References: <557aec24451674a80c757600e39b91fd8cfc29a4.1544477629.git.rgb@redhat.com>
In-Reply-To: <557aec24451674a80c757600e39b91fd8cfc29a4.1544477629.git.rgb@redhat.com>
From: Paul Moore
Date: Mon, 14 Jan 2019 18:06:15 -0500
Subject: Re: [PATCH ghak59 V3 3/4] audit: hand taken context to audit_kill_trees for syscall logging
To: Richard Guy Briggs
Cc: LKML, Linux-Audit Mailing List, Eric Paris, Alexander Viro, Steve Grubb
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
>
> Since the context is derived from the task parameter handed to
> __audit_free(), hand the context to audit_kill_trees() so it can be used
> to associate with a syscall record. This requires adding the context
> parameter to kill_rules() rather than using the current audit_context.
>
> The callers of trim_marked() and evict_chunk() still have their context.
>
> The EOE record was being issued prior to the pruning of the killed_tree
> list.
>
> Move the kill_trees call before the audit_log_exit call in
> __audit_free() and __audit_syscall_exit() so that any pruned trees
> CONFIG_CHANGE records are included with the associated syscall event by
> the user library due to the EOE record flagging the end of the event.
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
> See: https://github.com/linux-audit/audit-kernel/issues/59
> Signed-off-by: Richard Guy Briggs
> ---
>  kernel/audit.h      |  4 ++--
>  kernel/audit_tree.c | 18 ++++++++++--------
>  kernel/auditsc.c    | 12 ++++++------
>  3 files changed, 18 insertions(+), 16 deletions(-)

Merged.

> diff --git a/kernel/audit.h b/kernel/audit.h > index 91421679a168..6ffb70575082 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h 
> @@ -314,7 +314,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, > extern int audit_tag_tree(char *old, char *new); > extern const char *audit_tree_path(struct audit_tree *tree); > extern void audit_put_tree(struct audit_tree *tree); > -extern void audit_kill_trees(struct list_head *list); > +extern void audit_kill_trees(struct audit_context *context); > #else > #define audit_remove_tree_rule(rule) BUG() > #define audit_add_tree_rule(rule) -EINVAL > @@ -323,7 +323,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, > #define audit_put_tree(tree) (void)0 > #define audit_tag_tree(old, new) -EINVAL > #define audit_tree_path(rule) "" /* never called */ > -#define audit_kill_trees(list) BUG() > +#define audit_kill_trees(context) BUG() > #endif > > extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len); > diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c > index b0bd59ef4271..bf77d265e68e 100644 > --- a/kernel/audit_tree.c > +++ b/kernel/audit_tree.c > @@ -524,13 +524,13 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) > return 0; > } > > -static void audit_tree_log_remove_rule(struct audit_krule *rule) > +static void audit_tree_log_remove_rule(struct audit_context *context, struct audit_krule *rule) > { > struct audit_buffer *ab; > > if (!audit_enabled) > return; > - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE); > + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > if (unlikely(!ab)) > return; > audit_log_format(ab, "op=remove_rule dir="); > @@ -540,7 +540,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule) > audit_log_end(ab); > } > > -static void kill_rules(struct audit_tree *tree) > +static void kill_rules(struct audit_context *context, struct audit_tree *tree) > { > struct audit_krule *rule, *next; > struct audit_entry *entry; 
> @@ -551,7 +551,7 @@ static void kill_rules(struct audit_tree *tree) > list_del_init(&rule->rlist); > if (rule->tree) { > /* not a half-baked one */ > - audit_tree_log_remove_rule(rule); > + audit_tree_log_remove_rule(context, rule); > if (entry->rule.exe) > audit_remove_mark(entry->rule.exe); > rule->tree = NULL; > @@ -633,7 +633,7 @@ static void trim_marked(struct audit_tree *tree) > tree->goner = 1; > spin_unlock(&hash_lock); > mutex_lock(&audit_filter_mutex); > - kill_rules(tree); > + kill_rules(audit_context(), tree); > list_del_init(&tree->list); > mutex_unlock(&audit_filter_mutex); > prune_one(tree); > @@ -973,8 +973,10 @@ static void audit_schedule_prune(void) > * ... and that one is done if evict_chunk() decides to delay until the end > * of syscall. Runs synchronously. > */ > -void audit_kill_trees(struct list_head *list) > +void audit_kill_trees(struct audit_context *context) > { > + struct list_head *list = &context->killed_trees; > + > audit_ctl_lock(); > mutex_lock(&audit_filter_mutex); > > @@ -982,7 +984,7 @@ void audit_kill_trees(struct list_head *list) > struct audit_tree *victim; > > victim = list_entry(list->next, struct audit_tree, list); > - kill_rules(victim); > + kill_rules(context, victim); > list_del_init(&victim->list); > > mutex_unlock(&audit_filter_mutex); > @@ -1017,7 +1019,7 @@ static void evict_chunk(struct audit_chunk *chunk) > list_del_init(&owner->same_root); > spin_unlock(&hash_lock); > if (!postponed) { > - kill_rules(owner); > + kill_rules(audit_context(), owner); > list_move(&owner->list, &prune_list); > need_prune = 1; > } else { > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 6593a5207fb0..b585ceb2f7a2 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c 
> @@ -1444,6 +1444,9 @@ void __audit_free(struct task_struct *tsk) > if (!context) > return; > > + if (!list_empty(&context->killed_trees)) > + audit_kill_trees(context); > + > /* We are called either by do_exit() or the fork() error handling code; > * in the former case tsk == current and in the latter tsk is a > * random task_struct that doesn't doesn't have any meaningful data we > @@ -1460,9 +1463,6 @@ void __audit_free(struct task_struct *tsk) > audit_log_exit(); > } > > - if (!list_empty(&context->killed_trees)) > - audit_kill_trees(&context->killed_trees); > - > audit_set_context(tsk, NULL); > audit_free_context(context); > } > @@ -1537,6 +1537,9 @@ void __audit_syscall_exit(int success, long return_code) > if (!context) > return; > > + if (!list_empty(&context->killed_trees)) > + audit_kill_trees(context); > + > if (!context->dummy && context->in_syscall) { > if (success) > context->return_valid = AUDITSC_SUCCESS; > @@ -1571,9 +1574,6 @@ void __audit_syscall_exit(int success, long return_code) > context->in_syscall = 0; > context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; > > - if (!list_empty(&context->killed_trees)) > - audit_kill_trees(&context->killed_trees); > - > audit_free_names(context); > unroll_tree_refs(context, NULL, 0); > audit_free_aux(context); > -- > 1.8.3.1 > -- paul moore www.paul-moore.com
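
Review bot: In the kernel/audit_tree.c hunk at -524, the new signature `static void audit_tree_log_remove_rule(struct audit_context *context, struct audit_krule *rule)` runs well past 80 columns. Wrap the parameter list onto a second line so the declaration stays within the usual kernel line length.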
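
Review bot: In the trim_marked() and evict_chunk() hunks, `kill_rules(audit_context(), tree)` and `kill_rules(audit_context(), owner)` keep logging against the current task's context while audit_kill_trees() now logs against the context it is handed, and nothing at the call sites explains the difference. A one-line comment at each of the two calls saying why current's context is the right one there would make the split clear to the next reader.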
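
Review bot: In the audit_kill_trees() hunk at -973, `struct list_head *list = &context->killed_trees;` dereferences the new parameter unconditionally, and the comment block above the function does not mention the parameter at all. Both callers in kernel/auditsc.c return early on `!context`, so this holds for the visible call sites, but the comment should state that context must be non-NULL and that the entries on its killed_trees list are removed here, so a later caller does not pass an unchecked audit_context() result.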
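
Review bot: In the first __audit_free() hunk, the new `audit_kill_trees(context)` call is placed above the comment explaining that tsk may come from the fork() error path and carry no meaningful data, so it runs for both kinds of caller and now logs against tsk's context rather than current's. audit_log_exit() further down stays inside its own block. If killed_trees can only be non-empty when tsk == current, say so in a comment next to the new call; otherwise the CONFIG_CHANGE records would be tied to a context for which no syscall record or EOE is written.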
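
Review bot: In the __audit_syscall_exit() hunk at -1537, `audit_kill_trees(context)` now runs before the `if (!context->dummy && context->in_syscall)` test, so the pruning records are generated for dummy contexts as well. If the syscall and EOE records are only written inside that branch, the CONFIG_CHANGE records for a dummy context end up with no enclosing event. Confirm that this is intended, or document it next to the call.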
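
The ordering argument in the quoted commit message, as an added example that is not part of the original mail or of the audit project's code: a simplified stream reader that closes an event when its EOE record arrives, run over constructed records in the pre-patch and post-patch order. The record lines, the shared stamp on the late record and the `group_events` helper are assumptions made for illustration; this is a model, not how the audit user library is implemented.

```python
import re
from collections import OrderedDict

# Constructed sample records (not real log output). The number after ':' in
# msg=audit(...) is the serial that ties records to one event.
BEFORE_PATCH = [
    'type=SYSCALL msg=audit(1544480000.123:423): arch=c000003e syscall=84 success=yes',
    'type=PATH msg=audit(1544480000.123:423): item=0 name="/srv/watched"',
    'type=EOE msg=audit(1544480000.123:423): ',
    # Assumed for the illustration: the pruning record is emitted after EOE.
    'type=CONFIG_CHANGE msg=audit(1544480000.123:423): op=remove_rule dir="/srv/watched" res=1',
]
# Post-patch order: the pruning record is logged before the exit records, so before EOE.
AFTER_PATCH = BEFORE_PATCH[:2] + [BEFORE_PATCH[3], BEFORE_PATCH[2]]

RECORD = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')


def group_events(lines):
    """Group records by serial, closing an event as soon as its EOE is seen.

    Returns (events, late): events maps serial -> ordered record types,
    late lists (serial, type) for records that arrive after the event closed.
    """
    open_events, done, late = OrderedDict(), OrderedDict(), []
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue  # not an audit record
        rtype, serial = m.group(1), int(m.group(3))
        if serial in done:
            # The event was already handed to the consumer; this record is orphaned.
            late.append((serial, rtype))
            continue
        open_events.setdefault(serial, []).append(rtype)
        if rtype == 'EOE':
            done[serial] = open_events.pop(serial)
    done.update(open_events)  # events that never saw an EOE
    return done, late


if __name__ == '__main__':
    for label, sample in (('before', BEFORE_PATCH), ('after', AFTER_PATCH)):
        events, late = group_events(sample)
        print(label, dict(events), late)
```
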