From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
keescook@chromium.org, john.johansen@canonical.com,
penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org
Subject: [PATCH v37 26/33] Audit: Allow multiple records in an audit_buffer
Date: Mon, 27 Jun 2022 17:56:04 -0700 [thread overview]
Message-ID: <20220628005611.13106-27-casey@schaufler-ca.com> (raw)
In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com>
Replace the single skb pointer in an audit_buffer with
a list of skb pointers. Add the audit_stamp information
to the audit_buffer as there's no guarantee that there
will be an audit_context containing the stamp associated
with the event. At audit_log_end() time create auxiliary
records (none are currently defined) as have been added
to the list. Functions are created to manage the skb list
in the audit_buffer.
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
kernel/audit.c | 111 +++++++++++++++++++++++++++++++++++++++----------
1 file changed, 89 insertions(+), 22 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index e4ee8ee63484..e4cd2cdda7f5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -197,8 +197,10 @@ static struct audit_ctl_mutex {
* to place it on a transmit queue. Multiple audit_buffers can be in
* use simultaneously. */
struct audit_buffer {
- struct sk_buff *skb; /* formatted skb ready to send */
+ struct sk_buff *skb; /* the skb for audit_log functions */
+ struct sk_buff_head skb_list; /* formatted skbs, ready to send */
struct audit_context *ctx; /* NULL or associated context */
+ struct audit_stamp stamp; /* audit stamp for these records */
gfp_t gfp_mask;
};
@@ -1765,10 +1767,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set);
static void audit_buffer_free(struct audit_buffer *ab)
{
+ struct sk_buff *skb;
+
if (!ab)
return;
- kfree_skb(ab->skb);
+ while ((skb = skb_dequeue(&ab->skb_list)))
+ kfree_skb(skb);
kmem_cache_free(audit_buffer_cache, ab);
}
@@ -1784,6 +1789,10 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
if (!ab->skb)
goto err;
+
+ skb_queue_head_init(&ab->skb_list);
+ skb_queue_tail(&ab->skb_list, ab->skb);
+
if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
goto err;
@@ -1849,7 +1858,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
int type)
{
struct audit_buffer *ab;
- struct audit_stamp stamp;
if (audit_initialized != AUDIT_INITIALIZED)
return NULL;
@@ -1904,14 +1912,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
return NULL;
}
- audit_get_stamp(ab->ctx, &stamp);
+ audit_get_stamp(ab->ctx, &ab->stamp);
/* cancel dummy context to enable supporting records */
if (ctx)
ctx->dummy = 0;
audit_log_format(ab, "audit(%llu.%03lu:%u): ",
- (unsigned long long)stamp.ctime.tv_sec,
- stamp.ctime.tv_nsec/1000000,
- stamp.serial);
+ (unsigned long long)ab->stamp.ctime.tv_sec,
+ ab->stamp.ctime.tv_nsec/1000000,
+ ab->stamp.serial);
return ab;
}
@@ -2167,6 +2175,57 @@ void audit_log_key(struct audit_buffer *ab, char *key)
audit_log_format(ab, "(null)");
}
+/**
+ * audit_buffer_aux_new - Add an aux record buffer to the skb list
+ * @ab: audit_buffer
+ * @type: message type
+ *
+ * Aux records are allocated and added to the skb list of
+ * the "main" record. The ab->skb is reset to point to the
+ * aux record on its creation. When the aux record in complete
+ * ab->skb has to be reset to point to the "main" record.
+ * This allows the audit_log_ functions to be ignorant of
+ * which kind of record it is logging to. It also avoids adding
+ * special data for aux records.
+ *
+ * On success ab->skb will point to the new aux record.
+ * Returns 0 on success, -ENOMEM should allocation fail.
+ */
+static int audit_buffer_aux_new(struct audit_buffer *ab, int type)
+{
+ WARN_ON(ab->skb != skb_peek(&ab->skb_list));
+
+ ab->skb = nlmsg_new(AUDIT_BUFSIZ, ab->gfp_mask);
+ if (!ab->skb)
+ goto err;
+ if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
+ goto err;
+ skb_queue_tail(&ab->skb_list, ab->skb);
+
+ audit_log_format(ab, "audit(%llu.%03lu:%u): ",
+ (unsigned long long)ab->stamp.ctime.tv_sec,
+ ab->stamp.ctime.tv_nsec/1000000,
+ ab->stamp.serial);
+
+ return 0;
+
+err:
+ kfree_skb(ab->skb);
+ ab->skb = skb_peek(&ab->skb_list);
+ return -ENOMEM;
+}
+
+/**
+ * audit_buffer_aux_end - Switch back to the "main" record from an aux record
+ * @ab: audit_buffer
+ *
+ * Restores the "main" audit record to ab->skb.
+ */
+static void audit_buffer_aux_end(struct audit_buffer *ab)
+{
+ ab->skb = skb_peek(&ab->skb_list);
+}
+
int audit_log_task_context(struct audit_buffer *ab)
{
int error;
@@ -2402,26 +2461,14 @@ int audit_signal_info(int sig, struct task_struct *t)
}
/**
- * audit_log_end - end one audit record
- * @ab: the audit_buffer
- *
- * We can not do a netlink send inside an irq context because it blocks (last
- * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
- * queue and a kthread is scheduled to remove them from the queue outside the
- * irq context. May be called in any context.
+ * __audit_log_end - enqueue one audit record
+ * @skb: the buffer to send
*/
-void audit_log_end(struct audit_buffer *ab)
+static void __audit_log_end(struct sk_buff *skb)
{
- struct sk_buff *skb;
struct nlmsghdr *nlh;
- if (!ab)
- return;
-
if (audit_rate_check()) {
- skb = ab->skb;
- ab->skb = NULL;
-
/* setup the netlink header, see the comments in
* kauditd_send_multicast_skb() for length quirks */
nlh = nlmsg_hdr(skb);
@@ -2432,6 +2479,26 @@ void audit_log_end(struct audit_buffer *ab)
wake_up_interruptible(&kauditd_wait);
} else
audit_log_lost("rate limit exceeded");
+}
+
+/**
+ * audit_log_end - end one audit record
+ * @ab: the audit_buffer
+ *
+ * We can not do a netlink send inside an irq context because it blocks (last
+ * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
+ * queue and a kthread is scheduled to remove them from the queue outside the
+ * irq context. May be called in any context.
+ */
+void audit_log_end(struct audit_buffer *ab)
+{
+ struct sk_buff *skb;
+
+ if (!ab)
+ return;
+
+ while ((skb = skb_dequeue(&ab->skb_list)))
+ __audit_log_end(skb);
audit_buffer_free(ab);
}
--
2.36.1
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org,
linux-audit@redhat.com
Subject: [PATCH v37 26/33] Audit: Allow multiple records in an audit_buffer
Date: Mon, 27 Jun 2022 17:56:04 -0700 [thread overview]
Message-ID: <20220628005611.13106-27-casey@schaufler-ca.com> (raw)
In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com>
Replace the single skb pointer in an audit_buffer with
a list of skb pointers. Add the audit_stamp information
to the audit_buffer as there's no guarantee that there
will be an audit_context containing the stamp associated
with the event. At audit_log_end() time create auxiliary
records (none are currently defined) as have been added
to the list. Functions are created to manage the skb list
in the audit_buffer.
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
kernel/audit.c | 111 +++++++++++++++++++++++++++++++++++++++----------
1 file changed, 89 insertions(+), 22 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index e4ee8ee63484..e4cd2cdda7f5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -197,8 +197,10 @@ static struct audit_ctl_mutex {
* to place it on a transmit queue. Multiple audit_buffers can be in
* use simultaneously. */
struct audit_buffer {
- struct sk_buff *skb; /* formatted skb ready to send */
+ struct sk_buff *skb; /* the skb for audit_log functions */
+ struct sk_buff_head skb_list; /* formatted skbs, ready to send */
struct audit_context *ctx; /* NULL or associated context */
+ struct audit_stamp stamp; /* audit stamp for these records */
gfp_t gfp_mask;
};
@@ -1765,10 +1767,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set);
static void audit_buffer_free(struct audit_buffer *ab)
{
+ struct sk_buff *skb;
+
if (!ab)
return;
- kfree_skb(ab->skb);
+ while ((skb = skb_dequeue(&ab->skb_list)))
+ kfree_skb(skb);
kmem_cache_free(audit_buffer_cache, ab);
}
@@ -1784,6 +1789,10 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
if (!ab->skb)
goto err;
+
+ skb_queue_head_init(&ab->skb_list);
+ skb_queue_tail(&ab->skb_list, ab->skb);
+
if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
goto err;
@@ -1849,7 +1858,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
int type)
{
struct audit_buffer *ab;
- struct audit_stamp stamp;
if (audit_initialized != AUDIT_INITIALIZED)
return NULL;
@@ -1904,14 +1912,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
return NULL;
}
- audit_get_stamp(ab->ctx, &stamp);
+ audit_get_stamp(ab->ctx, &ab->stamp);
/* cancel dummy context to enable supporting records */
if (ctx)
ctx->dummy = 0;
audit_log_format(ab, "audit(%llu.%03lu:%u): ",
- (unsigned long long)stamp.ctime.tv_sec,
- stamp.ctime.tv_nsec/1000000,
- stamp.serial);
+ (unsigned long long)ab->stamp.ctime.tv_sec,
+ ab->stamp.ctime.tv_nsec/1000000,
+ ab->stamp.serial);
return ab;
}
@@ -2167,6 +2175,57 @@ void audit_log_key(struct audit_buffer *ab, char *key)
audit_log_format(ab, "(null)");
}
+/**
+ * audit_buffer_aux_new - Add an aux record buffer to the skb list
+ * @ab: audit_buffer
+ * @type: message type
+ *
+ * Aux records are allocated and added to the skb list of
+ * the "main" record. The ab->skb is reset to point to the
+ * aux record on its creation. When the aux record in complete
+ * ab->skb has to be reset to point to the "main" record.
+ * This allows the audit_log_ functions to be ignorant of
+ * which kind of record it is logging to. It also avoids adding
+ * special data for aux records.
+ *
+ * On success ab->skb will point to the new aux record.
+ * Returns 0 on success, -ENOMEM should allocation fail.
+ */
+static int audit_buffer_aux_new(struct audit_buffer *ab, int type)
+{
+ WARN_ON(ab->skb != skb_peek(&ab->skb_list));
+
+ ab->skb = nlmsg_new(AUDIT_BUFSIZ, ab->gfp_mask);
+ if (!ab->skb)
+ goto err;
+ if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
+ goto err;
+ skb_queue_tail(&ab->skb_list, ab->skb);
+
+ audit_log_format(ab, "audit(%llu.%03lu:%u): ",
+ (unsigned long long)ab->stamp.ctime.tv_sec,
+ ab->stamp.ctime.tv_nsec/1000000,
+ ab->stamp.serial);
+
+ return 0;
+
+err:
+ kfree_skb(ab->skb);
+ ab->skb = skb_peek(&ab->skb_list);
+ return -ENOMEM;
+}
+
+/**
+ * audit_buffer_aux_end - Switch back to the "main" record from an aux record
+ * @ab: audit_buffer
+ *
+ * Restores the "main" audit record to ab->skb.
+ */
+static void audit_buffer_aux_end(struct audit_buffer *ab)
+{
+ ab->skb = skb_peek(&ab->skb_list);
+}
+
int audit_log_task_context(struct audit_buffer *ab)
{
int error;
@@ -2402,26 +2461,14 @@ int audit_signal_info(int sig, struct task_struct *t)
}
/**
- * audit_log_end - end one audit record
- * @ab: the audit_buffer
- *
- * We can not do a netlink send inside an irq context because it blocks (last
- * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
- * queue and a kthread is scheduled to remove them from the queue outside the
- * irq context. May be called in any context.
+ * __audit_log_end - enqueue one audit record
+ * @skb: the buffer to send
*/
-void audit_log_end(struct audit_buffer *ab)
+static void __audit_log_end(struct sk_buff *skb)
{
- struct sk_buff *skb;
struct nlmsghdr *nlh;
- if (!ab)
- return;
-
if (audit_rate_check()) {
- skb = ab->skb;
- ab->skb = NULL;
-
/* setup the netlink header, see the comments in
* kauditd_send_multicast_skb() for length quirks */
nlh = nlmsg_hdr(skb);
@@ -2432,6 +2479,26 @@ void audit_log_end(struct audit_buffer *ab)
wake_up_interruptible(&kauditd_wait);
} else
audit_log_lost("rate limit exceeded");
+}
+
+/**
+ * audit_log_end - end one audit record
+ * @ab: the audit_buffer
+ *
+ * We can not do a netlink send inside an irq context because it blocks (last
+ * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
+ * queue and a kthread is scheduled to remove them from the queue outside the
+ * irq context. May be called in any context.
+ */
+void audit_log_end(struct audit_buffer *ab)
+{
+ struct sk_buff *skb;
+
+ if (!ab)
+ return;
+
+ while ((skb = skb_dequeue(&ab->skb_list)))
+ __audit_log_end(skb);
audit_buffer_free(ab);
}
--
2.36.1
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2022-06-28 1:12 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20220628005611.13106-1-casey.ref@schaufler-ca.com>
2022-06-28 0:55 ` [PATCH v37 00/33] LSM: Module stacking for AppArmor Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 01/33] integrity: disassociate ima_filter_rule from security_audit_rule Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 02/33] LSM: Infrastructure management of the sock security Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 03/33] LSM: Add the lsmblob data structure Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 04/33] LSM: provide lsm name and id slot mappings Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 05/33] IMA: avoid label collisions with stacked LSMs Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 06/33] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 07/33] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 08/33] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 09/33] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 10/33] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 11/33] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 12/33] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 13/33] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 14/33] LSM: Specify which LSM to display Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 15/33] LSM: Ensure the correct LSM context releaser Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 16/33] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 17/33] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 18/33] LSM: Use lsmcontext in security_dentry_init_security Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 5:36 ` kernel test robot
2022-06-28 5:36 ` kernel test robot
2022-06-28 8:44 ` kernel test robot
2022-06-28 8:44 ` kernel test robot
2022-06-28 11:24 ` kernel test robot
2022-06-28 11:24 ` kernel test robot
2022-06-28 0:55 ` [PATCH v37 19/33] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 20/33] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 21/33] binder: Pass LSM identifier for confirmation Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 22/33] LSM: security_secid_to_secctx module selection Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 23/33] Audit: Keep multiple LSM data in audit_names Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 24/33] Audit: Create audit_stamp structure Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 25/33] LSM: Add a function to report multiple LSMs Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler [this message]
2022-06-28 0:56 ` [PATCH v37 26/33] Audit: Allow multiple records in an audit_buffer Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 27/33] Audit: Add record for multiple task security contexts Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 28/33] audit: multiple subject lsm values for netlabel Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 29/33] Audit: Add record for multiple object contexts Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 30/33] netlabel: Use a struct lsmblob in audit data Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 31/33] LSM: Removed scaffolding function lsmcontext_init Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 32/33] LSM: Add /proc attr entry for full LSM context Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 33/33] AppArmor: Remove the exclusive flag Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-07-12 21:42 ` [PATCH v37 00/33] LSM: Module stacking for AppArmor John Johansen
2022-07-12 21:42 ` John Johansen
2022-07-12 21:58 ` Casey Schaufler
2022-07-12 21:58 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220628005611.13106-27-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.