as there's no guarantee that there will be an audit_context containing the stamp associated with the event. At audit_log_end() time create auxiliary records (none are currently defined) as have been added to the list.

Signed-off-by: Casey Schaufler --- kernel/audit.c | 84 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 74 insertions(+), 10 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 069cd4c81a61..fc3662ff126e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -191,15 +191,25 @@ static struct audit_ctl_mutex { * should be at least that large. */ #define AUDIT_BUFSIZ 1024 +/* The audit_context_entry contains data required to create an + * auxiliary record. + */ +struct audit_context_entry { + struct list_head list; + int type; /* Audit record type */ +}; + /* The audit_buffer is used when formatting an audit record. The caller * locks briefly to get the record off the freelist or to allocate the * buffer, and locks briefly to send the buffer to the netlink layer or * to place it on a transmit queue. Multiple audit_buffers can be in * use simultaneously. */ struct audit_buffer { - struct sk_buff *skb; /* formatted skb ready to send */ - struct audit_context *ctx; /* NULL or associated context */ - gfp_t gfp_mask; + struct sk_buff *skb; /* formatted skb ready to send */ + struct audit_context *ctx; /* NULL or associated context */ + struct list_head aux_records; /* aux record data */ + struct audit_stamp stamp; /* event stamp */ + gfp_t gfp_mask; }; struct audit_reply { @@ -1753,6 +1763,7 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx, ab->ctx = ctx; ab->gfp_mask = gfp_mask; + INIT_LIST_HEAD(&ab->aux_records); return ab; @@ -1813,7 +1824,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; 
@@ -1866,14 +1876,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &stamp); + audit_get_stamp(ab->ctx, &ab->stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)stamp.ctime.tv_sec, - stamp.ctime.tv_nsec/1000000, - stamp.serial); + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); return ab; } @@ -2363,7 +2373,7 @@ int audit_signal_info(int sig, struct task_struct *t) } /** - * audit_log_end - end one audit record + * __audit_log_end - end one audit record * @ab: the audit_buffer * * We can not do a netlink send inside an irq context because it blocks (last @@ -2371,7 +2381,7 @@ int audit_signal_info(int sig, struct task_struct *t) * queue and a kthread is scheduled to remove them from the queue outside the * irq context. May be called in any context. */ -void audit_log_end(struct audit_buffer *ab) +void __audit_log_end(struct audit_buffer *ab) { struct sk_buff *skb; struct nlmsghdr *nlh; 
@@ -2393,6 +2403,60 @@ void audit_log_end(struct audit_buffer *ab) wake_up_interruptible(&kauditd_wait); } else audit_log_lost("rate limit exceeded"); +} + +/** + * audit_log_end - end one audit record + * @ab: the audit_buffer + * + * Let __audit_log_end() handle the message while the buffer housekeeping + * is done here. + * If there are other records that have been deferred for the event + * create them here. + */ +void audit_log_end(struct audit_buffer *ab) +{ + struct audit_context_entry *entry; + struct audit_context mcontext; + struct audit_context *mctx; + struct audit_buffer *mab; + struct list_head *l; + struct list_head *n; + + if (!ab) + return; + + __audit_log_end(ab); + + if (list_empty(&ab->aux_records)) { + audit_buffer_free(ab); + return; + } + + if (ab->ctx == NULL) { + mcontext.stamp = ab->stamp; + mctx = &mcontext; + } else + mctx = ab->ctx; + + list_for_each_safe(l, n, &ab->aux_records) { + entry = list_entry(l, struct audit_context_entry, list); + mab = audit_log_start(mctx, ab->gfp_mask, entry->type); + if (!mab) { + audit_panic("alloc error in audit_log_end"); + continue; + } + switch (entry->type) { + /* Don't know of any quite yet. */ + default: + audit_panic("Unknown type in audit_log_end"); + break; + } + __audit_log_end(mab); + audit_buffer_free(mab); + list_del(&entry->list); + kfree(entry); + } audit_buffer_free(ab); } -- 2.31.1 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
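
Review bot: __audit_log_end(), created by the rename in the hunk at -2371, is not declared static, and the diffstat shows only kernel/audit.c changing, so no header carries a prototype for it. If its only callers are the two in the new audit_log_end(), mark it static; otherwise add the declaration. Its kernel-doc summary still reads "end one audit record", the same as the new audit_log_end() comment; it should say that this helper only queues the skb and leaves freeing the buffer to the caller.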
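
Review bot: In the new audit_log_end() (hunk at -2393), the `!mab` branch does `continue` before `list_del(&entry->list)` and `kfree(entry)`, so an entry whose audit_log_start() call fails is never unlinked or freed, and the audit_buffer_free(ab) after the loop then releases the list head it is still attached to. Unlink and free the entry before the allocation check, or route both paths through a common cleanup, so every entry is released. In the same function, mcontext is an on-stack struct audit_context with only .stamp assigned, yet audit_log_start() as shown in this patch writes ctx->dummy and stores the pointer in ab->ctx, which is then handed to audit_get_stamp(); zero-initialise mcontext or document which fields those callees may read.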