
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull audit namespace fixes from Eric Biederman:
"Starting with 3.14-rc1 the audit code is faulty (think oopses and
races) with respect to how it computes the network namespace of which
socket to reply to, and I happened to notice by chance when reading
through the code.

My testing and the automated build bots don't find any problems with
these fixes"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
audit: Update kdoc for audit_send_reply and audit_list_rules_send
audit: Send replies in the proper network namespace.
audit: Use struct net not pid_t to remember the network namespce to reply in

+26 -20
+2 -1
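--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -43,6 +43,7 @@
 struct mqstat;
 struct audit_watch;
 struct audit_tree;
+struct sk_buff;
 
 struct audit_krule {
 int vers_ops;
@@ -464,7 +463,7 @@
 extern int audit_filter_type(int type);
 extern int audit_rule_change(int type, __u32 portid, int seq,
 void *data, size_t datasz);
-extern int audit_list_rules_send(__u32 portid, int seq);
+extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
 
 extern u32 audit_enabled;
 #else /* CONFIG_AUDIT */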
+16 -15
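--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -182,7 +182,7 @@
 
 struct audit_reply {
 __u32 portid;
-pid_t pid;
+struct net *net;
 struct sk_buff *skb;
 };
 
@@ -500,7 +500,7 @@
 {
 struct audit_netlink_list *dest = _dest;
 struct sk_buff *skb;
-struct net *net = get_net_ns_by_pid(dest->pid);
+struct net *net = dest->net;
 struct audit_net *aunet = net_generic(net, audit_net_id);
 
 /* wait for parent to finish and send an ACK */
@@ -510,6 +510,7 @@
 while ((skb = __skb_dequeue(&dest->q)) != NULL)
 netlink_unicast(aunet->nlsk, skb, dest->portid, 0);
 
+put_net(net);
 kfree(dest);
 
 return 0;
@@ -544,7 +543,7 @@
 static int audit_send_reply_thread(void *arg)
 {
 struct audit_reply *reply = (struct audit_reply *)arg;
-struct net *net = get_net_ns_by_pid(reply->pid);
+struct net *net = reply->net;
 struct audit_net *aunet = net_generic(net, audit_net_id);
 
 mutex_lock(&audit_cmd_mutex);
@@ -553,12 +552,13 @@
 /* Ignore failure. It'll only happen if the sender goes away,
 because our timeout is set to infinite. */
 netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0);
+put_net(net);
 kfree(reply);
 return 0;
 }
 /**
 * audit_send_reply - send an audit reply message via netlink
-* @portid: netlink port to which to send reply
+* @request_skb: skb of request we are replying to (used to target the reply)
 * @seq: sequence number
 * @type: audit message type
 * @done: done (last) flag
@@ -570,9 +568,11 @@
 * Allocates an skb, builds the netlink message, and sends it to the port id.
 * No failure notifications.
 */
-static void audit_send_reply(__u32 portid, int seq, int type, int done,
+static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done,
 int multi, const void *payload, int size)
 {
+u32 portid = NETLINK_CB(request_skb).portid;
+struct net *net = sock_net(NETLINK_CB(request_skb).sk);
 struct sk_buff *skb;
 struct task_struct *tsk;
 struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
@@ -587,8 +583,8 @@
 if (!skb)
 goto out;
 
+reply->net = get_net(net);
 reply->portid = portid;
-reply->pid = task_pid_vnr(current);
 reply->skb = skb;
 
 tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
@@ -677,8 +673,7 @@
 
 seq = nlmsg_hdr(skb)->nlmsg_seq;
 
-audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
-&af, sizeof(af));
+audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &af, sizeof(af));
 
 return 0;
 }
@@ -797,8 +794,7 @@
 s.backlog = skb_queue_len(&audit_skb_queue);
 s.version = AUDIT_VERSION_LATEST;
 s.backlog_wait_time = audit_backlog_wait_time;
-audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
-&s, sizeof(s));
+audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
 break;
 }
 case AUDIT_SET: {
@@ -907,7 +905,7 @@
 seq, data, nlmsg_len(nlh));
 break;
 case AUDIT_LIST_RULES:
-err = audit_list_rules_send(NETLINK_CB(skb).portid, seq);
+err = audit_list_rules_send(skb, seq);
 break;
 case AUDIT_TRIM:
 audit_trim_trees();
@@ -972,8 +970,8 @@
 memcpy(sig_data->ctx, ctx, len);
 security_release_secctx(ctx, len);
 }
-audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_SIGNAL_INFO,
-0, 0, sig_data, sizeof(*sig_data) + len);
+audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
+sig_data, sizeof(*sig_data) + len);
 kfree(sig_data);
 break;
 case AUDIT_TTY_GET: {
@@ -985,8 +983,7 @@
 s.log_passwd = tsk->signal->audit_tty_log_passwd;
 spin_unlock(&tsk->sighand->siglock);
 
-audit_send_reply(NETLINK_CB(skb).portid, seq,
-AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
+audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
 break;
 }
 case AUDIT_TTY_SET: {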
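Review bot: The reference taken by `reply->net = get_net(net);` in audit_send_reply() is only released by the `put_net(net);` added to audit_send_reply_thread(), so it is leaked whenever kthread_run() fails and the thread never runs. The code after the kthread_run() call lies outside the hunk, so this has to be checked there; if that path only frees the skb and `reply`, it should also call `put_net(reply->net);` before `kfree(reply);`. A leaked reference keeps the network namespace from ever being torn down, which matters because the request comes from userspace. The same pairing should be checked in audit_list_rules_send() in kernel/auditfilter.c, where `dest->net = get_net(net);` is taken ahead of later failure exits that are likewise not visible.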
+1 -1
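--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -247,7 +247,7 @@
 
 struct audit_netlink_list {
 __u32 portid;
-pid_t pid;
+struct net *net;
 struct sk_buff_head q;
 };
 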
+7 -3
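--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -29,6 +29,8 @@
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/security.h>
+#include <net/net_namespace.h>
+#include <net/sock.h>
 #include "audit.h"
 
 /*
@@ -1067,11 +1065,13 @@
 
 /**
 * audit_list_rules_send - list the audit rules
-* @portid: target portid for netlink audit messages
+* @request_skb: skb of request we are replying to (used to target the reply)
 * @seq: netlink audit message sequence (serial) number
 */
-int audit_list_rules_send(__u32 portid, int seq)
+int audit_list_rules_send(struct sk_buff *request_skb, int seq)
 {
+u32 portid = NETLINK_CB(request_skb).portid;
+struct net *net = sock_net(NETLINK_CB(request_skb).sk);
 struct task_struct *tsk;
 struct audit_netlink_list *dest;
 int err = 0;
@@ -1087,8 +1083,8 @@
 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
 if (!dest)
 return -ENOMEM;
+dest->net = get_net(net);
 dest->portid = portid;
-dest->pid = task_pid_vnr(current);
 skb_queue_head_init(&dest->q);
 
 mutex_lock(&audit_filter_mutex);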
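Review bot: Nothing at `dest->net = get_net(net);` in audit_list_rules_send() records who owns the namespace reference now stored in `dest`. The matching `put_net(net);` sits in a different file, in the kernel/audit.c thread function that dequeues `dest->q` and then frees `dest`. A comment at the assignment would make that pairing visible, for example `/* netns reference is dropped by the sender thread in kernel/audit.c */`. The kdoc for `@request_skb` could also say that both the reply port and the reply namespace are read from `NETLINK_CB(request_skb)`, so the argument must be the received netlink request skb. The function body continues past the end of the hunk.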