From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org, Richard Guy Briggs, linux-audit@redhat.com, sds@tycho.nsa.gov
Subject: [PATCH v25 21/25] audit: add support for non-syscall auxiliary records
Date: Tue, 9 Mar 2021 06:42:39 -0800
Message-Id: <20210309144243.12519-22-casey@schaufler-ca.com>
In-Reply-To: <20210309144243.12519-1-casey@schaufler-ca.com>
References: <20210309144243.12519-1-casey@schaufler-ca.com>

Standalone audit records have the timestamp and serial number generated on the fly and as such are unique, making them standalone. This new function audit_alloc_local() generates a local audit context that will be used only for a standalone record and its auxiliary record(s).
The context is discarded immediately after the local associated records are produced. Signed-off-by: Richard Guy Briggs Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com To: Richard Guy Briggs --- include/linux/audit.h | 8 ++++++++ kernel/audit.h | 1 + kernel/auditsc.c | 33 ++++++++++++++++++++++++++++----- 3 files changed, 37 insertions(+), 5 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 418a485af114..97cd7471e572 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -289,6 +289,8 @@ static inline int audit_signal_info(int sig, struct task_struct *t) /* Public API */ extern int audit_alloc(struct task_struct *task); extern void __audit_free(struct task_struct *task); +extern struct audit_context *audit_alloc_local(gfp_t gfpflags); +extern void audit_free_context(struct audit_context *context); extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3); extern void __audit_syscall_exit(int ret_success, long ret_value); @@ -552,6 +554,12 @@ static inline void audit_log_nfcfg(const char *name, u8 af, extern int audit_n_rules; extern int audit_signals; #else /* CONFIG_AUDITSYSCALL */ ++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags) +{ + return NULL; +} +static inline void audit_free_context(struct audit_context *context) +{ } static inline int audit_alloc(struct task_struct *task) { return 0; diff --git a/kernel/audit.h b/kernel/audit.h index ce41886807bb..3f2285e1c6e0 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -99,6 +99,7 @@ struct audit_proctitle { struct audit_context { int dummy; /* must be the first element */ int in_syscall; /* 1 if task is in a syscall */ + bool local; /* local context needed */ enum audit_state state, current_state; unsigned int serial; /* serial number for record */ int major; /* syscall number */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3db1ec97720e..8994d4f4672e 100644 
--- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -927,11 +927,13 @@ static inline void audit_free_aux(struct audit_context *context) } } -static inline struct audit_context *audit_alloc_context(enum audit_state state) +static inline struct audit_context *audit_alloc_context(enum audit_state state, + gfp_t gfpflags) { struct audit_context *context; - context = kzalloc(sizeof(*context), GFP_KERNEL); + /* We can be called in atomic context via audit_tg() */ + context = kzalloc(sizeof(*context), gfpflags); if (!context) return NULL; context->state = state; @@ -967,7 +969,8 @@ int audit_alloc(struct task_struct *tsk) return 0; } - if (!(context = audit_alloc_context(state))) { + context = audit_alloc_context(state, GFP_KERNEL); + if (!context) { kfree(key); audit_log_lost("out of memory in audit_alloc"); return -ENOMEM; @@ -979,8 +982,27 @@ int audit_alloc(struct task_struct *tsk) return 0; } -static inline void audit_free_context(struct audit_context *context) +struct audit_context *audit_alloc_local(gfp_t gfpflags) { + struct audit_context *context = NULL; + + context = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags); + if (!context) { + audit_log_lost("out of memory in audit_alloc_local"); + goto out; + } + context->serial = audit_serial(); + ktime_get_coarse_real_ts64(&context->ctime); + context->local = true; +out: + return context; +} +EXPORT_SYMBOL(audit_alloc_local); + +void audit_free_context(struct audit_context *context) +{ + if (!context) + return; audit_free_module(context); audit_free_names(context); unroll_tree_refs(context, NULL, 0); @@ -991,6 +1013,7 @@ static inline void audit_free_context(struct audit_context *context) audit_proctitle_free(context); kfree(context); } +EXPORT_SYMBOL(audit_free_context); static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, 
@@ -2214,7 +2237,7 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); int auditsc_get_stamp(struct audit_context *ctx, struct timespec64 *t, unsigned int *serial) { - if (!ctx->in_syscall) + if (!ctx->in_syscall && !ctx->local) return 0; if (!ctx->serial) ctx->serial = audit_serial(); -- 2.29.2 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
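
Review bot: In the `#else /* CONFIG_AUDITSYSCALL */` hunk of include/linux/audit.h, the added stub line reads `++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)`, so the source line itself begins with a literal `+`. The hunk header counts six added lines (`+554,12` against `-552,6`), which matches one line carrying a stray character rather than a blank line followed by the declaration. That is a syntax error at file scope when CONFIG_AUDITSYSCALL is disabled; drop the extra `+` and build-test that configuration.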
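
Review bot: The comment added in audit_alloc_context() in kernel/auditsc.c, `/* We can be called in atomic context via audit_tg() */`, names a function that is neither added nor called anywhere in this patch, so a reader cannot follow it to the atomic caller. Either name the caller that actually passes a non-sleeping gfp mask, or reword it to say that callers of audit_alloc_local() choose the mask. The only existing caller touched here, audit_alloc(), still passes GFP_KERNEL.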
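
Review bot: In the `@@ -979,8 +982,27 @@` hunk of kernel/auditsc.c, audit_free_context() loses `static inline` and gains only a NULL check, so nothing stops a caller from handing it a task's own syscall context instead of one returned by audit_alloc_local(). Since the patch adds `context->local`, consider keeping audit_free_context() static and exposing a narrower free helper that refuses, or WARNs on, a context whose `local` flag is unset. Smaller points in the same hunk: the `= NULL` initializer and the `goto out` in audit_alloc_local() are unnecessary because the function can return directly after audit_log_lost(), and the new public function has no comment stating that the caller owns the returned context and must free it.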
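
Review bot: Both new exports in kernel/auditsc.c use plain EXPORT_SYMBOL (`EXPORT_SYMBOL(audit_alloc_local)` and `EXPORT_SYMBOL(audit_free_context)`), while the neighbouring export visible in the last hunk header is `EXPORT_SYMBOL_GPL(__audit_inode_child)`. No modular user appears in this patch, so the commit message should say which caller needs the exports; if they are needed, EXPORT_SYMBOL_GPL would match the surrounding code.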