Re: [RFC PATCH ghak59 V1 4/6] audit: hand taken context to audit_kill_trees for syscall logging

On Thu, Jun 14, 2018 at 4:23 PM Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: > Since the context is taken from the task in __audit_syscall_exit() and > __audit_free(), hand it to audit_kill_trees() so it can be used to > associate with a syscall record. This requires adding the context > parameter to kill_rules() rather than using the current audit_context > (which has been taken). > > The callers of trim_marked() and evict_chunk() still have their context. > > See: https://github.com/linux-audit/audit-kernel/issues/50 > See: https://github.com/linux-audit/audit-kernel/issues/59 > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; > --- > kernel/audit.h | 4 ++-- > kernel/audit_tree.c | 18 ++++++++++-------- > kernel/auditsc.c | 4 ++-- > 3 files changed, 14 insertions(+), 12 deletions(-) > > diff --git a/kernel/audit.h b/kernel/audit.h > index 214e149..f39f7aa 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -312,7 +312,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, > extern int audit_tag_tree(char *old, char *new); > extern const char *audit_tree_path(struct audit_tree *tree); > extern void audit_put_tree(struct audit_tree *tree); > -extern void audit_kill_trees(struct list_head *list); > +extern void audit_kill_trees(struct audit_context *context); > #else > #define audit_remove_tree_rule(rule) BUG() > #define audit_add_tree_rule(rule) -EINVAL > @@ -321,7 +321,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, > #define audit_put_tree(tree) (void)0 > #define audit_tag_tree(old, new) -EINVAL > #define audit_tree_path(rule) "" /* never called */ > -#define audit_kill_trees(list) BUG() > +#define audit_kill_trees(context) BUG() > #endif > > extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len); > diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c > index a01b9da..2d3e1071 100644 > --- a/kernel/audit_tree.c > +++ b/kernel/audit_tree.c > @@ -493,13 +493,13 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) > return 0; > } > > -static void audit_tree_log_remove_rule(struct audit_krule *rule) > +static void audit_tree_log_remove_rule(struct audit_context *context, struct audit_krule *rule) > { > struct audit_buffer *ab; > > if (!audit_enabled) > return; > - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE); > + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > if (unlikely(!ab)) > return; > audit_log_format(ab, "op=remove_rule"); > @@ -510,7 +510,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule) > audit_log_end(ab); > } > > -static void kill_rules(struct audit_tree *tree) > +static void kill_rules(struct audit_context *context, struct audit_tree *tree) > { > struct audit_krule *rule, *next; > struct audit_entry *entry; > @@ -521,7 +521,7 @@ static void kill_rules(struct audit_tree *tree) > list_del_init(&rule->rlist); > if (rule->tree) { > /* not a half-baked one */ > - audit_tree_log_remove_rule(rule); > + audit_tree_log_remove_rule(context, rule); > if (entry->rule.exe) > audit_remove_mark(entry->rule.exe); > rule->tree = NULL; > @@ -584,7 +584,7 @@ static void trim_marked(struct audit_tree *tree) > tree->goner = 1; > spin_unlock(&hash_lock); > mutex_lock(&audit_filter_mutex); > - kill_rules(tree); > + kill_rules(audit_context(), tree); > list_del_init(&tree->list); > mutex_unlock(&audit_filter_mutex); > prune_one(tree); > @@ -924,8 +924,10 @@ static void audit_schedule_prune(void) > * ... and that one is done if evict_chunk() decides to delay until the end > * of syscall. Runs synchronously. > */ > -void audit_kill_trees(struct list_head *list) > +void audit_kill_trees(struct audit_context *context) > { > + struct list_head *list = &context->killed_trees; > + > audit_ctl_lock(); > mutex_lock(&audit_filter_mutex); > > @@ -933,7 +935,7 @@ void audit_kill_trees(struct list_head *list) > struct audit_tree *victim; > > victim = list_entry(list->next, struct audit_tree, list); > - kill_rules(victim); > + kill_rules(context, victim); > list_del_init(&victim->list); > > mutex_unlock(&audit_filter_mutex); > @@ -972,7 +974,7 @@ static void evict_chunk(struct audit_chunk *chunk) > list_del_init(&owner->same_root); > spin_unlock(&hash_lock); > if (!postponed) { > - kill_rules(owner); > + kill_rules(audit_context(), owner); > list_move(&owner->list, &prune_list); > need_prune = 1; > } else { > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index ceb1c45..2590c9e 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1490,7 +1490,7 @@ void __audit_free(struct task_struct *tsk) > if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT) > audit_log_exit(context, tsk); > if (!list_empty(&context->killed_trees)) > - audit_kill_trees(&context->killed_trees); > + audit_kill_trees(context); See my comment below about the ordering of audit_kill_trees() and audit_log_exit(). > audit_free_context(context); > } > @@ -1577,7 +1577,7 @@ void __audit_syscall_exit(int success, long return_code) > context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; > > if (!list_empty(&context->killed_trees)) > - audit_kill_trees(&context->killed_trees); > + audit_kill_trees(context); I wonder if we should move the kill_trees if-block above the audit_log_exit() block so that any records that are emitted will be before the SYSCALL record. I didn't chase down all the code paths, but it seems like it should be safe, no?

> audit_free_names(context); > unroll_tree_refs(context, NULL, 0); paul moore