git: 4b9ba274d736 - stable/14 - audit: Fix short-circuiting in syscallenter()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 17 Jan 2025 13:40:36 UTC
The branch stable/14 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=4b9ba274d736de74676051c8f13e7d3dd536334b
commit 4b9ba274d736de74676051c8f13e7d3dd536334b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-01-14 14:19:24 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-01-17 13:18:51 +0000
    audit: Fix short-circuiting in syscallenter()
    
    syscallenter() has a slow path to handle syscall auditing and dtrace
    syscall tracing.  It uses AUDIT_SYSCALL_ENTER() to check whether to take
    the slow path, but this macro also has side effects: it writes the audit
    log entry.  When systrace (dtrace syscall tracing) is enabled, this
    would get short-circuited, and we end up not writing audit log entries.
    
    Introduce a pure macro to check whether auditing is enabled, use it in
    syscallenter() instead of AUDIT_SYSCALL_ENTER().
    
    Reviewed by:    kib
    Reported by:    Joe Duin <jd@firexfly.com>
    Fixes:          2f7292437d0c ("Merge audit and systrace checks")
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D48448
    
    (cherry picked from commit f78fe930854cac6eed55859b45e0a7b5d87189d6)
---
 sys/kern/subr_syscall.c    | 8 +++++---
 sys/security/audit/audit.h | 5 ++++-
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/sys/kern/subr_syscall.c b/sys/kern/subr_syscall.c
index 725467e1215f..25843eec3754 100644
--- a/sys/kern/subr_syscall.c
+++ b/sys/kern/subr_syscall.c
@@ -143,9 +143,8 @@ syscallenter(struct thread *td)
 
 	sy_thr_static = (se->sy_thrcnt & SY_THR_STATIC) != 0;
 
-	if (__predict_false(SYSTRACE_ENABLED() ||
-	    AUDIT_SYSCALL_ENTER(sa->code, td) ||
-	    !sy_thr_static)) {
+	if (__predict_false(AUDIT_SYSCALL_ENABLED() ||
+	    SYSTRACE_ENABLED() || !sy_thr_static)) {
 		if (!sy_thr_static) {
 			error = syscall_thread_enter(td, &se);
 			sy_thr_static = (se->sy_thrcnt & SY_THR_STATIC) != 0;
@@ -160,6 +159,9 @@ syscallenter(struct thread *td)
 		if (__predict_false(se->sy_entry != 0))
 			(*systrace_probe_func)(sa, SYSTRACE_ENTRY, 0);
 #endif
+
+		AUDIT_SYSCALL_ENTER(sa->code, td);
+
 		error = (se->sy_call)(td, sa->args);
 		/* Save the latest error return value. */
 		if (__predict_false((td->td_pflags & TDP_NERRNO) != 0))
diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h
index b87dd52e0773..28e84dce79f3 100644
--- a/sys/security/audit/audit.h
+++ b/sys/security/audit/audit.h
@@ -389,9 +389,11 @@ void	 audit_thread_free(struct thread *td);
 		audit_arg_vnode2((vp));					\
 } while (0)
 
+#define	AUDIT_SYSCALL_ENABLED()	audit_syscalls_enabled
+
 #define	AUDIT_SYSCALL_ENTER(code, td)	({				\
 	bool _audit_entered = false;					\
-	if (__predict_false(audit_syscalls_enabled)) {			\
+	if (audit_syscalls_enabled) {					\
 		audit_syscall_enter(code, td);				\
 		_audit_entered = true;					\
 	}								\
@@ -468,6 +470,7 @@ void	 audit_thread_free(struct thread *td);
 
 #define	AUDITING_TD(td)		0
 
+#define	AUDIT_SYSCALL_ENABLED()	0
 #define	AUDIT_SYSCALL_ENTER(code, td)	0
 #define	AUDIT_SYSCALL_EXIT(error, td)