Differential D48448

audit: Fix short-circuiting in syscallenter()
ClosedPublic
Actions

Authored by markj on Jan 13 2025, 4:25 PM.

Tags

None

Referenced Files

	F132326993: D48448.id149208.diff
	Wed, Oct 15, 10:36 PM

	Unknown Object (File)
	Sat, Oct 11, 9:32 PM

	Unknown Object (File)
	Fri, Oct 10, 10:24 PM

	Unknown Object (File)
	Sat, Oct 4, 4:40 PM

	Unknown Object (File)
	Fri, Sep 26, 2:15 AM

	Unknown Object (File)
	Sat, Sep 20, 10:39 AM

	Unknown Object (File)
	Sep 16 2025, 7:25 AM

	Unknown Object (File)
	Sep 15 2025, 10:04 PM

View All 61 Files

Subscribers

Details

Reviewers

kib
mjg

Commits

rGf7b9cd733c39: audit: Fix short-circuiting in syscallenter()
rG1574c53178e9: audit: Fix short-circuiting in syscallenter()
rG71bf983f92ba: audit: Fix short-circuiting in syscallenter()
rG1bf531bcd791: audit: Fix short-circuiting in syscallenter()
rG4b9ba274d736: audit: Fix short-circuiting in syscallenter()
rGf78fe930854c: audit: Fix short-circuiting in syscallenter()

Summary

syscallenter() has a slow path to handle syscall auditing and dtrace
syscall tracing. It uses AUDIT_SYSCALL_ENTER() to check whether to take
the slow path, but this macro also has side effects: it writes the audit
log entry. When systrace (dtrace syscall tracing) is enabled, this
would get short-circuited, and we end up not writing audit log entries.

Introduce a pure macro to check whether auditing is enabled, use it in
syscallenter() instead of AUDIT_SYSCALL_ENTER().

MFC after: 3 days
Reported by: Joe Duin <jd@firexfly.com>
Fixes: 2f7292437d0c ("Merge audit and systrace checks")
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 61701
Build 58585: arc lint + arc unit

Event Timeline

markj created this revision.Jan 13 2025, 4:25 PM

Herald added subscribers: olce, imp. · View Herald TranscriptJan 13 2025, 4:25 PM

markj requested review of this revision.Jan 13 2025, 4:25 PM

Harbormaster completed remote builds in B61701: Diff 149190.Jan 13 2025, 4:25 PM

emaste added a subscriber: emaste.Jan 13 2025, 5:18 PM

kib added inline comments.Jan 13 2025, 7:50 PM

sys/security/audit/audit.h
392	I do not see a value in defining such single-use obfuscating macro. Why not use the var directly in the if condition, same as sy_thr_static?

Handle the "nooptions AUDIT" case too.

Harbormaster completed remote builds in B61706: Diff 149208.Jan 13 2025, 8:14 PM

markj added inline comments.Jan 13 2025, 8:14 PM

sys/security/audit/audit.h
392	It's my bug. The reason to use a macro is to avoid adding ifdefs, since audit support can be compiled out of the kernel.

kib accepted this revision.Jan 13 2025, 8:59 PM

This revision is now accepted and ready to land.Jan 13 2025, 8:59 PM

Closed by commit rGf78fe930854c: audit: Fix short-circuiting in syscallenter() (authored by markj). · Explain WhyJan 14 2025, 3:26 PM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rGf78fe930854c: audit: Fix short-circuiting in syscallenter().

markj added a commit: rG4b9ba274d736: audit: Fix short-circuiting in syscallenter().Jan 17 2025, 1:40 PM

markj added a commit: rG1bf531bcd791: audit: Fix short-circuiting in syscallenter().

markj added a commit: rG71bf983f92ba: audit: Fix short-circuiting in syscallenter().Jan 29 2025, 6:55 PM

markj added a commit: rG1574c53178e9: audit: Fix short-circuiting in syscallenter().

markj added a commit: rGf7b9cd733c39: audit: Fix short-circuiting in syscallenter().Jan 29 2025, 7:01 PM

Revision Contents
Changeset List

Path

Size

sys/

kern/

8 lines

security/

audit/

4 lines

Diff 149190

sys/kern/subr_syscall.c

Loading...

sys/security/audit/audit.h

Loading...