From: Steve Grubb
To: paul@paul-moore.com, eparis@redhat.com, rgb@redhat.com, linux-audit@redhat.com
Cc: wangweiyang2@huawei.com, linux-audit@redhat.com, linux-kernel@vger.kernel.org, Gaosheng Cui
Subject: Re: [PATCH -next, v3 2/2] audit: return early if the rule has a lower priority
Date: Tue, 19 Oct 2021 10:51:00 -0400
Message-ID: <5543735.DvuYhMxLoT@x2>
Organization: Red Hat
In-Reply-To: <20211016072351.237745-3-cuigaosheng1@huawei.com>
References: <20211016072351.237745-1-cuigaosheng1@huawei.com> <20211016072351.237745-3-cuigaosheng1@huawei.com>

Hello,

On Saturday, October 16, 2021 3:23:51 AM EDT Gaosheng Cui wrote:
> It is not necessary for audit_filter_rules() functions to check
> audit fields of the rule with a lower priority, and if we did,
> there might be some unintended effects, such as the ctx->ppid
> may be changed unexpectedly, so return early if the rule has
> a lower priority.
>
> Signed-off-by: Gaosheng Cui
> --- > kernel/auditsc.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 42d4a4320526..b517947bfa48 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c
> @@ -470,6 +470,9 @@ static int audit_filter_rules(struct task_struct *tsk, > u32 sid; > unsigned int sessionid; > > + if (ctx && rule->prio <= ctx->prio) > + return 0; > +

Just wondering something... If the first thing we do is to decide to return, should we have called the function in the first place? I wonder if this test should be used to break out of the rule iteration loops so that we don't keep calling only to return?

-Steve

> cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); > > for (i = 0; i < rule->field_count; i++) { > @@ -737,8 +740,6 @@ static int audit_filter_rules(struct task_struct *tsk, > } > > if (ctx) { > - if (rule->prio <= ctx->prio) > - return 0; > if (rule->filterkey) { > kfree(ctx->filterkey); > ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
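
Review bot: The early return added in the first hunk (`if (ctx && rule->prio <= ctx->prio)`, placed before the `rcu_dereference_check()` call and the field loop) has no comment explaining why it must run before any field is evaluated. The commit message gives the reason, that checking fields of a lower-priority rule can have side effects such as changing ctx->ppid, and a one-line comment above the check stating this would keep a later cleanup from moving the test back down next to the filterkey handling.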
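
Review bot: In the second hunk the `rule->prio <= ctx->prio` test is dropped from the `if (ctx)` block after the field loop, so the filterkey update now depends entirely on the entry check having seen the same ctx->prio. Moving the test is only behaviour-preserving if nothing between function entry and this block writes ctx->prio; the commit message should say so explicitly, since it already states that field evaluation can modify other ctx members.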