[Devel] [PATCH RHEL7 COMMIT] ve/kernel: drop broken audit virtualization
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Jun 29 06:51:45 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.22
------>
commit 5d57c681071143a4fafe0d8589cb5f5073d7ef09
Author: Vladimir Davydov <vdavydov at parallels.com>
Date: Mon Jun 29 17:51:45 2015 +0400
ve/kernel: drop broken audit virtualization
As noted by Cyrill, it is deadly broken, that's why we disabled it in
config - see commit d9362cde31ac ("audit: Disable audit subsystem in
config"). This patch removes the virtualization code too. Since audit
has been made per-net-namespace upstream, if we want it back we'd
better pull the upstream patches.
Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
---
include/net/net_namespace.h | 1 -
kernel/audit.c | 51 ++++++++++-----------------------------------
2 files changed, 11 insertions(+), 41 deletions(-)
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 14eda00..20eb093 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -86,7 +86,6 @@ struct net {
/* core fib_rules */
struct list_head rules_ops;
- struct sock *_audit_sock; /* audit socket */
struct net_device *loopback_dev; /* The loopback */
struct netns_core core;
diff --git a/kernel/audit.c b/kernel/audit.c
index e081f08..2c6de57 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -51,7 +51,6 @@
#include <linux/kthread.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
-#include <linux/ve.h>
#include <linux/audit.h>
@@ -121,7 +120,8 @@ u32 audit_sig_sid = 0;
*/
static atomic_t audit_lost = ATOMIC_INIT(0);
-#define audit_sock (get_exec_env()->ve_netns->_audit_sock)
+/* The netlink socket. */
+static struct sock *audit_sock;
/* Hash for inode-based rules */
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
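Review bot: The new comment `/* The netlink socket. */` on `audit_sock` does not record the behaviour this patch introduces: the per-namespace `_audit_sock` lookup is gone and the socket is now a single file-scope pointer, created in init_net only by audit_init. A reader of this line alone cannot tell whether the socket is namespaced, which is exactly the question the next person re-enabling audit will ask. Suggest `/* The netlink socket; created in init_net only (see audit_init) -- audit is not namespaced here. */`.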
@@ -755,9 +755,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
char *ctx = NULL;
u32 len;
- if (!ve_is_super(sock_net(skb->sk)->owner_ve))
- return -ECONNREFUSED;
-
err = audit_netlink_ok(skb, msg_type);
if (err)
return err;
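Review bot: With the `ve_is_super()` test removed, `audit_netlink_ok()` on the preceding line is the only admission check left in audit_receive_msg, and the commit message does not say what now keeps container processes off the audit control path. Since the socket is created in init_net only (see the audit_init hunk), a container with its own network namespace presumably cannot reach it at all, while a process sharing init_net is gated solely by whatever capability checks audit_netlink_ok performs; that is worth confirming against how VEs are granted capabilities. Per the description audit is disabled in the config, so this is latent rather than live, but one sentence in the commit message stating that admission now rests on init_net scoping plus audit_netlink_ok would record the reasoning. audit_receive_msg continues outside the hunk.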
@@ -1017,50 +1014,24 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
-static int __net_init audit_net_init(struct net *net)
-{
- struct sock *sk;
- struct netlink_kernel_cfg cfg = {
- .input = audit_receive,
- };
-
- sk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
- if (!sk) {
- audit_panic("cannot initialize netlink socket");
- return -ENODEV;
- }
-
- sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
- net->_audit_sock = sk;
-
- return 0;
-}
-
-static void __net_exit audit_net_exit(struct net *net)
-{
- netlink_kernel_release(net->_audit_sock);
- net->_audit_sock = NULL;
-}
-
-static struct pernet_operations audit_net_ops = {
- .init = audit_net_init,
- .exit = audit_net_exit,
-};
-
/* Initialize audit support at boot time. */
static int __init audit_init(void)
{
- int i, res;
+ int i;
+ struct netlink_kernel_cfg cfg = {
+ .input = audit_receive,
+ };
if (audit_initialized == AUDIT_DISABLED)
return 0;
printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
audit_default ? "enabled" : "disabled");
-
- res = register_pernet_subsys(&audit_net_ops);
- if (res < 0)
- return res;
+ audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
+ if (!audit_sock)
+ audit_panic("cannot initialize netlink socket");
+ else
+ audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
skb_queue_head_init(&audit_skb_queue);
skb_queue_head_init(&audit_skb_hold_queue);
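Review bot: When `netlink_kernel_create()` fails, the new `if (!audit_sock) audit_panic(...); else ...` leaves `audit_sock` NULL and audit_init carries on initialising the queues, whereas the removed `register_pernet_subsys()` path returned the error to the caller. Whether that is acceptable depends on audit_panic() honouring the configured failure mode rather than simply returning, which this hunk does not show, so the intent should be stated at the call site: `/* On failure audit_sock stays NULL; audit_panic() applies the configured failure policy. */`. audit_init's body continues past the end of the hunk, so the eventual return value on this path is not visible here.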