Re: [PATCH v35 25/29] Audit: Allow multiple records in an audit_buffer

From: John Johansen <john.johansen@canonical.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
	casey.schaufler@intel.com, jmorris@namei.org,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: linux-audit@redhat.com, keescook@chromium.org,
	penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
	stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v35 25/29] Audit: Allow multiple records in an audit_buffer
Date: Mon, 25 Apr 2022 18:06:13 -0700	[thread overview]
Message-ID: <81c9f88f-7e8f-0ca6-56b8-049571af6809@canonical.com> (raw)
In-Reply-To: <20220418145945.38797-26-casey@schaufler-ca.com>

On 4/18/22 07:59, Casey Schaufler wrote:
> Replace the single skb pointer in an audit_buffer with
> a list of skb pointers. Add the audit_stamp information
> to the audit_buffer as there's no guarantee that there
> will be an audit_context containing the stamp associated
> with the event. At audit_log_end() time create auxiliary
> records (none are currently defined) as have been added
> to the list.
> 
> Suggested-by: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

I agree with Paul that audit_buffer_aux_new() and
audit_buffer_aux_end() belong in this patch

> ---
>  kernel/audit.c | 62 +++++++++++++++++++++++++++++++-------------------
>  1 file changed, 39 insertions(+), 23 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 6b6c089512f7..4d44c05053b0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -197,8 +197,10 @@ static struct audit_ctl_mutex {
>   * to place it on a transmit queue.  Multiple audit_buffers can be in
>   * use simultaneously. */
>  struct audit_buffer {
> -	struct sk_buff       *skb;	/* formatted skb ready to send */
> +	struct sk_buff       *skb;	/* the skb for audit_log functions */
> +	struct sk_buff_head  skb_list;	/* formatted skbs, ready to send */
>  	struct audit_context *ctx;	/* NULL or associated context */
> +	struct audit_stamp   stamp;	/* audit stamp for these records */
>  	gfp_t		     gfp_mask;
>  };
>  
> @@ -1765,10 +1767,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set);
>  
>  static void audit_buffer_free(struct audit_buffer *ab)
>  {
> +	struct sk_buff *skb;
> +
>  	if (!ab)
>  		return;
>  
> -	kfree_skb(ab->skb);
> +	while((skb = skb_dequeue(&ab->skb_list)))
> +		kfree_skb(skb);

we still have and ab->skb can we have a debug check that its freed by walking the queue?

>  	kmem_cache_free(audit_buffer_cache, ab);
>  }
>  
> @@ -1784,8 +1789,12 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
>  	ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
>  	if (!ab->skb)
>  		goto err;
> +
> +	skb_queue_head_init(&ab->skb_list);
> +	skb_queue_tail(&ab->skb_list, ab->skb);
> +
>  	if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
> -		goto err;
> +		kfree_skb(ab->skb);

why is this no longer an error?

>  
>  	ab->ctx = ctx;
>  	ab->gfp_mask = gfp_mask;
> @@ -1849,7 +1858,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  				     int type)
>  {
>  	struct audit_buffer *ab;
> -	struct audit_stamp stamp;
>  
>  	if (audit_initialized != AUDIT_INITIALIZED)
>  		return NULL;
> @@ -1904,14 +1912,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  		return NULL;
>  	}
>  
> -	audit_get_stamp(ab->ctx, &stamp);
> +	audit_get_stamp(ab->ctx, &ab->stamp);
>  	/* cancel dummy context to enable supporting records */
>  	if (ctx)
>  		ctx->dummy = 0;
>  	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
> -			 (unsigned long long)stamp.ctime.tv_sec,
> -			 stamp.ctime.tv_nsec/1000000,
> -			 stamp.serial);
> +			 (unsigned long long)ab->stamp.ctime.tv_sec,
> +			 ab->stamp.ctime.tv_nsec/1000000,
> +			 ab->stamp.serial);
>  
>  	return ab;
>  }
> @@ -2402,26 +2410,14 @@ int audit_signal_info(int sig, struct task_struct *t)
>  }
>  
>  /**
> - * audit_log_end - end one audit record
> - * @ab: the audit_buffer
> - *
> - * We can not do a netlink send inside an irq context because it blocks (last
> - * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
> - * queue and a kthread is scheduled to remove them from the queue outside the
> - * irq context.  May be called in any context.
> + * __audit_log_end - enqueue one audit record
> + * @skb: the buffer to send
>   */
> -void audit_log_end(struct audit_buffer *ab)
> +static void __audit_log_end(struct sk_buff *skb)
>  {
> -	struct sk_buff *skb;
>  	struct nlmsghdr *nlh;
>  
> -	if (!ab)
> -		return;
> -
>  	if (audit_rate_check()) {
> -		skb = ab->skb;
> -		ab->skb = NULL;
> -
>  		/* setup the netlink header, see the comments in
>  		 * kauditd_send_multicast_skb() for length quirks */
>  		nlh = nlmsg_hdr(skb);
> @@ -2432,6 +2428,26 @@ void audit_log_end(struct audit_buffer *ab)
>  		wake_up_interruptible(&kauditd_wait);
>  	} else
>  		audit_log_lost("rate limit exceeded");
> +}
> +
> +/**
> + * audit_log_end - end one audit record
> + * @ab: the audit_buffer
> + *
> + * We can not do a netlink send inside an irq context because it blocks (last
> + * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
> + * queue and a kthread is scheduled to remove them from the queue outside the
> + * irq context.  May be called in any context.
> + */
> +void audit_log_end(struct audit_buffer *ab)
> +{
> +	struct sk_buff *skb;
> +
> +	if (!ab)
> +		return;
> +
> +	while ((skb = skb_dequeue(&ab->skb_list)))
> +		__audit_log_end(skb);
>  
>  	audit_buffer_free(ab);
>  }