On Thu, Nov 1, 2018 at 6:07 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > On 2018-10-19 19:15, Paul Moore wrote: > > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > > > The audit-related parameters in struct task_struct should ideally be > > > collected together and accessed through a standard audit API. > > > > > > Collect the existing loginuid, sessionid and audit_context together in a > > > new struct audit_task_info called "audit" in struct task_struct. > > > > > > Use kmem_cache to manage this pool of memory. > > > Un-inline audit_free() to be able to always recover that memory. > > > > > > See: https://github.com/linux-audit/audit-kernel/issues/81 > > > > > > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx> > > > --- > > > include/linux/audit.h | 34 ++++++++++++++++++++++++---------- > > > include/linux/sched.h | 5 +---- > > > init/init_task.c | 3 +-- > > > init/main.c | 2 ++ > > > kernel/auditsc.c | 51 ++++++++++++++++++++++++++++++++++++++++++--------- > > > kernel/fork.c | 4 +++- > > > 6 files changed, 73 insertions(+), 26 deletions(-) > > > > ... > > > > > diff --git a/include/linux/sched.h b/include/linux/sched.h > > > index 87bf02d..e117272 100644 > > > --- a/include/linux/sched.h > > > +++ b/include/linux/sched.h > > > @@ -873,10 +872,8 @@ struct task_struct { > > > > > > struct callback_head *task_works; > > > > > > - struct audit_context *audit_context; > > > #ifdef CONFIG_AUDITSYSCALL > > > - kuid_t loginuid; > > > - unsigned int sessionid; > > > + struct audit_task_info *audit; > > > #endif > > > struct seccomp seccomp; > > > > Prior to this patch audit_context was available regardless of > > CONFIG_AUDITSYSCALL, after this patch the corresponding audit_context > > is only available when CONFIG_AUDITSYSCALL is defined. > > This was intentional since audit_context is not used when AUDITSYSCALL is > disabled. audit_alloc() was stubbed in that case to return 0. audit_context() > returned NULL. > > The fact that audit_context was still present in struct task_struct was an > oversight in the two patches already accepted: > ("audit: use inline function to get audit context") > ("audit: use inline function to get audit context") > that failed to hide or remove it from struct task_struct when it was no longer > relevant. Okay, in that case let's pull this out and fix this separately from the audit container ID patchset. > On further digging, loginuid and sessionid (and audit_log_session_info) should > be part of CONFIG_AUDIT scope and not CONFIG_AUDITSYSCALL since it is used in > CONFIG_CHANGE, ANOM_LINK, FEATURE_CHANGE(, INTEGRITY_RULE), none of which are > otherwise dependent on AUDITSYSCALL. This looks like something else we should fix independently from this patchset. > Looking ahead, contid should be treated like loginuid and sessionid, which are > currently only available when syscall auditting is. That seems reasonable. Eventually it would be great if we got rid of CONFIG_AUDITSYSCALL, but that is a separate issue, and something that is going to require work from the different arch/ABI folks to ensure everything is working properly. > Converting records from standalone to syscall and checking audit_dummy_context > changes the nature of CONFIG_AUDIT/!CONFIG_AUDITSYSCALL separation. > eg: ANOM_LINK accompanied by PATH record (which needed CWD addition to be > complete anyways) > > > > diff --git a/init/main.c b/init/main.c > > > index 3b4ada1..6aba171 100644 > > > --- a/init/main.c > > > +++ b/init/main.c > > > @@ -92,6 +92,7 @@ > > > #include <linux rodata_test.h=""> > > > #include <linux jump_label.h=""> > > > #include <linux mem_encrypt.h=""> > > > +#include <linux audit.h=""> > > > > > > #include <asm io.h=""> > > > #include <asm bugs.h=""> > > > @@ -721,6 +722,7 @@ asmlinkage __visible void __init start_kernel(void) > > > nsfs_init(); > > > cpuset_init(); > > > cgroup_init(); > > > + audit_task_init(); > > > taskstats_init_early(); > > > delayacct_init(); > > > > It seems like we would need either init_struct_audit or > > audit_task_init(), but not both, yes? > > One sets initial values of init task via an included struct, other makes a call > to create the kmem cache. Both seem appropriate to me unless we move the > initialization from a struct to assignments in audit_task_init(), but I'm not > that comfortable separating the audit init values from the rest of the > task_struct init task initializers (though there are other subsystems that need > to do so dynamically). My original thinking was focused on the use of init_struct_audit as an initializer when audit_task_init() was already creating a kmem_cache pool and a zero'd/init'd audit_task_info could be obtained via the usual kmem_cache functions. Alternatively, although I don't believe it would be recommended for this case, would be to use init_struct_audit as an init helper if we included the audit_task_info struct directly in the task_struct, as opposed to a pointer. What I missed was the simple fact that you're only using init_struct_audit for the init_task, which pretty much makes my original question rather silly :) -- paul moore www.paul-moore.com
