Discussion:
moving audit_free() up into do_exit()
(too old to reply)
Alexander Viro
2006-03-29 22:03:58 UTC
Permalink
If we want to get full information on syscalls that kill the caller
(exit, exit_group, anything oopsing), we really ought to move audit_free()
into do_exit(), just before the exit_mm() call there.

Impact: we'll generate records for such syscall when it's called
(and gets to the point of no return), not when the resulting zombie gets
reaped. If anyone has objections to that, yell _NOW_.

What we get is, among other things, accurate tty=, exe= and subj=
in such records. We also get much simpler locking, since now _all_
access to ->audit_context is done by process itself in a process-synchronous
context. We don't have to bother with atomic allocations on that path
either.

NOTE: it does change the moment when record is generated and if
something in userland depends on having it postponed until the time when
zombie gets reaped, we will have to change such userland code. I doubt
we have any such place, but that definitely needs an ACK from userland
side of things.
Steve Grubb
2006-03-29 22:21:34 UTC
Permalink
Post by Alexander Viro
NOTE: it does change the moment when record is generated and if
something in userland depends on having it postponed until the time when
zombie gets reaped, we will have to change such userland code.  I doubt
we have any such place, but that definitely needs an ACK from userland
side of things.
User land - e.g. auditd - does not have any dependency. It is a change that
people doing EAL documentation may want to be aware of.

Thanks,
-Steve
Alexander Viro
2006-03-30 08:54:53 UTC
Permalink
Post by Steve Grubb
Post by Alexander Viro
NOTE: it does change the moment when record is generated and if
something in userland depends on having it postponed until the time when
zombie gets reaped, we will have to change such userland code. ?I doubt
we have any such place, but that definitely needs an ACK from userland
side of things.
User land - e.g. auditd - does not have any dependency. It is a change that
people doing EAL documentation may want to be aware of.
OK, preliminary patches attached; the first one is minimal "take care of
deadlocks", hopefully suitable for 2.6.16.2. The second is incremental
to that (actually, a combination of several smaller steps from git tree)
doing the audit_free() move and cleanups. Warning: both are absolutely
untested.

Question: do we have agreed upon variants of "Inotify kernel API" and
"filesystem location based auditing" patches against the current mainline
(or FC, no difference in that respect) tree?
Alexander Viro
2006-03-30 08:56:38 UTC
Permalink
Post by Alexander Viro
OK, preliminary patches attached; the first one is minimal "take care of
Gah... Attached to this followup; my apologies.
Andrew Morton
2006-03-30 09:03:55 UTC
Permalink
Post by Alexander Viro
OK, preliminary patches attached; the first one is minimal "take care of
+static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk, gfp_t gfp_mask)
{
- char name[sizeof(current->comm)];
- struct mm_struct *mm = current->mm;
+ char name[sizeof(tsk->comm)];
+ struct mm_struct *mm = tsk->mm;
struct vm_area_struct *vma;
- get_task_comm(name, current);
+ get_task_comm(name, tsk);
audit_log_format(ab, " comm=");
audit_log_untrustedstring(ab, name);
Am too lazy to apply the thing and check, but does `tsk' always equal
`current' here? If not, what pins the mm_struct?
Alexander Viro
2006-03-30 09:11:46 UTC
Permalink
Post by Andrew Morton
+static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk, gfp_t gfp_mask)
{
- char name[sizeof(current->comm)];
- struct mm_struct *mm = current->mm;
+ char name[sizeof(tsk->comm)];
+ struct mm_struct *mm = tsk->mm;
struct vm_area_struct *vma;
- get_task_comm(name, current);
+ get_task_comm(name, tsk);
audit_log_format(ab, " comm=");
audit_log_untrustedstring(ab, name);
Am too lazy to apply the thing and check, but does `tsk' always equal
`current' here? If not, what pins the mm_struct?
It's either current or something being freed. In the latter case we'd
already got ->mm set to NULL by that point. Note that with the second
patch we'll _always_ have current here and it will have intact ->mm;
current code is called too late to do anything useful and the best we
can do is to avoid using ->mm of unrelated process (deadlock country
if we do that and it ends up non-NULL by accident; that's exactly what
the guy had hit).
Steve Grubb
2006-03-31 20:40:30 UTC
Permalink
Post by Alexander Viro
Post by Alexander Viro
OK, preliminary patches attached; the first one is minimal "take care of
Gah... Attached to this followup; my apologies.
In audit-exit.patch

@@ -607,12 +605,12 @@ static void audit_log_exit(struct audit_
context->gid,
context->euid, context->suid, context->fsuid,
context->egid, context->sgid, context->fsgid, tty);
- audit_log_task_info(ab, gfp_mask);
+ audit_log_task_info(ab);
audit_log_end(ab);

for (aux = context->aux; aux; aux = aux->next) {

- ab = audit_log_start(context, gfp_mask, aux->type);
+ ab = audit_log_start(context, GFP_KERNEL, aux->type);
if (!ab)
continue; /* audit_panic has been called */

It doesn't compile....it needs:
+ audit_log_task_info(ab, tsk);


Also, piece in kernel/exit.c complains of implicit declaration of
'audit_free'.

-Steve
Alexander Viro
2006-03-31 21:41:08 UTC
Permalink
Post by Steve Grubb
Post by Alexander Viro
Post by Alexander Viro
OK, preliminary patches attached; the first one is minimal "take care of
Gah... Attached to this followup; my apologies.
In audit-exit.patch
[snip]

Fixed, pushed to kernel.org audit-current, updated patch follows:

diff --git a/arch/i386/kernel/ptrace.c b/arch/i386/kernel/ptrace.c
index 506462e..fd7eaf7 100644
--- a/arch/i386/kernel/ptrace.c
+++ b/arch/i386/kernel/ptrace.c
@@ -671,7 +671,7 @@ int do_syscall_trace(struct pt_regs *reg

if (unlikely(current->audit_context)) {
if (entryexit)
- audit_syscall_exit(current, AUDITSC_RESULT(regs->eax),
+ audit_syscall_exit(AUDITSC_RESULT(regs->eax),
regs->eax);
/* Debug traps, when using PTRACE_SINGLESTEP, must be sent only
* on the syscall exit path. Normally, when TIF_SYSCALL_AUDIT is
@@ -720,14 +720,13 @@ int do_syscall_trace(struct pt_regs *reg
ret = is_sysemu;
out:
if (unlikely(current->audit_context) && !entryexit)
- audit_syscall_entry(current, AUDIT_ARCH_I386, regs->orig_eax,
+ audit_syscall_entry(AUDIT_ARCH_I386, regs->orig_eax,
regs->ebx, regs->ecx, regs->edx, regs->esi);
if (ret == 0)
return 0;

regs->orig_eax = -1; /* force skip of syscall restarting */
if (unlikely(current->audit_context))
- audit_syscall_exit(current, AUDITSC_RESULT(regs->eax),
- regs->eax);
+ audit_syscall_exit(AUDITSC_RESULT(regs->eax), regs->eax);
return 1;
}
diff --git a/arch/i386/kernel/vm86.c b/arch/i386/kernel/vm86.c
index aee14fa..00e0118 100644
--- a/arch/i386/kernel/vm86.c
+++ b/arch/i386/kernel/vm86.c
@@ -312,7 +312,7 @@ static void do_sys_vm86(struct kernel_vm

/*call audit_syscall_exit since we do not exit via the normal paths */
if (unlikely(current->audit_context))
- audit_syscall_exit(current, AUDITSC_RESULT(eax), eax);
+ audit_syscall_exit(AUDITSC_RESULT(eax), eax);

__asm__ __volatile__(
"movl %0,%%esp\n\t"
diff --git a/arch/ia64/kernel/ptrace.c b/arch/ia64/kernel/ptrace.c
index 9887c87..e61e15e 100644
--- a/arch/ia64/kernel/ptrace.c
+++ b/arch/ia64/kernel/ptrace.c
@@ -1644,7 +1644,7 @@ syscall_trace_enter (long arg0, long arg
arch = AUDIT_ARCH_IA64;
}

- audit_syscall_entry(current, arch, syscall, arg0, arg1, arg2, arg3);
+ audit_syscall_entry(arch, syscall, arg0, arg1, arg2, arg3);
}

}
@@ -1662,7 +1662,7 @@ syscall_trace_leave (long arg0, long arg

if (success != AUDITSC_SUCCESS)
result = -result;
- audit_syscall_exit(current, success, result);
+ audit_syscall_exit(success, result);
}

if (test_thread_flag(TIF_SYSCALL_TRACE)
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index f838b36..26ab8a9 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -469,7 +469,7 @@ static inline int audit_arch(void)
asmlinkage void do_syscall_trace(struct pt_regs *regs, int entryexit)
{
if (unlikely(current->audit_context) && entryexit)
- audit_syscall_exit(current, AUDITSC_RESULT(regs->regs[2]),
+ audit_syscall_exit(AUDITSC_RESULT(regs->regs[2]),
regs->regs[2]);

if (!(current->ptrace & PT_PTRACED))
@@ -493,7 +493,7 @@ asmlinkage void do_syscall_trace(struct
}
out:
if (unlikely(current->audit_context) && !entryexit)
- audit_syscall_entry(current, audit_arch(), regs->regs[2],
+ audit_syscall_entry(audit_arch(), regs->regs[2],
regs->regs[4], regs->regs[5],
regs->regs[6], regs->regs[7]);
}
diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
index bcb8357..4a677d1 100644
--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -538,7 +538,7 @@ void do_syscall_trace_enter(struct pt_re
do_syscall_trace();

if (unlikely(current->audit_context))
- audit_syscall_entry(current,
+ audit_syscall_entry(
#ifdef CONFIG_PPC32
AUDIT_ARCH_PPC,
#else
@@ -556,8 +556,7 @@ void do_syscall_trace_leave(struct pt_re
#endif

if (unlikely(current->audit_context))
- audit_syscall_exit(current,
- (regs->ccr&0x1000)?AUDITSC_FAILURE:AUDITSC_SUCCESS,
+ audit_syscall_exit((regs->ccr&0x1000)?AUDITSC_FAILURE:AUDITSC_SUCCESS,
regs->result);

if ((test_thread_flag(TIF_SYSCALL_TRACE)
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
index 37dfe33..8f36504 100644
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -734,7 +734,7 @@ asmlinkage void
syscall_trace(struct pt_regs *regs, int entryexit)
{
if (unlikely(current->audit_context) && entryexit)
- audit_syscall_exit(current, AUDITSC_RESULT(regs->gprs[2]), regs->gprs[2]);
+ audit_syscall_exit(AUDITSC_RESULT(regs->gprs[2]), regs->gprs[2]);

if (!test_thread_flag(TIF_SYSCALL_TRACE))
goto out;
@@ -761,8 +761,7 @@ syscall_trace(struct pt_regs *regs, int
}
out:
if (unlikely(current->audit_context) && !entryexit)
- audit_syscall_entry(current,
- test_thread_flag(TIF_31BIT)?AUDIT_ARCH_S390:AUDIT_ARCH_S390X,
+ audit_syscall_entry(test_thread_flag(TIF_31BIT)?AUDIT_ARCH_S390:AUDIT_ARCH_S390X,
regs->gprs[2], regs->orig_gpr2, regs->gprs[3],
regs->gprs[4], regs->gprs[5]);
}
diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c
index eb93e9c..bd54daf 100644
--- a/arch/sparc64/kernel/ptrace.c
+++ b/arch/sparc64/kernel/ptrace.c
@@ -630,7 +630,7 @@ asmlinkage void syscall_trace(struct pt_
if (unlikely(tstate & (TSTATE_XCARRY | TSTATE_ICARRY)))
result = AUDITSC_FAILURE;

- audit_syscall_exit(current, result, regs->u_regs[UREG_I0]);
+ audit_syscall_exit(result, regs->u_regs[UREG_I0]);
}

if (!(current->ptrace & PT_PTRACED))
@@ -654,8 +654,7 @@ asmlinkage void syscall_trace(struct pt_

out:
if (unlikely(current->audit_context) && !syscall_exit_p)
- audit_syscall_entry(current,
- (test_thread_flag(TIF_32BIT) ?
+ audit_syscall_entry((test_thread_flag(TIF_32BIT) ?
AUDIT_ARCH_SPARC :
AUDIT_ARCH_SPARC64),
regs->u_regs[UREG_G1],
diff --git a/arch/um/kernel/ptrace.c b/arch/um/kernel/ptrace.c
index 98e0939..139c3ac 100644
--- a/arch/um/kernel/ptrace.c
+++ b/arch/um/kernel/ptrace.c
@@ -269,15 +269,13 @@ void syscall_trace(union uml_pt_regs *re

if (unlikely(current->audit_context)) {
if (!entryexit)
- audit_syscall_entry(current,
- HOST_AUDIT_ARCH,
+ audit_syscall_entry(HOST_AUDIT_ARCH,
UPT_SYSCALL_NR(regs),
UPT_SYSCALL_ARG1(regs),
UPT_SYSCALL_ARG2(regs),
UPT_SYSCALL_ARG3(regs),
UPT_SYSCALL_ARG4(regs));
- else audit_syscall_exit(current,
- AUDITSC_RESULT(UPT_SYSCALL_RET(regs)),
+ else audit_syscall_exit(AUDITSC_RESULT(UPT_SYSCALL_RET(regs)),
UPT_SYSCALL_RET(regs));
}

diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
index d44b2c1..5ef7aae 100644
--- a/arch/x86_64/kernel/ptrace.c
+++ b/arch/x86_64/kernel/ptrace.c
@@ -605,12 +605,12 @@ asmlinkage void syscall_trace_enter(stru

if (unlikely(current->audit_context)) {
if (test_thread_flag(TIF_IA32)) {
- audit_syscall_entry(current, AUDIT_ARCH_I386,
+ audit_syscall_entry(AUDIT_ARCH_I386,
regs->orig_rax,
regs->rbx, regs->rcx,
regs->rdx, regs->rsi);
} else {
- audit_syscall_entry(current, AUDIT_ARCH_X86_64,
+ audit_syscall_entry(AUDIT_ARCH_X86_64,
regs->orig_rax,
regs->rdi, regs->rsi,
regs->rdx, regs->r10);
@@ -621,7 +621,7 @@ asmlinkage void syscall_trace_enter(stru
asmlinkage void syscall_trace_leave(struct pt_regs *regs)
{
if (unlikely(current->audit_context))
- audit_syscall_exit(current, AUDITSC_RESULT(regs->rax), regs->rax);
+ audit_syscall_exit(AUDITSC_RESULT(regs->rax), regs->rax);

if ((test_thread_flag(TIF_SYSCALL_TRACE)
|| test_thread_flag(TIF_SINGLESTEP))
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 1c47c59..39fef6e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -287,10 +287,10 @@ struct netlink_skb_parms;
/* Public API */
extern int audit_alloc(struct task_struct *task);
extern void audit_free(struct task_struct *task);
-extern void audit_syscall_entry(struct task_struct *task, int arch,
+extern void audit_syscall_entry(int arch,
int major, unsigned long a0, unsigned long a1,
unsigned long a2, unsigned long a3);
-extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code);
+extern void audit_syscall_exit(int failed, long return_code);
extern void audit_getname(const char *name);
extern void audit_putname(const char *name);
extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags);
@@ -323,8 +323,8 @@ extern int audit_set_macxattr(const char
#else
#define audit_alloc(t) ({ 0; })
#define audit_free(t) do { ; } while (0)
-#define audit_syscall_entry(t,ta,a,b,c,d,e) do { ; } while (0)
-#define audit_syscall_exit(t,f,r) do { ; } while (0)
+#define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0)
+#define audit_syscall_exit(f,r) do { ; } while (0)
#define audit_getname(n) do { ; } while (0)
#define audit_putname(n) do { ; } while (0)
#define __audit_inode(n,i,f) do { ; } while (0)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4052f0a..8aca4ab 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -329,7 +329,6 @@ static enum audit_state audit_filter_sys
return AUDIT_BUILD_CONTEXT;
}

-/* This should be called with task_lock() held. */
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
int return_valid,
int return_code)
@@ -506,7 +505,7 @@ static inline void audit_free_context(st
printk(KERN_ERR "audit: freed %d contexts\n", count);
}

-static void audit_log_task_context(struct audit_buffer *ab, gfp_t gfp_mask)
+static void audit_log_task_context(struct audit_buffer *ab)
{
char *ctx = NULL;
ssize_t len = 0;
@@ -518,7 +517,7 @@ static void audit_log_task_context(struc
return;
}

- ctx = kmalloc(len, gfp_mask);
+ ctx = kmalloc(len, GFP_KERNEL);
if (!ctx)
goto error_path;

@@ -536,47 +535,46 @@ error_path:
return;
}

-static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk, gfp_t gfp_mask)
+static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
char name[sizeof(tsk->comm)];
struct mm_struct *mm = tsk->mm;
struct vm_area_struct *vma;

+ /* tsk == current */
+
get_task_comm(name, tsk);
audit_log_format(ab, " comm=");
audit_log_untrustedstring(ab, name);

- if (!mm)
- return;
-
- /*
- * this is brittle; all callers that pass GFP_ATOMIC will have
- * NULL tsk->mm and we won't get here.
- */
- down_read(&mm->mmap_sem);
- vma = mm->mmap;
- while (vma) {
- if ((vma->vm_flags & VM_EXECUTABLE) &&
- vma->vm_file) {
- audit_log_d_path(ab, "exe=",
- vma->vm_file->f_dentry,
- vma->vm_file->f_vfsmnt);
- break;
+ if (mm) {
+ down_read(&mm->mmap_sem);
+ vma = mm->mmap;
+ while (vma) {
+ if ((vma->vm_flags & VM_EXECUTABLE) &&
+ vma->vm_file) {
+ audit_log_d_path(ab, "exe=",
+ vma->vm_file->f_dentry,
+ vma->vm_file->f_vfsmnt);
+ break;
+ }
+ vma = vma->vm_next;
}
- vma = vma->vm_next;
+ up_read(&mm->mmap_sem);
}
- up_read(&mm->mmap_sem);
- audit_log_task_context(ab, gfp_mask);
+ audit_log_task_context(ab);
}

-static void audit_log_exit(struct audit_context *context, struct task_struct *tsk, gfp_t gfp_mask)
+static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
{
int i;
struct audit_buffer *ab;
struct audit_aux_data *aux;
const char *tty;

- ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL);
+ /* tsk == current */
+
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
if (!ab)
return; /* audit_panic has been called */
audit_log_format(ab, "arch=%x syscall=%d",
@@ -607,12 +605,12 @@ static void audit_log_exit(struct audit_
context->gid,
context->euid, context->suid, context->fsuid,
context->egid, context->sgid, context->fsgid, tty);
- audit_log_task_info(ab, gfp_mask);
+ audit_log_task_info(ab, tsk);
audit_log_end(ab);

for (aux = context->aux; aux; aux = aux->next) {

- ab = audit_log_start(context, gfp_mask, aux->type);
+ ab = audit_log_start(context, GFP_KERNEL, aux->type);
if (!ab)
continue; /* audit_panic has been called */

@@ -649,7 +647,7 @@ static void audit_log_exit(struct audit_
}

if (context->pwd && context->pwdmnt) {
- ab = audit_log_start(context, gfp_mask, AUDIT_CWD);
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
if (ab) {
audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
audit_log_end(ab);
@@ -659,7 +657,7 @@ static void audit_log_exit(struct audit_
unsigned long ino = context->names[i].ino;
unsigned long pino = context->names[i].pino;

- ab = audit_log_start(context, gfp_mask, AUDIT_PATH);
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
if (!ab)
continue; /* audit_panic has been called */

@@ -698,19 +696,12 @@ static void audit_log_exit(struct audit_
* audit_free - free a per-task audit context
* @tsk: task whose audit context block to free
*
- * Called from copy_process and __put_task_struct.
+ * Called from copy_process and do_exit
*/
void audit_free(struct task_struct *tsk)
{
struct audit_context *context;

- /*
- * No need to lock the task - when we execute audit_free()
- * then the task has no external references anymore, and
- * we are tearing it down. (The locking also confuses
- * DEBUG_LOCKDEP - this freeing may occur in softirq
- * contexts as well, via RCU.)
- */
context = audit_get_context(tsk, 0, 0);
if (likely(!context))
return;
@@ -719,8 +710,9 @@ void audit_free(struct task_struct *tsk)
* function (e.g., exit_group), then free context block.
* We use GFP_ATOMIC here because we might be doing this
* in the context of the idle thread */
+ /* that can happen only if we are called from do_exit() */
if (context->in_syscall && context->auditable)
- audit_log_exit(context, tsk, GFP_ATOMIC);
+ audit_log_exit(context, tsk);

audit_free_context(context);
}
@@ -743,10 +735,11 @@ void audit_free(struct task_struct *tsk)
* will only be written if another part of the kernel requests that it
* be written).
*/
-void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
+void audit_syscall_entry(int arch, int major,
unsigned long a1, unsigned long a2,
unsigned long a3, unsigned long a4)
{
+ struct task_struct *tsk = current;
struct audit_context *context = tsk->audit_context;
enum audit_state state;

@@ -824,22 +817,18 @@ void audit_syscall_entry(struct task_str
* message), then write out the syscall information. In call cases,
* free the names stored from getname().
*/
-void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
+void audit_syscall_exit(int valid, long return_code)
{
+ struct task_struct *tsk = current;
struct audit_context *context;

- get_task_struct(tsk);
- task_lock(tsk);
context = audit_get_context(tsk, valid, return_code);
- task_unlock(tsk);

- /* Not having a context here is ok, since the parent may have
- * called __put_task_struct. */
if (likely(!context))
- goto out;
+ return;

if (context->in_syscall && context->auditable)
- audit_log_exit(context, tsk, GFP_KERNEL);
+ audit_log_exit(context, tsk);

context->in_syscall = 0;
context->auditable = 0;
@@ -854,8 +843,6 @@ void audit_syscall_exit(struct task_stru
audit_free_aux(context);
tsk->audit_context = context;
}
- out:
- put_task_struct(tsk);
}

/**
diff --git a/kernel/exit.c b/kernel/exit.c
index bc0ec67..70bd67b 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -34,6 +34,7 @@
#include <linux/mutex.h>
#include <linux/futex.h>
#include <linux/compat.h>
+#include <linux/audit.h> /* for audit_free() */

#include <asm/uaccess.h>
#include <asm/unistd.h>
@@ -904,6 +905,8 @@ fastcall NORET_TYPE void do_exit(long co
if (unlikely(tsk->compat_robust_list))
compat_exit_robust_list(tsk);
#endif
+ if (unlikely(tsk->audit_context))
+ audit_free(tsk);
exit_mm(tsk);

exit_sem(tsk);
diff --git a/kernel/fork.c b/kernel/fork.c
index b3f7a1b..be4a935 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -116,8 +116,6 @@ void __put_task_struct_cb(struct rcu_hea
WARN_ON(atomic_read(&tsk->usage));
WARN_ON(tsk == current);

- if (unlikely(tsk->audit_context))
- audit_free(tsk);
security_task_free(tsk);
free_uid(tsk->user);
put_group_info(tsk->group_info);

Amy Griffis
2006-03-30 15:51:25 UTC
Permalink
Alexander Viro wrote: [Thu Mar 30 2006, 03:54:53AM EST]
Post by Alexander Viro
Question: do we have agreed upon variants of "Inotify kernel API" and
"filesystem location based auditing" patches against the current mainline
(or FC, no difference in that respect) tree?
Not quite sure what you mean by "agreed upon", but I can rediff the
versions in the lspp kernel against the latest audit git head (plus a
list of follow-on patches) if necessary.
Alexander Viro
2006-03-30 16:58:23 UTC
Permalink
Post by Amy Griffis
Alexander Viro wrote: [Thu Mar 30 2006, 03:54:53AM EST]
Post by Alexander Viro
Question: do we have agreed upon variants of "Inotify kernel API" and
"filesystem location based auditing" patches against the current mainline
(or FC, no difference in that respect) tree?
Not quite sure what you mean by "agreed upon", but I can rediff the
versions in the lspp kernel against the latest audit git head (plus a
list of follow-on patches) if necessary.
Please, do (against lspp.4 branch).
Continue reading on narkive:
Loading...