Re: [PATCH V2 2/3] audit: bail ASAP on syscall entry
On Fri, Feb 9, 2018 at 9:40 PM, Richard Guy Briggs wrote: > Since removing the audit entry filter, test for early return before > setting up any context state. > > Signed-off-by: Richard Guy Briggs > --- > kernel/auditsc.c | 18 +- > 1 file changed, 9 insertions(+), 9 deletions(-) Sigh. First off, thanks for making the changes, I think the end result of 1/3+2/3 is better than the v1 patch. However, this really didn't need to be two patches, please combine 1/3 and 2/3 and resubmit. I know I've done the patch squashing for you in the past, but I think it's time to start pushing some of this work back to you. Moving forward, if I provide feedback and do not explicitly suggest creating a new patch, please incorporate the changes into the existing patches. > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 9348302..bc534bf 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1519,23 +1519,23 @@ void __audit_syscall_entry(int major, unsigned long > a1, unsigned long a2, > if (!audit_enabled) > return; > > - context->arch = syscall_get_arch(); > - context->major = major; > - context->argv[0]= a1; > - context->argv[1]= a2; > - context->argv[2]= a3; > - context->argv[3]= a4; > - > state = context->state; > + if (state == AUDIT_DISABLED) > + return; > + > context->dummy = !audit_n_rules; > if (!context->dummy && state == AUDIT_BUILD_CONTEXT) { > context->prio = 0; > if (auditd_test_task(tsk)) > return; > } > - if (state == AUDIT_DISABLED) > - return; > > + context->arch = syscall_get_arch(); > + context->major = major; > + context->argv[0]= a1; > + context->argv[1]= a2; > + context->argv[2]= a3; > + context->argv[3]= a4; > context->serial = 0; > context->ctime = current_kernel_time64(); > context->in_syscall = 1; > -- > 1.8.3.1 > -- paul moore www.paul-moore.com
[PATCH V2 2/3] audit: bail ASAP on syscall entry
Since removing the audit entry filter, test for early return before setting up any context state. Signed-off-by: Richard Guy Briggs --- kernel/auditsc.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9348302..bc534bf 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1519,23 +1519,23 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, if (!audit_enabled) return; - context->arch = syscall_get_arch(); - context->major = major; - context->argv[0]= a1; - context->argv[1]= a2; - context->argv[2]= a3; - context->argv[3]= a4; - state = context->state; + if (state == AUDIT_DISABLED) + return; + context->dummy = !audit_n_rules; if (!context->dummy && state == AUDIT_BUILD_CONTEXT) { context->prio = 0; if (auditd_test_task(tsk)) return; } - if (state == AUDIT_DISABLED) - return; + context->arch = syscall_get_arch(); + context->major = major; + context->argv[0]= a1; + context->argv[1]= a2; + context->argv[2]= a3; + context->argv[3]= a4; context->serial = 0; context->ctime = current_kernel_time64(); context->in_syscall = 1; -- 1.8.3.1
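Review bot: In the reordered block, context->dummy = !audit_n_rules and context->prio = 0 are still stored before the auditd_test_task(tsk) return, so the function does not yet bail "before setting up any context state" as the commit message says; either move that test ahead of the two stores or explain in the message why they must come first. The move also changes what the early-return paths leave behind: on the AUDIT_DISABLED return, dummy, arch, major and argv[] are no longer refreshed, and on the auditd_test_task() return arch, major and argv[] keep whatever an earlier syscall stored, so the commit message should say why stale values in those fields are harmless. Since the six assignment lines are re-added anyway, "context->argv[0]= a1;" and its three siblings could pick up the missing space before "=".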