
Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit

Pull audit updates from Paul Moore:
"Seven audit patches for 4.5, all very minor despite the diffstat.

The diffstat churn for linux/audit.h can be attributed to needing to
reshuffle the linux/audit.h header to fix the seccomp auditing issue
(see the commit description for details).

Besides the seccomp/audit fix, most of the fixes are around trying to
improve the connection with the audit daemon and a Kconfig
simplification. Nothing crazy, and everything passes our little
audit-testsuite"

* 'upstream' of git://git.infradead.org/users/pcmoore/audit:
audit: always enable syscall auditing when supported and audit is enabled
audit: force seccomp event logging to honor the audit_enabled flag
audit: Delete unnecessary checks before two function calls
audit: wake up threads if queue switched from limited to unlimited
audit: include auditd's threads in audit_log_start() wait exception
audit: remove audit_backlog_wait_overflow
audit: don't needlessly reset valid wait time

+114 -118
+104 -100
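--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -113,6 +113,107 @@
 
 extern void audit_log_session_info(struct audit_buffer *ab);
 
+#ifdef CONFIG_AUDIT
+/* These are defined in audit.c */
+/* Public API */
+extern __printf(4, 5)
+void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
+	       const char *fmt, ...);
+
+extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+extern __printf(2, 3)
+void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
+extern void audit_log_end(struct audit_buffer *ab);
+extern bool audit_string_contains_control(const char *string,
+					  size_t len);
+extern void audit_log_n_hex(struct audit_buffer *ab,
+			    const unsigned char *buf,
+			    size_t len);
+extern void audit_log_n_string(struct audit_buffer *ab,
+			       const char *buf,
+			       size_t n);
+extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
+					const char *string,
+					size_t n);
+extern void audit_log_untrustedstring(struct audit_buffer *ab,
+				      const char *string);
+extern void audit_log_d_path(struct audit_buffer *ab,
+			     const char *prefix,
+			     const struct path *path);
+extern void audit_log_key(struct audit_buffer *ab,
+			  char *key);
+extern void audit_log_link_denied(const char *operation,
+				  struct path *link);
+extern void audit_log_lost(const char *message);
+#ifdef CONFIG_SECURITY
+extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
+#else
+static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{ }
+#endif
+
+extern int audit_log_task_context(struct audit_buffer *ab);
+extern void audit_log_task_info(struct audit_buffer *ab,
+				struct task_struct *tsk);
+
+extern int audit_update_lsm_rules(void);
+
+/* Private API (for audit.c only) */
+extern int audit_filter_user(int type);
+extern int audit_filter_type(int type);
+extern int audit_rule_change(int type, __u32 portid, int seq,
+			     void *data, size_t datasz);
+extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
+
+extern u32 audit_enabled;
+#else /* CONFIG_AUDIT */
+static inline __printf(4, 5)
+void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
+	       const char *fmt, ...)
+{ }
+static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
+						   gfp_t gfp_mask, int type)
+{
+	return NULL;
+}
+static inline __printf(2, 3)
+void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
+{ }
+static inline void audit_log_end(struct audit_buffer *ab)
+{ }
+static inline void audit_log_n_hex(struct audit_buffer *ab,
+				   const unsigned char *buf, size_t len)
+{ }
+static inline void audit_log_n_string(struct audit_buffer *ab,
+				      const char *buf, size_t n)
+{ }
+static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
+					       const char *string, size_t n)
+{ }
+static inline void audit_log_untrustedstring(struct audit_buffer *ab,
+					     const char *string)
+{ }
+static inline void audit_log_d_path(struct audit_buffer *ab,
+				    const char *prefix,
+				    const struct path *path)
+{ }
+static inline void audit_log_key(struct audit_buffer *ab, char *key)
+{ }
+static inline void audit_log_link_denied(const char *string,
+					 const struct path *link)
+{ }
+static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{ }
+static inline int audit_log_task_context(struct audit_buffer *ab)
+{
+	return 0;
+}
+static inline void audit_log_task_info(struct audit_buffer *ab,
+				       struct task_struct *tsk)
+{ }
+#define audit_enabled 0
+#endif /* CONFIG_AUDIT */
+
 #ifdef CONFIG_AUDIT_COMPAT_GENERIC
 #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT))
 #else
@@ -313,6 +212,9 @@
 
 static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 {
+	if (!audit_enabled)
+		return;
+
 	/* Force a record to be reported if a signal was delivered. */
 	if (signr || unlikely(!audit_dummy_context()))
 		__audit_seccomp(syscall, signr, code);
@@ -550,106 +446,6 @@
 	return uid_valid(audit_get_loginuid(tsk));
 }
 
-#ifdef CONFIG_AUDIT
-/* These are defined in audit.c */
-/* Public API */
-extern __printf(4, 5)
-void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
-	       const char *fmt, ...);
-
-extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
-extern __printf(2, 3)
-void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
-extern void audit_log_end(struct audit_buffer *ab);
-extern bool audit_string_contains_control(const char *string,
-					  size_t len);
-extern void audit_log_n_hex(struct audit_buffer *ab,
-			    const unsigned char *buf,
-			    size_t len);
-extern void audit_log_n_string(struct audit_buffer *ab,
-			       const char *buf,
-			       size_t n);
-extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
-					const char *string,
-					size_t n);
-extern void audit_log_untrustedstring(struct audit_buffer *ab,
-				      const char *string);
-extern void audit_log_d_path(struct audit_buffer *ab,
-			     const char *prefix,
-			     const struct path *path);
-extern void audit_log_key(struct audit_buffer *ab,
-			  char *key);
-extern void audit_log_link_denied(const char *operation,
-				  struct path *link);
-extern void audit_log_lost(const char *message);
-#ifdef CONFIG_SECURITY
-extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
-#else
-static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
-{ }
-#endif
-
-extern int audit_log_task_context(struct audit_buffer *ab);
-extern void audit_log_task_info(struct audit_buffer *ab,
-				struct task_struct *tsk);
-
-extern int audit_update_lsm_rules(void);
-
-/* Private API (for audit.c only) */
-extern int audit_filter_user(int type);
-extern int audit_filter_type(int type);
-extern int audit_rule_change(int type, __u32 portid, int seq,
-			     void *data, size_t datasz);
-extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
-
-extern u32 audit_enabled;
-#else /* CONFIG_AUDIT */
-static inline __printf(4, 5)
-void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
-	       const char *fmt, ...)
-{ }
-static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
-						   gfp_t gfp_mask, int type)
-{
-	return NULL;
-}
-static inline __printf(2, 3)
-void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
-{ }
-static inline void audit_log_end(struct audit_buffer *ab)
-{ }
-static inline void audit_log_n_hex(struct audit_buffer *ab,
-				   const unsigned char *buf, size_t len)
-{ }
-static inline void audit_log_n_string(struct audit_buffer *ab,
-				      const char *buf, size_t n)
-{ }
-static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
-					       const char *string, size_t n)
-{ }
-static inline void audit_log_untrustedstring(struct audit_buffer *ab,
-					     const char *string)
-{ }
-static inline void audit_log_d_path(struct audit_buffer *ab,
-				    const char *prefix,
-				    const struct path *path)
-{ }
-static inline void audit_log_key(struct audit_buffer *ab, char *key)
-{ }
-static inline void audit_log_link_denied(const char *string,
-					 const struct path *link)
-{ }
-static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
-{ }
-static inline int audit_log_task_context(struct audit_buffer *ab)
-{
-	return 0;
-}
-static inline void audit_log_task_info(struct audit_buffer *ab,
-				       struct task_struct *tsk)
-{ }
-#define audit_enabled 0
-#endif /* CONFIG_AUDIT */
 static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 {
 	audit_log_n_string(ab, buf, strlen(buf));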
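Review bot: The early return added at new lines 215-216 of audit_seccomp() now suppresses the record even when a signal was delivered, but the comment that follows at line 218 still reads as if signal delivery always forces a record; it should state the new precedence, e.g. `/* Nothing is reported while auditing is disabled; otherwise force a record if a signal was delivered. */`. The gate reads audit_enabled, declared in this same hunk as a plain `extern u32` (line 168), so it looks like an unsynchronised read of a global that can presumably be changed at runtime — acceptable as a best-effort check, but a one-line note that an event racing with an enable/disable transition may land on either side would help the next reader. audit_seccomp()'s closing brace lies outside the hunk.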
+3 -8
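--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@
 	help
 	  Enable auditing infrastructure that can be used with another
 	  kernel subsystem, such as SELinux (which requires this for
-	  logging of avc messages output). Does not do system-call
-	  auditing without CONFIG_AUDITSYSCALL.
+	  logging of avc messages output). System call auditing is included
+	  on architectures which support it.
 
 config HAVE_ARCH_AUDITSYSCALL
 	bool
 
 config AUDITSYSCALL
-	bool "Enable system-call auditing support"
+	def_bool y
 	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
-	default y if SECURITY_SELINUX
-	help
-	  Enable low-overhead system-call auditing infrastructure that
-	  can be used independently or with another kernel subsystem,
-	  such as SELinux.
 
 config AUDIT_WATCH
 	def_bool y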
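Review bot: Making AUDITSYSCALL `def_bool y` at new line 309 removes both the prompt and the help text, so an existing configuration carrying `CONFIG_AUDITSYSCALL=n` will be flipped to y on the next config refresh with nothing in this file explaining why the option is no longer selectable. The reworded AUDIT help at new lines 302-303 says syscall auditing "is included" but not that it can no longer be disabled on its own; suggest `logging of avc messages output). System call auditing is always enabled on architectures which support it and cannot be switched off separately.` so the only remaining help text carries that information.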
+7 -10
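--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -110,7 +110,6 @@
 #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
 static u32 audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME;
 static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
-static u32 audit_backlog_wait_overflow = 0;
 
 /* The identity of the user shutting down the audit system. */
 kuid_t audit_sig_uid = INVALID_UID;
@@ -508,8 +509,7 @@
 	 * if auditd just disappeared but we
 	 * dequeued an skb we need to drop ref
 	 */
-	if (skb)
-		consume_skb(skb);
+	consume_skb(skb);
 }
 
 static int kauditd_thread(void *dummy)
@@ -522,7 +524,8 @@
 		skb = skb_dequeue(&audit_skb_queue);
 
 		if (skb) {
-			if (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit)
+			if (!audit_backlog_limit ||
+			    (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit))
 				wake_up(&audit_backlog_wait);
 			if (audit_pid)
 				kauditd_send_skb(skb);
@@ -1231,9 +1232,7 @@
 	if (!ab)
 		return;
 
-	if (ab->skb)
-		kfree_skb(ab->skb);
-
+	kfree_skb(ab->skb);
 	spin_lock_irqsave(&audit_freelist_lock, flags);
 	if (audit_freelist_count > AUDIT_MAXFREE)
 		kfree(ab);
@@ -1369,7 +1372,7 @@
 		return NULL;
 
 	if (gfp_mask & __GFP_DIRECT_RECLAIM) {
-		if (audit_pid && audit_pid == current->pid)
+		if (audit_pid && audit_pid == current->tgid)
 			gfp_mask &= ~__GFP_DIRECT_RECLAIM;
 		else
 			reserve = 0;
@@ -1392,12 +1395,12 @@
 			skb_queue_len(&audit_skb_queue),
 			audit_backlog_limit);
 		audit_log_lost("backlog limit exceeded");
-		audit_backlog_wait_time = audit_backlog_wait_overflow;
+		audit_backlog_wait_time = 0;
 		wake_up(&audit_backlog_wait);
 		return NULL;
 	}
 
-	if (!reserve)
+	if (!reserve && !audit_backlog_wait_time)
 		audit_backlog_wait_time = audit_backlog_wait_time_master;
 
 	ab = audit_buffer_alloc(ctx, gfp_mask, type);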
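Review bot: The switch to `audit_pid == current->tgid` at new line 1375 widens the direct-reclaim exemption from one thread to every thread in auditd's thread group, but nothing on the line says why, and the test now silently depends on audit_pid holding a thread-group id rather than an individual thread id — how audit_pid is assigned is not visible in this hunk, so please confirm that and record it with a why-comment such as `/* auditd is multi-threaded; compare against its tgid so none of its threads can recurse into reclaim */`. Separately, the new condition at lines 527-528 makes kauditd wake the backlog waiters on every dequeued skb whenever audit_backlog_limit is 0; that is presumably the intended cost of the "unlimited" case, but a one-line comment there, e.g. `/* with no limit, every dequeue may unblock a waiter */`, would stop a later reader from "optimising" it away. The enclosing functions of both hunks (audit_log_start and kauditd_thread) start and end outside the hunks shown.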