openkylin
/
platform_kernel-5.15
mirror of https://gitee.com/openkylin/platform_kernel-5.15.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

audit: hand taken context to audit_kill_trees for syscall logging 

Since the context is derived from the task parameter handed to
__audit_free(), hand the context to audit_kill_trees() so it can be used
to associate with a syscall record.  This requires adding the context
parameter to kill_rules() rather than using the current audit_context.

The callers of trim_marked() and evict_chunk() still have their context.

The EOE record was being issued prior to the pruning of the killed_tree
list.

Move the kill_trees call before the audit_log_exit call in
__audit_free() and __audit_syscall_exit() so that any pruned trees
CONFIG_CHANGE records are included with the associated syscall event by
the user library due to the EOE record flagging the end of the event.

See: https://github.com/linux-audit/audit-kernel/issues/50
See: https://github.com/linux-audit/audit-kernel/issues/59

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fixed merge fuzz in kernel/audit_tree.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Richard Guy Briggs 2018-12-10 17:17:50 -05:00 committed by Paul Moore
parent 53fc7a01df
commit 9e36a5d49c
3 changed files with 19 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
kernel/audit.h
View File

@ -314,7 +314,7 @@ extern void audit_trim_trees(void);
extern int audit_tag_tree(char *old, char *new); extern int audit_tag_tree(char *old, char *new);
extern const char *audit_tree_path(struct audit_tree *tree); extern const char *audit_tree_path(struct audit_tree *tree);
extern void audit_put_tree(struct audit_tree *tree); extern void audit_put_tree(struct audit_tree *tree);
extern void audit_kill_trees(struct list_head *list); extern void audit_kill_trees(struct audit_context *context);
#else #else
#define audit_remove_tree_rule(rule) BUG() #define audit_remove_tree_rule(rule) BUG()
#define audit_add_tree_rule(rule) -EINVAL #define audit_add_tree_rule(rule) -EINVAL
@ -323,7 +323,7 @@ extern void audit_kill_trees(struct list_head *list);
#define audit_put_tree(tree) (void)0 #define audit_put_tree(tree) (void)0
#define audit_tag_tree(old, new) -EINVAL #define audit_tag_tree(old, new) -EINVAL
#define audit_tree_path(rule) "" /* never called */ #define audit_tree_path(rule) "" /* never called */
#define audit_kill_trees(list) BUG() #define audit_kill_trees(context) BUG()
#endif #endif
extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len); extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);

19
kernel/audit_tree.c
View File

@ -524,13 +524,14 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
return 0; return 0;
} }
static void audit_tree_log_remove_rule(struct audit_krule *rule) static void audit_tree_log_remove_rule(struct audit_context *context,
struct audit_krule *rule)
{ {
struct audit_buffer *ab; struct audit_buffer *ab;
if (!audit_enabled) if (!audit_enabled)
return; return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab)) if (unlikely(!ab))
return; return;
audit_log_format(ab, "op=remove_rule dir="); audit_log_format(ab, "op=remove_rule dir=");
@ -540,7 +541,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
audit_log_end(ab); audit_log_end(ab);
} }
static void kill_rules(struct audit_tree *tree) static void kill_rules(struct audit_context *context, struct audit_tree *tree)
{ {
struct audit_krule *rule, *next; struct audit_krule *rule, *next;
struct audit_entry *entry; struct audit_entry *entry;
@ -551,7 +552,7 @@ static void kill_rules(struct audit_tree *tree)
list_del_init(&rule->rlist); list_del_init(&rule->rlist);
if (rule->tree) { if (rule->tree) {
/* not a half-baked one */ /* not a half-baked one */
audit_tree_log_remove_rule(rule); audit_tree_log_remove_rule(context, rule);
if (entry->rule.exe) if (entry->rule.exe)
audit_remove_mark(entry->rule.exe); audit_remove_mark(entry->rule.exe);
rule->tree = NULL; rule->tree = NULL;
@ -633,7 +634,7 @@ static void trim_marked(struct audit_tree *tree)
tree->goner = 1; tree->goner = 1;
spin_unlock(&hash_lock); spin_unlock(&hash_lock);
mutex_lock(&audit_filter_mutex); mutex_lock(&audit_filter_mutex);
kill_rules(tree); kill_rules(audit_context(), tree);
list_del_init(&tree->list); list_del_init(&tree->list);
mutex_unlock(&audit_filter_mutex); mutex_unlock(&audit_filter_mutex);
prune_one(tree); prune_one(tree);
@ -973,8 +974,10 @@ static void audit_schedule_prune(void)
* ... and that one is done if evict_chunk() decides to delay until the end * ... and that one is done if evict_chunk() decides to delay until the end
* of syscall. Runs synchronously. * of syscall. Runs synchronously.
*/ */
void audit_kill_trees(struct list_head *list) void audit_kill_trees(struct audit_context *context)
{ {
struct list_head *list = &context->killed_trees;
audit_ctl_lock(); audit_ctl_lock();
mutex_lock(&audit_filter_mutex); mutex_lock(&audit_filter_mutex);
@ -982,7 +985,7 @@ void audit_kill_trees(struct list_head *list)
struct audit_tree *victim; struct audit_tree *victim;
victim = list_entry(list->next, struct audit_tree, list); victim = list_entry(list->next, struct audit_tree, list);
kill_rules(victim); kill_rules(context, victim);
list_del_init(&victim->list); list_del_init(&victim->list);
mutex_unlock(&audit_filter_mutex); mutex_unlock(&audit_filter_mutex);
@ -1017,7 +1020,7 @@ static void evict_chunk(struct audit_chunk *chunk)
list_del_init(&owner->same_root); list_del_init(&owner->same_root);
spin_unlock(&hash_lock); spin_unlock(&hash_lock);
if (!postponed) { if (!postponed) {
kill_rules(owner); kill_rules(audit_context(), owner);
list_move(&owner->list, &prune_list); list_move(&owner->list, &prune_list);
need_prune = 1; need_prune = 1;
} else { } else {

12
kernel/auditsc.c
View File

@ -1444,6 +1444,9 @@ void __audit_free(struct task_struct *tsk)
if (!context) if (!context)
return; return;
if (!list_empty(&context->killed_trees))
audit_kill_trees(context);
/* We are called either by do_exit() or the fork() error handling code; /* We are called either by do_exit() or the fork() error handling code;
* in the former case tsk == current and in the latter tsk is a * in the former case tsk == current and in the latter tsk is a
* random task_struct that doesn't doesn't have any meaningful data we * random task_struct that doesn't doesn't have any meaningful data we
@ -1460,9 +1463,6 @@ void __audit_free(struct task_struct *tsk)
audit_log_exit(); audit_log_exit();
} }
if (!list_empty(&context->killed_trees))
audit_kill_trees(&context->killed_trees);
audit_set_context(tsk, NULL); audit_set_context(tsk, NULL);
audit_free_context(context); audit_free_context(context);
} }
@ -1537,6 +1537,9 @@ void __audit_syscall_exit(int success, long return_code)
if (!context) if (!context)
return; return;
if (!list_empty(&context->killed_trees))
audit_kill_trees(context);
if (!context->dummy && context->in_syscall) { if (!context->dummy && context->in_syscall) {
if (success) if (success)
context->return_valid = AUDITSC_SUCCESS; context->return_valid = AUDITSC_SUCCESS;
@ -1571,9 +1574,6 @@ void __audit_syscall_exit(int success, long return_code)
context->in_syscall = 0; context->in_syscall = 0;
context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
if (!list_empty(&context->killed_trees))
audit_kill_trees(&context->killed_trees);
audit_free_names(context); audit_free_names(context);
unroll_tree_refs(context, NULL, 0); unroll_tree_refs(context, NULL, 0);
audit_free_aux(context); audit_free_aux(context);