openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

AUDIT: Send netlink messages from a separate kernel thread 

netlink_unicast() will attempt to reallocate and will free messages if
the socket's rcvbuf limit is reached unless we give it an infinite 
timeout. So do that, from a kernel thread which is dedicated to spewing
stuff up the netlink socket.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This commit is contained in:
David Woodhouse 2005-05-19 10:56:58 +01:00
parent 168b717395
commit b7d1125817
1 changed files with 70 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

191
kernel/audit.c
View File

@ -46,6 +46,8 @@
#include <asm/types.h> #include <asm/types.h>
#include <linux/mm.h> #include <linux/mm.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/err.h>
#include <linux/kthread.h>
#include <linux/audit.h> #include <linux/audit.h>
@ -77,7 +79,6 @@ static int audit_rate_limit;
/* Number of outstanding audit_buffers allowed. */ /* Number of outstanding audit_buffers allowed. */
static int audit_backlog_limit = 64; static int audit_backlog_limit = 64;
static atomic_t audit_backlog = ATOMIC_INIT(0);
/* The identity of the user shutting down the audit system. */ /* The identity of the user shutting down the audit system. */
uid_t audit_sig_uid = -1; uid_t audit_sig_uid = -1;
@ -95,19 +96,17 @@ static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */ /* The netlink socket. */
static struct sock *audit_sock; static struct sock *audit_sock;
/* There are two lists of audit buffers. The txlist contains audit /* The audit_freelist is a list of pre-allocated audit buffers (if more
* buffers that cannot be sent immediately to the netlink device because
* we are in an irq context (these are sent later in a tasklet).
*
* The second list is a list of pre-allocated audit buffers (if more
* than AUDIT_MAXFREE are in use, the audit buffer is freed instead of * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
* being placed on the freelist). */ * being placed on the freelist). */
static DEFINE_SPINLOCK(audit_txlist_lock);
static DEFINE_SPINLOCK(audit_freelist_lock); static DEFINE_SPINLOCK(audit_freelist_lock);
static int audit_freelist_count = 0; static int audit_freelist_count = 0;
static LIST_HEAD(audit_txlist);
static LIST_HEAD(audit_freelist); static LIST_HEAD(audit_freelist);
static struct sk_buff_head audit_skb_queue;
static struct task_struct *kauditd_task;
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
/* There are three lists of rules -- one to search at task creation /* There are three lists of rules -- one to search at task creation
* time, one to search at syscall entry time, and another to search at * time, one to search at syscall entry time, and another to search at
* syscall exit time. */ * syscall exit time. */
@ -151,9 +150,6 @@ struct audit_entry {
struct audit_rule rule; struct audit_rule rule;
}; };
static void audit_log_end_irq(struct audit_buffer *ab);
static void audit_log_end_fast(struct audit_buffer *ab);
static void audit_panic(const char *message) static void audit_panic(const char *message)
{ {
switch (audit_failure) switch (audit_failure)
@ -224,10 +220,8 @@ void audit_log_lost(const char *message)
if (print) { if (print) {
printk(KERN_WARNING printk(KERN_WARNING
"audit: audit_lost=%d audit_backlog=%d" "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
" audit_rate_limit=%d audit_backlog_limit=%d\n",
atomic_read(&audit_lost), atomic_read(&audit_lost),
atomic_read(&audit_backlog),
audit_rate_limit, audit_rate_limit,
audit_backlog_limit); audit_backlog_limit);
audit_panic(message); audit_panic(message);
@ -281,6 +275,38 @@ static int audit_set_failure(int state, uid_t loginuid)
return old; return old;
} }
int kauditd_thread(void *dummy)
{
struct sk_buff *skb;
while (1) {
skb = skb_dequeue(&audit_skb_queue);
if (skb) {
if (audit_pid) {
int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
if (err < 0) {
BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
audit_pid = 0;
}
} else {
printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0));
kfree_skb(skb);
}
} else {
DECLARE_WAITQUEUE(wait, current);
set_current_state(TASK_INTERRUPTIBLE);
add_wait_queue(&kauditd_wait, &wait);
if (!skb_queue_len(&audit_skb_queue))
schedule();
__set_current_state(TASK_RUNNING);
remove_wait_queue(&kauditd_wait, &wait);
}
}
}
void audit_send_reply(int pid, int seq, int type, int done, int multi, void audit_send_reply(int pid, int seq, int type, int done, int multi,
void *payload, int size) void *payload, int size)
{ {
@ -293,13 +319,16 @@ void audit_send_reply(int pid, int seq, int type, int done, int multi,
skb = alloc_skb(len, GFP_KERNEL); skb = alloc_skb(len, GFP_KERNEL);
if (!skb) if (!skb)
goto nlmsg_failure; return;
nlh = NLMSG_PUT(skb, pid, seq, t, len - sizeof(*nlh)); nlh = NLMSG_PUT(skb, pid, seq, t, size);
nlh->nlmsg_flags = flags; nlh->nlmsg_flags = flags;
data = NLMSG_DATA(nlh); data = NLMSG_DATA(nlh);
memcpy(data, payload, size); memcpy(data, payload, size);
netlink_unicast(audit_sock, skb, pid, MSG_DONTWAIT);
/* Ignore failure. It'll only happen if the sender goes away,
because our timeout is set to infinite. */
netlink_unicast(audit_sock, skb, pid, 0);
return; return;
nlmsg_failure: /* Used by NLMSG_PUT */ nlmsg_failure: /* Used by NLMSG_PUT */
@ -351,6 +380,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err) if (err)
return err; return err;
/* As soon as there's any sign of userspace auditd, start kauditd to talk to it */
if (!kauditd_task)
kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
if (IS_ERR(kauditd_task)) {
err = PTR_ERR(kauditd_task);
kauditd_task = NULL;
return err;
}
pid = NETLINK_CREDS(skb)->pid; pid = NETLINK_CREDS(skb)->pid;
uid = NETLINK_CREDS(skb)->uid; uid = NETLINK_CREDS(skb)->uid;
loginuid = NETLINK_CB(skb).loginuid; loginuid = NETLINK_CB(skb).loginuid;
@ -365,7 +403,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
status_set.rate_limit = audit_rate_limit; status_set.rate_limit = audit_rate_limit;
status_set.backlog_limit = audit_backlog_limit; status_set.backlog_limit = audit_backlog_limit;
status_set.lost = atomic_read(&audit_lost); status_set.lost = atomic_read(&audit_lost);
status_set.backlog = atomic_read(&audit_backlog); status_set.backlog = skb_queue_len(&audit_skb_queue);
audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0, audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
&status_set, sizeof(status_set)); &status_set, sizeof(status_set));
break; break;
@ -471,44 +509,6 @@ static void audit_receive(struct sock *sk, int length)
up(&audit_netlink_sem); up(&audit_netlink_sem);
} }
/* Grab skbuff from the audit_buffer and send to user space. */
static inline int audit_log_drain(struct audit_buffer *ab)
{
struct sk_buff *skb = ab->skb;
if (skb) {
int retval = 0;
if (audit_pid) {
struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
nlh->nlmsg_len = skb->len - NLMSG_SPACE(0);
skb_get(skb); /* because netlink_* frees */
retval = netlink_unicast(audit_sock, skb, audit_pid,
MSG_DONTWAIT);
}
if (retval == -EAGAIN &&
(atomic_read(&audit_backlog)) < audit_backlog_limit) {
audit_log_end_irq(ab);
return 1;
}
if (retval < 0) {
if (retval == -ECONNREFUSED) {
printk(KERN_ERR
"audit: *NO* daemon at audit_pid=%d\n",
audit_pid);
audit_pid = 0;
} else
audit_log_lost("netlink socket too busy");
}
if (!audit_pid) { /* No daemon */
int offset = NLMSG_SPACE(0);
int len = skb->len - offset;
skb->data[offset + len] = '\0';
printk(KERN_ERR "%s\n", skb->data + offset);
}
}
return 0;
}
/* Initialize audit support at boot time. */ /* Initialize audit support at boot time. */
static int __init audit_init(void) static int __init audit_init(void)
@ -519,6 +519,8 @@ static int __init audit_init(void)
if (!audit_sock) if (!audit_sock)
audit_panic("cannot initialize netlink socket"); audit_panic("cannot initialize netlink socket");
audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
skb_queue_head_init(&audit_skb_queue);
audit_initialized = 1; audit_initialized = 1;
audit_enabled = audit_default; audit_enabled = audit_default;
audit_log(NULL, AUDIT_KERNEL, "initialized"); audit_log(NULL, AUDIT_KERNEL, "initialized");
@ -549,7 +551,7 @@ static void audit_buffer_free(struct audit_buffer *ab)
if (ab->skb) if (ab->skb)
kfree_skb(ab->skb); kfree_skb(ab->skb);
atomic_dec(&audit_backlog);
spin_lock_irqsave(&audit_freelist_lock, flags); spin_lock_irqsave(&audit_freelist_lock, flags);
if (++audit_freelist_count > AUDIT_MAXFREE) if (++audit_freelist_count > AUDIT_MAXFREE)
kfree(ab); kfree(ab);
@ -579,13 +581,12 @@ static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
if (!ab) if (!ab)
goto err; goto err;
} }
atomic_inc(&audit_backlog);
ab->skb = alloc_skb(AUDIT_BUFSIZ, gfp_mask); ab->skb = alloc_skb(AUDIT_BUFSIZ, gfp_mask);
if (!ab->skb) if (!ab->skb)
goto err; goto err;
ab->ctx = ctx; ab->ctx = ctx;
nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
nlh->nlmsg_type = type; nlh->nlmsg_type = type;
nlh->nlmsg_flags = 0; nlh->nlmsg_flags = 0;
@ -612,18 +613,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
if (!audit_initialized) if (!audit_initialized)
return NULL; return NULL;
if (audit_backlog_limit
&& atomic_read(&audit_backlog) > audit_backlog_limit) {
if (audit_rate_check())
printk(KERN_WARNING
"audit: audit_backlog=%d > "
"audit_backlog_limit=%d\n",
atomic_read(&audit_backlog),
audit_backlog_limit);
audit_log_lost("backlog limit exceeded");
return NULL;
}
ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type); ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type);
if (!ab) { if (!ab) {
audit_log_lost("out of memory in audit_log_start"); audit_log_lost("out of memory in audit_log_start");
@ -784,70 +773,30 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
kfree(path); kfree(path);
} }
/* Remove queued messages from the audit_txlist and send them to user space. */
static void audit_tasklet_handler(unsigned long arg)
{
LIST_HEAD(list);
struct audit_buffer *ab;
unsigned long flags;
spin_lock_irqsave(&audit_txlist_lock, flags);
list_splice_init(&audit_txlist, &list);
spin_unlock_irqrestore(&audit_txlist_lock, flags);
while (!list_empty(&list)) {
ab = list_entry(list.next, struct audit_buffer, list);
list_del(&ab->list);
audit_log_end_fast(ab);
}
}
static DECLARE_TASKLET(audit_tasklet, audit_tasklet_handler, 0);
/* The netlink_* functions cannot be called inside an irq context, so /* The netlink_* functions cannot be called inside an irq context, so
* the audit buffer is places on a queue and a tasklet is scheduled to * the audit buffer is places on a queue and a tasklet is scheduled to
* remove them from the queue outside the irq context. May be called in * remove them from the queue outside the irq context. May be called in
* any context. */ * any context. */
static void audit_log_end_irq(struct audit_buffer *ab) void audit_log_end(struct audit_buffer *ab)
{ {
unsigned long flags;
if (!ab)
return;
spin_lock_irqsave(&audit_txlist_lock, flags);
list_add_tail(&ab->list, &audit_txlist);
spin_unlock_irqrestore(&audit_txlist_lock, flags);
tasklet_schedule(&audit_tasklet);
}
/* Send the message in the audit buffer directly to user space. May not
* be called in an irq context. */
static void audit_log_end_fast(struct audit_buffer *ab)
{
BUG_ON(in_irq());
if (!ab) if (!ab)
return; return;
if (!audit_rate_check()) { if (!audit_rate_check()) {
audit_log_lost("rate limit exceeded"); audit_log_lost("rate limit exceeded");
} else { } else {
if (audit_log_drain(ab)) if (audit_pid) {
return; struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
skb_queue_tail(&audit_skb_queue, ab->skb);
ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
} else {
printk("%s\n", ab->skb->data + NLMSG_SPACE(0));
}
} }
audit_buffer_free(ab); audit_buffer_free(ab);
} }
/* Send or queue the message in the audit buffer, depending on the
* current context. (A convenience function that may be called in any
* context.) */
void audit_log_end(struct audit_buffer *ab)
{
if (in_irq())
audit_log_end_irq(ab);
else
audit_log_end_fast(ab);
}
/* Log an audit record. This is a convenience function that calls /* Log an audit record. This is a convenience function that calls
* audit_log_start, audit_log_vformat, and audit_log_end. It may be * audit_log_start, audit_log_vformat, and audit_log_end. It may be
* called in any context. */ * called in any context. */