Differential D48448

audit: Fix short-circuiting in syscallenter()
ClosedPublic
Actions

Authored by markj on Jan 13 2025, 4:25 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Sat, Nov 15, 3:59 PM

	Unknown Object (File)
	Fri, Nov 14, 11:09 AM

	Unknown Object (File)
	Mon, Nov 10, 10:43 AM

	Unknown Object (File)
	Sun, Nov 9, 12:47 AM

	Unknown Object (File)
	Wed, Oct 29, 9:39 AM

	Unknown Object (File)
	Wed, Oct 29, 9:26 AM

	Unknown Object (File)
	Sat, Oct 25, 9:15 PM

	Unknown Object (File)
	Oct 17 2025, 11:36 PM

View All 69 Files

Subscribers

Details

Reviewers

kib
mjg

Commits

rGf7b9cd733c39: audit: Fix short-circuiting in syscallenter()
rG1574c53178e9: audit: Fix short-circuiting in syscallenter()
rG71bf983f92ba: audit: Fix short-circuiting in syscallenter()
rG1bf531bcd791: audit: Fix short-circuiting in syscallenter()
rG4b9ba274d736: audit: Fix short-circuiting in syscallenter()
rGf78fe930854c: audit: Fix short-circuiting in syscallenter()

Summary

syscallenter() has a slow path to handle syscall auditing and dtrace
syscall tracing. It uses AUDIT_SYSCALL_ENTER() to check whether to take
the slow path, but this macro also has side effects: it writes the audit
log entry. When systrace (dtrace syscall tracing) is enabled, this
would get short-circuited, and we end up not writing audit log entries.

Introduce a pure macro to check whether auditing is enabled, use it in
syscallenter() instead of AUDIT_SYSCALL_ENTER().

MFC after: 3 days
Reported by: Joe Duin <jd@firexfly.com>
Fixes: 2f7292437d0c ("Merge audit and systrace checks")
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 61701
Build 58585: arc lint + arc unit

Event Timeline

markj created this revision.Jan 13 2025, 4:25 PM

Herald added subscribers: olce, imp. · View Herald TranscriptJan 13 2025, 4:25 PM

markj requested review of this revision.Jan 13 2025, 4:25 PM

Harbormaster completed remote builds in B61701: Diff 149190.Jan 13 2025, 4:25 PM

emaste added a subscriber: emaste.Jan 13 2025, 5:18 PM

kib added inline comments.Jan 13 2025, 7:50 PM

sys/security/audit/audit.h
392	I do not see a value in defining such single-use obfuscating macro. Why not use the var directly in the if condition, same as sy_thr_static?

Handle the "nooptions AUDIT" case too.

Harbormaster completed remote builds in B61706: Diff 149208.Jan 13 2025, 8:14 PM

markj added inline comments.Jan 13 2025, 8:14 PM

sys/security/audit/audit.h
392	It's my bug. The reason to use a macro is to avoid adding ifdefs, since audit support can be compiled out of the kernel.

kib accepted this revision.Jan 13 2025, 8:59 PM

This revision is now accepted and ready to land.Jan 13 2025, 8:59 PM

Closed by commit rGf78fe930854c: audit: Fix short-circuiting in syscallenter() (authored by markj). · Explain WhyJan 14 2025, 3:26 PM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rGf78fe930854c: audit: Fix short-circuiting in syscallenter().

markj added a commit: rG4b9ba274d736: audit: Fix short-circuiting in syscallenter().Jan 17 2025, 1:40 PM

markj added a commit: rG1bf531bcd791: audit: Fix short-circuiting in syscallenter().

markj added a commit: rG71bf983f92ba: audit: Fix short-circuiting in syscallenter().Jan 29 2025, 6:55 PM

markj added a commit: rG1574c53178e9: audit: Fix short-circuiting in syscallenter().

markj added a commit: rGf7b9cd733c39: audit: Fix short-circuiting in syscallenter().Jan 29 2025, 7:01 PM

Revision Contents
Changeset List

Path

Size

sys/

kern/

8 lines

security/

audit/

4 lines

Diff 149190

sys/kern/subr_syscall.c

Loading...

sys/security/audit/audit.h

Loading...