Merge branch 'stable-4.11' of git://git.infradead.org/users/pcmoore/audit

Pull audit fix from Paul Moore:
"We've got an audit fix, and unfortunately it is big.

While I'm not excited that we need to be sending you something this
large during the -rcX phase, it does fix some very real, and very
tangled, problems relating to locking, backlog queues, and the audit
daemon connection.

This code has passed our testsuite without problem and it has held up
to my ad-hoc stress tests (arguably better than the existing code),
please consider pulling this as a fix for the next v4.11-rcX tag"

* 'stable-4.11' of git://git.infradead.org/users/pcmoore/audit:
audit: fix auditd/kernel connection state tracking

+398 -254
+393 -244
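--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -54,6 +54,10 @@
 #include <linux/kthread.h>
 #include <linux/kernel.h>
 #include <linux/syscalls.h>
+#include <linux/spinlock.h>
+#include <linux/rcupdate.h>
+#include <linux/mutex.h>
+#include <linux/gfp.h>
 
 #include <linux/audit.h>
 
@@ -94,13 +90,34 @@
 /* If auditing cannot proceed, audit_failure selects what happens. */
 static u32	audit_failure = AUDIT_FAIL_PRINTK;
 
-/*
- * If audit records are to be written to the netlink socket, audit_pid
- * contains the pid of the auditd process and audit_nlk_portid contains
- * the portid to use to send netlink messages to that process.
+/* private audit network namespace index */
+static unsigned int audit_net_id;
+
+/**
+ * struct audit_net - audit private network namespace data
+ * @sk: communication socket
  */
-int		audit_pid;
-static __u32	audit_nlk_portid;
+struct audit_net {
+	struct sock *sk;
+};
+
+/**
+ * struct auditd_connection - kernel/auditd connection state
+ * @pid: auditd PID
+ * @portid: netlink portid
+ * @net: the associated network namespace
+ * @lock: spinlock to protect write access
+ *
+ * Description:
+ * This struct is RCU protected; you must either hold the RCU lock for reading
+ * or the included spinlock for writing.
+ */
+static struct auditd_connection {
+	int pid;
+	u32 portid;
+	struct net *net;
+	spinlock_t lock;
+} auditd_conn;
 
 /* If audit_rate_limit is non-zero, limit the rate of sending audit records
  * to that number per second.  This prevents DoS attacks, but results in
@@ -148,10 +123,6 @@
  */
 static atomic_t	audit_lost = ATOMIC_INIT(0);
 
-/* The netlink socket. */
-static struct sock *audit_sock;
-static unsigned int audit_net_id;
-
 /* Hash for inode-based rules */
 struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
 
@@ -160,6 +139,7 @@
 
 /* queue msgs to send via kauditd_task */
 static struct sk_buff_head audit_queue;
+static void kauditd_hold_skb(struct sk_buff *skb);
 /* queue msgs due to temporary unicast send problems */
 static struct sk_buff_head audit_retry_queue;
 /* queue msgs waiting for new auditd connection */
@@ -214,6 +192,43 @@
 	struct sk_buff *skb;
 };
 
+/**
+ * auditd_test_task - Check to see if a given task is an audit daemon
+ * @task: the task to check
+ *
+ * Description:
+ * Return 1 if the task is a registered audit daemon, 0 otherwise.
+ */
+int auditd_test_task(const struct task_struct *task)
+{
+	int rc;
+
+	rcu_read_lock();
+	rc = (auditd_conn.pid && task->tgid == auditd_conn.pid ? 1 : 0);
+	rcu_read_unlock();
+
+	return rc;
+}
+
+/**
+ * audit_get_sk - Return the audit socket for the given network namespace
+ * @net: the destination network namespace
+ *
+ * Description:
+ * Returns the sock pointer if valid, NULL otherwise.  The caller must ensure
+ * that a reference is held for the network namespace while the sock is in use.
+ */
+static struct sock *audit_get_sk(const struct net *net)
+{
+	struct audit_net *aunet;
+
+	if (!net)
+		return NULL;
+
+	aunet = net_generic(net, audit_net_id);
+	return aunet->sk;
+}
+
 static void audit_set_portid(struct audit_buffer *ab, __u32 portid)
 {
 	if (ab) {
@@ -269,9 +210,7 @@
 		pr_err("%s\n", message);
 		break;
 	case AUDIT_FAIL_PANIC:
-		/* test audit_pid since printk is always losey, why bother? */
-		if (audit_pid)
-			panic("audit: %s\n", message);
+		panic("audit: %s\n", message);
 		break;
 	}
 }
@@ -427,21 +370,87 @@
 	return audit_do_config_change("audit_failure", &audit_failure, state);
 }
 
-/*
- * For one reason or another this nlh isn't getting delivered to the userspace
- * audit daemon, just send it to printk.
+/**
+ * auditd_set - Set/Reset the auditd connection state
+ * @pid: auditd PID
+ * @portid: auditd netlink portid
+ * @net: auditd network namespace pointer
+ *
+ * Description:
+ * This function will obtain and drop network namespace references as
+ * necessary.
+ */
+static void auditd_set(int pid, u32 portid, struct net *net)
+{
+	unsigned long flags;
+
+	spin_lock_irqsave(&auditd_conn.lock, flags);
+	auditd_conn.pid = pid;
+	auditd_conn.portid = portid;
+	if (auditd_conn.net)
+		put_net(auditd_conn.net);
+	if (net)
+		auditd_conn.net = get_net(net);
+	else
+		auditd_conn.net = NULL;
+	spin_unlock_irqrestore(&auditd_conn.lock, flags);
+}
+
+/**
+ * auditd_reset - Disconnect the auditd connection
+ *
+ * Description:
+ * Break the auditd/kauditd connection and move all the queued records into the
+ * hold queue in case auditd reconnects.
+ */
+static void auditd_reset(void)
+{
+	struct sk_buff *skb;
+
+	/* if it isn't already broken, break the connection */
+	rcu_read_lock();
+	if (auditd_conn.pid)
+		auditd_set(0, 0, NULL);
+	rcu_read_unlock();
+
+	/* flush all of the main and retry queues to the hold queue */
+	while ((skb = skb_dequeue(&audit_retry_queue)))
+		kauditd_hold_skb(skb);
+	while ((skb = skb_dequeue(&audit_queue)))
+		kauditd_hold_skb(skb);
+}
+
+/**
+ * kauditd_print_skb - Print the audit record to the ring buffer
+ * @skb: audit record
+ *
+ * Whatever the reason, this packet may not make it to the auditd connection
+ * so write it via printk so the information isn't completely lost.
  */
 static void kauditd_printk_skb(struct sk_buff *skb)
 {
 	struct nlmsghdr *nlh = nlmsg_hdr(skb);
 	char *data = nlmsg_data(nlh);
 
-	if (nlh->nlmsg_type != AUDIT_EOE) {
-		if (printk_ratelimit())
-			pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
-		else
-			audit_log_lost("printk limit exceeded");
-	}
+	if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
+		pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
+}
+
+/**
+ * kauditd_rehold_skb - Handle a audit record send failure in the hold queue
+ * @skb: audit record
+ *
+ * Description:
+ * This should only be used by the kauditd_thread when it fails to flush the
+ * hold queue.
+ */
+static void kauditd_rehold_skb(struct sk_buff *skb)
+{
+	/* put the record back in the queue at the same place */
+	skb_queue_head(&audit_hold_queue, skb);
+
+	/* fail the auditd connection */
+	auditd_reset();
 }
 
 /**
@@ -544,6 +421,9 @@
 	/* we have no other options - drop the message */
 	audit_log_lost("kauditd hold queue overflow");
 	kfree_skb(skb);
+
+	/* fail the auditd connection */
+	auditd_reset();
 }
 
 /**
@@ -567,51 +441,122 @@
 }
 
 /**
- * auditd_reset - Disconnect the auditd connection
+ * auditd_send_unicast_skb - Send a record via unicast to auditd
+ * @skb: audit record
  *
  * Description:
- * Break the auditd/kauditd connection and move all the records in the retry
- * queue into the hold queue in case auditd reconnects.  The audit_cmd_mutex
- * must be held when calling this function.
+ * Send a skb to the audit daemon, returns positive/zero values on success and
+ * negative values on failure; in all cases the skb will be consumed by this
+ * function.  If the send results in -ECONNREFUSED the connection with auditd
+ * will be reset.  This function may sleep so callers should not hold any locks
+ * where this would cause a problem.
  */
-static void auditd_reset(void)
+static int auditd_send_unicast_skb(struct sk_buff *skb)
 {
-	struct sk_buff *skb;
+	int rc;
+	u32 portid;
+	struct net *net;
+	struct sock *sk;
 
-	/* break the connection */
-	if (audit_sock) {
-		sock_put(audit_sock);
-		audit_sock = NULL;
+	/* NOTE: we can't call netlink_unicast while in the RCU section so
+	 *       take a reference to the network namespace and grab local
+	 *       copies of the namespace, the sock, and the portid; the
+	 *       namespace and sock aren't going to go away while we hold a
+	 *       reference and if the portid does become invalid after the RCU
+	 *       section netlink_unicast() should safely return an error */
+
+	rcu_read_lock();
+	if (!auditd_conn.pid) {
+		rcu_read_unlock();
+		rc = -ECONNREFUSED;
+		goto err;
 	}
-	audit_pid = 0;
-	audit_nlk_portid = 0;
+	net = auditd_conn.net;
+	get_net(net);
+	sk = audit_get_sk(net);
+	portid = auditd_conn.portid;
+	rcu_read_unlock();
 
-	/* flush all of the retry queue to the hold queue */
-	while ((skb = skb_dequeue(&audit_retry_queue)))
-		kauditd_hold_skb(skb);
+	rc = netlink_unicast(sk, skb, portid, 0);
+	put_net(net);
+	if (rc < 0)
+		goto err;
+
+	return rc;
+
+err:
+	if (rc == -ECONNREFUSED)
+		auditd_reset();
+	return rc;
 }
 
 /**
- * kauditd_send_unicast_skb - Send a record via unicast to auditd
- * @skb: audit record
+ * kauditd_send_queue - Helper for kauditd_thread to flush skb queues
+ * @sk: the sending sock
+ * @portid: the netlink destination
+ * @queue: the skb queue to process
+ * @retry_limit: limit on number of netlink unicast failures
+ * @skb_hook: per-skb hook for additional processing
+ * @err_hook: hook called if the skb fails the netlink unicast send
+ *
+ * Description:
+ * Run through the given queue and attempt to send the audit records to auditd,
+ * returns zero on success, negative values on failure.  It is up to the caller
+ * to ensure that the @sk is valid for the duration of this function.
+ *
  */
-static int kauditd_send_unicast_skb(struct sk_buff *skb)
+static int kauditd_send_queue(struct sock *sk, u32 portid,
+			      struct sk_buff_head *queue,
+			      unsigned int retry_limit,
+			      void (*skb_hook)(struct sk_buff *skb),
+			      void (*err_hook)(struct sk_buff *skb))
 {
-	int rc;
+	int rc = 0;
+	struct sk_buff *skb;
+	static unsigned int failed = 0;
 
-	/* if we know nothing is connected, don't even try the netlink call */
-	if (!audit_pid)
-		return -ECONNREFUSED;
+	/* NOTE: kauditd_thread takes care of all our locking, we just use
+	 *       the netlink info passed to us (e.g. sk and portid) */
 
-	/* get an extra skb reference in case we fail to send */
-	skb_get(skb);
-	rc = netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
-	if (rc >= 0) {
-		consume_skb(skb);
-		rc = 0;
+	while ((skb = skb_dequeue(queue))) {
+		/* call the skb_hook for each skb we touch */
+		if (skb_hook)
+			(*skb_hook)(skb);
+
+		/* can we send to anyone via unicast? */
+		if (!sk) {
+			if (err_hook)
+				(*err_hook)(skb);
+			continue;
+		}
+
+		/* grab an extra skb reference in case of error */
+		skb_get(skb);
+		rc = netlink_unicast(sk, skb, portid, 0);
+		if (rc < 0) {
+			/* fatal failure for our queue flush attempt? */
+			if (++failed >= retry_limit ||
+			    rc == -ECONNREFUSED || rc == -EPERM) {
+				/* yes - error processing for the queue */
+				sk = NULL;
+				if (err_hook)
+					(*err_hook)(skb);
+				if (!skb_hook)
+					goto out;
+				/* keep processing with the skb_hook */
+				continue;
+			} else
+				/* no - requeue to preserve ordering */
+				skb_queue_head(queue, skb);
+		} else {
+			/* it worked - drop the extra reference and continue */
+			consume_skb(skb);
+			failed = 0;
+		}
 	}
 
-	return rc;
+out:
+	return (rc >= 0 ? 0 : rc);
 }
 
 /*
@@ -690,15 +493,18 @@
  * @skb: audit record
  *
  * Description:
- * This function doesn't consume an skb as might be expected since it has to
- * copy it anyways.
+ * Write a multicast message to anyone listening in the initial network
+ * namespace.  This function doesn't consume an skb as might be expected since
+ * it has to copy it anyways.
  */
 static void kauditd_send_multicast_skb(struct sk_buff *skb)
 {
 	struct sk_buff *copy;
-	struct audit_net *aunet = net_generic(&init_net, audit_net_id);
-	struct sock *sock = aunet->nlsk;
+	struct sock *sock = audit_get_sk(&init_net);
 	struct nlmsghdr *nlh;
+
+	/* NOTE: we are not taking an additional reference for init_net since
+	 *       we don't have to worry about it going away */
 
 	if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG))
 		return;
@@ -726,149 +526,75 @@
 }
 
 /**
- * kauditd_wake_condition - Return true when it is time to wake kauditd_thread
- *
- * Description:
- * This function is for use by the wait_event_freezable() call in
- * kauditd_thread().
+ * kauditd_thread - Worker thread to send audit records to userspace
+ * @dummy: unused
  */
-static int kauditd_wake_condition(void)
-{
-	static int pid_last = 0;
-	int rc;
-	int pid = audit_pid;
-
-	/* wake on new messages or a change in the connected auditd */
-	rc = skb_queue_len(&audit_queue) || (pid && pid != pid_last);
-	if (rc)
-		pid_last = pid;
-
-	return rc;
-}
-
 static int kauditd_thread(void *dummy)
 {
 	int rc;
-	int auditd = 0;
-	int reschedule = 0;
-	struct sk_buff *skb;
-	struct nlmsghdr *nlh;
+	u32 portid = 0;
+	struct net *net = NULL;
+	struct sock *sk = NULL;
 
 #define UNICAST_RETRIES 5
-#define AUDITD_BAD(x,y) \
-	((x) == -ECONNREFUSED || (x) == -EPERM || ++(y) >= UNICAST_RETRIES)
-
-	/* NOTE: we do invalidate the auditd connection flag on any sending
-	 * errors, but we only "restore" the connection flag at specific places
-	 * in the loop in order to help ensure proper ordering of audit
-	 * records */
 
 	set_freezable();
 	while (!kthread_should_stop()) {
-		/* NOTE: possible area for future improvement is to look at
-		 *       the hold and retry queues, since only this thread
-		 *       has access to these queues we might be able to do
-		 *       our own queuing and skip some/all of the locking */
-
-		/* NOTE: it might be a fun experiment to split the hold and
-		 *       retry queue handling to another thread, but the
-		 *       synchronization issues and other overhead might kill
-		 *       any performance gains */
+		/* NOTE: see the lock comments in auditd_send_unicast_skb() */
+		rcu_read_lock();
+		if (!auditd_conn.pid) {
+			rcu_read_unlock();
+			goto main_queue;
+		}
+		net = auditd_conn.net;
+		get_net(net);
+		sk = audit_get_sk(net);
+		portid = auditd_conn.portid;
+		rcu_read_unlock();
 
 		/* attempt to flush the hold queue */
-		while (auditd && (skb = skb_dequeue(&audit_hold_queue))) {
-			rc = kauditd_send_unicast_skb(skb);
-			if (rc) {
-				/* requeue to the same spot */
-				skb_queue_head(&audit_hold_queue, skb);
-
-				auditd = 0;
-				if (AUDITD_BAD(rc, reschedule)) {
-					mutex_lock(&audit_cmd_mutex);
-					auditd_reset();
-					mutex_unlock(&audit_cmd_mutex);
-					reschedule = 0;
-				}
-			} else
-				/* we were able to send successfully */
-				reschedule = 0;
+		rc = kauditd_send_queue(sk, portid,
+					&audit_hold_queue, UNICAST_RETRIES,
+					NULL, kauditd_rehold_skb);
+		if (rc < 0) {
+			sk = NULL;
+			goto main_queue;
 		}
 
 		/* attempt to flush the retry queue */
-		while (auditd && (skb = skb_dequeue(&audit_retry_queue))) {
-			rc = kauditd_send_unicast_skb(skb);
-			if (rc) {
-				auditd = 0;
-				if (AUDITD_BAD(rc, reschedule)) {
-					kauditd_hold_skb(skb);
-					mutex_lock(&audit_cmd_mutex);
-					auditd_reset();
-					mutex_unlock(&audit_cmd_mutex);
-					reschedule = 0;
-				} else
-					/* temporary problem (we hope), queue
-					 * to the same spot and retry */
-					skb_queue_head(&audit_retry_queue, skb);
-			} else
-				/* we were able to send successfully */
-				reschedule = 0;
+		rc = kauditd_send_queue(sk, portid,
+					&audit_retry_queue, UNICAST_RETRIES,
+					NULL, kauditd_hold_skb);
+		if (rc < 0) {
+			sk = NULL;
+			goto main_queue;
 		}
 
-		/* standard queue processing, try to be as quick as possible */
-quick_loop:
-		skb = skb_dequeue(&audit_queue);
-		if (skb) {
-			/* setup the netlink header, see the comments in
-			 * kauditd_send_multicast_skb() for length quirks */
-			nlh = nlmsg_hdr(skb);
-			nlh->nlmsg_len = skb->len - NLMSG_HDRLEN;
+main_queue:
+		/* process the main queue - do the multicast send and attempt
+		 * unicast, dump failed record sends to the retry queue; if
+		 * sk == NULL due to previous failures we will just do the
+		 * multicast send and move the record to the retry queue */
+		kauditd_send_queue(sk, portid, &audit_queue, 1,
+				   kauditd_send_multicast_skb,
+				   kauditd_retry_skb);
 
-			/* attempt to send to any multicast listeners */
-			kauditd_send_multicast_skb(skb);
-
-			/* attempt to send to auditd, queue on failure */
-			if (auditd) {
-				rc = kauditd_send_unicast_skb(skb);
-				if (rc) {
-					auditd = 0;
-					if (AUDITD_BAD(rc, reschedule)) {
-						mutex_lock(&audit_cmd_mutex);
-						auditd_reset();
-						mutex_unlock(&audit_cmd_mutex);
-						reschedule = 0;
-					}
-
-					/* move to the retry queue */
-					kauditd_retry_skb(skb);
-				} else
-					/* everything is working so go fast! */
-					goto quick_loop;
-			} else if (reschedule)
-				/* we are currently having problems, move to
-				 * the retry queue */
-				kauditd_retry_skb(skb);
-			else
-				/* dump the message via printk and hold it */
-				kauditd_hold_skb(skb);
-		} else {
-			/* we have flushed the backlog so wake everyone */
-			wake_up(&audit_backlog_wait);
-
-			/* if everything is okay with auditd (if present), go
-			 * to sleep until there is something new in the queue
-			 * or we have a change in the connected auditd;
-			 * otherwise simply reschedule to give things a chance
-			 * to recover */
-			if (reschedule) {
-				set_current_state(TASK_INTERRUPTIBLE);
-				schedule();
-			} else
-				wait_event_freezable(kauditd_wait,
-						     kauditd_wake_condition());
-
-			/* update the auditd connection status */
-			auditd = (audit_pid ? 1 : 0);
+		/* drop our netns reference, no auditd sends past this line */
+		if (net) {
+			put_net(net);
+			net = NULL;
 		}
+		sk = NULL;
+
+		/* we have processed all the queues so wake everyone */
+		wake_up(&audit_backlog_wait);
+
+		/* NOTE: we want to wake up if there is anything on the queue,
+		 *       regardless of if an auditd is connected, as we need to
+		 *       do the multicast send and rotate records from the
+		 *       main queue to the retry/hold queues */
+		wait_event_freezable(kauditd_wait,
+				     (skb_queue_len(&audit_queue) ? 1 : 0));
 	}
 
 	return 0;
@@ -804,17 +678,16 @@
 {
 	struct audit_netlink_list *dest = _dest;
 	struct sk_buff *skb;
-	struct net *net = dest->net;
-	struct audit_net *aunet = net_generic(net, audit_net_id);
+	struct sock *sk = audit_get_sk(dest->net);
 
 	/* wait for parent to finish and send an ACK */
 	mutex_lock(&audit_cmd_mutex);
 	mutex_unlock(&audit_cmd_mutex);
 
 	while ((skb = __skb_dequeue(&dest->q)) != NULL)
-		netlink_unicast(aunet->nlsk, skb, dest->portid, 0);
+		netlink_unicast(sk, skb, dest->portid, 0);
 
-	put_net(net);
+	put_net(dest->net);
 	kfree(dest);
 
 	return 0;
@@ -847,16 +722,15 @@
 static int audit_send_reply_thread(void *arg)
 {
 	struct audit_reply *reply = (struct audit_reply *)arg;
-	struct net *net = reply->net;
-	struct audit_net *aunet = net_generic(net, audit_net_id);
+	struct sock *sk = audit_get_sk(reply->net);
 
 	mutex_lock(&audit_cmd_mutex);
 	mutex_unlock(&audit_cmd_mutex);
 
 	/* Ignore failure. It'll only happen if the sender goes away,
 	   because our timeout is set to infinite. */
-	netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0);
-	put_net(net);
+	netlink_unicast(sk, reply->skb, reply->portid, 0);
+	put_net(reply->net);
 	kfree(reply);
 	return 0;
 }
@@ -1073,12 +949,12 @@
 
 static int audit_replace(pid_t pid)
 {
-	struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0,
-					       &pid, sizeof(pid));
+	struct sk_buff *skb;
 
+	skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0, &pid, sizeof(pid));
 	if (!skb)
 		return -ENOMEM;
-	return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
+	return auditd_send_unicast_skb(skb);
 }
 
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
@@ -1105,7 +981,9 @@
 		memset(&s, 0, sizeof(s));
 		s.enabled		= audit_enabled;
 		s.failure		= audit_failure;
-		s.pid			= audit_pid;
+		rcu_read_lock();
+		s.pid			= auditd_conn.pid;
+		rcu_read_unlock();
 		s.rate_limit		= audit_rate_limit;
 		s.backlog_limit		= audit_backlog_limit;
 		s.lost			= atomic_read(&audit_lost);
@@ -1140,30 +1014,44 @@
 			 *       from the initial pid namespace, but something
 			 *       to keep in mind if this changes */
 			int new_pid = s.pid;
+			pid_t auditd_pid;
 			pid_t requesting_pid = task_tgid_vnr(current);
 
-			if ((!new_pid) && (requesting_pid != audit_pid)) {
-				audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
+			/* test the auditd connection */
+			audit_replace(requesting_pid);
+
+			rcu_read_lock();
+			auditd_pid = auditd_conn.pid;
+			/* only the current auditd can unregister itself */
+			if ((!new_pid) && (requesting_pid != auditd_pid)) {
+				rcu_read_unlock();
+				audit_log_config_change("audit_pid", new_pid,
+							auditd_pid, 0);
 				return -EACCES;
 			}
-			if (audit_pid && new_pid &&
-			    audit_replace(requesting_pid) != -ECONNREFUSED) {
-				audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
+			/* replacing a healthy auditd is not allowed */
+			if (auditd_pid && new_pid) {
+				rcu_read_unlock();
+				audit_log_config_change("audit_pid", new_pid,
+							auditd_pid, 0);
 				return -EEXIST;
 			}
+			rcu_read_unlock();
+
 			if (audit_enabled != AUDIT_OFF)
-				audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
+				audit_log_config_change("audit_pid", new_pid,
+							auditd_pid, 1);
+
 			if (new_pid) {
-				if (audit_sock)
-					sock_put(audit_sock);
-				audit_pid = new_pid;
-				audit_nlk_portid = NETLINK_CB(skb).portid;
-				sock_hold(skb->sk);
-				audit_sock = skb->sk;
-			} else {
+				/* register a new auditd connection */
+				auditd_set(new_pid,
+					   NETLINK_CB(skb).portid,
+					   sock_net(NETLINK_CB(skb).sk));
+				/* try to process any backlog */
+				wake_up_interruptible(&kauditd_wait);
+			} else
+				/* unregister the auditd connection */
 				auditd_reset();
-			}
-			wake_up_interruptible(&kauditd_wait);
 		}
 		if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
 			err = audit_set_rate_limit(s.rate_limit);
@@ -1230,7 +1090,6 @@
 				if (err)
 					break;
 			}
-			mutex_unlock(&audit_cmd_mutex);
 			audit_log_common_recv_msg(&ab, msg_type);
 			if (msg_type != AUDIT_USER_TTY)
 				audit_log_format(ab, " msg='%.*s'",
@@ -1247,7 +1108,6 @@
 			}
 			audit_set_portid(ab, NETLINK_CB(skb).portid);
 			audit_log_end(ab);
-			mutex_lock(&audit_cmd_mutex);
 		}
 		break;
 	case AUDIT_ADD_RULE:
@@ -1436,26 +1298,26 @@
 
 	struct audit_net *aunet = net_generic(net, audit_net_id);
 
-	aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
-	if (aunet->nlsk == NULL) {
+	aunet->sk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
+	if (aunet->sk == NULL) {
 		audit_panic("cannot initialize netlink socket in namespace");
 		return -ENOMEM;
 	}
-	aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+	aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+
 	return 0;
 }
 
 static void __net_exit audit_net_exit(struct net *net)
 {
 	struct audit_net *aunet = net_generic(net, audit_net_id);
-	struct sock *sock = aunet->nlsk;
-	mutex_lock(&audit_cmd_mutex);
-	if (sock == audit_sock)
-		auditd_reset();
-	mutex_unlock(&audit_cmd_mutex);
 
-	netlink_kernel_release(sock);
-	aunet->nlsk = NULL;
+	rcu_read_lock();
+	if (net == auditd_conn.net)
+		auditd_reset();
+	rcu_read_unlock();
+
+	netlink_kernel_release(aunet->sk);
 }
 
 static struct pernet_operations audit_net_ops __net_initdata = {
@@ -1473,19 +1335,23 @@
 	if (audit_initialized == AUDIT_DISABLED)
 		return 0;
 
-	pr_info("initializing netlink subsys (%s)\n",
-		audit_default ? "enabled" : "disabled");
-	register_pernet_subsys(&audit_net_ops);
+	memset(&auditd_conn, 0, sizeof(auditd_conn));
+	spin_lock_init(&auditd_conn.lock);
 
 	skb_queue_head_init(&audit_queue);
 	skb_queue_head_init(&audit_retry_queue);
 	skb_queue_head_init(&audit_hold_queue);
-	audit_initialized = AUDIT_INITIALIZED;
-	audit_enabled = audit_default;
-	audit_ever_enabled |= !!audit_default;
 
 	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
 		INIT_LIST_HEAD(&audit_inode_hash[i]);
+
+	pr_info("initializing netlink subsys (%s)\n",
+		audit_default ? "enabled" : "disabled");
+	register_pernet_subsys(&audit_net_ops);
+
+	audit_initialized = AUDIT_INITIALIZED;
+	audit_enabled = audit_default;
+	audit_ever_enabled |= !!audit_default;
 
 	kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
 	if (IS_ERR(kauditd_task)) {
@@ -1661,20 +1519,16 @@
 	if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
 		return NULL;
 
-	/* don't ever fail/sleep on these two conditions:
+	/* NOTE: don't ever fail/sleep on these two conditions:
 	 * 1. auditd generated record - since we need auditd to drain the
 	 *    queue; also, when we are checking for auditd, compare PIDs using
 	 *    task_tgid_vnr() since auditd_pid is set in audit_receive_msg()
 	 *    using a PID anchored in the caller's namespace
-	 * 2. audit command message - record types 1000 through 1099 inclusive
-	 *    are command messages/records used to manage the kernel subsystem
-	 *    and the audit userspace, blocking on these messages could cause
-	 *    problems under load so don't do it (note: not all of these
-	 *    command types are valid as record types, but it is quicker to
-	 *    just check two ints than a series of ints in a if/switch stmt) */
-	if (!((audit_pid && audit_pid == task_tgid_vnr(current)) ||
-	      (type >= 1000 && type <= 1099))) {
-		long sleep_time = audit_backlog_wait_time;
+	 * 2. generator holding the audit_cmd_mutex - we don't want to block
+	 *    while holding the mutex */
+	if (!(auditd_test_task(current) ||
+	      (current == __mutex_owner(&audit_cmd_mutex)))) {
+		long stime = audit_backlog_wait_time;
 
 		while (audit_backlog_limit &&
 		       (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
@@ -1679,14 +1541,13 @@
 
 			/* sleep if we are allowed and we haven't exhausted our
 			 * backlog wait limit */
-			if ((gfp_mask & __GFP_DIRECT_RECLAIM) &&
-			    (sleep_time > 0)) {
+			if (gfpflags_allow_blocking(gfp_mask) && (stime > 0)) {
 				DECLARE_WAITQUEUE(wait, current);
 
 				add_wait_queue_exclusive(&audit_backlog_wait,
 							 &wait);
 				set_current_state(TASK_UNINTERRUPTIBLE);
-				sleep_time = schedule_timeout(sleep_time);
+				stime = schedule_timeout(stime);
 				remove_wait_queue(&audit_backlog_wait, &wait);
 			} else {
 				if (audit_rate_check() && printk_ratelimit())
@@ -2264,15 +2127,27 @@
  */
 void audit_log_end(struct audit_buffer *ab)
 {
+	struct sk_buff *skb;
+	struct nlmsghdr *nlh;
+
 	if (!ab)
 		return;
-	if (!audit_rate_check()) {
-		audit_log_lost("rate limit exceeded");
-	} else {
-		skb_queue_tail(&audit_queue, ab->skb);
-		wake_up_interruptible(&kauditd_wait);
+
+	if (audit_rate_check()) {
+		skb = ab->skb;
 		ab->skb = NULL;
-	}
+
+		/* setup the netlink header, see the comments in
+		 * kauditd_send_multicast_skb() for length quirks */
+		nlh = nlmsg_hdr(skb);
+		nlh->nlmsg_len = skb->len - NLMSG_HDRLEN;
+
+		/* queue the netlink packet and poke the kauditd thread */
+		skb_queue_tail(&audit_queue, skb);
+		wake_up_interruptible(&kauditd_wait);
+	} else
+		audit_log_lost("rate limit exceeded");
+
 	audit_buffer_free(ab);
 }
 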
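Review bot: In auditd_send_unicast_skb() the early `if (!auditd_conn.pid)` exit returns -ECONNREFUSED without releasing the skb, although the kernel-doc directly above promises that "in all cases the skb will be consumed by this function" and its caller audit_replace() relies on that, so every AUDIT_REPLACE probe issued while no daemon is registered leaks the buffer; add `kfree_skb(skb);` before `rc = -ECONNREFUSED;` in that branch. Separately, auditd_conn is documented as RCU protected, but its fields are plain loads under rcu_read_lock() with no rcu_dereference()/rcu_assign_pointer() pairing and the writer in auditd_set() is never delayed by readers, so a reader in auditd_send_unicast_skb() or kauditd_thread() that sees a non-zero pid can then load net after auditd_reset() has cleared it (get_net(NULL)) or after put_net() has dropped the last reference; this looks like it needs either a copy of all three fields taken under the spinlock or an RCU-managed heap object. A smaller point: the comment header `kauditd_print_skb - Print the audit record to the ring buffer` names a function that does not exist, the function below it is kauditd_printk_skb.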
+2 -7
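--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -218,7 +218,7 @@
 			    struct audit_names *n, const struct path *path,
 			    int record_num, int *call_panic);
 
-extern int audit_pid;
+extern int auditd_test_task(const struct task_struct *task);
 
 #define AUDIT_INODE_BUCKETS 32
 extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
@@ -249,10 +249,6 @@
 };
 
 int audit_send_list(void *);
-
-struct audit_net {
-	struct sock *nlsk;
-};
 
 extern int selinux_audit_rule_update(void);
 
@@ -336,8 +340,7 @@
 extern int __audit_signal_info(int sig, struct task_struct *t);
 static inline int audit_signal_info(int sig, struct task_struct *t)
 {
-	if (unlikely((audit_pid && t->tgid == audit_pid) ||
-		     (audit_signals && !audit_dummy_context())))
+	if (auditd_test_task(t) || (audit_signals && !audit_dummy_context()))
 		return __audit_signal_info(sig, t);
 	return 0;
 }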
+3 -3
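--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -762,7 +762,7 @@
 	struct audit_entry *e;
 	enum audit_state state;
 
-	if (audit_pid && tsk->tgid == audit_pid)
+	if (auditd_test_task(tsk))
 		return AUDIT_DISABLED;
 
 	rcu_read_lock();
@@ -816,7 +816,7 @@
 {
 	struct audit_names *n;
 
-	if (audit_pid && tsk->tgid == audit_pid)
+	if (auditd_test_task(tsk))
 		return;
 
 	rcu_read_lock();
@@ -2256,7 +2256,7 @@
 	struct audit_context *ctx = tsk->audit_context;
 	kuid_t uid = current_uid(), t_uid = task_uid(t);
 
-	if (audit_pid && t->tgid == audit_pid) {
+	if (auditd_test_task(t)) {
 		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
 			audit_sig_pid = task_tgid_nr(tsk);
 			if (uid_valid(tsk->loginuid))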