From: Oleg Nesterov <oleg@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
Andi Kleen <andi@firstfloor.org>, Steve Grubb <sgrubb@redhat.com>,
Eric Paris <eparis@redhat.com>
Subject: Re: [PATCH] audit: Only use the syscall slowpath when syscall audit rules exist
Date: Mon, 3 Feb 2014 19:11:44 +0100 [thread overview]
Message-ID: <20140203181144.GA29296@redhat.com> (raw)
In-Reply-To: <a8356e46aed7213128e84a888170391adb6afe30.1391449825.git.luto@amacapital.net>
On 02/03, Andy Lutomirski wrote:
>
> @@ -911,6 +918,47 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
> return context;
> }
>
> +void audit_inc_n_rules()
> +{
> + struct task_struct *p, *g;
> +
> + write_lock(&n_rules_lock);
> +
> + if (audit_n_rules++ != 0)
> + goto out; /* The overall state isn't changing. */
> +
> + read_lock(&tasklist_lock);
> + do_each_thread(g, p) {
> + if (p->audit_context)
> + set_tsk_thread_flag(p, TIF_SYSCALL_AUDIT);
> + } while_each_thread(g, p);
> + read_unlock(&tasklist_lock);
Cosmetic, but I'd suggest to use for_each_process_thread() instead
of do_each_thread/while_each_thread.
And I am not sure why n_rules_lock is rwlock_t... OK, to make
audit_alloc() more scalable, I guess. Please see below.
> @@ -942,8 +995,14 @@ int audit_alloc(struct task_struct *tsk)
> }
> context->filterkey = key;
>
> + read_lock(&n_rules_lock);
> tsk->audit_context = context;
> - set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
> + if (audit_n_rules)
> + set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
> + else
> + clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
> + read_unlock(&n_rules_lock);
Perhaps this is fine, but n_rules_lock can't prevent the race with
audit_inc/dec_n_rules(). The problem is, this is called before the
new task is visible to for_each_process_thread().
If we want to fix this race, we need something like audit_sync_flags()
called after copy_process() drops tasklist, or from tasklist_lock
protected section (in this case it doesn't need n_rules_lock).
Or perhaps audit_alloc() should not try to clear TIF_SYSCALL_AUDIT at all.
In both cases n_rules_lock can be spinlock_t.
Oleg.
next prev parent reply other threads:[~2014-02-03 18:11 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-03 17:53 [PATCH] audit: Only use the syscall slowpath when syscall audit rules exist Andy Lutomirski
2014-02-03 18:11 ` Oleg Nesterov [this message]
2014-02-03 18:33 ` Andy Lutomirski
2014-02-03 20:23 ` Steve Grubb
2014-02-03 22:08 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140203181144.GA29296@redhat.com \
--to=oleg@redhat.com \
--cc=andi@firstfloor.org \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox