[PATCH v19 20/23] Audit: Add new record for multiple process LSM attributes
Stephen Smalley
stephen.smalley.work at gmail.com
Mon Jul 27 19:04:19 UTC 2020
On 7/24/20 4:32 PM, Casey Schaufler wrote:
> Create a new audit record type to contain the subject information
> when there are multiple security modules that require such data.
> This record is linked with the same timestamp and serial number.
> The record is produced only in cases where there is more than one
> security module with a process "context".
>
> Before this change the only audit events that required multiple
> records were syscall events. Several non-syscall events include
> subject contexts, so the use of audit_context data has been expanded
> as necessary.
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> Cc: linux-audit at redhat.com
> ---
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> index c7d213c9f9d8..930432c3912e 100644
> --- a/include/net/xfrm.h
> +++ b/include/net/xfrm.h
> @@ -672,11 +672,13 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
>
> if (audit_enabled == AUDIT_OFF)
> return NULL;
> + audit_stamp_context(audit_context());
> audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
> AUDIT_MAC_IPSEC_EVENT);
> if (audit_buf == NULL)
> return NULL;
> audit_log_format(audit_buf, "op=%s", op);
> + audit_log_lsm(NULL, false);
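Review bot: the new audit_log_lsm(NULL, false) call at the end of this hunk emits a second record from a path where audit_log_start() is deliberately given GFP_ATOMIC, but the call takes no gfp argument, so nothing in the hunk shows the allocation for that record being atomic-safe. Either add a gfp_t parameter and pass GFP_ATOMIC here, matching the line "audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,", or document at the call site why audit_log_lsm() may never sleep. A one-line comment above the new "audit_stamp_context(audit_context());" saying that it pins the timestamp and serial so the two records are linked would also help the next reader.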
Notice that the audit_log_start() call above specified GFP_ATOMIC. But
your audit_log_lsm() uses GFP_KERNEL. You'll either need to always use
GFP_ATOMIC in audit_log_lsm() or pass in the gfp flags there. Make sure
you test with CONFIG_DEBUG_ATOMIC_SLEEP=y and check your dmesg output.