Received: by 2002:a05:6602:2086:0:0:0:0 with SMTP id a6csp4147703ioa; Tue, 26 Apr 2022 18:47:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw0cDJwlOQ0rS3optewobdNdujdsC4h22cs7n4ZcdPMF9G/OfRUGwfvXbJfTifqJ6KHixy3 X-Received: by 2002:a17:902:ea0b:b0:15c:fbe1:2cdb with SMTP id s11-20020a170902ea0b00b0015cfbe12cdbmr16389579plg.126.1651024025914; Tue, 26 Apr 2022 18:47:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651024025; cv=none; d=google.com; s=arc-20160816; b=iWzq3rcT/Z1BJKQmIOv2gs5/aZLqD97FHod2mcIR6GW761ue+j44UFCZXxrXS2fGOC yK97+EW8f/Ob5SULOdGwd67Z4MJa+61coT8qmChh/2GTI9sbxxzTZvmMWRmgd3h2WXkc UpSnSzAmLjdLYz9lRrzwqdQ+CkO609b8jk+tLi7s9E7YwucjrBim14YqP4420FZjJ8VT 4bOWY2t+XC255/e7f1jlbm5LfBOIN/kZJCXs9srm+gkhPEP+icM7VY1HYV4hviOYJUdi bw3je6RLNj9j4FBNZc2KoPBKfUXW0YF0Klitzyt7Nciqm72lIjuf0wGRN6ZjWE14rY4m IOeg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=V8eK/38S7nXsJDHDuFBJHT2DHw6X25gLGYO4O8kog9s=; b=Qw7XTgMsaMMyu2+lTpG3zXie8uwt9yD8S33TeQsHtWnvwDnXbM0R41Liz8BZCz2He+ gYIrWO4xcYD/F+cYq8oQE4TKu12UrcZRGKzLGvRcI7HnpqNea3xUA3uqJYCgNIcUfYPd PeRBwwuLZ6JmnhvOgHvCfl6WAIsYLRnT0wUYo/pKwPq/B3L8Gfh4hC/sIoBd0vdMaZWm 4Lss/iXIIEYuMPvlyNb9a2n4pAFNG2Q+gAQJEjnmzAOF5v9udnpBB1lHi9T08X3y+fS5 r6ETU6KnWU3z2ZHf3ubzxeQiy80fjGN7Rg39tQf7XKCn2oaOr7txrVAzvjAXTDyRsW/x Wh6Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=u35R0UN3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 78-20020a621651000000b004faac3a73f6si30099pfw.79.2022.04.26.18.46.49; Tue, 26 Apr 2022 18:47:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=u35R0UN3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241289AbiDZSQV (ORCPT + 99 others); Tue, 26 Apr 2022 14:16:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41204 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350505AbiDZSQP (ORCPT ); Tue, 26 Apr 2022 14:16:15 -0400 Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9884D6D182 for ; Tue, 26 Apr 2022 11:12:56 -0700 (PDT) Received: by mail-wr1-x42d.google.com with SMTP id b19so26569835wrh.11 for ; Tue, 26 Apr 2022 11:12:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=V8eK/38S7nXsJDHDuFBJHT2DHw6X25gLGYO4O8kog9s=; b=u35R0UN3dU32TrIh0qvJzhptZTfQg3iXdiYRwFzb6PgosVUkEoBsHIY3z64LRyagQs BBxFEKx9Qx7FIuNXcc3PTKV05MXUWxximDOybDKGH1D3+pSEiYhpphRYDUsQ7rq9yYkL ORs9z4rn0E9uCIrRqFHH4Ecg0UfhSLZLQryYuRJObs/A8QBmVoz293wKJH7ilzbiHeRY chyixo48s9kXy3GAKZnGE2dgQe0YrpeHmYYeDnlRGurYd6Y8GYhfOW/N5o7nyK94G3uC Gxcw572F44belh9kBNq/e1DOLzvZi5jXnRnWR4uUEb1sVHTcAF8OIkrcCafbePYC/1aK ZcEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=V8eK/38S7nXsJDHDuFBJHT2DHw6X25gLGYO4O8kog9s=; b=E3GQJzMmfVjurLAtsVUQffl/Mg4cDLz1SNtfc7G7mQZKhzQp68rT7RENLUVPc0ipR9 vWbs6Y5AM/NNuX57psy4omdyf8ccLOrbUB2A7vYbV/qDkh6m/7Tr81dCly9VSSsqiEDM nGZid8oD6DCo//l7I3zPLtN4OwDE0auIeLOeVS1/s9hFkPv1ITc6HkWWd4UteY0dKVbC TGnSZJJIYDxZUlPLyG1va5cIhK0hXho5j1aZWmMWGANpnu9wCly8cT8hx5OOnFn4dJbD +iVjegzyhFb+Y/DakDlWjrmC6plsEpLhjK+QmCzhj2Fo8Blr0+vcwvMGVZInvKKNMjE4 5LNA== X-Gm-Message-State: AOAM532KB8ucrQ6/D7RmeVd4hwC76GEqwDPDxqmzo0P/XFSdsLFTAAmo OFvrGKQYzMfrAad+KQPDbijOdZkMON4EGLAmc4gX X-Received: by 2002:a5d:6c6d:0:b0:20a:7614:bf77 with SMTP id r13-20020a5d6c6d000000b0020a7614bf77mr19585388wrz.662.1650996774977; Tue, 26 Apr 2022 11:12:54 -0700 (PDT) MIME-Version: 1.0 References: <20220418145945.38797-1-casey@schaufler-ca.com> <20220418145945.38797-26-casey@schaufler-ca.com> <81c9f88f-7e8f-0ca6-56b8-049571af6809@canonical.com> In-Reply-To: <81c9f88f-7e8f-0ca6-56b8-049571af6809@canonical.com> From: Paul Moore Date: Tue, 26 Apr 2022 14:12:44 -0400 Message-ID: Subject: Re: [PATCH v35 25/29] Audit: Allow multiple records in an audit_buffer To: John Johansen Cc: Casey Schaufler , casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com, keescook@chromium.org, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 25, 2022 at 9:06 PM John Johansen wrote: > On 4/18/22 07:59, Casey Schaufler wrote: > > Replace the single skb pointer in an audit_buffer with > > a list of skb pointers. Add the audit_stamp information > > to the audit_buffer as there's no guarantee that there > > will be an audit_context containing the stamp associated > > with the event. At audit_log_end() time create auxiliary > > records (none are currently defined) as have been added > > to the list. > > > > Suggested-by: Paul Moore > > Signed-off-by: Casey Schaufler > > I agree with Paul that audit_buffer_aux_new() and > audit_buffer_aux_end() belong in this patch > > > > --- > > kernel/audit.c | 62 +++++++++++++++++++++++++++++++------------------- > > 1 file changed, 39 insertions(+), 23 deletions(-) > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 6b6c089512f7..4d44c05053b0 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -197,8 +197,10 @@ static struct audit_ctl_mutex { > > * to place it on a transmit queue. Multiple audit_buffers can be in > > * use simultaneously. */ > > struct audit_buffer { > > - struct sk_buff *skb; /* formatted skb ready to send */ > > + struct sk_buff *skb; /* the skb for audit_log functions */ > > + struct sk_buff_head skb_list; /* formatted skbs, ready to send */ > > struct audit_context *ctx; /* NULL or associated context */ > > + struct audit_stamp stamp; /* audit stamp for these records */ > > gfp_t gfp_mask; > > }; > > > > @@ -1765,10 +1767,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set); > > > > static void audit_buffer_free(struct audit_buffer *ab) > > { > > + struct sk_buff *skb; > > + > > if (!ab) > > return; > > > > - kfree_skb(ab->skb); > > + while((skb = skb_dequeue(&ab->skb_list))) > > + kfree_skb(skb); > > we still have and ab->skb can we have a debug check that its freed by walking the queue? By definition ab->skb is always going to point at something on the list, if it doesn't we are likely to have failures elsewhere. The structure definition is private to kernel/audit.c and the allocation/creation is handled by an allocator function which always adds the new skb to the list so I think we're okay. We could add additional checks, but with audit performance already a hot topic I would prefer to draw the debug-check line at input coming from outside the audit subsystem. -- paul-moore.com