linux-kernel.vger.kernel.org archive mirror
* [PATCH V3 0/2] audit: speed up audit syscall entry
@ 2018-02-15  2:47 Richard Guy Briggs
  2018-02-15  2:47 ` [PATCH V3 1/2] audit: deprecate the AUDIT_FILTER_ENTRY filter Richard Guy Briggs
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Richard Guy Briggs @ 2018-02-15  2:47 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML
  Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs

These fixes should speed up audit syscall entry by doing away with the
audit entry filter check, moving up the valid connection check before
filling in the context and not caring if there is a bug when audit is
disabled.

Passes audit-testsuite.
See: https://github.com/linux-audit/audit-kernel/issues/6

v3:
  - squash patch 1 and 2
v2:
  - bail earlier to avoid setting up unneeded state
  - don't bother checking for bug when disabled

Richard Guy Briggs (2):
  audit: deprecate the AUDIT_FILTER_ENTRY filter
  audit: bail before bug check if audit disabled

 kernel/auditfilter.c |  4 ++--
 kernel/auditsc.c     | 22 ++++++++++------------
 2 files changed, 12 insertions(+), 14 deletions(-)

-- 
1.8.3.1


* [PATCH V3 1/2] audit: deprecate the AUDIT_FILTER_ENTRY filter
  2018-02-15  2:47 [PATCH V3 0/2] audit: speed up audit syscall entry Richard Guy Briggs
@ 2018-02-15  2:47 ` Richard Guy Briggs
  2018-02-15  2:47 ` [PATCH V3 2/2] audit: bail before bug check if audit disabled Richard Guy Briggs
  2018-02-15 19:50 ` [PATCH V3 0/2] audit: speed up audit syscall entry Paul Moore
  2 siblings, 0 replies; 4+ messages in thread
From: Richard Guy Briggs @ 2018-02-15  2:47 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML
  Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs

The audit entry filter has been long deprecated with userspace support
finally removed in audit-v2.6.7 and plans to remove kernel support have
existed since kernel-v2.6.31.
Remove it.

Since removing the audit entry filter, test for early return before
setting up any context state.

Passes audit-testsuite.

See: https://github.com/linux-audit/audit-kernel/issues/6
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/auditfilter.c |  4 ++--
 kernel/auditsc.c     | 21 +++++++++++----------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 4a1758a..1bbf5de 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -258,8 +258,8 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *
 		goto exit_err;
 #ifdef CONFIG_AUDITSYSCALL
 	case AUDIT_FILTER_ENTRY:
-		if (rule->action == AUDIT_ALWAYS)
-			goto exit_err;
+		pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
+		goto exit_err;
 	case AUDIT_FILTER_EXIT:
 	case AUDIT_FILTER_TASK:
 #endif
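Review bot: The `pr_err()` added under `case AUDIT_FILTER_ENTRY:` fires on every rejected rule with no rate limit, and its text says "deprecated" although the `goto exit_err` that follows now refuses the rule outright, whatever `rule->action` is. Consider `pr_err_ratelimited()` or a once-only warning, and wording such as "AUDIT_FILTER_ENTRY is no longer supported", so the log line matches what the caller actually gets back.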
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e80459f..bc534bf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1519,22 +1519,23 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
 	if (!audit_enabled)
 		return;
 
-	context->arch	    = syscall_get_arch();
-	context->major      = major;
-	context->argv[0]    = a1;
-	context->argv[1]    = a2;
-	context->argv[2]    = a3;
-	context->argv[3]    = a4;
-
 	state = context->state;
+	if (state == AUDIT_DISABLED)
+		return;
+
 	context->dummy = !audit_n_rules;
 	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
 		context->prio = 0;
-		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
+		if (auditd_test_task(tsk))
+			return;
 	}
-	if (state == AUDIT_DISABLED)
-		return;
 
+	context->arch	    = syscall_get_arch();
+	context->major      = major;
+	context->argv[0]    = a1;
+	context->argv[1]    = a2;
+	context->argv[2]    = a3;
+	context->argv[3]    = a4;
 	context->serial     = 0;
 	context->ctime = current_kernel_time64();
 	context->in_syscall = 1;
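Review bot: The new `if (auditd_test_task(tsk)) return;` sits inside the `!context->dummy && state == AUDIT_BUILD_CONTEXT` block, so it is evaluated only in that state and only when `audit_n_rules` is non-zero, and the commit message does not say why it takes the place of the `audit_filter_syscall()` call. A one-line comment stating the intent of this early return, and whether the other states are meant to skip it, would help. `context->dummy` and `context->prio` are also still written before that return, which is slightly at odds with "test for early return before setting up any context state".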
-- 
1.8.3.1


* [PATCH V3 2/2] audit: bail before bug check if audit disabled
  2018-02-15  2:47 [PATCH V3 0/2] audit: speed up audit syscall entry Richard Guy Briggs
  2018-02-15  2:47 ` [PATCH V3 1/2] audit: deprecate the AUDIT_FILTER_ENTRY filter Richard Guy Briggs
@ 2018-02-15  2:47 ` Richard Guy Briggs
  2018-02-15 19:50 ` [PATCH V3 0/2] audit: speed up audit syscall entry Paul Moore
  2 siblings, 0 replies; 4+ messages in thread
From: Richard Guy Briggs @ 2018-02-15  2:47 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML
  Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs

If audit is disabled, who cares if there is a bug indicating syscall in
process or names already recorded.  Bail immediately on audit disabled.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/auditsc.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bc534bf..4e0a4ac 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1511,14 +1511,11 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
 	struct audit_context *context = tsk->audit_context;
 	enum audit_state     state;
 
-	if (!context)
+	if (!audit_enabled || !context)
 		return;
 
 	BUG_ON(context->in_syscall || context->name_count);
 
-	if (!audit_enabled)
-		return;
-
 	state = context->state;
 	if (state == AUDIT_DISABLED)
 		return;
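Review bot: With `!audit_enabled` folded into the first test, `BUG_ON(context->in_syscall || context->name_count)` is no longer reached while audit is disabled, so a context left inconsistent during that window is only caught after audit is turned back on, away from its cause. The commit message should say that this is accepted, and a short comment above the `BUG_ON` noting that it applies only when auditing is enabled would make the ordering visibly deliberate.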
-- 
1.8.3.1


* Re: [PATCH V3 0/2] audit: speed up audit syscall entry
  2018-02-15  2:47 [PATCH V3 0/2] audit: speed up audit syscall entry Richard Guy Briggs
  2018-02-15  2:47 ` [PATCH V3 1/2] audit: deprecate the AUDIT_FILTER_ENTRY filter Richard Guy Briggs
  2018-02-15  2:47 ` [PATCH V3 2/2] audit: bail before bug check if audit disabled Richard Guy Briggs
@ 2018-02-15 19:50 ` Paul Moore
  2 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2018-02-15 19:50 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb

On Wed, Feb 14, 2018 at 9:47 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> These fixes should speed up audit syscall entry by doing away with the
> audit entry filter check, moving up the valid connection check before
> filling in the context and not caring if there is a bug when audit is
> disabled.
>
> Passes audit-testsuite.
> See: https://github.com/linux-audit/audit-kernel/issues/6
>
> v3:
>   - squash patch 1 and 2
> v2:
>   - bail earlier to avoid setting up unneeded state
>   - don't bother checking for bug when disabled
>
> Richard Guy Briggs (2):
>   audit: deprecate the AUDIT_FILTER_ENTRY filter
>   audit: bail before bug check if audit disabled
>
>  kernel/auditfilter.c |  4 ++--
>  kernel/auditsc.c     | 22 ++++++++++------------
>  2 files changed, 12 insertions(+), 14 deletions(-)

Both patches merged into audit/next, thanks.

-- 
paul moore
www.paul-moore.com
