Inter-revision diff: patch 25

Comparing v38 (message) to v35 (message)

--- v38
+++ v35
@@ -1,120 +1,146 @@
-Change netlink netfilter interfaces to use lsmcontext
-pointers, and remove scaffolding.
+Replace the single skb pointer in an audit_buffer with
+a list of skb pointers. Add the audit_stamp information
+to the audit_buffer as there's no guarantee that there
+will be an audit_context containing the stamp associated
+with the event. At audit_log_end() time create auxiliary
+records (none are currently defined) as have been added
+to the list.
 
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: John Johansen <john.johansen@canonical.com>
-Acked-by: Paul Moore <paul@paul-moore.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Suggested-by: Paul Moore <paul@paul-moore.com>
 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
-Cc: netdev@vger.kernel.org
-Cc: netfilter-devel@vger.kernel.org
 ---
- net/netfilter/nfnetlink_queue.c | 37 +++++++++++++--------------------
- 1 file changed, 14 insertions(+), 23 deletions(-)
+ kernel/audit.c | 62 +++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 23 deletions(-)
 
-diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
-index 46f49cd2543d..3a7d1a693c5e 100644
---- a/net/netfilter/nfnetlink_queue.c
-+++ b/net/netfilter/nfnetlink_queue.c
-@@ -301,15 +301,13 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
- 	return -1;
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 6b6c089512f7..4d44c05053b0 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -197,8 +197,10 @@ static struct audit_ctl_mutex {
+  * to place it on a transmit queue.  Multiple audit_buffers can be in
+  * use simultaneously. */
+ struct audit_buffer {
+-	struct sk_buff       *skb;	/* formatted skb ready to send */
++	struct sk_buff       *skb;	/* the skb for audit_log functions */
++	struct sk_buff_head  skb_list;	/* formatted skbs, ready to send */
+ 	struct audit_context *ctx;	/* NULL or associated context */
++	struct audit_stamp   stamp;	/* audit stamp for these records */
+ 	gfp_t		     gfp_mask;
+ };
+ 
+@@ -1765,10 +1767,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set);
+ 
+ static void audit_buffer_free(struct audit_buffer *ab)
+ {
++	struct sk_buff *skb;
++
+ 	if (!ab)
+ 		return;
+ 
+-	kfree_skb(ab->skb);
++	while((skb = skb_dequeue(&ab->skb_list)))
++		kfree_skb(skb);
+ 	kmem_cache_free(audit_buffer_cache, ab);
  }
  
--static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
-+static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context)
+@@ -1784,8 +1789,12 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
+ 	ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
+ 	if (!ab->skb)
+ 		goto err;
++
++	skb_queue_head_init(&ab->skb_list);
++	skb_queue_tail(&ab->skb_list, ab->skb);
++
+ 	if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
+-		goto err;
++		kfree_skb(ab->skb);
+ 
+ 	ab->ctx = ctx;
+ 	ab->gfp_mask = gfp_mask;
+@@ -1849,7 +1858,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
+ 				     int type)
  {
--	u32 seclen = 0;
- #if IS_ENABLED(CONFIG_NETWORK_SECMARK)
- 	struct lsmblob blob;
--	struct lsmcontext context = { };
+ 	struct audit_buffer *ab;
+-	struct audit_stamp stamp;
  
- 	if (!skb || !sk_fullsock(skb->sk))
--		return 0;
-+		return;
- 
- 	read_lock_bh(&skb->sk->sk_callback_lock);
- 
-@@ -318,14 +316,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
- 		 * blob. security_secid_to_secctx() will know which security
- 		 * module to use to create the secctx.  */
- 		lsmblob_init(&blob, skb->secmark);
--		security_secid_to_secctx(&blob, &context);
--		*secdata = context.context;
-+		security_secid_to_secctx(&blob, context);
+ 	if (audit_initialized != AUDIT_INITIALIZED)
+ 		return NULL;
+@@ -1904,14 +1912,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
+ 		return NULL;
  	}
  
- 	read_unlock_bh(&skb->sk->sk_callback_lock);
--	seclen = context.len;
- #endif
--	return seclen;
-+	return;
+-	audit_get_stamp(ab->ctx, &stamp);
++	audit_get_stamp(ab->ctx, &ab->stamp);
+ 	/* cancel dummy context to enable supporting records */
+ 	if (ctx)
+ 		ctx->dummy = 0;
+ 	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
+-			 (unsigned long long)stamp.ctime.tv_sec,
+-			 stamp.ctime.tv_nsec/1000000,
+-			 stamp.serial);
++			 (unsigned long long)ab->stamp.ctime.tv_sec,
++			 ab->stamp.ctime.tv_nsec/1000000,
++			 ab->stamp.serial);
+ 
+ 	return ab;
+ }
+@@ -2402,26 +2410,14 @@ int audit_signal_info(int sig, struct task_struct *t)
  }
  
- static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry)
-@@ -397,12 +393,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
- 	struct net_device *indev;
- 	struct net_device *outdev;
- 	struct nf_conn *ct = NULL;
-+	struct lsmcontext context = { };
- 	enum ip_conntrack_info ctinfo = 0;
- 	const struct nfnl_ct_hook *nfnl_ct;
- 	bool csum_verify;
--	struct lsmcontext scaff; /* scaffolding */
--	char *secdata = NULL;
--	u32 seclen = 0;
- 	ktime_t tstamp;
+ /**
+- * audit_log_end - end one audit record
+- * @ab: the audit_buffer
+- *
+- * We can not do a netlink send inside an irq context because it blocks (last
+- * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
+- * queue and a kthread is scheduled to remove them from the queue outside the
+- * irq context.  May be called in any context.
++ * __audit_log_end - enqueue one audit record
++ * @skb: the buffer to send
+  */
+-void audit_log_end(struct audit_buffer *ab)
++static void __audit_log_end(struct sk_buff *skb)
+ {
+-	struct sk_buff *skb;
+ 	struct nlmsghdr *nlh;
  
- 	size = nlmsg_total_size(sizeof(struct nfgenmsg))
-@@ -473,9 +467,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
- 	}
+-	if (!ab)
+-		return;
+-
+ 	if (audit_rate_check()) {
+-		skb = ab->skb;
+-		ab->skb = NULL;
+-
+ 		/* setup the netlink header, see the comments in
+ 		 * kauditd_send_multicast_skb() for length quirks */
+ 		nlh = nlmsg_hdr(skb);
+@@ -2432,6 +2428,26 @@ void audit_log_end(struct audit_buffer *ab)
+ 		wake_up_interruptible(&kauditd_wait);
+ 	} else
+ 		audit_log_lost("rate limit exceeded");
++}
++
++/**
++ * audit_log_end - end one audit record
++ * @ab: the audit_buffer
++ *
++ * We can not do a netlink send inside an irq context because it blocks (last
++ * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
++ * queue and a kthread is scheduled to remove them from the queue outside the
++ * irq context.  May be called in any context.
++ */
++void audit_log_end(struct audit_buffer *ab)
++{
++	struct sk_buff *skb;
++
++	if (!ab)
++		return;
++
++	while ((skb = skb_dequeue(&ab->skb_list)))
++		__audit_log_end(skb);
  
- 	if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
--		seclen = nfqnl_get_sk_secctx(entskb, &secdata);
--		if (seclen)
--			size += nla_total_size(seclen);
-+		nfqnl_get_sk_secctx(entskb, &context);
-+		if (context.len)
-+			size += nla_total_size(context.len);
- 	}
- 
- 	skb = alloc_skb(size, GFP_ATOMIC);
-@@ -610,7 +604,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
- 	    nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
- 		goto nla_put_failure;
- 
--	if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
-+	if (context.len &&
-+	    nla_put(skb, NFQA_SECCTX, context.len, context.context))
- 		goto nla_put_failure;
- 
- 	if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0)
-@@ -638,10 +633,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
- 	}
- 
- 	nlh->nlmsg_len = skb->len;
--	if (seclen) {
--		lsmcontext_init(&scaff, secdata, seclen, 0);
--		security_release_secctx(&scaff);
--	}
-+	if (context.len)
-+		security_release_secctx(&context);
- 	return skb;
- 
- nla_put_failure:
-@@ -649,10 +642,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
- 	kfree_skb(skb);
- 	net_err_ratelimited("nf_queue: error creating packet message\n");
- nlmsg_failure:
--	if (seclen) {
--		lsmcontext_init(&scaff, secdata, seclen, 0);
--		security_release_secctx(&scaff);
--	}
-+	if (context.len)
-+		security_release_secctx(&context);
- 	return NULL;
+ 	audit_buffer_free(ab);
  }
- 
 -- 
-2.37.3
+2.35.1
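Review bot: The `kfree_skb(ab->skb);` that replaces `goto err;` after the failed nlmsg_put() in audit_buffer_alloc() frees an skb that was just linked onto ab->skb_list and is still referenced by ab->skb, and the function then falls through and returns the buffer, so a later audit_log_format() writes into freed memory and audit_log_end() or audit_buffer_free() dequeues and frees it a second time. Since audit_buffer_free() now drains skb_list, restoring `goto err;` is sufficient, assuming the err: label (outside the hunk) still calls audit_buffer_free() as the removed code did. A related leak is in __audit_log_end(): the caller has already dequeued the skb, so on the `audit_log_lost("rate limit exceeded");` path nothing releases it any more, whereas the old code left ab->skb set for audit_buffer_free() to free; that else branch should become `} else { audit_log_lost("rate limit exceeded"); kfree_skb(skb); }`. Both audit_buffer_alloc() and the middle of __audit_log_end() extend outside the hunk, and the `while((skb = ...` in audit_buffer_free() is missing the kernel-style space after `while`.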
 