[PATCH ghak90 (was ghak32) V4 01/10] audit: collect audit task parameters

Paul Moore paul at paul-moore.com
Thu Jan 3 20:33:28 UTC 2019 

On Thu, Jan 3, 2019 at 3:29 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> I'm not sure what's going on here, but it looks like HTML-encoded reply
> quoting making the quoted text very difficult to read.  All the previous
> ">" have been converted to the HTML ">" encoding.  Your most recent
> reply text looks mostly fine.

Not sure what happened either, I suspect gmail did something odd when
I saved them as drafts, but it has never done that before.  FWIW, I
generally batch up individual review comments for complex patchsets as
one often needs to review the entire set first before commenting.

The most recent reply to patch 0/10 wasn't saved as a draft before sending.

> On 2019-01-03 15:10, Paul Moore wrote:
> > On Thu, Nov 1, 2018 at 6:07 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> > > On 2018-10-19 19:15, Paul Moore wrote:
> > > > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs
> > <rgb at redhat.com> wrote:
> > > > > The audit-related parameters in struct task_struct
> > should ideally be
> > > > > collected together and accessed through a standard audit API.
> > > > >
> > > > > Collect the existing loginuid, sessionid and
> > audit_context together in a
> > > > > new struct audit_task_info called "audit" in struct task_struct.
> > > > >
> > > > > Use kmem_cache to manage this pool of memory.
> > > > > Un-inline audit_free() to be able to always recover that memory.
> > > > >
> > > > > See: https://github.com/linux-audit/audit-kernel/issues/81
> > > > >
> > > > > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > > > > ---
> > > > >  include/linux/audit.h | 34 ++++++++++++++++++++++++----------
> > > > >  include/linux/sched.h |  5 +----
> > > > >  init/init_task.c      |  3 +--
> > > > >  init/main.c           |  2 ++
> > > > >  kernel/auditsc.c      | 51
> > ++++++++++++++++++++++++++++++++++++++++++---------
> > > > >  kernel/fork.c         |  4 +++-
> > > > >  6 files changed, 73 insertions(+), 26 deletions(-)
> > > >
> > > > ...
> > > >
> > > > > diff --git a/include/linux/sched.h b/include/linux/sched.h
> > > > > index 87bf02d..e117272 100644
> > > > > --- a/include/linux/sched.h
> > > > > +++ b/include/linux/sched.h
> > > > > @@ -873,10 +872,8 @@ struct task_struct {
> > > > >
> > > > >         struct callback_head            *task_works;
> > > > >
> > > > > -       struct audit_context            *audit_context;
> > > > >  #ifdef CONFIG_AUDITSYSCALL
> > > > > -       kuid_t                          loginuid;
> > > > > -       unsigned int                    sessionid;
> > > > > +       struct audit_task_info          *audit;
> > > > >  #endif
> > > > >         struct seccomp                  seccomp;
> > > >
> > > > Prior to this patch audit_context was available regardless of
> > > > CONFIG_AUDITSYSCALL, after this patch the corresponding audit_context
> > > > is only available when CONFIG_AUDITSYSCALL is defined.
> > >
> > > This was intentional since audit_context is not used when AUDITSYSCALL is
> > > disabled.  audit_alloc() was stubbed in that case to return 0.
> > audit_context()
> > > returned NULL.
> > >
> > > The fact that audit_context was still present in struct task_struct was an
> > > oversight in the two patches already accepted:
> > >         ("audit: use inline function to get audit context")
> > >         ("audit: use inline function to get audit context")
> > > that failed to hide or remove it from struct task_struct when it
> > was no longer
> > > relevant.
> >
> > Okay, in that case let's pull this out and fix this separately from
> > the audit container ID patchset.
> >
> > > On further digging, loginuid and sessionid (and
> > audit_log_session_info) should
> > > be part of CONFIG_AUDIT scope and not CONFIG_AUDITSYSCALL since
> > it is used in
> > > CONFIG_CHANGE, ANOM_LINK, FEATURE_CHANGE(, INTEGRITY_RULE), none
> > of which are
> > > otherwise dependent on AUDITSYSCALL.
> >
> > This looks like something else we should fix independently from this patchset.
> >
> > > Looking ahead, contid should be treated like loginuid and
> > sessionid, which are
> > > currently only available when syscall auditting is.
> >
> > That seems reasonable.  Eventually it would be great if we got rid of
> > CONFIG_AUDITSYSCALL, but that is a separate issue, and something that
> > is going to require work from the different arch/ABI folks to ensure
> > everything is working properly.
> >
> > > Converting records from standalone to syscall and checking
> > audit_dummy_context
> > > changes the nature of CONFIG_AUDIT/!CONFIG_AUDITSYSCALL separation.
> > > eg: ANOM_LINK accompanied by PATH record (which needed CWD addition to be
> > > complete anyways)
> > >
> > > > > diff --git a/init/main.c b/init/main.c
> > > > > index 3b4ada1..6aba171 100644
> > > > > --- a/init/main.c
> > > > > +++ b/init/main.c
> > > > > @@ -92,6 +92,7 @@
> > > > >  #include <linux rodata_test.h="">
> > > > >  #include <linux jump_label.h="">
> > > > >  #include <linux mem_encrypt.h="">
> > > > > +#include <linux audit.h="">
> > > > >
> > > > >  #include <asm io.h="">
> > > > >  #include <asm bugs.h="">
> > > > > @@ -721,6 +722,7 @@ asmlinkage __visible void __init
> > start_kernel(void)
> > > > >         nsfs_init();
> > > > >         cpuset_init();
> > > > >         cgroup_init();
> > > > > +       audit_task_init();
> > > > >         taskstats_init_early();
> > > > >         delayacct_init();
> > > >
> > > > It seems like we would need either init_struct_audit or
> > > > audit_task_init(), but not both, yes?
> > >
> > > One sets initial values of init task via an included struct,
> > other makes a call
> > > to create the kmem cache.  Both seem appropriate to me unless we move the
> > > initialization from a struct to assignments in audit_task_init(),
> > but I'm not
> > > that comfortable separating the audit init values from the rest of the
> > > task_struct init task initializers (though there are other
> > subsystems that need
> > > to do so dynamically).
> >
> > My original thinking was focused on the use of init_struct_audit as an
> > initializer when audit_task_init() was already creating a kmem_cache
> > pool and a zero'd/init'd audit_task_info could be obtained via the
> > usual kmem_cache functions.  Alternatively, although I don't believe
> > it would be recommended for this case, would be to use
> > init_struct_audit as an init helper if we included the audit_task_info
> > struct directly in the task_struct, as opposed to a pointer.  What I
> > missed was the simple fact that you're only using init_struct_audit
> > for the init_task, which pretty much makes my original question rather
> > silly :)
> >
> > --
> > paul moore
> > www.paul-moore.com
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635



-- 
paul moore
www.paul-moore.com

More information about the Linux-audit mailing list