Re: [PATCH V9 1/3] audit: clean simple fsnotify implementation
On Wednesday, August 05, 2015 04:29:36 PM Richard Guy Briggs wrote: > This is to be used to audit by executable path rules, but audit watches > should be able to share this code eventually. > > At the moment the audit watch code is a lot more complex. That code only > creates one fsnotify watch per parent directory. That 'audit_parent' in > turn has a list of 'audit_watches' which contain the name, ino, dev of > the specific object we care about. This just creates one fsnotify watch > per object we care about. So if you watch 100 inodes in /etc this code > will create 100 fsnotify watches on /etc. The audit_watch code will > instead create 1 fsnotify watch on /etc (the audit_parent) and then 100 > individual watches chained from that fsnotify mark. > > We should be able to convert the audit_watch code to do one fsnotify > mark per watch and simplify things/remove a whole lot of code. After > that conversion we should be able to convert the audit_fsnotify code to > support that hierarchy if the optimization is necessary. > > Move the access to the entry for audit_match_signal() to the beginning of > the audit_del_rule() function in case the entry found is the same one passed > in. This will enable it to be used by audit_autoremove_mark_rule(), > kill_rules() and audit_remove_parent_watches(). > > This is a heavily modified and merged version of two patches originally > submitted by Eric Paris. > > Cc: Peter Moody > Cc: Eric Paris > Signed-off-by: Richard Guy Briggs > --- > kernel/Makefile |2 +- > kernel/audit.h | 14 +++ > kernel/audit_fsnotify.c | 215 +++ > kernel/auditfilter.c|2 +- > 4 files changed, 231 insertions(+), 2 deletions(-) > create mode 100644 kernel/audit_fsnotify.c Merged, although I had to add a line of whitespace to keep checkpatch happy. > diff --git a/kernel/Makefile b/kernel/Makefile > index 60c302c..58b5b52 100644 > --- a/kernel/Makefile > +++ b/kernel/Makefile > @@ -64,7 +64,7 @@ obj-$(CONFIG_SMP) += stop_machine.o > obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o > obj-$(CONFIG_AUDIT) += audit.o auditfilter.o > obj-$(CONFIG_AUDITSYSCALL) += auditsc.o > -obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o > +obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_fsnotify.o > obj-$(CONFIG_AUDIT_TREE) += audit_tree.o > obj-$(CONFIG_GCOV_KERNEL) += gcov/ > obj-$(CONFIG_KPROBES) += kprobes.o > diff --git a/kernel/audit.h b/kernel/audit.h > index d641f9b..46d10dd 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -50,6 +50,7 @@ enum audit_state { > > /* Rule lists */ > struct audit_watch; > +struct audit_fsnotify_mark; > struct audit_tree; > struct audit_chunk; > > @@ -252,6 +253,7 @@ struct audit_net { > extern int selinux_audit_rule_update(void); > > extern struct mutex audit_filter_mutex; > +extern int audit_del_rule(struct audit_entry *); > extern void audit_free_rule_rcu(struct rcu_head *); > extern struct list_head audit_filter_list[]; > > @@ -269,6 +271,13 @@ extern int audit_add_watch(struct audit_krule *krule, > struct list_head **list); extern void audit_remove_watch_rule(struct > audit_krule *krule); > extern char *audit_watch_path(struct audit_watch *watch); > extern int audit_watch_compare(struct audit_watch *watch, unsigned long > ino, dev_t dev); + > +extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule > *krule, char *pathname, int len); +extern char *audit_mark_path(struct > audit_fsnotify_mark *mark); > +extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark); > +extern void audit_remove_mark_rule(struct audit_krule *krule); > +extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned > long ino, dev_t dev); + > #else > #define audit_put_watch(w) {} > #define audit_get_watch(w) {} > @@ -278,6 +287,11 @@ extern int audit_watch_compare(struct audit_watch > *watch, unsigned long ino, dev #define audit_watch_path(w) "" > #define audit_watch_compare(w, i, d) 0 > > +#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL)) > +#define audit_mark_path(m) "" > +#define audit_remove_mark(m) > +#define audit_remove_mark_rule(k) > +#define audit_mark_compare(m, i, d) 0 > #endif /* CONFIG_AUDIT_WATCH */ > > #ifdef CONFIG_AUDIT_TREE > diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c > new file mode 100644 > index 000..654c6c7 > --- /dev/null > +++ b/kernel/audit_fsnotify.c > @@ -0,0 +1,215 @@ > +/* audit_fsnotify.c -- tracking inodes > + * > + * Copyright 2003-2009,2014-2015 Red Hat, Inc. > + * Copyright 2005 Hewlett-Packard Development Company, L.P. > + * Copyright 2005 IBM Corporation > + * > + * This program is free software; you can redistribute it and/or modify > + * it under the terms of the GNU General Public License as published by > + * the Free Software Foundation; either version 2 of the License, or > + * (at your option) any later version. > + * > + * This program is distributed in the hope that it
Re: [PATCH V9 1/3] audit: clean simple fsnotify implementation
On Wednesday, August 05, 2015 04:29:36 PM Richard Guy Briggs wrote: This is to be used to audit by executable path rules, but audit watches should be able to share this code eventually. At the moment the audit watch code is a lot more complex. That code only creates one fsnotify watch per parent directory. That 'audit_parent' in turn has a list of 'audit_watches' which contain the name, ino, dev of the specific object we care about. This just creates one fsnotify watch per object we care about. So if you watch 100 inodes in /etc this code will create 100 fsnotify watches on /etc. The audit_watch code will instead create 1 fsnotify watch on /etc (the audit_parent) and then 100 individual watches chained from that fsnotify mark. We should be able to convert the audit_watch code to do one fsnotify mark per watch and simplify things/remove a whole lot of code. After that conversion we should be able to convert the audit_fsnotify code to support that hierarchy if the optimization is necessary. Move the access to the entry for audit_match_signal() to the beginning of the audit_del_rule() function in case the entry found is the same one passed in. This will enable it to be used by audit_autoremove_mark_rule(), kill_rules() and audit_remove_parent_watches(). This is a heavily modified and merged version of two patches originally submitted by Eric Paris. Cc: Peter Moody pe...@hda3.com Cc: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/Makefile |2 +- kernel/audit.h | 14 +++ kernel/audit_fsnotify.c | 215 +++ kernel/auditfilter.c|2 +- 4 files changed, 231 insertions(+), 2 deletions(-) create mode 100644 kernel/audit_fsnotify.c Merged, although I had to add a line of whitespace to keep checkpatch happy. diff --git a/kernel/Makefile b/kernel/Makefile index 60c302c..58b5b52 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -64,7 +64,7 @@ obj-$(CONFIG_SMP) += stop_machine.o obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o obj-$(CONFIG_AUDIT) += audit.o auditfilter.o obj-$(CONFIG_AUDITSYSCALL) += auditsc.o -obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o +obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_fsnotify.o obj-$(CONFIG_AUDIT_TREE) += audit_tree.o obj-$(CONFIG_GCOV_KERNEL) += gcov/ obj-$(CONFIG_KPROBES) += kprobes.o diff --git a/kernel/audit.h b/kernel/audit.h index d641f9b..46d10dd 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -50,6 +50,7 @@ enum audit_state { /* Rule lists */ struct audit_watch; +struct audit_fsnotify_mark; struct audit_tree; struct audit_chunk; @@ -252,6 +253,7 @@ struct audit_net { extern int selinux_audit_rule_update(void); extern struct mutex audit_filter_mutex; +extern int audit_del_rule(struct audit_entry *); extern void audit_free_rule_rcu(struct rcu_head *); extern struct list_head audit_filter_list[]; @@ -269,6 +271,13 @@ extern int audit_add_watch(struct audit_krule *krule, struct list_head **list); extern void audit_remove_watch_rule(struct audit_krule *krule); extern char *audit_watch_path(struct audit_watch *watch); extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev); + +extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len); +extern char *audit_mark_path(struct audit_fsnotify_mark *mark); +extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark); +extern void audit_remove_mark_rule(struct audit_krule *krule); +extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev); + #else #define audit_put_watch(w) {} #define audit_get_watch(w) {} @@ -278,6 +287,11 @@ extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev #define audit_watch_path(w) #define audit_watch_compare(w, i, d) 0 +#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL)) +#define audit_mark_path(m) +#define audit_remove_mark(m) +#define audit_remove_mark_rule(k) +#define audit_mark_compare(m, i, d) 0 #endif /* CONFIG_AUDIT_WATCH */ #ifdef CONFIG_AUDIT_TREE diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c new file mode 100644 index 000..654c6c7 --- /dev/null +++ b/kernel/audit_fsnotify.c @@ -0,0 +1,215 @@ +/* audit_fsnotify.c -- tracking inodes + * + * Copyright 2003-2009,2014-2015 Red Hat, Inc. + * Copyright 2005 Hewlett-Packard Development Company, L.P. + * Copyright 2005 IBM Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied
[PATCH V9 1/3] audit: clean simple fsnotify implementation
This is to be used to audit by executable path rules, but audit watches should be able to share this code eventually. At the moment the audit watch code is a lot more complex. That code only creates one fsnotify watch per parent directory. That 'audit_parent' in turn has a list of 'audit_watches' which contain the name, ino, dev of the specific object we care about. This just creates one fsnotify watch per object we care about. So if you watch 100 inodes in /etc this code will create 100 fsnotify watches on /etc. The audit_watch code will instead create 1 fsnotify watch on /etc (the audit_parent) and then 100 individual watches chained from that fsnotify mark. We should be able to convert the audit_watch code to do one fsnotify mark per watch and simplify things/remove a whole lot of code. After that conversion we should be able to convert the audit_fsnotify code to support that hierarchy if the optimization is necessary. Move the access to the entry for audit_match_signal() to the beginning of the audit_del_rule() function in case the entry found is the same one passed in. This will enable it to be used by audit_autoremove_mark_rule(), kill_rules() and audit_remove_parent_watches(). This is a heavily modified and merged version of two patches originally submitted by Eric Paris. Cc: Peter Moody Cc: Eric Paris Signed-off-by: Richard Guy Briggs --- kernel/Makefile |2 +- kernel/audit.h | 14 +++ kernel/audit_fsnotify.c | 215 +++ kernel/auditfilter.c|2 +- 4 files changed, 231 insertions(+), 2 deletions(-) create mode 100644 kernel/audit_fsnotify.c diff --git a/kernel/Makefile b/kernel/Makefile index 60c302c..58b5b52 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -64,7 +64,7 @@ obj-$(CONFIG_SMP) += stop_machine.o obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o obj-$(CONFIG_AUDIT) += audit.o auditfilter.o obj-$(CONFIG_AUDITSYSCALL) += auditsc.o -obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o +obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_fsnotify.o obj-$(CONFIG_AUDIT_TREE) += audit_tree.o obj-$(CONFIG_GCOV_KERNEL) += gcov/ obj-$(CONFIG_KPROBES) += kprobes.o diff --git a/kernel/audit.h b/kernel/audit.h index d641f9b..46d10dd 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -50,6 +50,7 @@ enum audit_state { /* Rule lists */ struct audit_watch; +struct audit_fsnotify_mark; struct audit_tree; struct audit_chunk; @@ -252,6 +253,7 @@ struct audit_net { extern int selinux_audit_rule_update(void); extern struct mutex audit_filter_mutex; +extern int audit_del_rule(struct audit_entry *); extern void audit_free_rule_rcu(struct rcu_head *); extern struct list_head audit_filter_list[]; @@ -269,6 +271,13 @@ extern int audit_add_watch(struct audit_krule *krule, struct list_head **list); extern void audit_remove_watch_rule(struct audit_krule *krule); extern char *audit_watch_path(struct audit_watch *watch); extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev); + +extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len); +extern char *audit_mark_path(struct audit_fsnotify_mark *mark); +extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark); +extern void audit_remove_mark_rule(struct audit_krule *krule); +extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev); + #else #define audit_put_watch(w) {} #define audit_get_watch(w) {} @@ -278,6 +287,11 @@ extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev #define audit_watch_path(w) "" #define audit_watch_compare(w, i, d) 0 +#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL)) +#define audit_mark_path(m) "" +#define audit_remove_mark(m) +#define audit_remove_mark_rule(k) +#define audit_mark_compare(m, i, d) 0 #endif /* CONFIG_AUDIT_WATCH */ #ifdef CONFIG_AUDIT_TREE diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c new file mode 100644 index 000..654c6c7 --- /dev/null +++ b/kernel/audit_fsnotify.c @@ -0,0 +1,215 @@ +/* audit_fsnotify.c -- tracking inodes + * + * Copyright 2003-2009,2014-2015 Red Hat, Inc. + * Copyright 2005 Hewlett-Packard Development Company, L.P. + * Copyright 2005 IBM Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "audit.h" + +/* + *
[PATCH V9 1/3] audit: clean simple fsnotify implementation
This is to be used to audit by executable path rules, but audit watches should be able to share this code eventually. At the moment the audit watch code is a lot more complex. That code only creates one fsnotify watch per parent directory. That 'audit_parent' in turn has a list of 'audit_watches' which contain the name, ino, dev of the specific object we care about. This just creates one fsnotify watch per object we care about. So if you watch 100 inodes in /etc this code will create 100 fsnotify watches on /etc. The audit_watch code will instead create 1 fsnotify watch on /etc (the audit_parent) and then 100 individual watches chained from that fsnotify mark. We should be able to convert the audit_watch code to do one fsnotify mark per watch and simplify things/remove a whole lot of code. After that conversion we should be able to convert the audit_fsnotify code to support that hierarchy if the optimization is necessary. Move the access to the entry for audit_match_signal() to the beginning of the audit_del_rule() function in case the entry found is the same one passed in. This will enable it to be used by audit_autoremove_mark_rule(), kill_rules() and audit_remove_parent_watches(). This is a heavily modified and merged version of two patches originally submitted by Eric Paris. Cc: Peter Moody pe...@hda3.com Cc: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/Makefile |2 +- kernel/audit.h | 14 +++ kernel/audit_fsnotify.c | 215 +++ kernel/auditfilter.c|2 +- 4 files changed, 231 insertions(+), 2 deletions(-) create mode 100644 kernel/audit_fsnotify.c diff --git a/kernel/Makefile b/kernel/Makefile index 60c302c..58b5b52 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -64,7 +64,7 @@ obj-$(CONFIG_SMP) += stop_machine.o obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o obj-$(CONFIG_AUDIT) += audit.o auditfilter.o obj-$(CONFIG_AUDITSYSCALL) += auditsc.o -obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o +obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_fsnotify.o obj-$(CONFIG_AUDIT_TREE) += audit_tree.o obj-$(CONFIG_GCOV_KERNEL) += gcov/ obj-$(CONFIG_KPROBES) += kprobes.o diff --git a/kernel/audit.h b/kernel/audit.h index d641f9b..46d10dd 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -50,6 +50,7 @@ enum audit_state { /* Rule lists */ struct audit_watch; +struct audit_fsnotify_mark; struct audit_tree; struct audit_chunk; @@ -252,6 +253,7 @@ struct audit_net { extern int selinux_audit_rule_update(void); extern struct mutex audit_filter_mutex; +extern int audit_del_rule(struct audit_entry *); extern void audit_free_rule_rcu(struct rcu_head *); extern struct list_head audit_filter_list[]; @@ -269,6 +271,13 @@ extern int audit_add_watch(struct audit_krule *krule, struct list_head **list); extern void audit_remove_watch_rule(struct audit_krule *krule); extern char *audit_watch_path(struct audit_watch *watch); extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev); + +extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len); +extern char *audit_mark_path(struct audit_fsnotify_mark *mark); +extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark); +extern void audit_remove_mark_rule(struct audit_krule *krule); +extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev); + #else #define audit_put_watch(w) {} #define audit_get_watch(w) {} @@ -278,6 +287,11 @@ extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev #define audit_watch_path(w) #define audit_watch_compare(w, i, d) 0 +#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL)) +#define audit_mark_path(m) +#define audit_remove_mark(m) +#define audit_remove_mark_rule(k) +#define audit_mark_compare(m, i, d) 0 #endif /* CONFIG_AUDIT_WATCH */ #ifdef CONFIG_AUDIT_TREE diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c new file mode 100644 index 000..654c6c7 --- /dev/null +++ b/kernel/audit_fsnotify.c @@ -0,0 +1,215 @@ +/* audit_fsnotify.c -- tracking inodes + * + * Copyright 2003-2009,2014-2015 Red Hat, Inc. + * Copyright 2005 Hewlett-Packard Development Company, L.P. + * Copyright 2005 IBM Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include linux/kernel.h +#include linux/audit.h +#include linux/kthread.h +#include linux/mutex.h +#include