[PATCH 11/22] Audit: make audit_ever_enabled per user namespace

From: Gao feng
Date: Tue Jun 18 2013 - 21:58:43 EST


audit_ever_enabled is set to true once audit has been enabled,
and while audit_ever_enabled is true we allocate an audit
context for each new task.

We should decide if to allocate audit context for tasks based on
if the audit is enabled once in the user namespace which the
task belongs to.

Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
---
include/linux/user_namespace.h | 1 +
kernel/audit.c | 7 +++----
kernel/auditsc.c | 5 ++++-
3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 9972f0f..a2c0a79 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -27,6 +27,7 @@ struct audit_ctrl {
struct sk_buff_head queue;
struct sk_buff_head hold_queue;
struct task_struct *kauditd_task;
+ bool ever_enabled;
};
#endif
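Review bot: The new `ever_enabled` member carries no comment stating its contract, and this patch only ever ORs into it and never clears it, which a reader of the header cannot tell. I would document it at the declaration: `bool ever_enabled; /* set once auditing has been enabled in this namespace; never cleared */`. struct audit_ctrl begins before this hunk.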

diff --git a/kernel/audit.c b/kernel/audit.c
index 758b1e8..923fe27 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -78,7 +78,6 @@ static int audit_initialized;
#define AUDIT_OFF 0
#define AUDIT_ON 1
#define AUDIT_LOCKED 2
-bool audit_ever_enabled;

/* Default state when kernel boots without any parameters. */
static int audit_default;
@@ -313,7 +312,7 @@ static int audit_set_enabled(struct user_namespace *ns, int state)
rc = audit_do_config_change("audit_enabled", &ns->audit.enabled,
state);
if (!rc)
- audit_ever_enabled |= !!state;
+ ns->audit.ever_enabled |= !!state;

return rc;
}
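Review bot: The global `audit_ever_enabled` is removed from kernel/audit.c in the hunk above, but the diffstat does not touch include/linux/audit.h, where the declaration that kernel/auditsc.c used until now presumably lives; if that header still carries `extern bool audit_ever_enabled;`, it is now a declaration without a definition and should be dropped in this same patch. The `|=` on `ns->audit.ever_enabled` here is fine, since audit_set_enabled runs on an already-initialised namespace.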
@@ -965,7 +964,6 @@ static int __init audit_init(void)

audit_set_user_ns(&init_user_ns);
audit_initialized = AUDIT_INITIALIZED;
- audit_ever_enabled |= !!audit_default;

audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");

@@ -987,7 +985,7 @@ static int __init audit_enable(char *str)

if (audit_initialized == AUDIT_INITIALIZED) {
init_user_ns.audit.enabled = audit_default;
- audit_ever_enabled |= !!audit_default;
+ init_user_ns.audit.ever_enabled |= !!audit_default;
} else if (audit_initialized == AUDIT_UNINITIALIZED) {
printk(" (after initialization)");
} else {
@@ -1792,6 +1790,7 @@ void audit_set_user_ns(struct user_namespace *ns)
skb_queue_head_init(&ns->audit.queue);
skb_queue_head_init(&ns->audit.hold_queue);
ns->audit.enabled = audit_default;
+ ns->audit.ever_enabled |= !!audit_default;
}

void audit_free_user_ns(struct user_namespace *ns)
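Review bot: `ns->audit.ever_enabled |= !!audit_default;` reads the field before anything in this function has written it, so for a freshly created namespace it is only correct if the enclosing user_namespace was zero-allocated, whereas `enabled` on the line above is assigned outright. Since audit_set_user_ns is the initialisation path, a plain `ns->audit.ever_enabled = !!audit_default;` states the intent without depending on the allocator, unless some caller sets the flag before audit_set_user_ns runs, which I cannot see from here. audit_set_user_ns begins outside this hunk.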
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 8ba8684..3fa69cb 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -938,8 +938,11 @@ int audit_alloc(struct task_struct *tsk)
struct audit_context *context;
enum audit_state state;
char *key = NULL;
+ struct user_namespace *ns = current_user_ns();
+ /* Use current_user_ns, since this new task may run
+ * in new user namespace */

- if (likely(!audit_ever_enabled))
+ if (likely(!ns->audit.ever_enabled))
return 0; /* Return if not auditing. */

state = audit_filter_task(tsk, &key);
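Review bot: The added comment says the new task may run in a new user namespace, yet `current_user_ns()` is the namespace of the parent performing the clone, not the child's; if the child's credentials have already been installed on `tsk` by the time audit_alloc runs (CLONE_NEWUSER), the check consults the parent's `ever_enabled` while the task will live under a namespace whose flag may differ, so the decision to allocate an audit context follows the wrong namespace. If the parent's namespace is deliberately the one to consult, the comment should say so and why; otherwise the namespace should come from tsk's credentials. Independently, kernel style puts the comment above the declaration it explains, formatted as `/*` / ` * ...` / ` */`, rather than after `char *key = NULL;`. audit_alloc begins and continues outside this hunk.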
--
1.8.1.4
