AUDIT: Spawn kernel thread to list filter rules.
authorDavid Woodhouse <dwmw2@shinybook.infradead.org>
Tue, 21 Jun 2005 15:22:01 +0000 (16:22 +0100)
committerDavid Woodhouse <dwmw2@shinybook.infradead.org>
Tue, 21 Jun 2005 15:22:01 +0000 (16:22 +0100)
If we have enough rules to fill the netlink buffer space, it'll
deadlock because auditctl isn't ever actually going to read from the
socket until we return, and we aren't going to return until it
reads... so we spawn a kernel thread to spew out the list and then
exit.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
include/linux/audit.h
kernel/audit.c
kernel/auditsc.c

index 5f812e4d01e4f81bfea5daa60ccce9c27061e0ba..5d1a9dda5acba1347812b964f0959d7306856552 100644 (file)
@@ -281,6 +281,7 @@ extern void             audit_send_reply(int pid, int seq, int type,
                                             int done, int multi,
                                             void *payload, int size);
 extern void                audit_log_lost(const char *message);
+extern struct semaphore audit_netlink_sem;
 #else
 #define audit_log(c,t,f,...) do { ; } while (0)
 #define audit_log_start(c,t) ({ NULL; })
index ab6ac560cfe556b50980e07439592c001e9fc6eb..c1ab8dbbb67b5077aa0c6efd63f1ee11745fc00a 100644 (file)
@@ -110,7 +110,7 @@ static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
 /* The netlink socket is only to be read by 1 CPU, which lets us assume
  * that list additions and deletions never happen simultaneously in
  * auditsc.c */
-static DECLARE_MUTEX(audit_netlink_sem);
+DECLARE_MUTEX(audit_netlink_sem);
 
 /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
  * audit records.  Since printk uses a 1024 byte buffer, this buffer
index 031f979019d1534cfba45b35153fa067d5fca511..cb8a44945157889951ad1df68198bbcdf80d8d32 100644 (file)
@@ -39,6 +39,7 @@
 #include <linux/audit.h>
 #include <linux/personality.h>
 #include <linux/time.h>
+#include <linux/kthread.h>
 #include <asm/unistd.h>
 
 /* 0 = no checking
@@ -281,24 +282,60 @@ static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
        return 0;
 }
 
+static int audit_list_rules(void *_dest)
+{
+       int pid, seq;
+       int *dest = _dest;
+       struct audit_entry *entry;
+       int i;
+
+       pid = dest[0];
+       seq = dest[1];
+       kfree(dest);
+
+       down(&audit_netlink_sem);
+
+       /* The *_rcu iterators not needed here because we are
+          always called with audit_netlink_sem held. */
+       for (i=0; i<AUDIT_NR_FILTERS; i++) {
+               list_for_each_entry(entry, &audit_filter_list[i], list)
+                       audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
+                                        &entry->rule, sizeof(entry->rule));
+       }
+       audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
+       
+       up(&audit_netlink_sem);
+       return 0;
+}
+
 int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
                                                        uid_t loginuid)
 {
        struct audit_entry *entry;
+       struct task_struct *tsk;
+       int *dest;
        int                err = 0;
-       int i;
        unsigned listnr;
 
        switch (type) {
        case AUDIT_LIST:
-               /* The *_rcu iterators not needed here because we are
-                  always called with audit_netlink_sem held. */
-               for (i=0; i<AUDIT_NR_FILTERS; i++) {
-                       list_for_each_entry(entry, &audit_filter_list[i], list)
-                               audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
-                                                &entry->rule, sizeof(entry->rule));
+               /* We can't just spew out the rules here because we might fill
+                * the available socket buffer space and deadlock waiting for
+                * auditctl to read from it... which isn't ever going to
+                * happen if we're actually running in the context of auditctl
+                * trying to _send_ the stuff */
+                
+               dest = kmalloc(2 * sizeof(int), GFP_KERNEL);
+               if (!dest)
+                       return -ENOMEM;
+               dest[0] = pid;
+               dest[1] = seq;
+
+               tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");
+               if (IS_ERR(tsk)) {
+                       kfree(dest);
+                       err = PTR_ERR(tsk);
                }
-               audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
                break;
        case AUDIT_ADD:
                if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
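Review bot: audit_list_rules() holds audit_netlink_sem from `down()` through every `audit_send_reply()` call until `up()`, so if a send blocks on a full socket buffer (the condition the commit message describes), the semaphore stays held for as long as the requester does not read. The comment in kernel/audit.c ties this semaphore to netlink reading, so a stalled AUDIT_LIST client could presumably hold up every other audit control request; consider building the replies under the semaphore and sending them only after `up()`. The comment copied into the new function is also stale, because the thread now takes the semaphore itself instead of being called with it held: `/* The *_rcu iterators are not needed here because we hold audit_netlink_sem for the whole walk. */`. Separately, the reply is addressed by the saved `pid` after the request has already returned, so it is worth confirming that the netlink pid cannot be rebound to a different socket before the thread runs. audit_receive_filter's body continues outside the hunk.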