[PATCH 00/15] Rework tty audit

Peter Hurley peter at hurleysoftware.com
Fri Nov 13 02:31:17 UTC 2015


On 11/10/2015 09:05 PM, Peter Hurley wrote:
> Hi Greg,
> 
> This patch series overhauls tty audit support. The goal was to simplify
> and speed up tty auditing, which was a significant performance hit even
> when disabled.
> 
> The main features of this series are:
> * Remove reference counting; the purpose of reference counting the per-
>   process tty_audit_buf was to prevent premature deletion if the
>   buffer was in-use when tty auditing was exited for the process.
>   However, since the process is single-threaded at tty_audit_exit(),
>   the buffer cannot be in-use by another thread. Patch 11/15.
> * Remove functionally dead code, such as tty_put_user(). Patch 2/15.
> * Atomically modify tty audit enable/disable flags to support lockless
>   read. Patch 9/15.
> 
> Cc: Ingo Molnar <mingo at redhat.com>
> Cc: Peter Zijlstra <peterz at infradead.org>
>     for patch 9/15 which removes an audit field from the signal_struct.
> 
> Cc: Oleg Nesterov <oleg at redhat.com>
>     to confirm my understanding of the single-threadedness of
>     if (group_dead) tty_audit_exit(), called from do_exit(). Patch 11/15
> 
> Requires: "tty: audit: Fix audit source"

and, as brought to my attention by Richard Guy Briggs, also
Requires: "n_tty: Uninline tty_copy_to_user()"

Apologies for any inconvenience caused.


> Regards,
> 
> Peter Hurley (15):
>   tty: audit: Early-out pty master reads earlier
>   tty: audit: Never audit packet mode
>   tty: audit: Remove icanon mode from call chain
>   tty: audit: Defer audit buffer association
>   tty: audit: Take siglock directly
>   tty: audit: Ignore current association for audit push
>   tty: audit: Combine push functions
>   tty: audit: Track tty association with dev_t
>   tty: audit: Handle tty audit enable atomically
>   tty: audit: Remove false memory optimization
>   tty: audit: Remove tty_audit_buf reference counting
>   tty: audit: Simplify first-use allocation
>   tty: audit: Check audit enable first
>   tty: audit: Always push audit buffer before TIOCSTI
>   tty: audit: Poison tty_audit_buf while process exits
> 
>  drivers/tty/n_tty.c     |  25 ++----
>  drivers/tty/tty_audit.c | 231 ++++++++++++++----------------------------------
>  include/linux/audit.h   |   4 +
>  include/linux/sched.h   |   1 -
>  include/linux/tty.h     |  12 +--
>  kernel/audit.c          |  27 +++---
>  6 files changed, 97 insertions(+), 203 deletions(-)
> 



