On 02/04, Andy Lutomirski wrote: > > On Tue, Feb 4, 2014 at 8:50 AM, Oleg Nesterov <o...@redhat.com> wrote: > > On 02/03, Andy Lutomirski wrote: > >> > >> +void audit_inc_n_rules() > >> +{ > >> + struct task_struct *p, *g; > >> + unsigned long flags; > >> + > >> + read_lock_irqsave(&tasklist_lock, flags); > > > > Confused... read_lock(tasklist) doesn't need to disable irqs. > > > > (ftrace does this for no reason too, perhaps I should resend the patch) > > Is this because there are no interrupt handlers that write_lock(tasklist)?
Yes. > > > >> + if (audit_n_rules++ == 0) { > > > > probably this can be done outside of read_lock? > > I don't think so. I'm cheating and using the tasklist_lock to prevent > audit_sync_flags Ah, yes, you are right. > >> + do_each_thread(g, p) { > > > > for_each_process_thread ;) do_each_thread will die, I hope. > > > > Sorry, forgot to mention: where is this mythical > for_each_process_thread? In Linus's tree, please see 0c740d0afc3bff. > or you > just hate do_each_thread so much that you imagined up an alternative > :) sort of ;) > I think I'll wait for Eric to chime in. I suspect that the real > solution is to simplify all this stuff by relying on the fact that the > syscall nr and args are saved by the (fast path and slow path) entry > code, so the audit entry hook may be entirely unnecessary. Perhaps... but even in this case we need to do something with, say, __audit_log_bprm_fcaps(). At least this list should not grow indefinitely if the task skips __audit_syscall_exit(). Although at first glance this can be probably cleanuped too. Oleg. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit