On 4/18/22 07:59, Casey Schaufler wrote:
> Replace the single skb pointer in an audit_buffer with
> a list of skb pointers. Add the audit_stamp information
> to the audit_buffer as there's no guarantee that there
> will be an audit_context containing the stamp associated
> with the event. At audit_log_end() time create auxiliary
> records (none are currently defined) as have been added
> to the list.
>
> Suggested-by: Paul Moore <[email protected]>
> Signed-off-by: Casey Schaufler <[email protected]>
I agree with Paul that audit_buffer_aux_new() and
audit_buffer_aux_end() belong in this patch
> ---
> kernel/audit.c | 62 +++++++++++++++++++++++++++++++-------------------
> 1 file changed, 39 insertions(+), 23 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 6b6c089512f7..4d44c05053b0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -197,8 +197,10 @@ static struct audit_ctl_mutex {
> * to place it on a transmit queue. Multiple audit_buffers can be in
> * use simultaneously. */
> struct audit_buffer {
> - struct sk_buff *skb; /* formatted skb ready to send */
> + struct sk_buff *skb; /* the skb for audit_log functions */
> + struct sk_buff_head skb_list; /* formatted skbs, ready to send */
> struct audit_context *ctx; /* NULL or associated context */
> + struct audit_stamp stamp; /* audit stamp for these records */
> gfp_t gfp_mask;
> };
>
> @@ -1765,10 +1767,13 @@ __setup("audit_backlog_limit=",
> audit_backlog_limit_set);
>
> static void audit_buffer_free(struct audit_buffer *ab)
> {
> + struct sk_buff *skb;
> +
> if (!ab)
> return;
>
> - kfree_skb(ab->skb);
> + while((skb = skb_dequeue(&ab->skb_list)))
> + kfree_skb(skb);
we still have and ab->skb can we have a debug check that its freed by walking
the queue?
> kmem_cache_free(audit_buffer_cache, ab);
> }
>
> @@ -1784,8 +1789,12 @@ static struct audit_buffer *audit_buffer_alloc(struct
> audit_context *ctx,
> ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
> if (!ab->skb)
> goto err;
> +
> + skb_queue_head_init(&ab->skb_list);
> + skb_queue_tail(&ab->skb_list, ab->skb);
> +
> if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
> - goto err;
> + kfree_skb(ab->skb);
why is this no longer an error?
>
> ab->ctx = ctx;
> ab->gfp_mask = gfp_mask;
> @@ -1849,7 +1858,6 @@ struct audit_buffer *audit_log_start(struct
> audit_context *ctx, gfp_t gfp_mask,
> int type)
> {
> struct audit_buffer *ab;
> - struct audit_stamp stamp;
>
> if (audit_initialized != AUDIT_INITIALIZED)
> return NULL;
> @@ -1904,14 +1912,14 @@ struct audit_buffer *audit_log_start(struct
> audit_context *ctx, gfp_t gfp_mask,
> return NULL;
> }
>
> - audit_get_stamp(ab->ctx, &stamp);
> + audit_get_stamp(ab->ctx, &ab->stamp);
> /* cancel dummy context to enable supporting records */
> if (ctx)
> ctx->dummy = 0;
> audit_log_format(ab, "audit(%llu.%03lu:%u): ",
> - (unsigned long long)stamp.ctime.tv_sec,
> - stamp.ctime.tv_nsec/1000000,
> - stamp.serial);
> + (unsigned long long)ab->stamp.ctime.tv_sec,
> + ab->stamp.ctime.tv_nsec/1000000,
> + ab->stamp.serial);
>
> return ab;
> }
> @@ -2402,26 +2410,14 @@ int audit_signal_info(int sig, struct task_struct *t)
> }
>
> /**
> - * audit_log_end - end one audit record
> - * @ab: the audit_buffer
> - *
> - * We can not do a netlink send inside an irq context because it blocks (last
> - * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on
> a
> - * queue and a kthread is scheduled to remove them from the queue outside the
> - * irq context. May be called in any context.
> + * __audit_log_end - enqueue one audit record
> + * @skb: the buffer to send
> */
> -void audit_log_end(struct audit_buffer *ab)
> +static void __audit_log_end(struct sk_buff *skb)
> {
> - struct sk_buff *skb;
> struct nlmsghdr *nlh;
>
> - if (!ab)
> - return;
> -
> if (audit_rate_check()) {
> - skb = ab->skb;
> - ab->skb = NULL;
> -
> /* setup the netlink header, see the comments in
> * kauditd_send_multicast_skb() for length quirks */
> nlh = nlmsg_hdr(skb);
> @@ -2432,6 +2428,26 @@ void audit_log_end(struct audit_buffer *ab)
> wake_up_interruptible(&kauditd_wait);
> } else
> audit_log_lost("rate limit exceeded");
> +}
> +
> +/**
> + * audit_log_end - end one audit record
> + * @ab: the audit_buffer
> + *
> + * We can not do a netlink send inside an irq context because it blocks (last
> + * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on
> a
> + * queue and a kthread is scheduled to remove them from the queue outside the
> + * irq context. May be called in any context.
> + */
> +void audit_log_end(struct audit_buffer *ab)
> +{
> + struct sk_buff *skb;
> +
> + if (!ab)
> + return;
> +
> + while ((skb = skb_dequeue(&ab->skb_list)))
> + __audit_log_end(skb);
>
> audit_buffer_free(ab);
> }
--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
