[PATCH v19 20/23] Audit: Add new record for multiple process LSM attributes

Stephen Smalley stephen.smalley.work at gmail.com
Mon Jul 27 19:04:19 UTC 2020


On 7/24/20 4:32 PM, Casey Schaufler wrote:

> Create a new audit record type to contain the subject information
> when there are multiple security modules that require such data.
> This record is linked with the same timestamp and serial number.
> The record is produced only in cases where there is more than one
> security module with a process "context".
>
> Before this change the only audit events that required multiple
> records were syscall events. Several non-syscall events include
> subject contexts, so the use of audit_context data has been expanded
> as necessary.
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> Cc: linux-audit at redhat.com
> ---
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> index c7d213c9f9d8..930432c3912e 100644
> --- a/include/net/xfrm.h
> +++ b/include/net/xfrm.h
> @@ -672,11 +672,13 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
>   
>   	if (audit_enabled == AUDIT_OFF)
>   		return NULL;
> +	audit_stamp_context(audit_context());
>   	audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
>   				    AUDIT_MAC_IPSEC_EVENT);
>   	if (audit_buf == NULL)
>   		return NULL;
>   	audit_log_format(audit_buf, "op=%s", op);
> +	audit_log_lsm(NULL, false);
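Review bot: audit_log_lsm() is called here from the same path that passes GFP_ATOMIC to audit_log_start() two lines earlier, yet audit_log_lsm(NULL, false) takes no allocation flags, so the second record's buffer is allocated with whatever audit_log_lsm() hard-codes internally rather than with the caller's atomic constraint. Give audit_log_lsm() a gfp_t parameter and pass GFP_ATOMIC from xfrm_audit_start(), so the two records of one event are allocated under the same rules; a mismatch here is the kind of sleeping-in-atomic bug that only shows up with CONFIG_DEBUG_ATOMIC_SLEEP=y. Also note that audit_stamp_context(audit_context()) is executed before audit_log_start() can fail, so on the `audit_buf == NULL` return the context has been stamped for an event that was never emitted; moving the stamp after the NULL check, or documenting that a stale stamp is harmless, would make the intent clear.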

Notice that the audit_log_start() call above specified GFP_ATOMIC. But 
your audit_log_lsm() uses GFP_KERNEL. You'll either need to always use 
GFP_ATOMIC in audit_log_lsm() or pass in the gfp flags there.  Make sure 
you test with CONFIG_DEBUG_ATOMIC_SLEEP=y and check your dmesg output.
