Re: [PATCH V2 2/3] audit: bail ASAP on syscall entry

2018-02-14 Thread Paul Moore
On Fri, Feb 9, 2018 at 9:40 PM, Richard Guy Briggs wrote:
> Since removing the audit entry filter, test for early return before
> setting up any context state.
>
> Signed-off-by: Richard Guy Briggs 
> ---
>  kernel/auditsc.c | 18 +-
>  1 file changed, 9 insertions(+), 9 deletions(-)

Sigh.

First off, thanks for making the changes, I think the end result of
1/3+2/3 is better than the v1 patch.

However, this really didn't need to be two patches, please combine 1/3
and 2/3 and resubmit.  I know I've done the patch squashing for you in
the past, but I think it's time to start pushing some of this work
back to you.

Moving forward, if I provide feedback and do not explicitly suggest
creating a new patch, please incorporate the changes into the existing
patches.

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9348302..bc534bf 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1519,23 +1519,23 @@ void __audit_syscall_entry(int major, unsigned long 
> a1, unsigned long a2,
> if (!audit_enabled)
> return;
>
> -   context->arch   = syscall_get_arch();
> -   context->major  = major;
> -   context->argv[0]= a1;
> -   context->argv[1]= a2;
> -   context->argv[2]= a3;
> -   context->argv[3]= a4;
> -
> state = context->state;
> +   if (state == AUDIT_DISABLED)
> +   return;
> +
> context->dummy = !audit_n_rules;
> if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
> context->prio = 0;
> if (auditd_test_task(tsk))
> return;
> }
> -   if (state == AUDIT_DISABLED)
> -   return;
>
> +   context->arch   = syscall_get_arch();
> +   context->major  = major;
> +   context->argv[0]= a1;
> +   context->argv[1]= a2;
> +   context->argv[2]= a3;
> +   context->argv[3]= a4;
> context->serial = 0;
> context->ctime = current_kernel_time64();
> context->in_syscall = 1;
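
Review bot: `context->dummy = !audit_n_rules;` and `context->prio = 0;` are still written before the `auditd_test_task(tsk)` return, so that exit path does modify context state, which the changelog's "before setting up any context state" does not reflect. Either say in the commit message that only the arch/major/argv setup is deferred, or hold `!audit_n_rules` in a local for the test and store `dummy` and `prio` after the last early return.
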
> --
> 1.8.3.1
>



-- 
paul moore
www.paul-moore.com


[PATCH V2 2/3] audit: bail ASAP on syscall entry

2018-02-09 Thread Richard Guy Briggs
Since removing the audit entry filter, test for early return before
setting up any context state.

Signed-off-by: Richard Guy Briggs 
---
 kernel/auditsc.c | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9348302..bc534bf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1519,23 +1519,23 @@ void __audit_syscall_entry(int major, unsigned long a1, 
unsigned long a2,
if (!audit_enabled)
return;
 
-   context->arch   = syscall_get_arch();
-   context->major  = major;
-   context->argv[0]= a1;
-   context->argv[1]= a2;
-   context->argv[2]= a3;
-   context->argv[3]= a4;
-
state = context->state;
+   if (state == AUDIT_DISABLED)
+   return;
+
context->dummy = !audit_n_rules;
if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
context->prio = 0;
if (auditd_test_task(tsk))
return;
}
-   if (state == AUDIT_DISABLED)
-   return;
 
+   context->arch   = syscall_get_arch();
+   context->major  = major;
+   context->argv[0]= a1;
+   context->argv[1]= a2;
+   context->argv[2]= a3;
+   context->argv[3]= a4;
context->serial = 0;
context->ctime = current_kernel_time64();
context->in_syscall = 1;
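
Review bot: with the `context->arch`, `context->major` and `context->argv[]` assignments moved below both early returns, a task that exits through `state == AUDIT_DISABLED` or `auditd_test_task(tsk)` now keeps whatever values an earlier syscall entry stored in those fields, where the old ordering overwrote them on every entry. The changelog should state that nothing reads these fields unless `context->in_syscall` is set, or the early-return paths should clear them, so that stale syscall numbers and arguments cannot end up in a record.
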
-- 
1.8.3.1


