From: Anton Blanchard <anton@samba.org>
To: eparis@redhat.com, viro@zeniv.linux.org.uk, benh@kernel.crashing.org, paulus@samba.org
Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Subject: [PATCH 1/4] audit: Syscall rules are not applied to existing processes on non-x86
Date: Wed, 9 Jan 2013 10:46:17 +1100
Message-ID: <20130109104617.74e995a5@kryten>

Commit b05d8447e782 (audit: inline audit_syscall_entry to reduce burden on archs) changed audit_syscall_entry to check for a dummy context before calling __audit_syscall_entry. Unfortunately the dummy context state is maintained in __audit_syscall_entry so once set it never gets cleared, even if the audit rules change.

As a result, if there are no auditing rules when a process starts then it will never be subject to any rules added later. x86 doesn't see this because it has an assembly fast path that calls directly into __audit_syscall_entry.

I noticed this issue when working on audit performance optimisations. I wrote a set of simple test cases available at:

http://ozlabs.org/~anton/junkcode/audit_tests.tar.gz

02_new_rule.py fails without the patch and passes with it. The test case clears all rules, starts a process, adds a rule then verifies the process produces a syscall audit record.

Signed-off-by: Anton Blanchard <anton@samba.org>
Cc: <stable@kernel.org> # 3.3+
---
Index: b/include/linux/audit.h
===================================================================
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -119,7 +119,7 @@ static inline void audit_syscall_entry(i unsigned long a1, unsigned long a2, unsigned long a3) { - if (unlikely(!audit_dummy_context())) + if (unlikely(current->audit_context)) __audit_syscall_entry(arch, major, a0, a1, a2, a3); } static inline void audit_syscall_exit(void *pt_regs)
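Review bot: the changelog should spell out the cost of the check this hunk drops. With `+ if (unlikely(current->audit_context))`, every task that owns an audit context now enters __audit_syscall_entry on every syscall even while no rules are loaded, which hands back part of the fast path that b05d8447e782 introduced for the C entry path; since the changelog says the dummy state is computed inside __audit_syscall_entry and never cleared, the obvious alternative (invalidate that state when the rule set changes, so the cheap audit_dummy_context() test could stay) deserves a sentence on why it was not taken. The correctness point is the one to keep in front: on the pre-patch code a task whose first syscall happened before any rule existed (a daemon started at boot before the audit rule set is loaded, for instance) is never audited afterwards on non-x86, so the stable tag is warranted. One thing to confirm in the cover text: the trailing context shows audit_syscall_exit() directly below this wrapper; if its inline check also goes through audit_dummy_context() it needs the matching change, otherwise exit records for such tasks would still be skipped.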
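To make the stale-flag failure mode concrete, here is a userspace C model of the inline wrapper before and after the hunk. It is an added example, not kernel code and not part of Anton's patch or his test tarball. The structures, the `audit_n_rules` counter, the `records` field and the task parameter passed to `audit_dummy_context()` (the kernel reads `current` instead) are simplified stand-ins; the one behaviour it reproduces faithfully is the one the changelog describes, namely that the dummy flag is recomputed only inside `__audit_syscall_entry`, so whether the wrapper keeps calling that function decides whether a later rule change is ever noticed.

```c
/* Userspace model of the audit_syscall_entry fast path before and after the
 * patch. Added example: not kernel code and not part of the patch or the
 * author's test suite. Structures and signatures are simplified stand-ins
 * (e.g. audit_dummy_context() takes the task instead of reading `current`). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Number of loaded syscall rules; stands in for the kernel's audit_n_rules. */
static int audit_n_rules;

struct audit_context {
	int dummy;	/* "nothing to audit" flag, computed in __audit_syscall_entry */
	int records;	/* syscall audit records emitted for this task */
};

struct task {
	struct audit_context *audit_context;	/* NULL when the task has no context */
};

/* Cheap test used by the pre-patch wrapper: no context, or context marked dummy. */
static bool audit_dummy_context(const struct task *t)
{
	const struct audit_context *ctx = t->audit_context;

	return !ctx || ctx->dummy;
}

/* Slow path. The changelog's key point: the dummy state is (re)computed here
 * and only here, so once the wrapper stops calling this function the flag is
 * frozen at whatever value it had. */
static void __audit_syscall_entry(struct task *t)
{
	struct audit_context *ctx = t->audit_context;

	ctx->dummy = !audit_n_rules;
	if (ctx->dummy)
		return;		/* no rules loaded: nothing to record */
	ctx->records++;		/* a rule exists: emit a syscall record */
}

/* Wrapper before the patch: skips the slow path once the context is dummy. */
static void audit_syscall_entry_old(struct task *t)
{
	if (!audit_dummy_context(t))
		__audit_syscall_entry(t);
}

/* Wrapper after the patch: only skips tasks that have no context at all. */
static void audit_syscall_entry_new(struct task *t)
{
	if (t->audit_context)
		__audit_syscall_entry(t);
}

/* The 02_new_rule.py scenario from the changelog, replayed against a wrapper:
 * no rules loaded, the process makes a syscall, a rule is added, the process
 * makes another syscall. Returns the number of records emitted. */
static int run_scenario(void (*entry)(struct task *))
{
	struct audit_context ctx = { 0, 0 };
	struct task t = { &ctx };

	audit_n_rules = 0;	/* all rules cleared before the process starts */
	entry(&t);		/* first syscall: no rules, flag becomes dummy */
	audit_n_rules = 1;	/* a syscall rule is added while the process runs */
	entry(&t);		/* second syscall: should now be recorded */
	return ctx.records;
}

int main(void)
{
	printf("pre-patch check, rule added after start: %d record(s)\n",
	       run_scenario(audit_syscall_entry_old));
	printf("post-patch check, rule added after start: %d record(s)\n",
	       run_scenario(audit_syscall_entry_new));
	return 0;
}
```

With the pre-patch wrapper the first syscall marks the context dummy and every later syscall is short-circuited, so the rule added afterwards never produces a record; with the post-patch wrapper the flag is recomputed on each entry and the second syscall is recorded. The general pattern to look for in any audit or logging fast path is a per-task "nothing to do" cache that is never invalidated when the global policy changes.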
Thread overview (12+ messages):
  2013-01-08 23:46  [PATCH 1/4] audit: Syscall rules are not applied to existing processes on non-x86  Anton Blanchard  [this message]
  2013-01-08 23:47  [PATCH 2/4] powerpc: Remove static branch prediction in 64bit traced syscall path  Anton Blanchard
  2013-01-08 23:48  [PATCH 3/4] powerpc: Optimise 64bit syscall auditing entry path  Anton Blanchard
  2013-04-10 16:56    Re: [PATCH 3/4]  Eric Paris
  2013-01-08 23:48  [PATCH 4/4] powerpc: Optimise 64bit syscall auditing exit path  Anton Blanchard
  2013-02-07 04:13  Re: [PATCH 1/4] audit: Syscall rules are not applied to existing processes on non-x86  Anton Blanchard