Differential D48448

audit: Fix short-circuiting in syscallenter()
ClosedPublic
Actions

Authored by markj on Mon, Jan 13, 4:25 PM.

Tags

None

Referenced Files

	F107507027: D48448.id149190.diff
	Wed, Jan 15, 4:55 AM

	F107490165: D48448.diff
	Tue, Jan 14, 10:51 PM

	F107480643: D48448.diff
	Tue, Jan 14, 7:32 PM

Subscribers

Details

Reviewers

kib
mjg

Commits

rGf78fe930854c: audit: Fix short-circuiting in syscallenter()

Summary

syscallenter() has a slow path to handle syscall auditing and dtrace
syscall tracing. It uses AUDIT_SYSCALL_ENTER() to check whether to take
the slow path, but this macro also has side effects: it writes the audit
log entry. When systrace (dtrace syscall tracing) is enabled, this
would get short-circuited, and we end up not writing audit log entries.

Introduce a pure macro to check whether auditing is enabled, use it in
syscallenter() instead of AUDIT_SYSCALL_ENTER().

MFC after: 3 days
Reported by: Joe Duin <jd@firexfly.com>
Fixes: 2f7292437d0c ("Merge audit and systrace checks")
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Mon, Jan 13, 4:25 PM

Herald added subscribers: olce, imp. · View Herald TranscriptMon, Jan 13, 4:25 PM

markj requested review of this revision.Mon, Jan 13, 4:25 PM

Harbormaster completed remote builds in B61701: Diff 149190.Mon, Jan 13, 4:25 PM

emaste added a subscriber: emaste.Mon, Jan 13, 5:18 PM

kib added inline comments.Mon, Jan 13, 7:50 PM

sys/security/audit/audit.h
392	I do not see a value in defining such single-use obfuscating macro. Why not use the var directly in the if condition, same as sy_thr_static?

Handle the "nooptions AUDIT" case too.

Harbormaster completed remote builds in B61706: Diff 149208.Mon, Jan 13, 8:14 PM

markj added inline comments.Mon, Jan 13, 8:14 PM

sys/security/audit/audit.h
392	It's my bug. The reason to use a macro is to avoid adding ifdefs, since audit support can be compiled out of the kernel.

kib accepted this revision.Mon, Jan 13, 8:59 PM

This revision is now accepted and ready to land.Mon, Jan 13, 8:59 PM

Closed by commit rGf78fe930854c: audit: Fix short-circuiting in syscallenter() (authored by markj). · Explain WhyTue, Jan 14, 3:26 PM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rGf78fe930854c: audit: Fix short-circuiting in syscallenter().

Revision Contents
Changeset List

Path

Size

sys/

kern/

8 lines

security/

audit/

5 lines

Diff 149234

sys/kern/subr_syscall.c

Loading...

sys/security/audit/audit.h

Loading...