aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul Moore <paul@paul-moore.com>2017-03-21 11:26:35 -0400
committerPaul Moore <paul@paul-moore.com>2017-03-21 11:26:35 -0400
commit5b52330bbfe63b3305765354d6046c9f7f89c011 (patch)
tree3c2d52604b0a886f521ee5dc7c4445990dfbc3cd
parent97da3854c526d3a6ee05c849c96e48d21527606c (diff)
audit: fix auditd/kernel connection state tracking
What started as a rather straightforward race condition reported by Dmitry using the syzkaller fuzzer ended up revealing some major problems with how the audit subsystem managed its netlink sockets and its connection with the userspace audit daemon. Fixing this properly had quite the cascading effect and what we are left with is this rather large and complicated patch. My initial goal was to try and decompose this patch into multiple smaller patches, but the way these changes are intertwined makes it difficult to split these changes into meaningful pieces that don't break or somehow make things worse for the intermediate states. The patch makes a number of changes, but the most significant are highlighted below: * The auditd tracking variables, e.g. audit_sock, are now gone and replaced by a RCU/spin_lock protected variable auditd_conn which is a structure containing all of the auditd tracking information. * We no longer track the auditd sock directly, instead we track it via the network namespace in which it resides and we use the audit socket associated with that namespace. In spirit, this is what the code was trying to do prior to this patch (at least I think that is what the original authors intended), but it was done rather poorly and added a layer of obfuscation that only masked the underlying problems. * Big backlog queue cleanup, again. In v4.10 we made some pretty big changes to how the audit backlog queues work, here we haven't changed the queue design so much as cleaned up the implementation. Brought about by the locking changes, we've simplified kauditd_thread() quite a bit by consolidating the queue handling into a new helper function, kauditd_send_queue(), which allows us to eliminate a lot of very similar code and makes the looping logic in kauditd_thread() clearer. * All netlink messages sent to auditd are now sent via auditd_send_unicast_skb(). Other than just making sense, this makes the lock handling easier. * Change the audit_log_start() sleep behavior so that we never sleep on auditd events (unchanged) or if the caller is holding the audit_cmd_mutex (changed). Previously we didn't sleep if the caller was auditd or if the message type fell between a certain range; the type check was a poor effort of doing what the cmd_mutex check now does. Richard Guy Briggs originally proposed not sleeping the cmd_mutex owner several years ago but his patch wasn't acceptable at the time. At least the idea lives on here. * A problem with the lost record counter has been resolved. Steve Grubb and I both happened to notice this problem and according to some quick testing by Steve, this problem goes back quite some time. It's largely a harmless problem, although it may have left some careful sysadmins quite puzzled. Cc: <stable@vger.kernel.org> # 4.10.x- Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat
-rw-r--r--kernel/audit.c639
-rw-r--r--kernel/audit.h9
-rw-r--r--kernel/auditsc.c6
3 files changed, 399 insertions, 255 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index e794544f5e63..2f4964cfde0b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -54,6 +54,10 @@
54#include <linux/kthread.h> 54#include <linux/kthread.h>
55#include <linux/kernel.h> 55#include <linux/kernel.h>
56#include <linux/syscalls.h> 56#include <linux/syscalls.h>
57#include <linux/spinlock.h>
58#include <linux/rcupdate.h>
59#include <linux/mutex.h>
60#include <linux/gfp.h>
57 61
58#include <linux/audit.h> 62#include <linux/audit.h>
59 63
@@ -90,13 +94,34 @@ static u32 audit_default;
90/* If auditing cannot proceed, audit_failure selects what happens. */ 94/* If auditing cannot proceed, audit_failure selects what happens. */
91static u32 audit_failure = AUDIT_FAIL_PRINTK; 95static u32 audit_failure = AUDIT_FAIL_PRINTK;
92 96
93/* 97/* private audit network namespace index */
94 * If audit records are to be written to the netlink socket, audit_pid 98static unsigned int audit_net_id;
95 * contains the pid of the auditd process and audit_nlk_portid contains 99
96 * the portid to use to send netlink messages to that process. 100/**
101 * struct audit_net - audit private network namespace data
102 * @sk: communication socket
103 */
104struct audit_net {
105 struct sock *sk;
106};
107
108/**
109 * struct auditd_connection - kernel/auditd connection state
110 * @pid: auditd PID
111 * @portid: netlink portid
112 * @net: the associated network namespace
113 * @lock: spinlock to protect write access
114 *
115 * Description:
116 * This struct is RCU protected; you must either hold the RCU lock for reading
117 * or the included spinlock for writing.
97 */ 118 */
98int audit_pid; 119static struct auditd_connection {
99static __u32 audit_nlk_portid; 120 int pid;
121 u32 portid;
122 struct net *net;
123 spinlock_t lock;
124} auditd_conn;
100 125
101/* If audit_rate_limit is non-zero, limit the rate of sending audit records 126/* If audit_rate_limit is non-zero, limit the rate of sending audit records
102 * to that number per second. This prevents DoS attacks, but results in 127 * to that number per second. This prevents DoS attacks, but results in
@@ -123,10 +148,6 @@ u32 audit_sig_sid = 0;
123*/ 148*/
124static atomic_t audit_lost = ATOMIC_INIT(0); 149static atomic_t audit_lost = ATOMIC_INIT(0);
125 150
126/* The netlink socket. */
127static struct sock *audit_sock;
128static unsigned int audit_net_id;
129
130/* Hash for inode-based rules */ 151/* Hash for inode-based rules */
131struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS]; 152struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
132 153
@@ -139,6 +160,7 @@ static LIST_HEAD(audit_freelist);
139 160
140/* queue msgs to send via kauditd_task */ 161/* queue msgs to send via kauditd_task */
141static struct sk_buff_head audit_queue; 162static struct sk_buff_head audit_queue;
163static void kauditd_hold_skb(struct sk_buff *skb);
142/* queue msgs due to temporary unicast send problems */ 164/* queue msgs due to temporary unicast send problems */
143static struct sk_buff_head audit_retry_queue; 165static struct sk_buff_head audit_retry_queue;
144/* queue msgs waiting for new auditd connection */ 166/* queue msgs waiting for new auditd connection */
@@ -192,6 +214,43 @@ struct audit_reply {
192 struct sk_buff *skb; 214 struct sk_buff *skb;
193}; 215};
194 216
217/**
218 * auditd_test_task - Check to see if a given task is an audit daemon
219 * @task: the task to check
220 *
221 * Description:
222 * Return 1 if the task is a registered audit daemon, 0 otherwise.
223 */
224int auditd_test_task(const struct task_struct *task)
225{
226 int rc;
227
228 rcu_read_lock();
229 rc = (auditd_conn.pid && task->tgid == auditd_conn.pid ? 1 : 0);
230 rcu_read_unlock();
231
232 return rc;
233}
234
235/**
236 * audit_get_sk - Return the audit socket for the given network namespace
237 * @net: the destination network namespace
238 *
239 * Description:
240 * Returns the sock pointer if valid, NULL otherwise. The caller must ensure
241 * that a reference is held for the network namespace while the sock is in use.
242 */
243static struct sock *audit_get_sk(const struct net *net)
244{
245 struct audit_net *aunet;
246
247 if (!net)
248 return NULL;
249
250 aunet = net_generic(net, audit_net_id);
251 return aunet->sk;
252}
253
195static void audit_set_portid(struct audit_buffer *ab, __u32 portid) 254static void audit_set_portid(struct audit_buffer *ab, __u32 portid)
196{ 255{
197 if (ab) { 256 if (ab) {
@@ -210,9 +269,7 @@ void audit_panic(const char *message)
210 pr_err("%s\n", message); 269 pr_err("%s\n", message);
211 break; 270 break;
212 case AUDIT_FAIL_PANIC: 271 case AUDIT_FAIL_PANIC:
213 /* test audit_pid since printk is always losey, why bother? */ 272 panic("audit: %s\n", message);
214 if (audit_pid)
215 panic("audit: %s\n", message);
216 break; 273 break;
217 } 274 }
218} 275}
@@ -370,21 +427,87 @@ static int audit_set_failure(u32 state)
370 return audit_do_config_change("audit_failure", &audit_failure, state); 427 return audit_do_config_change("audit_failure", &audit_failure, state);
371} 428}
372 429
373/* 430/**
374 * For one reason or another this nlh isn't getting delivered to the userspace 431 * auditd_set - Set/Reset the auditd connection state
375 * audit daemon, just send it to printk. 432 * @pid: auditd PID
433 * @portid: auditd netlink portid
434 * @net: auditd network namespace pointer
435 *
436 * Description:
437 * This function will obtain and drop network namespace references as
438 * necessary.
439 */
440static void auditd_set(int pid, u32 portid, struct net *net)
441{
442 unsigned long flags;
443
444 spin_lock_irqsave(&auditd_conn.lock, flags);
445 auditd_conn.pid = pid;
446 auditd_conn.portid = portid;
447 if (auditd_conn.net)
448 put_net(auditd_conn.net);
449 if (net)
450 auditd_conn.net = get_net(net);
451 else
452 auditd_conn.net = NULL;
453 spin_unlock_irqrestore(&auditd_conn.lock, flags);
454}
455
456/**
457 * auditd_reset - Disconnect the auditd connection
458 *
459 * Description:
460 * Break the auditd/kauditd connection and move all the queued records into the
461 * hold queue in case auditd reconnects.
462 */
463static void auditd_reset(void)
464{
465 struct sk_buff *skb;
466
467 /* if it isn't already broken, break the connection */
468 rcu_read_lock();
469 if (auditd_conn.pid)
470 auditd_set(0, 0, NULL);
471 rcu_read_unlock();
472
473 /* flush all of the main and retry queues to the hold queue */
474 while ((skb = skb_dequeue(&audit_retry_queue)))
475 kauditd_hold_skb(skb);
476 while ((skb = skb_dequeue(&audit_queue)))
477 kauditd_hold_skb(skb);
478}
479
480/**
481 * kauditd_print_skb - Print the audit record to the ring buffer
482 * @skb: audit record
483 *
484 * Whatever the reason, this packet may not make it to the auditd connection
485 * so write it via printk so the information isn't completely lost.
376 */ 486 */
377static void kauditd_printk_skb(struct sk_buff *skb) 487static void kauditd_printk_skb(struct sk_buff *skb)
378{ 488{
379 struct nlmsghdr *nlh = nlmsg_hdr(skb); 489 struct nlmsghdr *nlh = nlmsg_hdr(skb);
380 char *data = nlmsg_data(nlh); 490 char *data = nlmsg_data(nlh);
381 491
382 if (nlh->nlmsg_type != AUDIT_EOE) { 492 if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
383 if (printk_ratelimit()) 493 pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
384 pr_notice("type=%d %s\n", nlh->nlmsg_type, data); 494}
385 else 495
386 audit_log_lost("printk limit exceeded"); 496/**
387 } 497 * kauditd_rehold_skb - Handle a audit record send failure in the hold queue
498 * @skb: audit record
499 *
500 * Description:
501 * This should only be used by the kauditd_thread when it fails to flush the
502 * hold queue.
503 */
504static void kauditd_rehold_skb(struct sk_buff *skb)
505{
506 /* put the record back in the queue at the same place */
507 skb_queue_head(&audit_hold_queue, skb);
508
509 /* fail the auditd connection */
510 auditd_reset();
388} 511}
389 512
390/** 513/**
@@ -421,6 +544,9 @@ static void kauditd_hold_skb(struct sk_buff *skb)
421 /* we have no other options - drop the message */ 544 /* we have no other options - drop the message */
422 audit_log_lost("kauditd hold queue overflow"); 545 audit_log_lost("kauditd hold queue overflow");
423 kfree_skb(skb); 546 kfree_skb(skb);
547
548 /* fail the auditd connection */
549 auditd_reset();
424} 550}
425 551
426/** 552/**
@@ -441,51 +567,122 @@ static void kauditd_retry_skb(struct sk_buff *skb)
441} 567}
442 568
443/** 569/**
444 * auditd_reset - Disconnect the auditd connection 570 * auditd_send_unicast_skb - Send a record via unicast to auditd
571 * @skb: audit record
445 * 572 *
446 * Description: 573 * Description:
447 * Break the auditd/kauditd connection and move all the records in the retry 574 * Send a skb to the audit daemon, returns positive/zero values on success and
448 * queue into the hold queue in case auditd reconnects. The audit_cmd_mutex 575 * negative values on failure; in all cases the skb will be consumed by this
449 * must be held when calling this function. 576 * function. If the send results in -ECONNREFUSED the connection with auditd
577 * will be reset. This function may sleep so callers should not hold any locks
578 * where this would cause a problem.
450 */ 579 */
451static void auditd_reset(void) 580static int auditd_send_unicast_skb(struct sk_buff *skb)
452{ 581{
453 struct sk_buff *skb; 582 int rc;
454 583 u32 portid;
455 /* break the connection */ 584 struct net *net;
456 if (audit_sock) { 585 struct sock *sk;
457 sock_put(audit_sock); 586
458 audit_sock = NULL; 587 /* NOTE: we can't call netlink_unicast while in the RCU section so
588 * take a reference to the network namespace and grab local
589 * copies of the namespace, the sock, and the portid; the
590 * namespace and sock aren't going to go away while we hold a
591 * reference and if the portid does become invalid after the RCU
592 * section netlink_unicast() should safely return an error */
593
594 rcu_read_lock();
595 if (!auditd_conn.pid) {
596 rcu_read_unlock();
597 rc = -ECONNREFUSED;
598 goto err;
459 } 599 }
460 audit_pid = 0; 600 net = auditd_conn.net;
461 audit_nlk_portid = 0; 601 get_net(net);
602 sk = audit_get_sk(net);
603 portid = auditd_conn.portid;
604 rcu_read_unlock();
462 605
463 /* flush all of the retry queue to the hold queue */ 606 rc = netlink_unicast(sk, skb, portid, 0);
464 while ((skb = skb_dequeue(&audit_retry_queue))) 607 put_net(net);
465 kauditd_hold_skb(skb); 608 if (rc < 0)
609 goto err;
610
611 return rc;
612
613err:
614 if (rc == -ECONNREFUSED)
615 auditd_reset();
616 return rc;
466} 617}
467 618
468/** 619/**
469 * kauditd_send_unicast_skb - Send a record via unicast to auditd 620 * kauditd_send_queue - Helper for kauditd_thread to flush skb queues
470 * @skb: audit record 621 * @sk: the sending sock
622 * @portid: the netlink destination
623 * @queue: the skb queue to process
624 * @retry_limit: limit on number of netlink unicast failures
625 * @skb_hook: per-skb hook for additional processing
626 * @err_hook: hook called if the skb fails the netlink unicast send
627 *
628 * Description:
629 * Run through the given queue and attempt to send the audit records to auditd,
630 * returns zero on success, negative values on failure. It is up to the caller
631 * to ensure that the @sk is valid for the duration of this function.
632 *
471 */ 633 */
472static int kauditd_send_unicast_skb(struct sk_buff *skb) 634static int kauditd_send_queue(struct sock *sk, u32 portid,
635 struct sk_buff_head *queue,
636 unsigned int retry_limit,
637 void (*skb_hook)(struct sk_buff *skb),
638 void (*err_hook)(struct sk_buff *skb))
473{ 639{
474 int rc; 640 int rc = 0;
641 struct sk_buff *skb;
642 static unsigned int failed = 0;
475 643
476 /* if we know nothing is connected, don't even try the netlink call */ 644 /* NOTE: kauditd_thread takes care of all our locking, we just use
477 if (!audit_pid) 645 * the netlink info passed to us (e.g. sk and portid) */
478 return -ECONNREFUSED; 646
647 while ((skb = skb_dequeue(queue))) {
648 /* call the skb_hook for each skb we touch */
649 if (skb_hook)
650 (*skb_hook)(skb);
651
652 /* can we send to anyone via unicast? */
653 if (!sk) {
654 if (err_hook)
655 (*err_hook)(skb);
656 continue;
657 }
479 658
480 /* get an extra skb reference in case we fail to send */ 659 /* grab an extra skb reference in case of error */
481 skb_get(skb); 660 skb_get(skb);
482 rc = netlink_unicast(audit_sock, skb, audit_nlk_portid, 0); 661 rc = netlink_unicast(sk, skb, portid, 0);
483 if (rc >= 0) { 662 if (rc < 0) {
484 consume_skb(skb); 663 /* fatal failure for our queue flush attempt? */
485 rc = 0; 664 if (++failed >= retry_limit ||
665 rc == -ECONNREFUSED || rc == -EPERM) {
666 /* yes - error processing for the queue */
667 sk = NULL;
668 if (err_hook)
669 (*err_hook)(skb);
670 if (!skb_hook)
671 goto out;
672 /* keep processing with the skb_hook */
673 continue;
674 } else
675 /* no - requeue to preserve ordering */
676 skb_queue_head(queue, skb);
677 } else {
678 /* it worked - drop the extra reference and continue */
679 consume_skb(skb);
680 failed = 0;
681 }
486 } 682 }
487 683
488 return rc; 684out:
685 return (rc >= 0 ? 0 : rc);
489} 686}
490 687
491/* 688/*
@@ -493,16 +690,19 @@ static int kauditd_send_unicast_skb(struct sk_buff *skb)
493 * @skb: audit record 690 * @skb: audit record
494 * 691 *
495 * Description: 692 * Description:
496 * This function doesn't consume an skb as might be expected since it has to 693 * Write a multicast message to anyone listening in the initial network
497 * copy it anyways. 694 * namespace. This function doesn't consume an skb as might be expected since
695 * it has to copy it anyways.
498 */ 696 */
499static void kauditd_send_multicast_skb(struct sk_buff *skb) 697static void kauditd_send_multicast_skb(struct sk_buff *skb)
500{ 698{
501 struct sk_buff *copy; 699 struct sk_buff *copy;
502 struct audit_net *aunet = net_generic(&init_net, audit_net_id); 700 struct sock *sock = audit_get_sk(&init_net);
503 struct sock *sock = aunet->nlsk;
504 struct nlmsghdr *nlh; 701 struct nlmsghdr *nlh;
505 702
703 /* NOTE: we are not taking an additional reference for init_net since
704 * we don't have to worry about it going away */
705
506 if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG)) 706 if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG))
507 return; 707 return;
508 708
@@ -526,149 +726,75 @@ static void kauditd_send_multicast_skb(struct sk_buff *skb)
526} 726}
527 727
528/** 728/**
529 * kauditd_wake_condition - Return true when it is time to wake kauditd_thread 729 * kauditd_thread - Worker thread to send audit records to userspace
530 * 730 * @dummy: unused
531 * Description:
532 * This function is for use by the wait_event_freezable() call in
533 * kauditd_thread().
534 */ 731 */
535static int kauditd_wake_condition(void)
536{
537 static int pid_last = 0;
538 int rc;
539 int pid = audit_pid;
540
541 /* wake on new messages or a change in the connected auditd */
542 rc = skb_queue_len(&audit_queue) || (pid && pid != pid_last);
543 if (rc)
544 pid_last = pid;
545
546 return rc;
547}
548
549static int kauditd_thread(void *dummy) 732static int kauditd_thread(void *dummy)
550{ 733{
551 int rc; 734 int rc;
552 int auditd = 0; 735 u32 portid = 0;
553 int reschedule = 0; 736 struct net *net = NULL;
554 struct sk_buff *skb; 737 struct sock *sk = NULL;
555 struct nlmsghdr *nlh;
556 738
557#define UNICAST_RETRIES 5 739#define UNICAST_RETRIES 5
558#define AUDITD_BAD(x,y) \
559 ((x) == -ECONNREFUSED || (x) == -EPERM || ++(y) >= UNICAST_RETRIES)
560
561 /* NOTE: we do invalidate the auditd connection flag on any sending
562 * errors, but we only "restore" the connection flag at specific places
563 * in the loop in order to help ensure proper ordering of audit
564 * records */
565 740
566 set_freezable(); 741 set_freezable();
567 while (!kthread_should_stop()) { 742 while (!kthread_should_stop()) {
568 /* NOTE: possible area for future improvement is to look at 743 /* NOTE: see the lock comments in auditd_send_unicast_skb() */
569 * the hold and retry queues, since only this thread 744 rcu_read_lock();
570 * has access to these queues we might be able to do 745 if (!auditd_conn.pid) {
571 * our own queuing and skip some/all of the locking */ 746 rcu_read_unlock();
572 747 goto main_queue;
573 /* NOTE: it might be a fun experiment to split the hold and 748 }
574 * retry queue handling to another thread, but the 749 net = auditd_conn.net;
575 * synchronization issues and other overhead might kill 750 get_net(net);
576 * any performance gains */ 751 sk = audit_get_sk(net);
752 portid = auditd_conn.portid;
753 rcu_read_unlock();
577 754
578 /* attempt to flush the hold queue */ 755 /* attempt to flush the hold queue */
579 while (auditd && (skb = skb_dequeue(&audit_hold_queue))) { 756 rc = kauditd_send_queue(sk, portid,
580 rc = kauditd_send_unicast_skb(skb); 757 &audit_hold_queue, UNICAST_RETRIES,
581 if (rc) { 758 NULL, kauditd_rehold_skb);
582 /* requeue to the same spot */ 759 if (rc < 0) {
583 skb_queue_head(&audit_hold_queue, skb); 760 sk = NULL;
584 761 goto main_queue;
585 auditd = 0;
586 if (AUDITD_BAD(rc, reschedule)) {
587 mutex_lock(&audit_cmd_mutex);
588 auditd_reset();
589 mutex_unlock(&audit_cmd_mutex);
590 reschedule = 0;
591 }
592 } else
593 /* we were able to send successfully */
594 reschedule = 0;
595 } 762 }
596 763
597 /* attempt to flush the retry queue */ 764 /* attempt to flush the retry queue */
598 while (auditd && (skb = skb_dequeue(&audit_retry_queue))) { 765 rc = kauditd_send_queue(sk, portid,
599 rc = kauditd_send_unicast_skb(skb); 766 &audit_retry_queue, UNICAST_RETRIES,
600 if (rc) { 767 NULL, kauditd_hold_skb);
601 auditd = 0; 768 if (rc < 0) {
602 if (AUDITD_BAD(rc, reschedule)) { 769 sk = NULL;
603 kauditd_hold_skb(skb); 770 goto main_queue;
604 mutex_lock(&audit_cmd_mutex);
605 auditd_reset();
606 mutex_unlock(&audit_cmd_mutex);
607 reschedule = 0;
608 } else
609 /* temporary problem (we hope), queue
610 * to the same spot and retry */
611 skb_queue_head(&audit_retry_queue, skb);
612 } else
613 /* we were able to send successfully */
614 reschedule = 0;
615 } 771 }
616 772
617 /* standard queue processing, try to be as quick as possible */ 773main_queue:
618quick_loop: 774 /* process the main queue - do the multicast send and attempt
619 skb = skb_dequeue(&audit_queue); 775 * unicast, dump failed record sends to the retry queue; if
620 if (skb) { 776 * sk == NULL due to previous failures we will just do the
621 /* setup the netlink header, see the comments in 777 * multicast send and move the record to the retry queue */
622 * kauditd_send_multicast_skb() for length quirks */ 778 kauditd_send_queue(sk, portid, &audit_queue, 1,
623 nlh = nlmsg_hdr(skb); 779 kauditd_send_multicast_skb,
624 nlh->nlmsg_len = skb->len - NLMSG_HDRLEN; 780 kauditd_retry_skb);
625 781
626 /* attempt to send to any multicast listeners */ 782 /* drop our netns reference, no auditd sends past this line */
627 kauditd_send_multicast_skb(skb); 783 if (net) {
628 784 put_net(net);
629 /* attempt to send to auditd, queue on failure */ 785 net = NULL;
630 if (auditd) {
631 rc = kauditd_send_unicast_skb(skb);
632 if (rc) {
633 auditd = 0;
634 if (AUDITD_BAD(rc, reschedule)) {
635 mutex_lock(&audit_cmd_mutex);
636 auditd_reset();
637 mutex_unlock(&audit_cmd_mutex);
638 reschedule = 0;
639 }
640
641 /* move to the retry queue */
642 kauditd_retry_skb(skb);
643 } else
644 /* everything is working so go fast! */
645 goto quick_loop;
646 } else if (reschedule)
647 /* we are currently having problems, move to
648 * the retry queue */
649 kauditd_retry_skb(skb);
650 else
651 /* dump the message via printk and hold it */
652 kauditd_hold_skb(skb);
653 } else {
654 /* we have flushed the backlog so wake everyone */
655 wake_up(&audit_backlog_wait);
656
657 /* if everything is okay with auditd (if present), go
658 * to sleep until there is something new in the queue
659 * or we have a change in the connected auditd;
660 * otherwise simply reschedule to give things a chance
661 * to recover */
662 if (reschedule) {
663 set_current_state(TASK_INTERRUPTIBLE);
664 schedule();
665 } else
666 wait_event_freezable(kauditd_wait,
667 kauditd_wake_condition());
668
669 /* update the auditd connection status */
670 auditd = (audit_pid ? 1 : 0);
671 } 786 }
787 sk = NULL;
788
789 /* we have processed all the queues so wake everyone */
790 wake_up(&audit_backlog_wait);
791
792 /* NOTE: we want to wake up if there is anything on the queue,
793 * regardless of if an auditd is connected, as we need to
794 * do the multicast send and rotate records from the
795 * main queue to the retry/hold queues */
796 wait_event_freezable(kauditd_wait,
797 (skb_queue_len(&audit_queue) ? 1 : 0));
672 } 798 }
673 799
674 return 0; 800 return 0;
@@ -678,17 +804,16 @@ int audit_send_list(void *_dest)
678{ 804{
679 struct audit_netlink_list *dest = _dest; 805 struct audit_netlink_list *dest = _dest;
680 struct sk_buff *skb; 806 struct sk_buff *skb;
681 struct net *net = dest->net; 807 struct sock *sk = audit_get_sk(dest->net);
682 struct audit_net *aunet = net_generic(net, audit_net_id);
683 808
684 /* wait for parent to finish and send an ACK */ 809 /* wait for parent to finish and send an ACK */
685 mutex_lock(&audit_cmd_mutex); 810 mutex_lock(&audit_cmd_mutex);
686 mutex_unlock(&audit_cmd_mutex); 811 mutex_unlock(&audit_cmd_mutex);
687 812
688 while ((skb = __skb_dequeue(&dest->q)) != NULL) 813 while ((skb = __skb_dequeue(&dest->q)) != NULL)
689 netlink_unicast(aunet->nlsk, skb, dest->portid, 0); 814 netlink_unicast(sk, skb, dest->portid, 0);
690 815
691 put_net(net); 816 put_net(dest->net);
692 kfree(dest); 817 kfree(dest);
693 818
694 return 0; 819 return 0;
@@ -722,16 +847,15 @@ out_kfree_skb:
722static int audit_send_reply_thread(void *arg) 847static int audit_send_reply_thread(void *arg)
723{ 848{
724 struct audit_reply *reply = (struct audit_reply *)arg; 849 struct audit_reply *reply = (struct audit_reply *)arg;
725 struct net *net = reply->net; 850 struct sock *sk = audit_get_sk(reply->net);
726 struct audit_net *aunet = net_generic(net, audit_net_id);
727 851
728 mutex_lock(&audit_cmd_mutex); 852 mutex_lock(&audit_cmd_mutex);
729 mutex_unlock(&audit_cmd_mutex); 853 mutex_unlock(&audit_cmd_mutex);
730 854
731 /* Ignore failure. It'll only happen if the sender goes away, 855 /* Ignore failure. It'll only happen if the sender goes away,
732 because our timeout is set to infinite. */ 856 because our timeout is set to infinite. */
733 netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0); 857 netlink_unicast(sk, reply->skb, reply->portid, 0);
734 put_net(net); 858 put_net(reply->net);
735 kfree(reply); 859 kfree(reply);
736 return 0; 860 return 0;
737} 861}
@@ -949,12 +1073,12 @@ static int audit_set_feature(struct sk_buff *skb)
949 1073
950static int audit_replace(pid_t pid) 1074static int audit_replace(pid_t pid)
951{ 1075{
952 struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0, 1076 struct sk_buff *skb;
953 &pid, sizeof(pid));
954 1077
1078 skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0, &pid, sizeof(pid));
955 if (!skb) 1079 if (!skb)
956 return -ENOMEM; 1080 return -ENOMEM;
957 return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0); 1081 return auditd_send_unicast_skb(skb);
958} 1082}
959 1083
960static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 1084static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
@@ -981,7 +1105,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
981 memset(&s, 0, sizeof(s)); 1105 memset(&s, 0, sizeof(s));
982 s.enabled = audit_enabled; 1106 s.enabled = audit_enabled;
983 s.failure = audit_failure; 1107 s.failure = audit_failure;
984 s.pid = audit_pid; 1108 rcu_read_lock();
1109 s.pid = auditd_conn.pid;
1110 rcu_read_unlock();
985 s.rate_limit = audit_rate_limit; 1111 s.rate_limit = audit_rate_limit;
986 s.backlog_limit = audit_backlog_limit; 1112 s.backlog_limit = audit_backlog_limit;
987 s.lost = atomic_read(&audit_lost); 1113 s.lost = atomic_read(&audit_lost);
@@ -1014,30 +1140,44 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
1014 * from the initial pid namespace, but something 1140 * from the initial pid namespace, but something
1015 * to keep in mind if this changes */ 1141 * to keep in mind if this changes */
1016 int new_pid = s.pid; 1142 int new_pid = s.pid;
1143 pid_t auditd_pid;
1017 pid_t requesting_pid = task_tgid_vnr(current); 1144 pid_t requesting_pid = task_tgid_vnr(current);
1018 1145
1019 if ((!new_pid) && (requesting_pid != audit_pid)) { 1146 /* test the auditd connection */
1020 audit_log_config_change("audit_pid", new_pid, audit_pid, 0); 1147 audit_replace(requesting_pid);
1148
1149 rcu_read_lock();
1150 auditd_pid = auditd_conn.pid;
1151 /* only the current auditd can unregister itself */
1152 if ((!new_pid) && (requesting_pid != auditd_pid)) {
1153 rcu_read_unlock();
1154 audit_log_config_change("audit_pid", new_pid,
1155 auditd_pid, 0);
1021 return -EACCES; 1156 return -EACCES;
1022 } 1157 }
1023 if (audit_pid && new_pid && 1158 /* replacing a healthy auditd is not allowed */
1024 audit_replace(requesting_pid) != -ECONNREFUSED) { 1159 if (auditd_pid && new_pid) {
1025 audit_log_config_change("audit_pid", new_pid, audit_pid, 0); 1160 rcu_read_unlock();
1161 audit_log_config_change("audit_pid", new_pid,
1162 auditd_pid, 0);
1026 return -EEXIST; 1163 return -EEXIST;
1027 } 1164 }
1165 rcu_read_unlock();
1166
1028 if (audit_enabled != AUDIT_OFF) 1167 if (audit_enabled != AUDIT_OFF)
1029 audit_log_config_change("audit_pid", new_pid, audit_pid, 1); 1168 audit_log_config_change("audit_pid", new_pid,
1169 auditd_pid, 1);
1170
1030 if (new_pid) { 1171 if (new_pid) {
1031 if (audit_sock) 1172 /* register a new auditd connection */
1032 sock_put(audit_sock); 1173 auditd_set(new_pid,
1033 audit_pid = new_pid; 1174 NETLINK_CB(skb).portid,
1034 audit_nlk_portid = NETLINK_CB(skb).portid; 1175 sock_net(NETLINK_CB(skb).sk));
1035 sock_hold(skb->sk); 1176 /* try to process any backlog */
1036 audit_sock = skb->sk; 1177 wake_up_interruptible(&kauditd_wait);
1037 } else { 1178 } else
1179 /* unregister the auditd connection */
1038 auditd_reset(); 1180 auditd_reset();
1039 }
1040 wake_up_interruptible(&kauditd_wait);
1041 } 1181 }
1042 if (s.mask & AUDIT_STATUS_RATE_LIMIT) { 1182 if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
1043 err = audit_set_rate_limit(s.rate_limit); 1183 err = audit_set_rate_limit(s.rate_limit);
@@ -1090,7 +1230,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
1090 if (err) 1230 if (err)
1091 break; 1231 break;
1092 } 1232 }
1093 mutex_unlock(&audit_cmd_mutex);
1094 audit_log_common_recv_msg(&ab, msg_type); 1233 audit_log_common_recv_msg(&ab, msg_type);
1095 if (msg_type != AUDIT_USER_TTY) 1234 if (msg_type != AUDIT_USER_TTY)
1096 audit_log_format(ab, " msg='%.*s'", 1235 audit_log_format(ab, " msg='%.*s'",
@@ -1108,7 +1247,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
1108 } 1247 }
1109 audit_set_portid(ab, NETLINK_CB(skb).portid); 1248 audit_set_portid(ab, NETLINK_CB(skb).portid);
1110 audit_log_end(ab); 1249 audit_log_end(ab);
1111 mutex_lock(&audit_cmd_mutex);
1112 } 1250 }
1113 break; 1251 break;
1114 case AUDIT_ADD_RULE: 1252 case AUDIT_ADD_RULE:
@@ -1298,26 +1436,26 @@ static int __net_init audit_net_init(struct net *net)
1298 1436
1299 struct audit_net *aunet = net_generic(net, audit_net_id); 1437 struct audit_net *aunet = net_generic(net, audit_net_id);
1300 1438
1301 aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg); 1439 aunet->sk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
1302 if (aunet->nlsk == NULL) { 1440 if (aunet->sk == NULL) {
1303 audit_panic("cannot initialize netlink socket in namespace"); 1441 audit_panic("cannot initialize netlink socket in namespace");
1304 return -ENOMEM; 1442 return -ENOMEM;
1305 } 1443 }
1306 aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; 1444 aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
1445
1307 return 0; 1446 return 0;
1308} 1447}
1309 1448
1310static void __net_exit audit_net_exit(struct net *net) 1449static void __net_exit audit_net_exit(struct net *net)
1311{ 1450{
1312 struct audit_net *aunet = net_generic(net, audit_net_id); 1451 struct audit_net *aunet = net_generic(net, audit_net_id);
1313 struct sock *sock = aunet->nlsk; 1452
1314 mutex_lock(&audit_cmd_mutex); 1453 rcu_read_lock();
1315 if (sock == audit_sock) 1454 if (net == auditd_conn.net)
1316 auditd_reset(); 1455 auditd_reset();
1317 mutex_unlock(&audit_cmd_mutex); 1456 rcu_read_unlock();
1318 1457
1319 netlink_kernel_release(sock); 1458 netlink_kernel_release(aunet->sk);
1320 aunet->nlsk = NULL;
1321} 1459}
1322 1460
1323static struct pernet_operations audit_net_ops __net_initdata = { 1461static struct pernet_operations audit_net_ops __net_initdata = {
@@ -1335,20 +1473,24 @@ static int __init audit_init(void)
1335 if (audit_initialized == AUDIT_DISABLED) 1473 if (audit_initialized == AUDIT_DISABLED)
1336 return 0; 1474 return 0;
1337 1475
1338 pr_info("initializing netlink subsys (%s)\n", 1476 memset(&auditd_conn, 0, sizeof(auditd_conn));
1339 audit_default ? "enabled" : "disabled"); 1477 spin_lock_init(&auditd_conn.lock);
1340 register_pernet_subsys(&audit_net_ops);
1341 1478
1342 skb_queue_head_init(&audit_queue); 1479 skb_queue_head_init(&audit_queue);
1343 skb_queue_head_init(&audit_retry_queue); 1480 skb_queue_head_init(&audit_retry_queue);
1344 skb_queue_head_init(&audit_hold_queue); 1481 skb_queue_head_init(&audit_hold_queue);
1345 audit_initialized = AUDIT_INITIALIZED;
1346 audit_enabled = audit_default;
1347 audit_ever_enabled |= !!audit_default;
1348 1482
1349 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) 1483 for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
1350 INIT_LIST_HEAD(&audit_inode_hash[i]); 1484 INIT_LIST_HEAD(&audit_inode_hash[i]);
1351 1485
1486 pr_info("initializing netlink subsys (%s)\n",
1487 audit_default ? "enabled" : "disabled");
1488 register_pernet_subsys(&audit_net_ops);
1489
1490 audit_initialized = AUDIT_INITIALIZED;
1491 audit_enabled = audit_default;
1492 audit_ever_enabled |= !!audit_default;
1493
1352 kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd"); 1494 kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
1353 if (IS_ERR(kauditd_task)) { 1495 if (IS_ERR(kauditd_task)) {
1354 int err = PTR_ERR(kauditd_task); 1496 int err = PTR_ERR(kauditd_task);
@@ -1519,20 +1661,16 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1519 if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE))) 1661 if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
1520 return NULL; 1662 return NULL;
1521 1663
1522 /* don't ever fail/sleep on these two conditions: 1664 /* NOTE: don't ever fail/sleep on these two conditions:
1523 * 1. auditd generated record - since we need auditd to drain the 1665 * 1. auditd generated record - since we need auditd to drain the
1524 * queue; also, when we are checking for auditd, compare PIDs using 1666 * queue; also, when we are checking for auditd, compare PIDs using
1525 * task_tgid_vnr() since auditd_pid is set in audit_receive_msg() 1667 * task_tgid_vnr() since auditd_pid is set in audit_receive_msg()
1526 * using a PID anchored in the caller's namespace 1668 * using a PID anchored in the caller's namespace
1527 * 2. audit command message - record types 1000 through 1099 inclusive 1669 * 2. generator holding the audit_cmd_mutex - we don't want to block
1528 * are command messages/records used to manage the kernel subsystem 1670 * while holding the mutex */
1529 * and the audit userspace, blocking on these messages could cause 1671 if (!(auditd_test_task(current) ||
1530 * problems under load so don't do it (note: not all of these 1672 (current == __mutex_owner(&audit_cmd_mutex)))) {
1531 * command types are valid as record types, but it is quicker to 1673 long stime = audit_backlog_wait_time;
1532 * just check two ints than a series of ints in a if/switch stmt) */
1533 if (!((audit_pid && audit_pid == task_tgid_vnr(current)) ||
1534 (type >= 1000 && type <= 1099))) {
1535 long sleep_time = audit_backlog_wait_time;
1536 1674
1537 while (audit_backlog_limit && 1675 while (audit_backlog_limit &&
1538 (skb_queue_len(&audit_queue) > audit_backlog_limit)) { 1676 (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
@@ -1541,14 +1679,13 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1541 1679
1542 /* sleep if we are allowed and we haven't exhausted our 1680 /* sleep if we are allowed and we haven't exhausted our
1543 * backlog wait limit */ 1681 * backlog wait limit */
1544 if ((gfp_mask & __GFP_DIRECT_RECLAIM) && 1682 if (gfpflags_allow_blocking(gfp_mask) && (stime > 0)) {
1545 (sleep_time > 0)) {
1546 DECLARE_WAITQUEUE(wait, current); 1683 DECLARE_WAITQUEUE(wait, current);
1547 1684
1548 add_wait_queue_exclusive(&audit_backlog_wait, 1685 add_wait_queue_exclusive(&audit_backlog_wait,
1549 &wait); 1686 &wait);
1550 set_current_state(TASK_UNINTERRUPTIBLE); 1687 set_current_state(TASK_UNINTERRUPTIBLE);
1551 sleep_time = schedule_timeout(sleep_time); 1688 stime = schedule_timeout(stime);
1552 remove_wait_queue(&audit_backlog_wait, &wait); 1689 remove_wait_queue(&audit_backlog_wait, &wait);
1553 } else { 1690 } else {
1554 if (audit_rate_check() && printk_ratelimit()) 1691 if (audit_rate_check() && printk_ratelimit())
@@ -2127,15 +2264,27 @@ out:
2127 */ 2264 */
2128void audit_log_end(struct audit_buffer *ab) 2265void audit_log_end(struct audit_buffer *ab)
2129{ 2266{
2267 struct sk_buff *skb;
2268 struct nlmsghdr *nlh;
2269
2130 if (!ab) 2270 if (!ab)
2131 return; 2271 return;
2132 if (!audit_rate_check()) { 2272
2133 audit_log_lost("rate limit exceeded"); 2273 if (audit_rate_check()) {
2134 } else { 2274 skb = ab->skb;
2135 skb_queue_tail(&audit_queue, ab->skb);
2136 wake_up_interruptible(&kauditd_wait);
2137 ab->skb = NULL; 2275 ab->skb = NULL;
2138 } 2276
2277 /* setup the netlink header, see the comments in
2278 * kauditd_send_multicast_skb() for length quirks */
2279 nlh = nlmsg_hdr(skb);
2280 nlh->nlmsg_len = skb->len - NLMSG_HDRLEN;
2281
2282 /* queue the netlink packet and poke the kauditd thread */
2283 skb_queue_tail(&audit_queue, skb);
2284 wake_up_interruptible(&kauditd_wait);
2285 } else
2286 audit_log_lost("rate limit exceeded");
2287
2139 audit_buffer_free(ab); 2288 audit_buffer_free(ab);
2140} 2289}
2141 2290
diff --git a/kernel/audit.h b/kernel/audit.h
index ca579880303a..0f1cf6d1878a 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -218,7 +218,7 @@ extern void audit_log_name(struct audit_context *context,
218 struct audit_names *n, const struct path *path, 218 struct audit_names *n, const struct path *path,
219 int record_num, int *call_panic); 219 int record_num, int *call_panic);
220 220
221extern int audit_pid; 221extern int auditd_test_task(const struct task_struct *task);
222 222
223#define AUDIT_INODE_BUCKETS 32 223#define AUDIT_INODE_BUCKETS 32
224extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS]; 224extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
@@ -250,10 +250,6 @@ struct audit_netlink_list {
250 250
251int audit_send_list(void *); 251int audit_send_list(void *);
252 252
253struct audit_net {
254 struct sock *nlsk;
255};
256
257extern int selinux_audit_rule_update(void); 253extern int selinux_audit_rule_update(void);
258 254
259extern struct mutex audit_filter_mutex; 255extern struct mutex audit_filter_mutex;
@@ -340,8 +336,7 @@ extern int audit_filter(int msgtype, unsigned int listtype);
340extern int __audit_signal_info(int sig, struct task_struct *t); 336extern int __audit_signal_info(int sig, struct task_struct *t);
341static inline int audit_signal_info(int sig, struct task_struct *t) 337static inline int audit_signal_info(int sig, struct task_struct *t)
342{ 338{
343 if (unlikely((audit_pid && t->tgid == audit_pid) || 339 if (auditd_test_task(t) || (audit_signals && !audit_dummy_context()))
344 (audit_signals && !audit_dummy_context())))
345 return __audit_signal_info(sig, t); 340 return __audit_signal_info(sig, t);
346 return 0; 341 return 0;
347} 342}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d6a8de5f8fa3..e59ffc7fc522 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -762,7 +762,7 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
762 struct audit_entry *e; 762 struct audit_entry *e;
763 enum audit_state state; 763 enum audit_state state;
764 764
765 if (audit_pid && tsk->tgid == audit_pid) 765 if (auditd_test_task(tsk))
766 return AUDIT_DISABLED; 766 return AUDIT_DISABLED;
767 767
768 rcu_read_lock(); 768 rcu_read_lock();
@@ -816,7 +816,7 @@ void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
816{ 816{
817 struct audit_names *n; 817 struct audit_names *n;
818 818
819 if (audit_pid && tsk->tgid == audit_pid) 819 if (auditd_test_task(tsk))
820 return; 820 return;
821 821
822 rcu_read_lock(); 822 rcu_read_lock();
@@ -2256,7 +2256,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
2256 struct audit_context *ctx = tsk->audit_context; 2256 struct audit_context *ctx = tsk->audit_context;
2257 kuid_t uid = current_uid(), t_uid = task_uid(t); 2257 kuid_t uid = current_uid(), t_uid = task_uid(t);
2258 2258
2259 if (audit_pid && t->tgid == audit_pid) { 2259 if (auditd_test_task(t)) {
2260 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) { 2260 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2261 audit_sig_pid = task_tgid_nr(tsk); 2261 audit_sig_pid = task_tgid_nr(tsk);
2262 if (uid_valid(tsk->loginuid)) 2262 if (uid_valid(tsk->loginuid))
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-29 15:36:19 -0400