Re: [PATCH v19 20/23] Audit: Add new record for multiple process LSM attributes

On 7/24/20 4:32 PM, Casey Schaufler wrote:

Create a new audit record type to contain the subject information
when there are multiple security modules that require such data.
This record is linked with the same timestamp and serial number.
The record is produced only in cases where there is more than one
security module with a process "context".

Before this change the only audit events that required multiple
records were syscall events. Several non-syscall events include
subject contexts, so the use of audit_context data has been expanded
as necessary.

Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
Cc: linux-audit@xxxxxxxxxx
---
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index c7d213c9f9d8..930432c3912e 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -672,11 +672,13 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
if (audit_enabled == AUDIT_OFF)
  		return NULL;
+	audit_stamp_context(audit_context());
  	audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
  				    AUDIT_MAC_IPSEC_EVENT);
  	if (audit_buf == NULL)
  		return NULL;
  	audit_log_format(audit_buf, "op=%s", op);
+	audit_log_lsm(NULL, false);
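Review bot: the added audit_log_lsm(NULL, false) call carries no allocation flags even though the audit_log_start() two lines above it has to use GFP_ATOMIC, so xfrm_audit_start() is evidently reachable from non-sleeping context and the callee has no way to know it must not sleep; either pass the gfp_t through (e.g. `audit_log_lsm(NULL, false, GFP_ATOMIC)`) or state in the function's documentation that audit_log_lsm() always allocates atomically. Two smaller points on the same hunk: audit_stamp_context(audit_context()) runs unconditionally before audit_log_start(), and since audit_stamp_context() is not shown here it should be confirmed that it tolerates the NULL context a task without syscall auditing gets, and that stamping is harmless when audit_log_start() then fails and returns NULL; and the bare `NULL, false` arguments are opaque at the call site, so a short comment saying what a NULL first argument and a false second argument select would help the next reader.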

Notice that the audit_log_start() call above specified GFP_ATOMIC. But your audit_log_lsm() uses GFP_KERNEL. You'll either need to always use GFP_ATOMIC in audit_log_lsm() or pass in the gfp flags there.  Make sure you test with CONFIG_DEBUG_ATOMIC_SLEEP=y and check your dmesg output.