Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2384187imm; Thu, 14 Jun 2018 13:26:21 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIllyh47wU3cg2uR8Sp3y3xlpirc0PSr6DODHDFf0/x+FbDNAThTLd3Y5MMbuIVZ4cKFJNw X-Received: by 2002:a63:6882:: with SMTP id d124-v6mr3500671pgc.83.1529007981796; Thu, 14 Jun 2018 13:26:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529007981; cv=none; d=google.com; s=arc-20160816; b=L+Ib1eWORYH9vwG9clnO+neEv1cPVBKv3p5L+USB8wND8ceSEmus/PGsnyMBGVErDI nnd36Pt6QFi3GUVTBU05/nKzMIPaY7+9JJBxj3jPHWhWfYOPw17oZ0FGMVBnOgXN4jzN JGlkuiyRe1ksBS8X53+WnVtitfEUnkptlXCKSOrgG34mJ2+Wn5/diCrVcezvjFePYrRp P68DGPrXJqMzPOjYs0IIidcpN6Xl3b48b8TqArMQRJYKmL9pRkF+teKguXhQHuSJDR3i 75Bo5AG/D0jBy9Cs/CC2dxT1PhpGKu4RVZxbENB0Y+dNrSXsLfTHE2yDb99dXcIm4RqM hejg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=BQoetPck0hRw/mxis/Z/5IcHS0pucUxdG0IPLi7LZaQ=; b=uJW9qXUw4i2OOgIvx/jgmwzxdkbuCjoBAaqKPlNdJyl4KsOLdKOv/Zi+ao/Rh3h4s7 y6Mach8SxKLruG99YSEUwIefu8ObID/ribYPUvjrYn3pqsIEVZKkOw0ycR2qgXLNqmLv kUprz5ZSDiCFYYnOQc2ZLPSvYylBEmIbzyAcvsY+9yET24kP96QQkevZgUZsqHZ+EVmS rnlgP32WpdHvzM8685nlAYu0zDytyqbFZd8PLqEf3i0195gbl9gSC4Le2UR5lYOB02kg Lht15Wgn5XPICP/Owt/oTvVfKQEAgr0tKm9of1cdCzfChON38cg4rDBGsE3zn+7Wd2gA ZyTA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d14-v6si6441774pln.206.2018.06.14.13.26.06; Thu, 14 Jun 2018 13:26:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755499AbeFNUYD (ORCPT + 99 others); Thu, 14 Jun 2018 16:24:03 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:43844 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1754695AbeFNUXQ (ORCPT ); Thu, 14 Jun 2018 16:23:16 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 098BA4075656; Thu, 14 Jun 2018 20:23:16 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-45.rdu2.redhat.com [10.10.112.45]) by smtp.corp.redhat.com (Postfix) with ESMTP id 885E111166FE; Thu, 14 Jun 2018 20:23:13 +0000 (UTC) From: Richard Guy Briggs To: Linux-Audit Mailing List , LKML Cc: eparis@parisplace.org, Paul Moore , Steve Grubb , Alexander Viro , Richard Guy Briggs Subject: [RFC PATCH ghak59 V1 3/6] audit: exclude user records from syscall context Date: Thu, 14 Jun 2018 16:21:13 -0400 Message-Id: <907e32319825bb6336a662f4f6f6d173f56f3226.1529003588.git.rgb@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 14 Jun 2018 20:23:16 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 14 Jun 2018 20:23:16 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'rgb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Since the function audit_log_common_recv_msg() is shared by a number of AUDIT_CONFIG_CHANGE and the entire range of AUDIT_USER_* record types, and since the AUDIT_CONFIG_CHANGE message type has been converted to a syscall accompanied record type, special-case the AUDIT_USER_* range of messages so they remain standalone records. See: https://github.com/linux-audit/audit-kernel/issues/59 Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index e469234..c8c2efc 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1057,7 +1057,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) return err; } -static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) +static void __audit_log_common_recv_msg(struct audit_context *context, + struct audit_buffer **ab, u16 msg_type) { uid_t uid = from_kuid(&init_user_ns, current_uid()); pid_t pid = task_tgid_nr(current); @@ -1067,7 +1068,7 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) return; } - *ab = audit_log_start(audit_context(), GFP_KERNEL, msg_type); + *ab = audit_log_start(context, GFP_KERNEL, msg_type); if (unlikely(!*ab)) return; audit_log_format(*ab, "pid=%d uid=%u", pid, uid); @@ -1075,6 +1076,11 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) audit_log_task_context(*ab); } +static inline void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) +{ + __audit_log_common_recv_msg(audit_context(), ab, msg_type); +} + int is_audit_feature_set(int i) { return af.features & AUDIT_FEATURE_TO_MASK(i); @@ -1341,7 +1347,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (err) break; } - audit_log_common_recv_msg(&ab, msg_type); + __audit_log_common_recv_msg(NULL, &ab, msg_type); if (msg_type != AUDIT_USER_TTY) audit_log_format(ab, " msg='%.*s'", AUDIT_MESSAGE_TEXT_MAX, -- 1.8.3.1