* [PATCH V3 0/2] audit: speed up audit syscall entry
@ 2018-02-15 2:47 Richard Guy Briggs
2018-02-15 2:47 ` [PATCH V3 1/2] audit: deprecate the AUDIT_FILTER_ENTRY filter Richard Guy Briggs
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Richard Guy Briggs @ 2018-02-15 2:47 UTC
To: Linux-Audit Mailing List, LKML
Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs
These fixes should speed up audit syscall entry by doing away with the
audit entry filter check, moving up the valid connection check before
filling in the context and not caring if there is a bug when audit is
disabled.
Passes audit-testsuite.
See: https://github.com/linux-audit/audit-kernel/issues/6
v3:
- squash patch 1 and 2
v2:
- bail earlier to avoid setting up unneeded state
- don't bother checking for bug when disabled
Richard Guy Briggs (2):
audit: deprecate the AUDIT_FILTER_ENTRY filter
audit: bail before bug check if audit disabled
kernel/auditfilter.c | 4 ++--
kernel/auditsc.c | 22 ++++++++++------------
2 files changed, 12 insertions(+), 14 deletions(-)
--
1.8.3.1
* [PATCH V3 1/2] audit: deprecate the AUDIT_FILTER_ENTRY filter
From: Richard Guy Briggs @ 2018-02-15 2:47 UTC
To: Linux-Audit Mailing List, LKML
Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs
The audit entry filter has been long deprecated with userspace support
finally removed in audit-v2.6.7 and plans to remove kernel support have
existed since kernel-v2.6.31.
Remove it.
Since removing the audit entry filter, test for early return before
setting up any context state.
Passes audit-testsuite.
See: https://github.com/linux-audit/audit-kernel/issues/6
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/auditfilter.c | 4 ++--
kernel/auditsc.c | 21 +++++++++++----------
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 4a1758a..1bbf5de 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -258,8 +258,8 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *
goto exit_err;
#ifdef CONFIG_AUDITSYSCALL
case AUDIT_FILTER_ENTRY:
- if (rule->action == AUDIT_ALWAYS)
- goto exit_err;
+ pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
+ goto exit_err;
case AUDIT_FILTER_EXIT:
case AUDIT_FILTER_TASK:
#endif
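Review bot: the unconditional pr_err("AUDIT_FILTER_ENTRY is deprecated\n") under case AUDIT_FILTER_ENTRY logs at error level on every rule that names this list, with no rate limit, so a tool that retries a rejected rule can fill the kernel log. Consider pr_err_ratelimited() or a one-time warning. The case also no longer falls through to AUDIT_FILTER_EXIT / AUDIT_FILTER_TASK: before, only rules with action AUDIT_ALWAYS were sent to exit_err here, and now every rule on this list is. A short comment at the case saying that entry-list rules are rejected outright, and a line in the commit message noting the userspace-visible change, would help.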
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e80459f..bc534bf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1519,22 +1519,23 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
if (!audit_enabled)
return;
- context->arch = syscall_get_arch();
- context->major = major;
- context->argv[0] = a1;
- context->argv[1] = a2;
- context->argv[2] = a3;
- context->argv[3] = a4;
-
state = context->state;
+ if (state == AUDIT_DISABLED)
+ return;
+
context->dummy = !audit_n_rules;
if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
context->prio = 0;
- state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
+ if (auditd_test_task(tsk))
+ return;
}
- if (state == AUDIT_DISABLED)
- return;
+ context->arch = syscall_get_arch();
+ context->major = major;
+ context->argv[0] = a1;
+ context->argv[1] = a2;
+ context->argv[2] = a3;
+ context->argv[3] = a4;
context->serial = 0;
context->ctime = current_kernel_time64();
context->in_syscall = 1;
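Review bot: the new "if (auditd_test_task(tsk)) return;" sits inside the "!context->dummy && state == AUDIT_BUILD_CONTEXT" block, so that task is skipped only when rules are loaded and the state is AUDIT_BUILD_CONTEXT; in any other state the function still fills in arch, major and argv[] for it. The commit message covers the removal of the entry filter and the earlier return on AUDIT_DISABLED, but says nothing about this check taking the place of the audit_filter_syscall() call. A sentence there, or a comment above the test, explaining why the task is skipped and why only in this state would make the intent reviewable. The return also happens after context->dummy and context->prio have been written, which looks harmless but is worth confirming against the syscall exit path.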
--
1.8.3.1
* [PATCH V3 2/2] audit: bail before bug check if audit disabled
From: Richard Guy Briggs @ 2018-02-15 2:47 UTC
To: Linux-Audit Mailing List, LKML
Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs
If audit is disabled, who cares if there is a bug indicating syscall in
process or names already recorded. Bail immediately on audit disabled.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/auditsc.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bc534bf..4e0a4ac 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1511,14 +1511,11 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
struct audit_context *context = tsk->audit_context;
enum audit_state state;
- if (!context)
+ if (!audit_enabled || !context)
return;
BUG_ON(context->in_syscall || context->name_count);
- if (!audit_enabled)
- return;
-
state = context->state;
if (state == AUDIT_DISABLED)
return;
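Review bot: with !audit_enabled folded into the first test, BUG_ON(context->in_syscall || context->name_count) is skipped whenever audit is disabled, so a context left with in_syscall set or names recorded goes unnoticed until audit is enabled again, and the first syscall entry after that hits the BUG_ON. The commit message should say whether such state can survive a disable/enable transition. If it can, a WARN_ON_ONCE that then clears the stale state would fail more gently than BUG_ON at this point.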
--
1.8.3.1
* Re: [PATCH V3 0/2] audit: speed up audit syscall entry
From: Paul Moore @ 2018-02-15 19:50 UTC
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb
On Wed, Feb 14, 2018 at 9:47 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> These fixes should speed up audit syscall entry by doing away with the
> audit entry filter check, moving up the valid connection check before
> filling in the context and not caring if there is a bug when audit is
> disabled.
>
> Passes audit-testsuite.
> See: https://github.com/linux-audit/audit-kernel/issues/6
>
> v3:
> - squash patch 1 and 2
> v2:
> - bail earlier to avoid setting up unneeded state
> - don't bother checking for bug when disabled
>
> Richard Guy Briggs (2):
> audit: deprecate the AUDIT_FILTER_ENTRY filter
> audit: bail before bug check if audit disabled
>
> kernel/auditfilter.c | 4 ++--
> kernel/auditsc.c | 22 ++++++++++------------
> 2 files changed, 12 insertions(+), 14 deletions(-)
Both patches merged into audit/next, thanks.
--
paul moore
www.paul-moore.com