Re: [PATCH v24 21/25] audit: add support for non-syscall auxiliary records
On Tue, Jan 26, 2021 at 1:58 PM Casey Schaufler wrote: > > On 1/26/2021 10:42 AM, Richard Guy Briggs wrote: > > On 2021-01-26 08:41, Casey Schaufler wrote: > >> Standalone audit records have the timestamp and serial number generated > >> on the fly and as such are unique, making them standalone. This new > >> function audit_alloc_local() generates a local audit context that will > >> be used only for a standalone record and its auxiliary record(s). The > >> context is discarded immediately after the local associated records are > >> produced. > >> > >> Signed-off-by: Richard Guy Briggs > >> Signed-off-by: Casey Schaufler > >> Cc: linux-au...@redhat.com > >> To: Richard Guy Briggs > > This has been minorly bothering me for several revisions... Is there a > > way for the development/authorship to be accurately reflected > > if/when this patch is merged before the contid patch set? > > I don't know the right way to do that because I had to pull > some of what was in the original patch out. Any way you would > like it done is fine with me. I'm not sure if there is one perfect way. I typically see either a "From: " line if the author is different from the submitter, or in more complex cases such as this it seems like a simple note giving credit in the description might be the best option. -- paul moore www.paul-moore.com
Re: [PATCH v24 21/25] audit: add support for non-syscall auxiliary records
On 2021-01-26 10:58, Casey Schaufler wrote: > On 1/26/2021 10:42 AM, Richard Guy Briggs wrote: > > On 2021-01-26 08:41, Casey Schaufler wrote: > >> Standalone audit records have the timestamp and serial number generated > >> on the fly and as such are unique, making them standalone. This new > >> function audit_alloc_local() generates a local audit context that will > >> be used only for a standalone record and its auxiliary record(s). The > >> context is discarded immediately after the local associated records are > >> produced. > >> > >> Signed-off-by: Richard Guy Briggs > >> Signed-off-by: Casey Schaufler > >> Cc: linux-au...@redhat.com > >> To: Richard Guy Briggs > > This has been minorly bothering me for several revisions... Is there a > > way for the development/authorship to be accurately reflected > > if/when this patch is merged before the contid patch set? > > I don't know the right way to do that because I had to pull > some of what was in the original patch out. Any way you would > like it done is fine with me. Other than diff context, it appears to be identical to the patch in the v9 contid patchset (with one tiny cut/paste below, I don't know how it compiles...). There are minor updates to bring it up to v11. > >> --- > >> include/linux/audit.h | 8 > >> kernel/audit.h| 1 + > >> kernel/auditsc.c | 33 - > >> 3 files changed, 37 insertions(+), 5 deletions(-) > >> > >> diff --git a/include/linux/audit.h b/include/linux/audit.h > >> index 418a485af114..97cd7471e572 100644 > >> --- a/include/linux/audit.h > >> +++ b/include/linux/audit.h > >> @@ -289,6 +289,8 @@ static inline int audit_signal_info(int sig, struct > >> task_struct *t) > >>/* Public API */ > >> extern int audit_alloc(struct task_struct *task); > >> extern void __audit_free(struct task_struct *task); > >> +extern struct audit_context *audit_alloc_local(gfp_t gfpflags); > >> +extern void audit_free_context(struct audit_context *context); > >> extern void __audit_syscall_entry(int major, unsigned long a0, unsigned > >> long a1, > >> unsigned long a2, unsigned long a3); > >> extern void __audit_syscall_exit(int ret_success, long ret_value); > >> @@ -552,6 +554,12 @@ static inline void audit_log_nfcfg(const char *name, > >> u8 af, > >> extern int audit_n_rules; > >> extern int audit_signals; > >> #else /* CONFIG_AUDITSYSCALL */ > >> ++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags) This extra "+" that ends up at the beginning of the line looks unintentional and I'd have expected the compiler to complain. > >> +{ > >> + return NULL; > >> +} > >> +static inline void audit_free_context(struct audit_context *context) > >> +{ } > >> static inline int audit_alloc(struct task_struct *task) > >> { > >>return 0; > >> diff --git a/kernel/audit.h b/kernel/audit.h > >> index ce41886807bb..3f2285e1c6e0 100644 > >> --- a/kernel/audit.h > >> +++ b/kernel/audit.h > >> @@ -99,6 +99,7 @@ struct audit_proctitle { > >> struct audit_context { > >>int dummy; /* must be the first element */ > >>int in_syscall; /* 1 if task is in a syscall */ > >> + boollocal; /* local context needed */ > >>enum audit_statestate, current_state; > >>unsigned intserial; /* serial number for record */ > >>int major; /* syscall number */ > >> diff --git a/kernel/auditsc.c b/kernel/auditsc.c > >> index de2b2ecb3aea..479b3933d788 100644 > >> --- a/kernel/auditsc.c > >> +++ b/kernel/auditsc.c > >> @@ -927,11 +927,13 @@ static inline void audit_free_aux(struct > >> audit_context *context) > >>} > >> } > >> > >> -static inline struct audit_context *audit_alloc_context(enum audit_state > >> state) > >> +static inline struct audit_context *audit_alloc_context(enum audit_state > >> state, > >> + gfp_t gfpflags) > >> { > >>struct audit_context *context; > >> > >> - context = kzalloc(sizeof(*context), GFP_KERNEL); > >> + /* We can be called in atomic context via audit_tg() */ > >> + context = kzalloc(sizeof(*context), gfpflags); > >>if (!context) > >>return NULL; > >>context->state = state; > >> @@ -967,7 +969,8 @@ int audit_alloc(struct task_struct *tsk) > >>return 0; > >>} > >> > >> - if (!(context = audit_alloc_context(state))) { > >> + context = audit_alloc_context(state, GFP_KERNEL); > >> + if (!context) { > >>kfree(key); > >>audit_log_lost("out of memory in audit_alloc"); > >>return -ENOMEM; > >> @@ -979,8 +982,27 @@ int audit_alloc(struct task_struct *tsk) > >>return 0; > >> } > >> > >> -static inline void audit_free_context(struct audit_context *context) > >> +struct audit_context *audit_alloc_local(gfp_t gfpflags) > >> { > >> + struct audit_context
Re: [PATCH v24 21/25] audit: add support for non-syscall auxiliary records
On 1/26/2021 10:42 AM, Richard Guy Briggs wrote: > On 2021-01-26 08:41, Casey Schaufler wrote: >> Standalone audit records have the timestamp and serial number generated >> on the fly and as such are unique, making them standalone. This new >> function audit_alloc_local() generates a local audit context that will >> be used only for a standalone record and its auxiliary record(s). The >> context is discarded immediately after the local associated records are >> produced. >> >> Signed-off-by: Richard Guy Briggs >> Signed-off-by: Casey Schaufler >> Cc: linux-au...@redhat.com >> To: Richard Guy Briggs > This has been minorly bothering me for several revisions... Is there a > way for the development/authorship to be accurately reflected > if/when this patch is merged before the contid patch set? I don't know the right way to do that because I had to pull some of what was in the original patch out. Any way you would like it done is fine with me. > >> --- >> include/linux/audit.h | 8 >> kernel/audit.h| 1 + >> kernel/auditsc.c | 33 - >> 3 files changed, 37 insertions(+), 5 deletions(-) >> >> diff --git a/include/linux/audit.h b/include/linux/audit.h >> index 418a485af114..97cd7471e572 100644 >> --- a/include/linux/audit.h >> +++ b/include/linux/audit.h >> @@ -289,6 +289,8 @@ static inline int audit_signal_info(int sig, struct >> task_struct *t) >> /* Public API */ >> extern int audit_alloc(struct task_struct *task); >> extern void __audit_free(struct task_struct *task); >> +extern struct audit_context *audit_alloc_local(gfp_t gfpflags); >> +extern void audit_free_context(struct audit_context *context); >> extern void __audit_syscall_entry(int major, unsigned long a0, unsigned >> long a1, >>unsigned long a2, unsigned long a3); >> extern void __audit_syscall_exit(int ret_success, long ret_value); >> @@ -552,6 +554,12 @@ static inline void audit_log_nfcfg(const char *name, u8 >> af, >> extern int audit_n_rules; >> extern int audit_signals; >> #else /* CONFIG_AUDITSYSCALL */ >> ++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags) >> +{ >> +return NULL; >> +} >> +static inline void audit_free_context(struct audit_context *context) >> +{ } >> static inline int audit_alloc(struct task_struct *task) >> { >> return 0; >> diff --git a/kernel/audit.h b/kernel/audit.h >> index ce41886807bb..3f2285e1c6e0 100644 >> --- a/kernel/audit.h >> +++ b/kernel/audit.h >> @@ -99,6 +99,7 @@ struct audit_proctitle { >> struct audit_context { >> int dummy; /* must be the first element */ >> int in_syscall; /* 1 if task is in a syscall */ >> +boollocal; /* local context needed */ >> enum audit_statestate, current_state; >> unsigned intserial; /* serial number for record */ >> int major; /* syscall number */ >> diff --git a/kernel/auditsc.c b/kernel/auditsc.c >> index de2b2ecb3aea..479b3933d788 100644 >> --- a/kernel/auditsc.c >> +++ b/kernel/auditsc.c >> @@ -927,11 +927,13 @@ static inline void audit_free_aux(struct audit_context >> *context) >> } >> } >> >> -static inline struct audit_context *audit_alloc_context(enum audit_state >> state) >> +static inline struct audit_context *audit_alloc_context(enum audit_state >> state, >> +gfp_t gfpflags) >> { >> struct audit_context *context; >> >> -context = kzalloc(sizeof(*context), GFP_KERNEL); >> +/* We can be called in atomic context via audit_tg() */ >> +context = kzalloc(sizeof(*context), gfpflags); >> if (!context) >> return NULL; >> context->state = state; >> @@ -967,7 +969,8 @@ int audit_alloc(struct task_struct *tsk) >> return 0; >> } >> >> -if (!(context = audit_alloc_context(state))) { >> +context = audit_alloc_context(state, GFP_KERNEL); >> +if (!context) { >> kfree(key); >> audit_log_lost("out of memory in audit_alloc"); >> return -ENOMEM; >> @@ -979,8 +982,27 @@ int audit_alloc(struct task_struct *tsk) >> return 0; >> } >> >> -static inline void audit_free_context(struct audit_context *context) >> +struct audit_context *audit_alloc_local(gfp_t gfpflags) >> { >> +struct audit_context *context = NULL; >> + >> +context = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags); >> +if (!context) { >> +audit_log_lost("out of memory in audit_alloc_local"); >> +goto out; >> +} >> +context->serial = audit_serial(); >> +ktime_get_coarse_real_ts64(>ctime); >> +context->local = true; >> +out: >> +return context; >> +} >> +EXPORT_SYMBOL(audit_alloc_local); >> + >> +void audit_free_context(struct audit_context *context) >> +{ >> +if (!context) >> +return;
Re: [PATCH v24 21/25] audit: add support for non-syscall auxiliary records
On 2021-01-26 08:41, Casey Schaufler wrote: > Standalone audit records have the timestamp and serial number generated > on the fly and as such are unique, making them standalone. This new > function audit_alloc_local() generates a local audit context that will > be used only for a standalone record and its auxiliary record(s). The > context is discarded immediately after the local associated records are > produced. > > Signed-off-by: Richard Guy Briggs > Signed-off-by: Casey Schaufler > Cc: linux-au...@redhat.com > To: Richard Guy Briggs This has been minorly bothering me for several revisions... Is there a way for the development/authorship to be accurately reflected if/when this patch is merged before the contid patch set? > --- > include/linux/audit.h | 8 > kernel/audit.h| 1 + > kernel/auditsc.c | 33 - > 3 files changed, 37 insertions(+), 5 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 418a485af114..97cd7471e572 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -289,6 +289,8 @@ static inline int audit_signal_info(int sig, struct > task_struct *t) > /* Public API */ > extern int audit_alloc(struct task_struct *task); > extern void __audit_free(struct task_struct *task); > +extern struct audit_context *audit_alloc_local(gfp_t gfpflags); > +extern void audit_free_context(struct audit_context *context); > extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long > a1, > unsigned long a2, unsigned long a3); > extern void __audit_syscall_exit(int ret_success, long ret_value); > @@ -552,6 +554,12 @@ static inline void audit_log_nfcfg(const char *name, u8 > af, > extern int audit_n_rules; > extern int audit_signals; > #else /* CONFIG_AUDITSYSCALL */ > ++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags) > +{ > + return NULL; > +} > +static inline void audit_free_context(struct audit_context *context) > +{ } > static inline int audit_alloc(struct task_struct *task) > { > return 0; > diff --git a/kernel/audit.h b/kernel/audit.h > index ce41886807bb..3f2285e1c6e0 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -99,6 +99,7 @@ struct audit_proctitle { > struct audit_context { > int dummy; /* must be the first element */ > int in_syscall; /* 1 if task is in a syscall */ > + boollocal; /* local context needed */ > enum audit_statestate, current_state; > unsigned intserial; /* serial number for record */ > int major; /* syscall number */ > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index de2b2ecb3aea..479b3933d788 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -927,11 +927,13 @@ static inline void audit_free_aux(struct audit_context > *context) > } > } > > -static inline struct audit_context *audit_alloc_context(enum audit_state > state) > +static inline struct audit_context *audit_alloc_context(enum audit_state > state, > + gfp_t gfpflags) > { > struct audit_context *context; > > - context = kzalloc(sizeof(*context), GFP_KERNEL); > + /* We can be called in atomic context via audit_tg() */ > + context = kzalloc(sizeof(*context), gfpflags); > if (!context) > return NULL; > context->state = state; > @@ -967,7 +969,8 @@ int audit_alloc(struct task_struct *tsk) > return 0; > } > > - if (!(context = audit_alloc_context(state))) { > + context = audit_alloc_context(state, GFP_KERNEL); > + if (!context) { > kfree(key); > audit_log_lost("out of memory in audit_alloc"); > return -ENOMEM; > @@ -979,8 +982,27 @@ int audit_alloc(struct task_struct *tsk) > return 0; > } > > -static inline void audit_free_context(struct audit_context *context) > +struct audit_context *audit_alloc_local(gfp_t gfpflags) > { > + struct audit_context *context = NULL; > + > + context = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags); > + if (!context) { > + audit_log_lost("out of memory in audit_alloc_local"); > + goto out; > + } > + context->serial = audit_serial(); > + ktime_get_coarse_real_ts64(>ctime); > + context->local = true; > +out: > + return context; > +} > +EXPORT_SYMBOL(audit_alloc_local); > + > +void audit_free_context(struct audit_context *context) > +{ > + if (!context) > + return; > audit_free_module(context); > audit_free_names(context); > unroll_tree_refs(context, NULL, 0); > @@ -991,6 +1013,7 @@ static inline void audit_free_context(struct > audit_context *context) > audit_proctitle_free(context); > kfree(context); > } >
[PATCH v24 21/25] audit: add support for non-syscall auxiliary records
Standalone audit records have the timestamp and serial number generated on the fly and as such are unique, making them standalone. This new function audit_alloc_local() generates a local audit context that will be used only for a standalone record and its auxiliary record(s). The context is discarded immediately after the local associated records are produced. Signed-off-by: Richard Guy Briggs Signed-off-by: Casey Schaufler Cc: linux-au...@redhat.com To: Richard Guy Briggs --- include/linux/audit.h | 8 kernel/audit.h| 1 + kernel/auditsc.c | 33 - 3 files changed, 37 insertions(+), 5 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 418a485af114..97cd7471e572 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -289,6 +289,8 @@ static inline int audit_signal_info(int sig, struct task_struct *t) /* Public API */ extern int audit_alloc(struct task_struct *task); extern void __audit_free(struct task_struct *task); +extern struct audit_context *audit_alloc_local(gfp_t gfpflags); +extern void audit_free_context(struct audit_context *context); extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3); extern void __audit_syscall_exit(int ret_success, long ret_value); @@ -552,6 +554,12 @@ static inline void audit_log_nfcfg(const char *name, u8 af, extern int audit_n_rules; extern int audit_signals; #else /* CONFIG_AUDITSYSCALL */ ++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags) +{ + return NULL; +} +static inline void audit_free_context(struct audit_context *context) +{ } static inline int audit_alloc(struct task_struct *task) { return 0; diff --git a/kernel/audit.h b/kernel/audit.h index ce41886807bb..3f2285e1c6e0 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -99,6 +99,7 @@ struct audit_proctitle { struct audit_context { int dummy; /* must be the first element */ int in_syscall; /* 1 if task is in a syscall */ + boollocal; /* local context needed */ enum audit_statestate, current_state; unsigned intserial; /* serial number for record */ int major; /* syscall number */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index de2b2ecb3aea..479b3933d788 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -927,11 +927,13 @@ static inline void audit_free_aux(struct audit_context *context) } } -static inline struct audit_context *audit_alloc_context(enum audit_state state) +static inline struct audit_context *audit_alloc_context(enum audit_state state, + gfp_t gfpflags) { struct audit_context *context; - context = kzalloc(sizeof(*context), GFP_KERNEL); + /* We can be called in atomic context via audit_tg() */ + context = kzalloc(sizeof(*context), gfpflags); if (!context) return NULL; context->state = state; @@ -967,7 +969,8 @@ int audit_alloc(struct task_struct *tsk) return 0; } - if (!(context = audit_alloc_context(state))) { + context = audit_alloc_context(state, GFP_KERNEL); + if (!context) { kfree(key); audit_log_lost("out of memory in audit_alloc"); return -ENOMEM; @@ -979,8 +982,27 @@ int audit_alloc(struct task_struct *tsk) return 0; } -static inline void audit_free_context(struct audit_context *context) +struct audit_context *audit_alloc_local(gfp_t gfpflags) { + struct audit_context *context = NULL; + + context = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags); + if (!context) { + audit_log_lost("out of memory in audit_alloc_local"); + goto out; + } + context->serial = audit_serial(); + ktime_get_coarse_real_ts64(>ctime); + context->local = true; +out: + return context; +} +EXPORT_SYMBOL(audit_alloc_local); + +void audit_free_context(struct audit_context *context) +{ + if (!context) + return; audit_free_module(context); audit_free_names(context); unroll_tree_refs(context, NULL, 0); @@ -991,6 +1013,7 @@ static inline void audit_free_context(struct audit_context *context) audit_proctitle_free(context); kfree(context); } +EXPORT_SYMBOL(audit_free_context); static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, @@ -2214,7 +2237,7 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); int auditsc_get_stamp(struct audit_context *ctx, struct timespec64 *t, unsigned int *serial) { - if (!ctx->in_syscall) + if