[RFC PATCH 0/9] Move the audit netlink multicast send to the kauditd_thread
by Paul Moore
This patchset started off innocently enough with the goal of moving
the netlink multicast send from audit_log_end() to kauditd_thread().
However, things escalated rather quickly as this uncovered, or made
worse, a number of inherent problems in the audit backlog queues.
This patchset attempts to address both the multicast and queue
problems.
I've spent a few weeks playing with this, stressing it a bit, and
tweaking some of the logic and so far it is performing at least as
well as the existing code for all the scenarios I've thrown at it;
if you happen to have a particularly nasty audit test, I'd
appreciate hearing about it, and I'd appreciate it even more if
you could give it a test too.
I'm posting this patchset as a RFC because this is a pretty big
change to some rather critical code and I thought some review
would be prudent; if I don't see anything substantial by next week
I'll go ahead and merge this into audit#next, along with the
patch from WANG Cong which started the little endeavor (see the
links below). You'll note I'm not including the patch from WANG
Cong in this patchset for the sake of clarity.
Enough from me, please take a look at the patchset that follows
and post any comments you may have to the list. In case you are
running Fedora Rawhide, I've been building some kernels you can
use to test at the link below:
* GitHub Issue Trackers
- https://github.com/linux-audit/audit-kernel/issues/23
- https://github.com/linux-audit/audit-kernel/issues/22
* Fedora Rawhide Kernel Builds
- https://copr.fedorainfracloud.org/coprs/pcmoore/kernel-testing
---
Paul Moore (8):
audit: fixup audit_init()
audit: queue netlink multicast sends just like we do for unicast sends
audit: rename the queues and kauditd related functions
audit: rework the audit queue handling
audit: rework audit_log_start()
audit: wake up kauditd_thread after auditd registers
audit: handle a clean auditd shutdown with grace
audit: don't ever sleep on a command record/message
Richard Guy Briggs (1):
audit: move kaudit thread start from auditd registration to kaudit init (#2)
kernel/audit.c | 508 +++++++++++++++++++++++++++++++++-----------------------
1 file changed, 302 insertions(+), 206 deletions(-)
7 years, 11 months
[PATCH] Fix AUDIT_MAC_POLICY_LOAD event formatting
by Steve Grubb
The AUDIT_MAC_POLICY_LOAD event has dangling text that means the same thing
as the event type and is missing the uid and results field. The bigger issue
is that in some failure cases no event is emitted. This patch fixes the noted
problems.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
---
--- vanilla-4.9-rc5.orig/security/selinux/selinuxfs.c 2016-11-16 15:16:34.738723900 -0500
+++ linux-4.9.0-0.rc5.git0.1.fc24.x86_64/security/selinux/selinuxfs.c 2016-11-21 12:16:08.046787604 -0500
@@ -494,6 +494,7 @@ static ssize_t sel_write_load(struct fil
{
ssize_t length;
void *data = NULL;
+ unsigned int result = 0;
mutex_lock(&sel_mutex);
@@ -525,24 +526,26 @@ static ssize_t sel_write_load(struct fil
length = sel_make_bools();
if (length)
- goto out1;
+ goto out;
length = sel_make_classes();
if (length)
- goto out1;
+ goto out;
length = sel_make_policycap();
if (length)
- goto out1;
+ goto out;
length = count;
+ result = 1;
-out1:
+out:
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
- "policy loaded auid=%u ses=%u",
+ "uid=%u auid=%u ses=%u res=%u",
+ from_kuid(&init_user_ns, task_uid(current)),
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
-out:
+ audit_get_sessionid(current), result);
+
mutex_unlock(&sel_mutex);
vfree(data);
return length;
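Review bot: Folding `out1:` into `out:` means every `goto out` in sel_write_load() now reaches the audit_log() call, including any early exits above this hunk that used to skip it. That matches the stated goal of logging the failure cases, but each of those paths should be checked so that a res=0 AUDIT_MAC_POLICY_LOAD record is really wanted there. A comment at `out:` saying the label is reached on both success and failure would help the next reader.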
7 years, 11 months
[PATCH] Fix formatting of AUDIT_CONFIG_CHANGE events
by Steve Grubb
The AUDIT_CONFIG_CHANGE events sometimes use an op= field. The current code
logs the value of the field with quotes. This field is documented to not be
encoded, so it should not have quotes.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
---
diff -urp vanilla-4.9-rc5.orig/kernel/auditfilter.c vanilla-4.9-rc5/kernel/auditfilter.c
--- vanilla-4.9-rc5.orig/kernel/auditfilter.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/auditfilter.c 2016-11-16 16:00:30.608728324 -0500
@@ -1074,8 +1074,7 @@ static void audit_log_rule_change(char *
return;
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
audit_log_task_context(ab);
- audit_log_format(ab, " op=");
- audit_log_string(ab, action);
+ audit_log_format(ab, " op=%s", action);
audit_log_key(ab, rule->filterkey);
audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
audit_log_end(ab);
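Review bot: With `" op=%s"` the value of `action` is written into the record without quoting or escaping, so the field only stays parseable while every caller of audit_log_rule_change() passes a fixed token with no spaces or control characters. A one-line comment on the function stating that requirement would keep a future caller from breaking the field.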
diff -urp vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c vanilla-4.9-rc5/kernel/audit_fsnotify.c
--- vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_fsnotify.c 2016-11-16 16:02:41.516728544 -0500
@@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(s
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "auid=%u ses=%u op=",
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
- audit_log_string(ab, op);
+ audit_get_sessionid(current), op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, audit_mark->path);
audit_log_key(ab, rule->filterkey);
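Review bot: In audit_mark_log_rule_change() the `" path="` literal in the following call can now be folded into the same format string, e.g. `"auid=%u ses=%u op=%s path="`, which drops one audit_log_format() call per record and keeps the fixed part of the layout in one place.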
diff -urp vanilla-4.9-rc5.orig/kernel/audit_tree.c vanilla-4.9-rc5/kernel/audit_tree.c
--- vanilla-4.9-rc5.orig/kernel/audit_tree.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_tree.c 2016-11-16 16:03:26.414728619 -0500
@@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(s
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "op=");
- audit_log_string(ab, "remove_rule");
+ audit_log_format(ab, "op=remove_rule");
audit_log_format(ab, " dir=");
audit_log_untrustedstring(ab, rule->tree->pathname);
audit_log_key(ab, rule->filterkey);
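Review bot: The two adjacent literal-only calls in audit_tree_log_remove_rule() can be merged into one, `audit_log_format(ab, "op=remove_rule dir=");`, since nothing is formatted between them.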
diff -urp vanilla-4.9-rc5.orig/kernel/audit_watch.c vanilla-4.9-rc5/kernel/audit_watch.c
--- vanilla-4.9-rc5.orig/kernel/audit_watch.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_watch.c 2016-11-16 16:04:18.287728706 -0500
@@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "auid=%u ses=%u op=",
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
- audit_log_string(ab, op);
+ audit_get_sessionid(current), op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path);
audit_log_key(ab, r->filterkey);
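Review bot: audit_watch_log_rule_change() now carries the same `"auid=%u ses=%u op=%s"` call, followed by the same `" path="` and audit_log_untrustedstring() sequence, as the audit_fsnotify.c hunk. Both emit AUDIT_CONFIG_CHANGE with identical leading fields, so a small shared helper would keep the two record layouts from drifting apart. `op` is written unescaped here, so it has to remain a fixed token.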
7 years, 11 months
Convert audit log to JSON/XML with aushape
by Nikolai Kondrashov
Hi everyone,
I would like to introduce a tool I have been working on for a while with
Steven Grubb's guidance. It's an audit log converter called "aushape".
It is based on auparse and can convert raw audit log to JSON and XML.
https://github.com/Scribery/aushape
Aushape can be used standalone, or as an audispd plugin for on-the-fly
conversion.
The output schema is being designed to correspond closely to original log
structure, but to be event-, rather than record-oriented. I.e. the log
consists of a series of events, with each containing one or more records.
Ultimately, the schema and part of the conversion code will be generated from
the official record and field dictionaries, and the intent is to have aushape
a part of auditd distribution.
I would like to build something that will have more uses than just within Red
Hat projects I'm working on, so I ask you to please take a look at aushape,
its interface and output schemas, tell me what you think about it, if you can
use it, and what you would like changed. I will be glad to answer any
questions you might have.
One of the aims for me is to be able to store the converted audit log in
ElasticSearch and query it from there easily with the help of Kibana. That
puts some limits on the output structure. One of them is that an output event
can only contain unique record types, e.g. it can't contain repeated "PATH" or
"EXECVE" records. Instead, those repeated records are aggregated and stored as
an array under the corresponding record type container. "EXECVE" records are
decoded into a simple argument list and "PATH" records are sorted by their
item ID, in particular. This is done to simplify matching on specific record
fields in ElasticSearch and to avoid using "nested" type, which Kibana has
difficulties with.
At the moment aushape output includes raw log messages it was generated from
to help with debugging, but eventually that will be optional. Features coming
soon are limiting event and record sizes (they can get very big
theoretically), and reporting any conversion errors in-band, as a special kind
of events, preserving the original log lines, so they could be re-processed.
Nick
7 years, 11 months
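The event-oriented aggregation described in the post above, as an added example; it is not aushape's code and the dictionary layout is not aushape's output schema. It groups raw records by timestamp and serial, merges EXECVE records into one decoded argument list, and sorts PATH records by item ID. The sample log is constructed, and chunked arguments of the `a0[0]=` form are not handled.

```python
import json
import re

# Constructed sample input (not taken from a real system): event 101 has a
# SYSCALL record, an EXECVE argument list split over two records, and two
# PATH records out of item order; event 102 is a single CONFIG_CHANGE.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479300000.123:101): arch=c000003e syscall=59 success=yes exit=0 pid=4242 uid=1000 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1479300000.123:101): argc=3 a0="ls" a1="-l"
type=EXECVE msg=audit(1479300000.123:101): a2=2F746D702F6D7920646972
type=PATH msg=audit(1479300000.123:101): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2222
type=PATH msg=audit(1479300000.123:101): item=0 name="/usr/bin/ls" inode=1111
type=CONFIG_CHANGE msg=audit(1479300001.456:102): auid=1000 ses=3 op=remove_rule key=(null) list=4 res=1
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
ARG_RE = re.compile(r"^a(\d+)$")


def unquote(value):
    """Strip the surrounding double quotes from a quoted field value."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def decode_arg(raw):
    """EXECVE arguments are either quoted or logged as a bare hex string."""
    if raw.startswith('"'):
        return unquote(raw)
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # neither quoted nor valid hex: keep the raw text


def aggregate(log_text):
    """Group records into events keyed by (timestamp, serial)."""
    events = {}
    for line in log_text.splitlines():
        match = RECORD_RE.match(line)
        if not match:
            continue  # not an audit record line
        rtype, stamp, serial, body = match.groups()
        event = events.setdefault(
            (stamp, serial),
            {"time": stamp, "serial": int(serial), "records": {}, "argv": {}},
        )
        fields = dict(FIELD_RE.findall(body))
        if rtype == "EXECVE":
            # Collect a<N> fields by index so split records merge cleanly.
            for key, value in fields.items():
                arg = ARG_RE.match(key)
                if arg:
                    event["argv"][int(arg.group(1))] = decode_arg(value)
        else:
            # Every other type is a list, so repeats never overwrite.
            clean = {k: unquote(v) for k, v in fields.items()}
            event["records"].setdefault(rtype, []).append(clean)
    for event in events.values():
        argv = event.pop("argv")
        if argv:
            event["records"]["EXECVE"] = [argv[i] for i in sorted(argv)]
        # PATH records are ordered by their numeric item ID.
        event["records"].get("PATH", []).sort(key=lambda r: int(r.get("item", 0)))
    return list(events.values())


if __name__ == "__main__":
    print(json.dumps(aggregate(SAMPLE_LOG), indent=2))
```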
[PATCH] audit: tame initialization warning len_abuf in audit_log_execve_info
by Richard Guy Briggs
Tame initialization warning of len_abuf in audit_log_execve_info even
though there isn't presently a bug introduced by commit 43761473c254
("audit: fix a double fetch in audit_log_single_execve_arg()"). Using
UNINITIALIZED_VAR instead may mask future bugs.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e414dfa..d161b17 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1000,7 +1000,7 @@ static void audit_log_execve_info(struct audit_context *context,
long len_rem;
long len_full;
long len_buf;
- long len_abuf;
+ long len_abuf = 0;
long len_tmp;
bool require_data;
bool encode;
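Review bot: `long len_abuf = 0;` quiets the warning, but the commit message says no path reads the variable before it is assigned, so the zero is a dummy value rather than a meaningful starting length; a short comment on the declaration saying so would avoid that misreading. Note that the initializer has the same drawback the message raises against UNINITIALIZED_VAR: if a later change does read `len_abuf` early, the compiler will no longer flag it.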
--
1.7.1
7 years, 11 months
[pcmoore-audit:working-testing 5/6] kernel/audit.c:1457:34: error: 'struct mutex' has no member named 'owner'
by kbuild test robot
tree: git://git.infradead.org/users/pcmoore/audit working-testing
head: a49c8e50dda0d0232dfbed567608724c9666b6ab
commit: 20fb66989030c8f631d687ddaca75b9f7f2ee589 [5/6] Work in progress, no commit description yet.
config: mips-mtx1_defconfig (attached as .config)
compiler: mipsel-linux-gnu-gcc (Debian 6.1.1-9) 6.1.1 20160705
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin... -O ~/bin/make.cross
chmod +x ~/bin/make.cross
git checkout 20fb66989030c8f631d687ddaca75b9f7f2ee589
# save the attached .config to linux build tree
make.cross ARCH=mips
All error/warnings (new ones prefixed by >>):
In file included from include/linux/file.h:8:0,
from kernel/audit.c:46:
kernel/audit.c: In function 'audit_log_start':
>> kernel/audit.c:1457:34: error: 'struct mutex' has no member named 'owner'
(ACCESS_ONCE(audit_cmd_mutex.owner) != current)) {
^
include/linux/compiler.h:518:25: note: in definition of macro '__ACCESS_ONCE'
__maybe_unused typeof(x) __var = (__force typeof(x)) 0; \
^
>> kernel/audit.c:1457:7: note: in expansion of macro 'ACCESS_ONCE'
(ACCESS_ONCE(audit_cmd_mutex.owner) != current)) {
^~~~~~~~~~~
vim +1457 kernel/audit.c
1451 * 2. current != auditd
1452 * 3. ACCESS_ONCE(audit_cmd_mutex.owner) != current
1453 * 4. ???
1454 */
1455
1456 if ((!audit_pid && audit_pid != current->tgid) &&
> 1457 (ACCESS_ONCE(audit_cmd_mutex.owner) != current)) {
1458 long sleep_time = audit_backlog_wait_time;
1459
1460 while (audit_backlog_limit &&
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
7 years, 11 months
[pcmoore-audit:working-testing 5/6] kernel/audit.c:1456:2: note: in expansion of macro 'if'
by kbuild test robot
tree: git://git.infradead.org/users/pcmoore/audit working-testing
head: a49c8e50dda0d0232dfbed567608724c9666b6ab
commit: 20fb66989030c8f631d687ddaca75b9f7f2ee589 [5/6] Work in progress, no commit description yet.
config: x86_64-randconfig-s2-11120755 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
git checkout 20fb66989030c8f631d687ddaca75b9f7f2ee589
# save the attached .config to linux build tree
make ARCH=x86_64
All warnings (new ones prefixed by >>):
In file included from include/linux/file.h:8:0,
from kernel/audit.c:46:
kernel/audit.c: In function 'audit_log_start':
kernel/audit.c:1457:34: error: 'struct mutex' has no member named 'owner'
(ACCESS_ONCE(audit_cmd_mutex.owner) != current)) {
^
include/linux/compiler.h:149:30: note: in definition of macro '__trace_if'
if (__builtin_constant_p(!!(cond)) ? !!(cond) : \
^~~~
>> kernel/audit.c:1456:2: note: in expansion of macro 'if'
if ((!audit_pid && audit_pid != current->tgid) &&
^~
include/linux/compiler.h:520:26: note: in expansion of macro '__ACCESS_ONCE'
#define ACCESS_ONCE(x) (*__ACCESS_ONCE(x))
^~~~~~~~~~~~~
kernel/audit.c:1457:7: note: in expansion of macro 'ACCESS_ONCE'
(ACCESS_ONCE(audit_cmd_mutex.owner) != current)) {
^~~~~~~~~~~
vim +/if +1456 kernel/audit.c
1440 struct timespec t;
1441 unsigned int uninitialized_var(serial);
1442
1443 if (audit_initialized != AUDIT_INITIALIZED)
1444 return NULL;
1445
1446 if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
1447 return NULL;
1448
1449 /* XXX - wait on a possible backlog only under these conditions:
1450 * 1. audit_backlog_limit is non-zero
1451 * 2. current != auditd
1452 * 3. ACCESS_ONCE(audit_cmd_mutex.owner) != current
1453 * 4. ???
1454 */
1455
> 1456 if ((!audit_pid && audit_pid != current->tgid) &&
1457 (ACCESS_ONCE(audit_cmd_mutex.owner) != current)) {
1458 long sleep_time = audit_backlog_wait_time;
1459
1460 while (audit_backlog_limit &&
1461 (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
1462 /* wake kauditd to try and flush the queue */
1463 wake_up_interruptible(&kauditd_wait);
1464
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
7 years, 11 months
aureport endless loop with specific input on Debian 8
by Vincas Dargis
Hi,
I have reported a bug in the Debian bug tracker [1] that after upgrading to Debian 8, aureport does not finish its
"reporting" for hours on some inputs generated by ausearch. It's stuck with 100% CPU usage.
Since the maintainer hasn't responded yet, I thought I could try for help directly here.
More info and two example input files for reproducing are attached to the same bug report.
I wonder, would it be... "reasonable" to hope for some kind of isolated patch that the Debian maintainer could apply and
release a fix for Debian 8, which is currently in "stable" mode? I know it's kinda not the mailing list to ask about it,
but maybe you have experience in that regard?
Thanks!
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841272
7 years, 12 months
[PATCH] audit: less stack usage for /proc/*/loginuid
by Alexey Dobriyan
%u requires 10 characters at most not 20.
Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com>
---
fs/proc/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1243,7 +1243,7 @@ static const struct file_operations proc_oom_score_adj_operations = {
};
#ifdef CONFIG_AUDITSYSCALL
-#define TMPBUFLEN 21
+#define TMPBUFLEN 11
static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
size_t count, loff_t *ppos)
{
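Review bot: `TMPBUFLEN 11` leaves room for exactly ten digits plus the terminating NUL, which fits a bare `%u` and nothing else. The macro is defined at file scope inside `#ifdef CONFIG_AUDITSYSCALL`, so every buffer sized with it below this hunk shrinks as well; each use should be checked for a trailing newline or any other character in its format string. A comment on the define such as `/* 10 digits for %u + NUL */` would record the reasoning.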
7 years, 12 months