| Message ID | 8e617ab568df28a66dfbe3284452de186b42fb0f.1533065887.git.rgb@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | audit: implement container identifier | expand |
On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs <rgb@redhat.com> wrote: > The audit-related parameters in struct task_struct should ideally be > collected together and accessed through a standard audit API. > > Collect the existing loginuid, sessionid and audit_context together in a > new struct audit_task_info called "audit" in struct task_struct. > > Use kmem_cache to manage this pool of memory. > Un-inline audit_free() to be able to always recover that memory. > > See: https://github.com/linux-audit/audit-kernel/issues/81 > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > --- > include/linux/audit.h | 34 ++++++++++++++++++++++++---------- > include/linux/sched.h | 5 +---- > init/init_task.c | 3 +-- > init/main.c | 2 ++ > kernel/auditsc.c | 51 ++++++++++++++++++++++++++++++++++++++++++--------- > kernel/fork.c | 4 +++- > 6 files changed, 73 insertions(+), 26 deletions(-) ... > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 9334fbe..8964332 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -219,8 +219,15 @@ static inline void audit_log_task_info(struct audit_buffer *ab, > > /* These are defined in auditsc.c */ > /* Public API */ > +struct audit_task_info { > + kuid_t loginuid; > + unsigned int sessionid; > + struct audit_context *ctx; > +}; ... > diff --git a/include/linux/sched.h b/include/linux/sched.h > index 87bf02d..e117272 100644 > --- a/include/linux/sched.h > +++ b/include/linux/sched.h > @@ -873,10 +872,8 @@ struct task_struct { > > struct callback_head *task_works; > > - struct audit_context *audit_context; > #ifdef CONFIG_AUDITSYSCALL > - kuid_t loginuid; > - unsigned int sessionid; > + struct audit_task_info *audit; > #endif > struct seccomp seccomp; Prior to this patch audit_context was available regardless of CONFIG_AUDITSYSCALL, after this patch the corresponding audit_context is only available when CONFIG_AUDITSYSCALL is defined. > diff --git a/init/main.c b/init/main.c > index 3b4ada1..6aba171 100644 > --- a/init/main.c > +++ b/init/main.c > @@ -92,6 +92,7 @@ > #include <linux/rodata_test.h> > #include <linux/jump_label.h> > #include <linux/mem_encrypt.h> > +#include <linux/audit.h> > > #include <asm/io.h> > #include <asm/bugs.h> > @@ -721,6 +722,7 @@ asmlinkage __visible void __init start_kernel(void) > nsfs_init(); > cpuset_init(); > cgroup_init(); > + audit_task_init(); > taskstats_init_early(); > delayacct_init(); It seems like we would need either init_struct_audit or audit_task_init(), but not both, yes? > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index fb20746..88779a7 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -841,7 +841,7 @@ static inline struct audit_context *audit_take_context(struct task_struct *tsk, > int return_valid, > long return_code) > { > - struct audit_context *context = tsk->audit_context; > + struct audit_context *context = tsk->audit->ctx; > > if (!context) > return NULL; > @@ -926,6 +926,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state) > return context; > } > > +static struct kmem_cache *audit_task_cache; > + > +void __init audit_task_init(void) > +{ > + audit_task_cache = kmem_cache_create("audit_task", > + sizeof(struct audit_task_info), > + 0, SLAB_PANIC, NULL); > +} This is somewhat related to the CONFIG_AUDITSYSCALL comment above, but since the audit_task_info contains generic audit state (not just syscall related state), it seems like this, and the audit_task_info accessors/helpers, should live in kernel/audit.c. There are probably a few other things that should move to kernel/audit.c too, e.g. audit_alloc(). Have you verified that this builds/runs correctly on architectures that define CONFIG_AUDIT but not CONFIG_AUDITSYSCALL? > /** > * audit_alloc - allocate an audit context block for a task > * @tsk: task > @@ -940,17 +949,28 @@ int audit_alloc(struct task_struct *tsk) > struct audit_context *context; > enum audit_state state; > char *key = NULL; > + struct audit_task_info *info; > + > + info = kmem_cache_zalloc(audit_task_cache, GFP_KERNEL); > + if (!info) > + return -ENOMEM; > + info->loginuid = audit_get_loginuid(current); > + info->sessionid = audit_get_sessionid(current); > + tsk->audit = info; > > if (likely(!audit_ever_enabled)) > return 0; /* Return if not auditing. */ I don't view this as necessary for initial acceptance, and synchronization/locking might render this undesirable, but it would be curious to see if we could do something clever with refcnts and copy-on-write to minimize the number of kmem_cache objects in use in the !audit_ever_enabled (and possibly the AUDIT_DISABLED) case. > state = audit_filter_task(tsk, &key); > if (state == AUDIT_DISABLED) { > + audit_set_context(tsk, NULL); It's already NULL, isn't it? > clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); > return 0; > } > > if (!(context = audit_alloc_context(state))) { > + tsk->audit = NULL; > + kmem_cache_free(audit_task_cache, info); > kfree(key); > audit_log_lost("out of memory in audit_alloc"); > return -ENOMEM; > @@ -962,6 +982,12 @@ int audit_alloc(struct task_struct *tsk) > return 0; > } > > +struct audit_task_info init_struct_audit = { > + .loginuid = INVALID_UID, > + .sessionid = AUDIT_SID_UNSET, > + .ctx = NULL, > +}; > + > static inline void audit_free_context(struct audit_context *context) > { > audit_free_names(context); -- paul moore www.paul-moore.com
Hi Richard, On Tue, Jul 31, 2018 at 04:07:36PM -0400, Richard Guy Briggs wrote: > The audit-related parameters in struct task_struct should ideally be > collected together and accessed through a standard audit API. > > Collect the existing loginuid, sessionid and audit_context together in a > new struct audit_task_info called "audit" in struct task_struct. > > Use kmem_cache to manage this pool of memory. > Un-inline audit_free() to be able to always recover that memory. > > See: https://github.com/linux-audit/audit-kernel/issues/81 > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Overall I am not sure if keeping task_struct a bit smaller is worth the added complexity, but I guess that is just me. Anyway, couple of nitpicks. Please feel free to ignore, and my apologies if some of all of the comments are duplicates. Guenter > --- > include/linux/audit.h | 34 ++++++++++++++++++++++++---------- > include/linux/sched.h | 5 +---- > init/init_task.c | 3 +-- > init/main.c | 2 ++ > kernel/auditsc.c | 51 ++++++++++++++++++++++++++++++++++++++++++--------- > kernel/fork.c | 4 +++- > 6 files changed, 73 insertions(+), 26 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 9334fbe..8964332 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -219,8 +219,15 @@ static inline void audit_log_task_info(struct audit_buffer *ab, > > /* These are defined in auditsc.c */ > /* Public API */ Not sure if the structure below belongs after "Public API". Is it part of the public API ? > +struct audit_task_info { > + kuid_t loginuid; > + unsigned int sessionid; > + struct audit_context *ctx; > +}; Add empty line ? > +extern struct audit_task_info init_struct_audit; > +extern void __init audit_task_init(void); > extern int audit_alloc(struct task_struct *task); > -extern void __audit_free(struct task_struct *task); > +extern void audit_free(struct task_struct *task); > extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, > unsigned long a2, unsigned long a3); > extern void __audit_syscall_exit(int ret_success, long ret_value); > @@ -242,12 +249,15 @@ extern void audit_seccomp_actions_logged(const char *names, > > static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) > { > - task->audit_context = ctx; > + task->audit->ctx = ctx; > } > > static inline struct audit_context *audit_context(void) > { > - return current->audit_context; > + if (current->audit) > + return current->audit->ctx; > + else > + return NULL; Unnecessary else (and static checkers may complain). > } > > static inline bool audit_dummy_context(void) > @@ -255,11 +265,7 @@ static inline bool audit_dummy_context(void) > void *p = audit_context(); > return !p || *(int *)p; > } > -static inline void audit_free(struct task_struct *task) > -{ > - if (unlikely(task->audit_context)) > - __audit_free(task); > -} > + > static inline void audit_syscall_entry(int major, unsigned long a0, > unsigned long a1, unsigned long a2, > unsigned long a3) > @@ -331,12 +337,18 @@ extern int auditsc_get_stamp(struct audit_context *ctx, > > static inline kuid_t audit_get_loginuid(struct task_struct *tsk) > { > - return tsk->loginuid; > + if (tsk->audit) > + return tsk->audit->loginuid; > + else > + return INVALID_UID; Unnecessary else. > } > > static inline unsigned int audit_get_sessionid(struct task_struct *tsk) > { > - return tsk->sessionid; > + if (tsk->audit) > + return tsk->audit->sessionid; > + else > + return AUDIT_SID_UNSET; Unnecessary else. > } > > extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); > @@ -461,6 +473,8 @@ static inline void audit_fanotify(unsigned int response) > extern int audit_n_rules; > extern int audit_signals; > #else /* CONFIG_AUDITSYSCALL */ > +static inline void __init audit_task_init(void) > +{ } > static inline int audit_alloc(struct task_struct *task) > { > return 0; > diff --git a/include/linux/sched.h b/include/linux/sched.h > index 87bf02d..e117272 100644 > --- a/include/linux/sched.h > +++ b/include/linux/sched.h > @@ -30,7 +30,6 @@ > #include <linux/rseq.h> > > /* task_struct member predeclarations (sorted alphabetically): */ > -struct audit_context; > struct backing_dev_info; > struct bio_list; > struct blk_plug; > @@ -873,10 +872,8 @@ struct task_struct { > > struct callback_head *task_works; > > - struct audit_context *audit_context; > #ifdef CONFIG_AUDITSYSCALL > - kuid_t loginuid; > - unsigned int sessionid; > + struct audit_task_info *audit; > #endif > struct seccomp seccomp; > > diff --git a/init/init_task.c b/init/init_task.c > index 74f60ba..4058840 100644 > --- a/init/init_task.c > +++ b/init/init_task.c > @@ -119,8 +119,7 @@ struct task_struct init_task > .thread_group = LIST_HEAD_INIT(init_task.thread_group), > .thread_node = LIST_HEAD_INIT(init_signals.thread_head), > #ifdef CONFIG_AUDITSYSCALL > - .loginuid = INVALID_UID, > - .sessionid = AUDIT_SID_UNSET, > + .audit = &init_struct_audit, > #endif > #ifdef CONFIG_PERF_EVENTS > .perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex), > diff --git a/init/main.c b/init/main.c > index 3b4ada1..6aba171 100644 > --- a/init/main.c > +++ b/init/main.c > @@ -92,6 +92,7 @@ > #include <linux/rodata_test.h> > #include <linux/jump_label.h> > #include <linux/mem_encrypt.h> > +#include <linux/audit.h> > > #include <asm/io.h> > #include <asm/bugs.h> > @@ -721,6 +722,7 @@ asmlinkage __visible void __init start_kernel(void) > nsfs_init(); > cpuset_init(); > cgroup_init(); > + audit_task_init(); > taskstats_init_early(); > delayacct_init(); > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index fb20746..88779a7 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -841,7 +841,7 @@ static inline struct audit_context *audit_take_context(struct task_struct *tsk, > int return_valid, > long return_code) > { > - struct audit_context *context = tsk->audit_context; > + struct audit_context *context = tsk->audit->ctx; > > if (!context) > return NULL; > @@ -926,6 +926,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state) > return context; > } > > +static struct kmem_cache *audit_task_cache; > + > +void __init audit_task_init(void) > +{ > + audit_task_cache = kmem_cache_create("audit_task", > + sizeof(struct audit_task_info), > + 0, SLAB_PANIC, NULL); > +} > + > /** > * audit_alloc - allocate an audit context block for a task > * @tsk: task > @@ -940,17 +949,28 @@ int audit_alloc(struct task_struct *tsk) > struct audit_context *context; > enum audit_state state; > char *key = NULL; > + struct audit_task_info *info; > + > + info = kmem_cache_zalloc(audit_task_cache, GFP_KERNEL); > + if (!info) > + return -ENOMEM; > + info->loginuid = audit_get_loginuid(current); > + info->sessionid = audit_get_sessionid(current); > + tsk->audit = info; > > if (likely(!audit_ever_enabled)) > return 0; /* Return if not auditing. */ > > state = audit_filter_task(tsk, &key); > if (state == AUDIT_DISABLED) { > + audit_set_context(tsk, NULL); > clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); > return 0; > } > > if (!(context = audit_alloc_context(state))) { > + tsk->audit = NULL; > + kmem_cache_free(audit_task_cache, info); > kfree(key); > audit_log_lost("out of memory in audit_alloc"); > return -ENOMEM; > @@ -962,6 +982,12 @@ int audit_alloc(struct task_struct *tsk) > return 0; > } > > +struct audit_task_info init_struct_audit = { > + .loginuid = INVALID_UID, > + .sessionid = AUDIT_SID_UNSET, > + .ctx = NULL, > +}; > + > static inline void audit_free_context(struct audit_context *context) > { > audit_free_names(context); > @@ -1469,26 +1495,33 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts > } > > /** > - * __audit_free - free a per-task audit context > + * audit_free - free a per-task audit context > * @tsk: task whose audit context block to free > * > * Called from copy_process and do_exit > */ > -void __audit_free(struct task_struct *tsk) > +void audit_free(struct task_struct *tsk) > { > struct audit_context *context; > + struct audit_task_info *info; > > context = audit_take_context(tsk, 0, 0); > - if (!context) > - return; > - > /* Check for system calls that do not go through the exit > * function (e.g., exit_group), then free context block. > * We use GFP_ATOMIC here because we might be doing this > * in the context of the idle thread */ > /* that can happen only if we are called from do_exit() */ > - if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT) > + if (context && context->in_syscall && > + context->current_state == AUDIT_RECORD_CONTEXT) > audit_log_exit(context, tsk); > + /* Freeing the audit_task_info struct must be performed after > + * audit_log_exit() due to need for loginuid and sessionid. > + */ > + info = tsk->audit; > + tsk->audit = NULL; > + kmem_cache_free(audit_task_cache, info); > + if (!context) > + return; > if (!list_empty(&context->killed_trees)) > audit_kill_trees(&context->killed_trees); Looks kind of terrible with the repeated check if context is NULL. Maybe reorder ? context = audit_take_context(tsk, 0, 0); if (context) { /* do all the context work */ } kmem_cache_free(audit_task_cache, tsk->audit); tsk->audit = NULL; // is that even necessary ? If "info" is really needed, ie if tsk (and tsk->audit) can be accessed from another thread in parallel, I'd be a bit concerned about the lack of sync() or similar after clearing tsk->audit. Another option might have been to separate audit_free() into audit_free_context() and audit_free_info(). > > @@ -2071,8 +2104,8 @@ int audit_set_loginuid(kuid_t loginuid) > sessionid = (unsigned int)atomic_inc_return(&session_id); > } > > - task->sessionid = sessionid; > - task->loginuid = loginuid; > + task->audit->sessionid = sessionid; > + task->audit->loginuid = loginuid; > out: > audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc); > return rc; > diff --git a/kernel/fork.c b/kernel/fork.c > index 9440d61..1bfb0ff 100644 > --- a/kernel/fork.c > +++ b/kernel/fork.c > @@ -1721,7 +1721,9 @@ static __latent_entropy struct task_struct *copy_process( > p->start_time = ktime_get_ns(); > p->real_start_time = ktime_get_boot_ns(); > p->io_context = NULL; > - audit_set_context(p, NULL); > +#ifdef CONFIG_AUDITSYSCALL > + p->audit = NULL; > +#endif /* CONFIG_AUDITSYSCALL */ audit_alloc() is called a bit later and sets p->audit, so I don't think this is really necessary. > cgroup_fork(p); > #ifdef CONFIG_NUMA > p->mempolicy = mpol_dup(p->mempolicy);
On 2019-01-03 18:50, Guenter Roeck wrote: > Hi Richard, > > On Tue, Jul 31, 2018 at 04:07:36PM -0400, Richard Guy Briggs wrote: > > The audit-related parameters in struct task_struct should ideally be > > collected together and accessed through a standard audit API. > > > > Collect the existing loginuid, sessionid and audit_context together in a > > new struct audit_task_info called "audit" in struct task_struct. > > > > Use kmem_cache to manage this pool of memory. > > Un-inline audit_free() to be able to always recover that memory. > > > > See: https://github.com/linux-audit/audit-kernel/issues/81 > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > Overall I am not sure if keeping task_struct a bit smaller is worth > the added complexity, but I guess that is just me. The motivation was to consolidate all the audit bits into one pointer, isolating them from the rest of the kernel, restricting access only to helper functions to prevent abuse by other subsystems and trying to reduce kABI issues in the future. I agree it is a bit more complex. It was provoked by the need to add contid which seemed to make the most sense as a peer to loginuid and sessionid, and adding it to task_struct would have made it a bit too generic and available. This is addressed at some length by Paul Moore here in v2: https://lkml.org/lkml/2018/4/18/759 > Anyway, couple of nitpicks. Please feel free to ignore, and my apologies > if some of all of the comments are duplicates. Noted. They all look like reasonable improvements, particulaly the unnecessary else and default return. Thanks. The double context check may go away anyways based on the removal of audit_take_context() in Paul's 2a1fe215e730 ("audit: use current whenever possible") which has yet to be incorporated. > Guenter > > > --- > > include/linux/audit.h | 34 ++++++++++++++++++++++++---------- > > include/linux/sched.h | 5 +---- > > init/init_task.c | 3 +-- > > init/main.c | 2 ++ > > kernel/auditsc.c | 51 ++++++++++++++++++++++++++++++++++++++++++--------- > > kernel/fork.c | 4 +++- > > 6 files changed, 73 insertions(+), 26 deletions(-) > > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 9334fbe..8964332 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h > > @@ -219,8 +219,15 @@ static inline void audit_log_task_info(struct audit_buffer *ab, > > > > /* These are defined in auditsc.c */ > > /* Public API */ > > Not sure if the structure below belongs after "Public API". > Is it part of the public API ? > > > +struct audit_task_info { > > + kuid_t loginuid; > > + unsigned int sessionid; > > + struct audit_context *ctx; > > +}; > > Add empty line ? > > > +extern struct audit_task_info init_struct_audit; > > +extern void __init audit_task_init(void); > > extern int audit_alloc(struct task_struct *task); > > -extern void __audit_free(struct task_struct *task); > > +extern void audit_free(struct task_struct *task); > > extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, > > unsigned long a2, unsigned long a3); > > extern void __audit_syscall_exit(int ret_success, long ret_value); > > @@ -242,12 +249,15 @@ extern void audit_seccomp_actions_logged(const char *names, > > > > static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) > > { > > - task->audit_context = ctx; > > + task->audit->ctx = ctx; > > } > > > > static inline struct audit_context *audit_context(void) > > { > > - return current->audit_context; > > + if (current->audit) > > + return current->audit->ctx; > > + else > > + return NULL; > > Unnecessary else (and static checkers may complain). > > > } > > > > static inline bool audit_dummy_context(void) > > @@ -255,11 +265,7 @@ static inline bool audit_dummy_context(void) > > void *p = audit_context(); > > return !p || *(int *)p; > > } > > -static inline void audit_free(struct task_struct *task) > > -{ > > - if (unlikely(task->audit_context)) > > - __audit_free(task); > > -} > > + > > static inline void audit_syscall_entry(int major, unsigned long a0, > > unsigned long a1, unsigned long a2, > > unsigned long a3) > > @@ -331,12 +337,18 @@ extern int auditsc_get_stamp(struct audit_context *ctx, > > > > static inline kuid_t audit_get_loginuid(struct task_struct *tsk) > > { > > - return tsk->loginuid; > > + if (tsk->audit) > > + return tsk->audit->loginuid; > > + else > > + return INVALID_UID; > > Unnecessary else. > > > } > > > > static inline unsigned int audit_get_sessionid(struct task_struct *tsk) > > { > > - return tsk->sessionid; > > + if (tsk->audit) > > + return tsk->audit->sessionid; > > + else > > + return AUDIT_SID_UNSET; > > Unnecessary else. > > > } > > > > extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); > > @@ -461,6 +473,8 @@ static inline void audit_fanotify(unsigned int response) > > extern int audit_n_rules; > > extern int audit_signals; > > #else /* CONFIG_AUDITSYSCALL */ > > +static inline void __init audit_task_init(void) > > +{ } > > static inline int audit_alloc(struct task_struct *task) > > { > > return 0; > > diff --git a/include/linux/sched.h b/include/linux/sched.h > > index 87bf02d..e117272 100644 > > --- a/include/linux/sched.h > > +++ b/include/linux/sched.h > > @@ -30,7 +30,6 @@ > > #include <linux/rseq.h> > > > > /* task_struct member predeclarations (sorted alphabetically): */ > > -struct audit_context; > > struct backing_dev_info; > > struct bio_list; > > struct blk_plug; > > @@ -873,10 +872,8 @@ struct task_struct { > > > > struct callback_head *task_works; > > > > - struct audit_context *audit_context; > > #ifdef CONFIG_AUDITSYSCALL > > - kuid_t loginuid; > > - unsigned int sessionid; > > + struct audit_task_info *audit; > > #endif > > struct seccomp seccomp; > > > > diff --git a/init/init_task.c b/init/init_task.c > > index 74f60ba..4058840 100644 > > --- a/init/init_task.c > > +++ b/init/init_task.c > > @@ -119,8 +119,7 @@ struct task_struct init_task > > .thread_group = LIST_HEAD_INIT(init_task.thread_group), > > .thread_node = LIST_HEAD_INIT(init_signals.thread_head), > > #ifdef CONFIG_AUDITSYSCALL > > - .loginuid = INVALID_UID, > > - .sessionid = AUDIT_SID_UNSET, > > + .audit = &init_struct_audit, > > #endif > > #ifdef CONFIG_PERF_EVENTS > > .perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex), > > diff --git a/init/main.c b/init/main.c > > index 3b4ada1..6aba171 100644 > > --- a/init/main.c > > +++ b/init/main.c > > @@ -92,6 +92,7 @@ > > #include <linux/rodata_test.h> > > #include <linux/jump_label.h> > > #include <linux/mem_encrypt.h> > > +#include <linux/audit.h> > > > > #include <asm/io.h> > > #include <asm/bugs.h> > > @@ -721,6 +722,7 @@ asmlinkage __visible void __init start_kernel(void) > > nsfs_init(); > > cpuset_init(); > > cgroup_init(); > > + audit_task_init(); > > taskstats_init_early(); > > delayacct_init(); > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index fb20746..88779a7 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -841,7 +841,7 @@ static inline struct audit_context *audit_take_context(struct task_struct *tsk, > > int return_valid, > > long return_code) > > { > > - struct audit_context *context = tsk->audit_context; > > + struct audit_context *context = tsk->audit->ctx; > > > > if (!context) > > return NULL; > > @@ -926,6 +926,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state) > > return context; > > } > > > > +static struct kmem_cache *audit_task_cache; > > + > > +void __init audit_task_init(void) > > +{ > > + audit_task_cache = kmem_cache_create("audit_task", > > + sizeof(struct audit_task_info), > > + 0, SLAB_PANIC, NULL); > > +} > > + > > /** > > * audit_alloc - allocate an audit context block for a task > > * @tsk: task > > @@ -940,17 +949,28 @@ int audit_alloc(struct task_struct *tsk) > > struct audit_context *context; > > enum audit_state state; > > char *key = NULL; > > + struct audit_task_info *info; > > + > > + info = kmem_cache_zalloc(audit_task_cache, GFP_KERNEL); > > + if (!info) > > + return -ENOMEM; > > + info->loginuid = audit_get_loginuid(current); > > + info->sessionid = audit_get_sessionid(current); > > + tsk->audit = info; > > > > if (likely(!audit_ever_enabled)) > > return 0; /* Return if not auditing. */ > > > > state = audit_filter_task(tsk, &key); > > if (state == AUDIT_DISABLED) { > > + audit_set_context(tsk, NULL); > > clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); > > return 0; > > } > > > > if (!(context = audit_alloc_context(state))) { > > + tsk->audit = NULL; > > + kmem_cache_free(audit_task_cache, info); > > kfree(key); > > audit_log_lost("out of memory in audit_alloc"); > > return -ENOMEM; > > @@ -962,6 +982,12 @@ int audit_alloc(struct task_struct *tsk) > > return 0; > > } > > > > +struct audit_task_info init_struct_audit = { > > + .loginuid = INVALID_UID, > > + .sessionid = AUDIT_SID_UNSET, > > + .ctx = NULL, > > +}; > > + > > static inline void audit_free_context(struct audit_context *context) > > { > > audit_free_names(context); > > @@ -1469,26 +1495,33 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts > > } > > > > /** > > - * __audit_free - free a per-task audit context > > + * audit_free - free a per-task audit context > > * @tsk: task whose audit context block to free > > * > > * Called from copy_process and do_exit > > */ > > -void __audit_free(struct task_struct *tsk) > > +void audit_free(struct task_struct *tsk) > > { > > struct audit_context *context; > > + struct audit_task_info *info; > > > > context = audit_take_context(tsk, 0, 0); > > - if (!context) > > - return; > > - > > /* Check for system calls that do not go through the exit > > * function (e.g., exit_group), then free context block. > > * We use GFP_ATOMIC here because we might be doing this > > * in the context of the idle thread */ > > /* that can happen only if we are called from do_exit() */ > > - if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT) > > + if (context && context->in_syscall && > > + context->current_state == AUDIT_RECORD_CONTEXT) > > audit_log_exit(context, tsk); > > + /* Freeing the audit_task_info struct must be performed after > > + * audit_log_exit() due to need for loginuid and sessionid. > > + */ > > + info = tsk->audit; > > + tsk->audit = NULL; > > + kmem_cache_free(audit_task_cache, info); > > + if (!context) > > + return; > > if (!list_empty(&context->killed_trees)) > > audit_kill_trees(&context->killed_trees); > > Looks kind of terrible with the repeated check if context is NULL. > Maybe reorder ? > > context = audit_take_context(tsk, 0, 0); > if (context) { > /* do all the context work */ > } > kmem_cache_free(audit_task_cache, tsk->audit); > tsk->audit = NULL; // is that even necessary ? > > If "info" is really needed, ie if tsk (and tsk->audit) can be accessed > from another thread in parallel, I'd be a bit concerned about the lack > of sync() or similar after clearing tsk->audit. > > Another option might have been to separate audit_free() into > audit_free_context() and audit_free_info(). > > > > > @@ -2071,8 +2104,8 @@ int audit_set_loginuid(kuid_t loginuid) > > sessionid = (unsigned int)atomic_inc_return(&session_id); > > } > > > > - task->sessionid = sessionid; > > - task->loginuid = loginuid; > > + task->audit->sessionid = sessionid; > > + task->audit->loginuid = loginuid; > > out: > > audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc); > > return rc; > > diff --git a/kernel/fork.c b/kernel/fork.c > > index 9440d61..1bfb0ff 100644 > > --- a/kernel/fork.c > > +++ b/kernel/fork.c > > @@ -1721,7 +1721,9 @@ static __latent_entropy struct task_struct *copy_process( > > p->start_time = ktime_get_ns(); > > p->real_start_time = ktime_get_boot_ns(); > > p->io_context = NULL; > > - audit_set_context(p, NULL); > > +#ifdef CONFIG_AUDITSYSCALL > > + p->audit = NULL; > > +#endif /* CONFIG_AUDITSYSCALL */ > > audit_alloc() is called a bit later and sets p->audit, so I don't think > this is really necessary. > > > cgroup_fork(p); > > #ifdef CONFIG_NUMA > > p->mempolicy = mpol_dup(p->mempolicy); - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
On Fri, Jan 04, 2019 at 09:57:35AM -0500, Richard Guy Briggs wrote: > On 2019-01-03 18:50, Guenter Roeck wrote: > > Hi Richard, > > > > On Tue, Jul 31, 2018 at 04:07:36PM -0400, Richard Guy Briggs wrote: > > > The audit-related parameters in struct task_struct should ideally be > > > collected together and accessed through a standard audit API. > > > > > > Collect the existing loginuid, sessionid and audit_context together in a > > > new struct audit_task_info called "audit" in struct task_struct. > > > > > > Use kmem_cache to manage this pool of memory. > > > Un-inline audit_free() to be able to always recover that memory. > > > > > > See: https://github.com/linux-audit/audit-kernel/issues/81 > > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > > Overall I am not sure if keeping task_struct a bit smaller is worth > > the added complexity, but I guess that is just me. > > The motivation was to consolidate all the audit bits into one pointer, > isolating them from the rest of the kernel, restricting access only to > helper functions to prevent abuse by other subsystems and trying to > reduce kABI issues in the future. I agree it is a bit more complex. It > was provoked by the need to add contid which seemed to make the most > sense as a peer to loginuid and sessionid, and adding it to task_struct > would have made it a bit too generic and available. > > This is addressed at some length by Paul Moore here in v2: > https://lkml.org/lkml/2018/4/18/759 > That makes sense. Thanks a lot for the clarification. Guenter
diff --git a/include/linux/audit.h b/include/linux/audit.h index 9334fbe..8964332 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -219,8 +219,15 @@ static inline void audit_log_task_info(struct audit_buffer *ab, /* These are defined in auditsc.c */ /* Public API */ +struct audit_task_info { + kuid_t loginuid; + unsigned int sessionid; + struct audit_context *ctx; +}; +extern struct audit_task_info init_struct_audit; +extern void __init audit_task_init(void); extern int audit_alloc(struct task_struct *task); -extern void __audit_free(struct task_struct *task); +extern void audit_free(struct task_struct *task); extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3); extern void __audit_syscall_exit(int ret_success, long ret_value); @@ -242,12 +249,15 @@ extern void audit_seccomp_actions_logged(const char *names, static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) { - task->audit_context = ctx; + task->audit->ctx = ctx; } static inline struct audit_context *audit_context(void) { - return current->audit_context; + if (current->audit) + return current->audit->ctx; + else + return NULL; } static inline bool audit_dummy_context(void) @@ -255,11 +265,7 @@ static inline bool audit_dummy_context(void) void *p = audit_context(); return !p || *(int *)p; } -static inline void audit_free(struct task_struct *task) -{ - if (unlikely(task->audit_context)) - __audit_free(task); -} + static inline void audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3) @@ -331,12 +337,18 @@ extern int auditsc_get_stamp(struct audit_context *ctx, static inline kuid_t audit_get_loginuid(struct task_struct *tsk) { - return tsk->loginuid; + if (tsk->audit) + return tsk->audit->loginuid; + else + return INVALID_UID; } static inline unsigned int audit_get_sessionid(struct task_struct *tsk) { - return tsk->sessionid; + if (tsk->audit) + return tsk->audit->sessionid; + else + return AUDIT_SID_UNSET; } extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); @@ -461,6 +473,8 @@ static inline void audit_fanotify(unsigned int response) extern int audit_n_rules; extern int audit_signals; #else /* CONFIG_AUDITSYSCALL */ +static inline void __init audit_task_init(void) +{ } static inline int audit_alloc(struct task_struct *task) { return 0; diff --git a/include/linux/sched.h b/include/linux/sched.h index 87bf02d..e117272 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -30,7 +30,6 @@ #include <linux/rseq.h> /* task_struct member predeclarations (sorted alphabetically): */ -struct audit_context; struct backing_dev_info; struct bio_list; struct blk_plug; @@ -873,10 +872,8 @@ struct task_struct { struct callback_head *task_works; - struct audit_context *audit_context; #ifdef CONFIG_AUDITSYSCALL - kuid_t loginuid; - unsigned int sessionid; + struct audit_task_info *audit; #endif struct seccomp seccomp; diff --git a/init/init_task.c b/init/init_task.c index 74f60ba..4058840 100644 --- a/init/init_task.c +++ b/init/init_task.c @@ -119,8 +119,7 @@ struct task_struct init_task .thread_group = LIST_HEAD_INIT(init_task.thread_group), .thread_node = LIST_HEAD_INIT(init_signals.thread_head), #ifdef CONFIG_AUDITSYSCALL - .loginuid = INVALID_UID, - .sessionid = AUDIT_SID_UNSET, + .audit = &init_struct_audit, #endif #ifdef CONFIG_PERF_EVENTS .perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex), diff --git a/init/main.c b/init/main.c index 3b4ada1..6aba171 100644 --- a/init/main.c +++ b/init/main.c @@ -92,6 +92,7 @@ #include <linux/rodata_test.h> #include <linux/jump_label.h> #include <linux/mem_encrypt.h> +#include <linux/audit.h> #include <asm/io.h> #include <asm/bugs.h> @@ -721,6 +722,7 @@ asmlinkage __visible void __init start_kernel(void) nsfs_init(); cpuset_init(); cgroup_init(); + audit_task_init(); taskstats_init_early(); delayacct_init(); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fb20746..88779a7 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -841,7 +841,7 @@ static inline struct audit_context *audit_take_context(struct task_struct *tsk, int return_valid, long return_code) { - struct audit_context *context = tsk->audit_context; + struct audit_context *context = tsk->audit->ctx; if (!context) return NULL; @@ -926,6 +926,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state) return context; } +static struct kmem_cache *audit_task_cache; + +void __init audit_task_init(void) +{ + audit_task_cache = kmem_cache_create("audit_task", + sizeof(struct audit_task_info), + 0, SLAB_PANIC, NULL); +} + /** * audit_alloc - allocate an audit context block for a task * @tsk: task @@ -940,17 +949,28 @@ int audit_alloc(struct task_struct *tsk) struct audit_context *context; enum audit_state state; char *key = NULL; + struct audit_task_info *info; + + info = kmem_cache_zalloc(audit_task_cache, GFP_KERNEL); + if (!info) + return -ENOMEM; + info->loginuid = audit_get_loginuid(current); + info->sessionid = audit_get_sessionid(current); + tsk->audit = info; if (likely(!audit_ever_enabled)) return 0; /* Return if not auditing. */ state = audit_filter_task(tsk, &key); if (state == AUDIT_DISABLED) { + audit_set_context(tsk, NULL); clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); return 0; } if (!(context = audit_alloc_context(state))) { + tsk->audit = NULL; + kmem_cache_free(audit_task_cache, info); kfree(key); audit_log_lost("out of memory in audit_alloc"); return -ENOMEM; @@ -962,6 +982,12 @@ int audit_alloc(struct task_struct *tsk) return 0; } +struct audit_task_info init_struct_audit = { + .loginuid = INVALID_UID, + .sessionid = AUDIT_SID_UNSET, + .ctx = NULL, +}; + static inline void audit_free_context(struct audit_context *context) { audit_free_names(context); @@ -1469,26 +1495,33 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts } /** - * __audit_free - free a per-task audit context + * audit_free - free a per-task audit context * @tsk: task whose audit context block to free * * Called from copy_process and do_exit */ -void __audit_free(struct task_struct *tsk) +void audit_free(struct task_struct *tsk) { struct audit_context *context; + struct audit_task_info *info; context = audit_take_context(tsk, 0, 0); - if (!context) - return; - /* Check for system calls that do not go through the exit * function (e.g., exit_group), then free context block. * We use GFP_ATOMIC here because we might be doing this * in the context of the idle thread */ /* that can happen only if we are called from do_exit() */ - if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT) + if (context && context->in_syscall && + context->current_state == AUDIT_RECORD_CONTEXT) audit_log_exit(context, tsk); + /* Freeing the audit_task_info struct must be performed after + * audit_log_exit() due to need for loginuid and sessionid. + */ + info = tsk->audit; + tsk->audit = NULL; + kmem_cache_free(audit_task_cache, info); + if (!context) + return; if (!list_empty(&context->killed_trees)) audit_kill_trees(&context->killed_trees); @@ -2071,8 +2104,8 @@ int audit_set_loginuid(kuid_t loginuid) sessionid = (unsigned int)atomic_inc_return(&session_id); } - task->sessionid = sessionid; - task->loginuid = loginuid; + task->audit->sessionid = sessionid; + task->audit->loginuid = loginuid; out: audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc); return rc; diff --git a/kernel/fork.c b/kernel/fork.c index 9440d61..1bfb0ff 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1721,7 +1721,9 @@ static __latent_entropy struct task_struct *copy_process( p->start_time = ktime_get_ns(); p->real_start_time = ktime_get_boot_ns(); p->io_context = NULL; - audit_set_context(p, NULL); +#ifdef CONFIG_AUDITSYSCALL + p->audit = NULL; +#endif /* CONFIG_AUDITSYSCALL */ cgroup_fork(p); #ifdef CONFIG_NUMA p->mempolicy = mpol_dup(p->mempolicy);
The audit-related parameters in struct task_struct should ideally be collected together and accessed through a standard audit API. Collect the existing loginuid, sessionid and audit_context together in a new struct audit_task_info called "audit" in struct task_struct. Use kmem_cache to manage this pool of memory. Un-inline audit_free() to be able to always recover that memory. See: https://github.com/linux-audit/audit-kernel/issues/81 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- include/linux/audit.h | 34 ++++++++++++++++++++++++---------- include/linux/sched.h | 5 +---- init/init_task.c | 3 +-- init/main.c | 2 ++ kernel/auditsc.c | 51 ++++++++++++++++++++++++++++++++++++++++++--------- kernel/fork.c | 4 +++- 6 files changed, 73 insertions(+), 26 deletions(-)