[Devel] [PATCH rh7] kernel: drop broken audit virtualization

Vladimir Davydov vdavydov at parallels.com
Fri Jun 26 03:28:08 PDT 2015


As noted by Cyrill, it is deadly broken, that's why we disabled it in
config - see commit d9362cde31ac ("audit: Disable audit subsystem in
config"). This patch removes the virtualization code too. Since audit
has been made per-net-namespace upstream, if we want it back we'd
better pull the upstream patches.

Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
---
 include/net/net_namespace.h |  1 -
 kernel/audit.c              | 51 ++++++++++-----------------------------------
 2 files changed, 11 insertions(+), 41 deletions(-)

diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 14eda0090f57..20eb09347f9b 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -86,7 +86,6 @@ struct net {
 	/* core fib_rules */
 	struct list_head	rules_ops;
 
-	struct sock		*_audit_sock;		/* audit socket */
 
 	struct net_device       *loopback_dev;          /* The loopback */
 	struct netns_core	core;
diff --git a/kernel/audit.c b/kernel/audit.c
index e081f0832d7d..2c6de57b439e 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -51,7 +51,6 @@
 #include <linux/kthread.h>
 #include <linux/kernel.h>
 #include <linux/syscalls.h>
-#include <linux/ve.h>
 
 #include <linux/audit.h>
 
@@ -121,7 +120,8 @@ u32		audit_sig_sid = 0;
 */
 static atomic_t    audit_lost = ATOMIC_INIT(0);
 
-#define audit_sock	(get_exec_env()->ve_netns->_audit_sock)
+/* The netlink socket. */
+static struct sock *audit_sock;
 
 /* Hash for inode-based rules */
 struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
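Review bot: The new comment `/* The netlink socket. */` says less than the macro it replaces did: the old definition was keyed on `get_exec_env()->ve_netns`, and the replacement is a single global whose namespace is only visible in the audit_init hunk further down. Recording that here saves a reader from having to find it, e.g. `/* The netlink socket; created in init_net only, by audit_init(). */`.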
@@ -755,9 +755,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	char			*ctx = NULL;
 	u32			len;
 
-	if (!ve_is_super(sock_net(skb->sk)->owner_ve))
-		return -ECONNREFUSED;
-
 	err = audit_netlink_ok(skb, msg_type);
 	if (err)
 		return err;
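Review bot: The removed `ve_is_super()` check was the only explicit per-container gate in audit_receive_msg, and nothing in this hunk records what now keeps a container's netlink traffic away from the audit subsystem. As far as the patch shows, the remaining barriers are that the socket is created only in `init_net` (in the audit_init hunk below) and the capability checks done by `audit_netlink_ok()` on the following line; a comment at that call site would keep a later change from reintroducing a per-netns socket without restoring a gate, e.g. `/* audit_sock exists only in init_net, so sockets from other namespaces cannot reach here; audit_netlink_ok() enforces the capability checks on what does. */`. audit_receive_msg begins and ends outside the hunk.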
@@ -1017,50 +1014,24 @@ static void audit_receive(struct sk_buff  *skb)
 	mutex_unlock(&audit_cmd_mutex);
 }
 
-static int __net_init audit_net_init(struct net *net)
-{
-	struct sock *sk;
-	struct netlink_kernel_cfg cfg = {
-		.input = audit_receive,
-	};
-
-	sk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
-	if (!sk) {
-		audit_panic("cannot initialize netlink socket");
-		return -ENODEV;
-	}
-
-	sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
-	net->_audit_sock = sk;
-
-	return 0;
-}
-
-static void __net_exit audit_net_exit(struct net *net)
-{
-	netlink_kernel_release(net->_audit_sock);
-	net->_audit_sock = NULL;
-}
-
-static struct pernet_operations audit_net_ops = {
-	.init = audit_net_init,
-	.exit = audit_net_exit,
-};
-
 /* Initialize audit support at boot time. */
 static int __init audit_init(void)
 {
-	int i, res;
+	int i;
+	struct netlink_kernel_cfg cfg = {
+		.input	= audit_receive,
+	};
 
 	if (audit_initialized == AUDIT_DISABLED)
 		return 0;
 
 	printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
 	       audit_default ? "enabled" : "disabled");
-
-	res = register_pernet_subsys(&audit_net_ops);
-	if (res < 0)
-		return res;
+	audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
+	if (!audit_sock)
+		audit_panic("cannot initialize netlink socket");
+	else
+		audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
 
 	skb_queue_head_init(&audit_skb_queue);
 	skb_queue_head_init(&audit_skb_hold_queue);
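Review bot: The failure path of audit_init changes meaning here: the removed `register_pernet_subsys()` branch returned its error, while the new code calls `audit_panic()` when `netlink_kernel_create()` returns NULL and then carries on, leaving `audit_sock` NULL for the rest of initialization. That is presumably deliberate (it looks like the pre-virtualization shape of this function, and what audit_panic does depends on the configured failure mode), but every later user of `audit_sock` now has to tolerate NULL, and the hunk does not say so. A short comment on the `if (!audit_sock)` branch would make the contract explicit: `/* Keep going without a socket: audit_panic() may only log, and every user of audit_sock must handle NULL. */`. audit_init continues past the end of the hunk, so whether any later line in it touches audit_sock cannot be checked from here.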
-- 
2.1.4



