Date: Wed, 7 Mar 2018 11:32:52 +0100 (CET)
From: Jiri Kosina
To: Paul Moore, Andrew Morton, Michal Hocko, Andy Lutomirski
cc: linux-kernel@vger.kernel.org
Subject: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

From: Jiri Kosina

There is no point going through all the audit slow path syscall entry/exit in case the audit daemon is running, but hasn't populated the audit filter with any rules whatsoever.

Only set TIF_AUDIT_SYSCALL in case the number of populated audit rules is non-zero.

Originally-by: Andy Lutomirski
Signed-off-by: Jiri Kosina --- This is basically resurrection / rebase of patch Andi Lutomirski sent some time back in 2014 or so. Andi, is there any reason this hasn't been pursued further? I think we still want to get some of the slow path performance back. Thanks. include/linux/audit.h | 15 +++++++++++++-- kernel/auditfilter.c | 4 ++-- kernel/auditsc.c | 45 ++++++++++++++++++++++++++++++++++++++++----- kernel/fork.c | 2 +- 4 files changed, 56 insertions(+), 10 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index af410d9fbf2d..3d5e96f96be5 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -451,8 +451,10 @@ static inline void audit_fanotify(unsigned int response) __audit_fanotify(response); } -extern int audit_n_rules; extern int audit_signals; +extern void audit_populate(struct task_struct *tsk); +extern void audit_inc_n_rules(void); +extern void audit_dec_n_rules(void); #else /* CONFIG_AUDITSYSCALL */ static inline int audit_alloc(struct task_struct *task) { @@ -572,7 +574,16 @@ static inline void audit_fanotify(unsigned int response) static inline void audit_ptrace(struct task_struct *t) { } -#define audit_n_rules 0 + +static inline void audit_populate(struct task_struct *tsk) +{ } + +static inline void audit_inc_n_rules(void) +{ } + +static inline void audit_dec_n_rules(void) +{ } + #define audit_signals 0 #endif /* CONFIG_AUDITSYSCALL */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 4a1758adb222..46ad138d8ba2 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -991,7 +991,7 @@ static inline int audit_add_rule(struct audit_entry *entry) } #ifdef CONFIG_AUDITSYSCALL if (!dont_count) - audit_n_rules++; + audit_inc_n_rules(); if (!audit_match_signal(entry)) audit_signals++; @@ -1038,7 +1038,7 @@ int audit_del_rule(struct audit_entry *entry) #ifdef CONFIG_AUDITSYSCALL if (!dont_count) - audit_n_rules--; + audit_dec_n_rules(); if (!audit_match_signal(entry)) audit_signals--; 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e80459f7e132..642dd856e716 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -91,7 +91,7 @@ #define MAX_PROCTITLE_AUDIT_LEN 128 /* number of audit rules */ -int audit_n_rules; +static int audit_n_rules; /* determines whether we collect data for signals sent */ int audit_signals; @@ -919,6 +919,36 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state) return context; } +void audit_inc_n_rules() +{ + struct task_struct *p, *g; + unsigned long flags; + + read_lock_irqsave(&tasklist_lock, flags); + if (!audit_n_rules++) { + do_each_thread(g, p) { + if (p->audit_context) + set_tsk_thread_flag(p, TIF_SYSCALL_AUDIT); + } while_each_thread(g, p); + } + read_unlock_irqrestore(&tasklist_lock, flags); +} + +void audit_dec_n_rules() +{ + struct task_struct *p, *g; + unsigned long flags; + + read_lock_irqsave(&tasklist_lock, flags); + audit_n_rules--; + if (!audit_n_rules) { + do_each_thread(g, p) { + clear_tsk_thread_flag(p, TIF_SYSCALL_AUDIT); + } while_each_thread(g, p); + } + read_unlock_irqrestore(&tasklist_lock, flags); +} + /** * audit_alloc - allocate an audit context block for a task * @tsk: task @@ -938,10 +968,8 @@ int audit_alloc(struct task_struct *tsk) return 0; /* Return if not auditing. */ state = audit_filter_task(tsk, &key); - if (state == AUDIT_DISABLED) { - clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); + if (state == AUDIT_DISABLED) return 0; - } if (!(context = audit_alloc_context(state))) { kfree(key); @@ -951,7 +979,6 @@ int audit_alloc(struct task_struct *tsk) context->filterkey = key; tsk->audit_context = context; - set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); return 0; } 
@@ -967,6 +994,14 @@ static inline void audit_free_context(struct audit_context *context) kfree(context); } +void audit_populate(struct task_struct *tsk) +{ + if (tsk->audit_context && audit_n_rules) + set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); + else + clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); +} + static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, unsigned int sessionid, u32 sid, char *comm) diff --git a/kernel/fork.c b/kernel/fork.c index e5d9d405ae4e..79c828746d24 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1955,7 +1955,7 @@ static __latent_entropy struct task_struct *copy_process( attach_pid(p, PIDTYPE_PID); nr_threads++; } - + audit_populate(p); total_forks++; spin_unlock(¤t->sighand->siglock); syscall_tracepoint_update(p); -- Jiri Kosina SUSE Labs
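
Review bot: In the kernel/auditsc.c hunk that adds audit_inc_n_rules() and audit_dec_n_rules(), audit_n_rules is modified while tasklist_lock is held only for reading, and a read lock does not exclude a second caller doing the same, so the counter can lose an update and drift from the real number of rules. If the callers in audit_add_rule() and audit_del_rule() are already serialized by another lock, say so in a comment above both functions; otherwise the counter needs its own protection. The walk also flips TIF_SYSCALL_AUDIT on threads that may be in the middle of a syscall, so such a thread runs only one half of the entry/exit pair; please explain why that is safe. Both definitions should be written with (void) to match the prototypes added in include/linux/audit.h.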
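
Review bot: audit_populate() in kernel/auditsc.c clears TIF_SYSCALL_AUDIT for a task that has an audit_context whenever audit_n_rules is zero, and the changelog does not say what that means for audit records that are emitted with no rule loaded but depend on context collected at syscall entry. Please state in the changelog whether such records lose their syscall information, or why none are affected. The function also needs a kernel-doc comment like the one on audit_alloc() next to it, and a name that describes what it does, since it sets or clears a thread flag rather than populating anything. The subject and changelog say TIF_AUDIT_SYSCALL while the code uses TIF_SYSCALL_AUDIT.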
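
Review bot: In the kernel/fork.c hunk, audit_populate(p) reads audit_n_rules with no locking of its own, so the new task only ends up with the right flag if this call site is ordered by tasklist_lock against the thread walks in audit_inc_n_rules() and audit_dec_n_rules(). The hunk does not show which locks are held at this point; add a comment at the call, or a lockdep assertion inside audit_populate(), documenting that requirement. The change also replaces the blank line before total_forks++ with the new call; keep the blank line and add the call next to it.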