Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp977632pxp;
        Wed, 16 Mar 2022 23:15:04 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwUlCbKFSbuKwhNSwbMj7sEtCLm8I57efevV20al+5KKwrZ0Y9KNlDEt7jqMx11qM+f/WiE
X-Received: by 2002:a17:902:e74b:b0:152:fef9:a56 with SMTP id p11-20020a170902e74b00b00152fef90a56mr3591602plf.58.1647497704126;
        Wed, 16 Mar 2022 23:15:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1647497704; cv=none;
        d=google.com; s=arc-20160816;
        b=VkjuECIX9ltrBUhc7gUC6484w1Q5J5Pt+Jnv8U475tqUAotofYRGRV1q0O7W1IfTIE
         cVqhyMmdYRXg/1KuU1JKSiG5cr82+5i8TrOUM2cwVDqt86oD1UG+0BzXt1w+jnIvv+tA
         wSaDOz3v6iLkynevLjfRWAhidAA+M5W/Na5+dApltORGRZF/INE/1H33MR7IDwJTUzGE
         BfBZ7i54vareWjL7/e/976a99NkHRfl2gUhNQOGP9pJYKESC5G6nfc1acq5AoSaFXaBj
         f2vUCKHGJm5PdwNXNj6hXF8JytXzbCA39EjWbXoURoeEJSsF1iJjr3g1tyRnkc9FOMBE
         ydUA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=rytjyPZ9RNxi/avIuivSs6xI7PnvqvUQtVccmZitEKI=;
        b=Ir9fdg+t8vSMgxvZiaaTzZySfdFsRatO9QUStpP/K76DudWQXkWn8UuVU7wxDM0sud
         CNT9rxLsJf0qavHNKvmhWzgRtNbgxlpZmb+ZhXVw78uuyrib7UIpbv6e5+RmKZAatctl
         hk8K9ZSzRcGGxHGojA0OBi1CBLZ0rnnBS/AEnUvbZ/qZmaQddB9XM4STm9J2qk0Vug91
         p46/bM0lXTqsC+RpMwf8Kvuru95CiUTsBiA0A4P736e1CLuJ/+5hZSNdzNNz26vRrneH
         zL73nKp0Vn6M7YAvrGLWAr20r+vpKzQMXGbCgS9t1vb6jGuEQQL6cdSqXVcctL62D1/Q
         uktg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=gAazJfXI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id u26-20020a63141a000000b00382027737e9si1119920pgl.63.2022.03.16.23.15.03
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 16 Mar 2022 23:15:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=gAazJfXI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 036A2182DBA;
	Wed, 16 Mar 2022 21:58:02 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1352614AbiCOXtD (ORCPT <rfc822;sshegde.linux@gmail.com>
        + 99 others); Tue, 15 Mar 2022 19:49:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57116 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1348320AbiCOXtC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 15 Mar 2022 19:49:02 -0400
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CDC4126D9
        for <linux-kernel@vger.kernel.org>; Tue, 15 Mar 2022 16:47:48 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id hw13so830240ejc.9
        for <linux-kernel@vger.kernel.org>; Tue, 15 Mar 2022 16:47:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20210112.gappssmtp.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=rytjyPZ9RNxi/avIuivSs6xI7PnvqvUQtVccmZitEKI=;
        b=gAazJfXI5UKMUFXIaLVmR4ut6nyHRO1MbFHm2xIVfKwZjvF9UpO93tabuvO5mNS4cq
         GekKVQ+O/gYxc//atQNwW86Fl6+OHtxy1l3hP1VfXU425AoJ7WbzCPl1pEewLwo4VSc4
         I1iXvR6ObDSmwwjCvdhvq3dorv/rcAqR5aWuraEVlNxDnO3zZ0sgoz2p+7GXgYZ2p6tg
         GZjyKJpZYfErbiMJx/9y6xZ56/GhuLRpGfIeTo4PgPXd7OQsdKSfo4whGJzD5P+tS4oJ
         lMYaFxmBznvGAs6E5Tqk9XtKXF7N1r+XUtmIfvKgQy6jMvRckCQxvSATJUiNu8CXSRpT
         MJUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=rytjyPZ9RNxi/avIuivSs6xI7PnvqvUQtVccmZitEKI=;
        b=gHiVAjX8y4gmEHIJgk2R5unZkF1OL1Z7UOE65Su5D5tnD5HBjz0MQKInT+sobS8wru
         BbIOPMnTyinHiHyAEOQvXS5bB/GCevBaK0XgNKme2NzpAS5e8uVRBbZBVTd4WKudlNy+
         hM0eL6Dzm98sSFeOX5zhl56e7g/BqCjAPx81OgwPHqDX9ls3zmS945rC0Fw7xnsd6rkL
         hRniQwxITGdkmNTr9URvgaByukdl1MgfdSUZmkjQFCuoG1/n815QhIw0dm8bPQRVW7r2
         9j5GAfHF1zQ/oiXxs2lwVekKkdYJoD4DJV2bTI2CopMqcyEgS9ucfHvuJkZ54TuPCAOw
         u/0Q==
X-Gm-Message-State: AOAM531y49AuHx98s5xb/gmwrLdr/+YzzDRMtNcnRu5xu+6uLy4gjuS3
        cwHJHJAW76E6WpeOVWQm17mUMtehwlyHsr/6szLzokUgvA==
X-Received: by 2002:a17:907:1b09:b0:6d8:faa8:4a06 with SMTP id
 mp9-20020a1709071b0900b006d8faa84a06mr24602944ejc.701.1647388067190; Tue, 15
 Mar 2022 16:47:47 -0700 (PDT)
MIME-Version: 1.0
References: <20220310234632.16194-1-casey@schaufler-ca.com> <20220310234632.16194-26-casey@schaufler-ca.com>
In-Reply-To: <20220310234632.16194-26-casey@schaufler-ca.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Tue, 15 Mar 2022 19:47:36 -0400
Message-ID: <CAHC9VhTkXaJ6nsJU9hf9KO22bGSpyr8EeBQKef-f6jhy_6OEkA@mail.gmail.com>
Subject: Re: [PATCH v33 25/29] Audit: Allow multiple records in an audit_buffer
To:     Casey Schaufler <casey@schaufler-ca.com>
Cc:     casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
        linux-audit@redhat.com, keescook@chromium.org,
        john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
        stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 10, 2022 at 6:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Replace the single skb pointer in an audit_buffer with
> a list of skb pointers. Add the audit_stamp information
> to the audit_buffer as there's no guarantee that there
> will be an audit_context containing the stamp associated
> with the event. At audit_log_end() time create auxiliary
> records (none are currently defined) as have been added
> to the list.
>
> Suggested-by: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  kernel/audit.c | 53 +++++++++++++++++++++++++++++++++-----------------
>  1 file changed, 35 insertions(+), 18 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index f012c3786264..4713e66a12af 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -197,8 +197,10 @@ static struct audit_ctl_mutex {
>   * to place it on a transmit queue.  Multiple audit_buffers can be in
>   * use simultaneously. */
>  struct audit_buffer {
> -       struct sk_buff       *skb;      /* formatted skb ready to send */
> +       struct sk_buff       *skb;      /* the skb for audit_log functions */
> +       struct sk_buff_head  skb_list;  /* formatted skbs, ready to send */
>         struct audit_context *ctx;      /* NULL or associated context */
> +       struct audit_stamp   stamp;     /* audit stamp for these records */
>         gfp_t                gfp_mask;
>  };
>
> @@ -1744,7 +1746,6 @@ static void audit_buffer_free(struct audit_buffer *ab)
>         if (!ab)
>                 return;
>
> -       kfree_skb(ab->skb);

I like the safety in knowing that audit_buffer_free() would free the
ab->skb memory, I'm not sure I want to get rid of that.  With the
understanding that ab->skb is always going to be present somewhere in
ab->skb_list, any reason not to do something like this?

  while ((skb = skb_dequeue(&ab->skb_list)))
    kfree_skb(skb);

>         kmem_cache_free(audit_buffer_cache, ab);
>  }
>
> @@ -1760,11 +1761,15 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
>         ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
>         if (!ab->skb)
>                 goto err;
> -       if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
> +       if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) {
> +               kfree_skb(ab->skb);
>                 goto err;
> +       }

Assuming we restore the audit_buffer_free() functionality as mentioned
above, if we move the ab->skb_list init and enqueue calls before we
attempt the nlmsg_put() we can drop the kfree_skb() call and just use
the existing audit_buffer_free() call at the err target.


>         ab->ctx = ctx;
>         ab->gfp_mask = gfp_mask;
> +       skb_queue_head_init(&ab->skb_list);
> +       skb_queue_tail(&ab->skb_list, ab->skb);
>
>         return ab;
>

--
paul-moore.com