linux-kernel.vger.kernel.org archive mirror
* [PATCH] audit: skip klog-fowarding if mcasts were sent
@ 2014-12-31 12:20 David Herrmann
  2015-11-05 20:38 ` Niels Ole Salscheider
From: David Herrmann @ 2014-12-31 12:20 UTC (permalink / raw)
  To: linux-kernel; +Cc: Eric Paris, Lennart Poettering, David Herrmann

We currently skip forwarding audit messages to the kernel-log if auditd is
running. However, if auditd is not running, but there are multicast
listeners, we still forward those messages to the kernel-log. This causes
generic log-daemons to get audit messages twice if auditd is not running.
Once via the multicast message, and once via the kernel-log. As the
kernel-log is much less convenient to parse, compared to netlink audit
messages, we'd like to avoid dropping netlink support again.

Therefore, this patch makes the audit infrastructure forward audit
messages only to the kernel-log if neither auditd nor a multicast
listener is present.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
---
 kernel/audit.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 80983df..c087c6a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -429,14 +429,9 @@ static void kauditd_send_skb(struct sk_buff *skb)
  * This function doesn't consume an skb as might be expected since it has to
  * copy it anyways.
  */
-static void kauditd_send_multicast_skb(struct sk_buff *skb)
+static void kauditd_send_multicast_skb(struct sock *sock, struct sk_buff *skb)
 {
 	struct sk_buff		*copy;
-	struct audit_net	*aunet = net_generic(&init_net, audit_net_id);
-	struct sock		*sock = aunet->nlsk;
-
-	if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG))
-		return;
 
 	/*
 	 * The seemingly wasteful skb_copy() rather than bumping the refcount
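Review bot: the comment block above kauditd_send_multicast_skb() is left unchanged even though the function loses its own netlink_has_listeners() guard and gains a sock parameter. With the check removed, every caller has to test for AUDIT_NLGRP_READLOG listeners itself and pass the matching audit socket; state that precondition in the comment so a future caller does not run the skb_copy() path with nobody subscribed.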
@@ -1947,9 +1942,14 @@ void audit_log_end(struct audit_buffer *ab)
 		audit_log_lost("rate limit exceeded");
 	} else {
 		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
+		struct audit_net *aunet = net_generic(&init_net, audit_net_id);
+		struct sock *sock = aunet->nlsk;
+		bool has_mc = netlink_has_listeners(sock, AUDIT_NLGRP_READLOG);
 
 		nlh->nlmsg_len = ab->skb->len;
-		kauditd_send_multicast_skb(ab->skb);
+
+		if (has_mc)
+			kauditd_send_multicast_skb(sock, ab->skb);
 
 		/*
 		 * The original kaudit unicast socket sends up messages with
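Review bot: has_mc, set in the declarations at the top of this else block, only records that a listener was subscribed to AUDIT_NLGRP_READLOG when netlink_has_listeners() was sampled; kauditd_send_multicast_skb() still returns void, so the flag cannot say whether the record was actually handed to anyone. The subject line says "if mcasts were sent", so consider having the helper return whether the multicast went out and using that result wherever has_mc is consulted afterwards, or add a comment that has_mc means "listener present" and nothing more.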
@@ -1965,8 +1965,10 @@ void audit_log_end(struct audit_buffer *ab)
 		if (audit_pid) {
 			skb_queue_tail(&audit_skb_queue, ab->skb);
 			wake_up_interruptible(&kauditd_wait);
-		} else {
+		} else if (!has_mc) {
 			audit_printk_skb(ab->skb);
+		} else {
+			audit_hold_skb(ab->skb);
 		}
 		ab->skb = NULL;
 	}
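Review bot: the new final else branch calls audit_hold_skb(ab->skb), which the changelog never mentions; it only describes skipping the kernel-log. Add a sentence to the commit message or a comment over the three-way if/else explaining why the record is held when there is no auditd but a multicast listener exists. It is also worth noting there that in this case the record no longer reaches the kernel log at all, so a listener that misses the multicast has no fallback copy.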
-- 
2.2.1



* Re: [PATCH] audit: skip klog-fowarding if mcasts were sent
  2014-12-31 12:20 [PATCH] audit: skip klog-fowarding if mcasts were sent David Herrmann
@ 2015-11-05 20:38 ` Niels Ole Salscheider
From: Niels Ole Salscheider @ 2015-11-05 20:38 UTC (permalink / raw)
  To: dh.herrmann; +Cc: linux-kernel, niels_ole

Any news on this?

> We currently skip forwarding audit messages to the kernel-log if auditd is
> running. However, if auditd is not running, but there are multicast
> listeners, we still forward those messages to the kernel-log. This causes
> generic log-daemons to get audit messages twice if auditd is not running.
> Once via the multicast message, and once via the kernel-log. As the
> kernel-log is much less convenient to parse, compared to netlink audit
> messages, we'd like to avoid dropping netlink support again.
> 
> Therefore, this patch makes the audit infrastructure forward audit
> messages only to the kernel-log if neither auditd nor a multicast
> listener is present.
> 
> Signed-off-by: David Herrmann <dh.herrmann <at> gmail.com>
> ---
> 
>  kernel/audit.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 80983df..c087c6a 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> 
>  <at>  <at>  -429,14 +429,9  <at>  <at>  static void kauditd_send_skb(struct
>  sk_buff *skb)>  
>   * This function doesn't consume an skb as might be expected since it has
>   to
>   * copy it anyways.
>   */
> 
> -static void kauditd_send_multicast_skb(struct sk_buff *skb)
> +static void kauditd_send_multicast_skb(struct sock *sock, struct sk_buff
> *skb)> 
>  {
>  
>  	struct sk_buff		*copy;
> 
> -	struct audit_net	*aunet = net_generic(&init_net, audit_net_id);
> -	struct sock		*sock = aunet->nlsk;
> -
> -	if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG))
> -		return;
> 
>  	/*
>  	
>  	 * The seemingly wasteful skb_copy() rather than bumping the refcount
>  
>  <at>  <at>  -1947,9 +1942,14  <at>  <at>  void audit_log_end(struct
>  audit_buffer *ab)>  
>  		audit_log_lost("rate limit exceeded");
>  	
>  	} else {
>  	
>  		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
> 
> +		struct audit_net *aunet = net_generic(&init_net, audit_net_id);
> +		struct sock *sock = aunet->nlsk;
> +		bool has_mc = netlink_has_listeners(sock, AUDIT_NLGRP_READLOG);
> 
>  		nlh->nlmsg_len = ab->skb->len;
> 
> -		kauditd_send_multicast_skb(ab->skb);
> +
> +		if (has_mc)
> +			kauditd_send_multicast_skb(sock, ab->skb);
> 
>  		/*
>  		
>  		 * The original kaudit unicast socket sends up messages with
>  
>  <at>  <at>  -1965,8 +1965,10  <at>  <at>  void audit_log_end(struct
>  audit_buffer *ab)>  
>  		if (audit_pid) {
>  		
>  			skb_queue_tail(&audit_skb_queue, ab->skb);
>  			wake_up_interruptible(&kauditd_wait);
> 
> -		} else {
> +		} else if (!has_mc) {
> 
>  			audit_printk_skb(ab->skb);
> 
> +		} else {
> +			audit_hold_skb(ab->skb);
> 
>  		}
>  		ab->skb = NULL;
>  	
>  	}
> 
> --
> 2.2.1

