authorDavid Woodhouse <dwmw2@shinybook.infradead.org>2005-06-22 10:04:33 -0400
committerDavid Woodhouse <dwmw2@shinybook.infradead.org>2005-06-22 10:04:33 -0400
commit9ad9ad385be27fcc7c16d290d972c6173e780a61 (patch)
treebbca700c2d88ba421a6c9c348de367eaf4de0e2c /security
parent177bbc733a1d9c935bc3d6efd776a6699b29b1ca (diff)
AUDIT: Wait for backlog to clear when generating messages.
Add a gfp_mask to audit_log_start() and audit_log(), to reduce the amount of GFP_ATOMIC allocation -- most of it doesn't need to be GFP_ATOMIC. Also if the mask includes __GFP_WAIT, then wait up to 60 seconds for the auditd backlog to clear instead of immediately abandoning the message. The timeout should probably be made configurable, but for now it'll suffice that it only happens if auditd is actually running. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c4
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/ss/services.c4
3 files changed, 5 insertions, 5 deletions
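diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 451502467a9b..2d088bb65ee8 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -242,7 +242,7 @@ void __init avc_init(void)
 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
 0, SLAB_PANIC, NULL, NULL);
 
-audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
+audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n");
 }
 
 int avc_get_hash_stats(char *page)
@@ -550,7 +550,7 @@ void avc_audit(u32 ssid, u32 tsid,
 return;
 }
 
-ab = audit_log_start(current->audit_context, AUDIT_AVC);
+ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);
 if (!ab)
 return; /* audit_panic has been called */
 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");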
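Review bot: The GFP_ATOMIC now passed to audit_log_start() in avc_audit() carries no comment saying why this call site must not sleep. Going by the commit description, a mask without __GFP_WAIT means the record is abandoned at once when the auditd backlog is full, so AVC grant/denial records remain the ones most likely to be lost under audit load. A short comment would make that trade-off explicit, e.g. `/* GFP_ATOMIC: may be called where sleeping is not allowed; record is dropped if the audit backlog is full */`, assuming that is the reason, since avc_audit()'s callers and the rest of its body are outside the hunk. The same applies to the two GFP_ATOMIC audit_log() calls in security/selinux/ss/services.c (security_validtrans_handle_fail and compute_sid_handle_invalid_context). The existing `/* audit_panic has been called */` comment on the NULL return should also be rechecked against the new audit_log_start(), which this 'security'-limited diff does not show.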
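diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index db845cbd5841..b5220a266dce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3419,7 +3419,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
 if (err) {
 if (err == -EINVAL) {
-audit_log(current->audit_context, AUDIT_SELINUX_ERR,
+audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
 "SELinux: unrecognized netlink message"
 " type=%hu for sclass=%hu\n",
 nlh->nlmsg_type, isec->sclass);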
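Review bot: The GFP_KERNEL passed to audit_log() in selinux_nlmsg_perm() allows this path to sleep, and per the commit description it can now wait up to 60 seconds for the auditd backlog to clear. The record is emitted for an unrecognized `nlh->nlmsg_type`, a value taken from the message being checked. If the sender controls that field, repeated unrecognized types can both fill the audit backlog and stall on it, so this call site would benefit from rate limiting or a non-waiting mask; whether audit_log() limits anything itself is not visible in this diff. It should also be confirmed that no lock is held here, since the function body starts and ends outside the hunk. At minimum a comment such as `/* may sleep: waits for the auditd backlog, process context only */` would document the new behaviour.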
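diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b6149147d5cb..2947cf85dc56 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
 goto out;
 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
 goto out;
-audit_log(current->audit_context, AUDIT_SELINUX_ERR,
+audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
 "security_validate_transition: denied for"
 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
 o, n, t, policydb.p_class_val_to_name[tclass-1]);
@@ -742,7 +742,7 @@ static int compute_sid_handle_invalid_context(
 goto out;
 if (context_struct_to_string(newcontext, &n, &nlen) < 0)
 goto out;
-audit_log(current->audit_context, AUDIT_SELINUX_ERR,
+audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
 "security_compute_sid: invalid context %s"
 " for scontext=%s"
 " tcontext=%s"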