From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 01595C433EF for ; Wed, 29 Dec 2021 22:52:07 +0000 (UTC) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-219-0c8lEczwNVSk1qTH6ZA7pQ-1; Wed, 29 Dec 2021 17:52:03 -0500 X-MC-Unique: 0c8lEczwNVSk1qTH6ZA7pQ-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 57EFD802C92; Wed, 29 Dec 2021 22:51:58 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id AFE0056F8F; Wed, 29 Dec 2021 22:51:57 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id BD4331809CB8; Wed, 29 Dec 2021 22:51:54 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 1BTMppXQ029420 for ; Wed, 29 Dec 2021 17:51:51 -0500 Received: by smtp.corp.redhat.com (Postfix) id 86AA71417200; Wed, 29 Dec 2021 22:51:51 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 814E314171FD for ; Wed, 29 Dec 2021 22:51:51 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4582780A0B1 for ; Wed, 29 Dec 2021 22:51:51 +0000 (UTC) Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-352-uQcEQIWhMGi3M8NA9xR2Yg-1; Wed, 29 Dec 2021 17:51:49 -0500 X-MC-Unique: uQcEQIWhMGi3M8NA9xR2Yg-1 Received: by mail-ed1-f52.google.com with SMTP id bm14so91315662edb.5 for ; Wed, 29 Dec 2021 14:51:49 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/joZc2Q9KivVlJOJjjeeD1+3qeCCrXNOkA3t1BzdQmA=; b=hnAZsxxvSwQVxwMob0jgxq8cKBcGgDII6aSwAxNlVnyfQNDAfBVAE/ob9VdZIM3Ll9 ud2M0jNa6eQYGAMlqAkIi4YIi09fOyNDXLC6TJfV5WZefl19g0YNa6SYAp97eFEnKuJy XkXJOVp50Wwo2DrMgyjMrCqtBkDwCZVUpKvKio5jt4yFdGUpjEsGdHqLa/dgwlOWMi+M /nfemKyVAvhaL+a3OeiWvGKIC6CNMsiv+6d48Ys8uOXP9MPeZjUx6ZAmDqQ9datqaXcB nit718TSNgLcPTVGOY33vREp8onnkTqW3cShpbQINpmGhbx4LZPVIiJUj+5Y0HFXn6Vg eYpw== X-Gm-Message-State: AOAM532PkrFUXRZs08E6jSGeHOqQ5Bh62I+4mMR+L+DF2NqZTNMJxGoN I0eGgWsiyVkzYE/ZTORNrJHQ29pfZoCbs8yp/Icy X-Google-Smtp-Source: ABdhPJwcGC1dd3Lx74B6clU5l5alLpjnsAJyKxKQ/G9iLpz99EpHiHl6c1g2vPHv/CQ45NZWlYW5MrYafrKsOY4iGg8= X-Received: by 2002:a05:6402:2707:: with SMTP id y7mr25344641edd.409.1640818308013; Wed, 29 Dec 2021 14:51:48 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Paul Moore Date: Wed, 29 Dec 2021 17:51:37 -0500 Message-ID: Subject: Re: [RFC PATCH v1] audit: log AUDIT_TIME_* records only from rules To: Richard Guy Briggs X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7 X-loop: linux-audit@redhat.com Cc: Eric Paris , Linux-Audit Mailing List X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Thu, Nov 4, 2021 at 5:00 PM Richard Guy Briggs wrote: > > AUDIT_TIME_* events are generated when there are syscall rules present that are > not related to time keeping. This will produce noisy log entries that could > flood the logs and hide events we really care about. > > Rather than immediately produce the AUDIT_TIME_* records, store the data and > log it at syscall exit time respecting the filter rules. > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919 > > Signed-off-by: Richard Guy Briggs > --- > Note: This is a quick and dirty proof-of-concept. If this approach of > storing the values in the audit_context for later filtering is > acceptable I'll clean up the patch (re-name functions) and re-submit. > > kernel/audit.h | 6 ++++++ > kernel/auditsc.c | 29 +++++++++++++++++++++++++---- > 2 files changed, 31 insertions(+), 4 deletions(-) Reviewing this now with a more critical eye since it is longer just a quick-n-dirty proof of concept ... > diff --git a/kernel/audit.h b/kernel/audit.h > index 3b64a97f6091..25d63731b0e0 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -196,6 +196,12 @@ struct audit_context { > struct { > char *name; > } module; > + struct { > + struct audit_ntp_data data; > + } ntp; > + struct { > + struct timespec64 injoffset; > + } tk; With the ntp and tk structs being separate parts of a union, are we going to have a problem when ADJ_SETOFFSET is set in a call to do_adjtimex()? > }; > int fds[2]; > struct audit_proctitle proctitle; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 6efb0bb909d0..8983790ad86a 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1210,11 +1210,18 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) > from_kuid(&init_user_ns, name->fcap.rootid)); > } > > +void __audit_ntp_log_(const struct audit_ntp_data *ad); > + > static void show_special(struct audit_context *context, int *call_panic) > { > struct audit_buffer *ab; > int i; > > + if (context->type == AUDIT_TIME_ADJNTPVAL) { > + __audit_ntp_log_(&context->ntp.data); > + return; > + } Can we find a way to move this down into the main switch statement in show_special() like you did with AUDIT_TIME_INJOFFSET? This looks *really* hacky to me. Why should AUDIT_TIME_ADJNTPVAL be different from the other "special" bits? > ab = audit_log_start(context, GFP_KERNEL, context->type); > if (!ab) > return; > @@ -1324,6 +1331,11 @@ static void show_special(struct audit_context *context, int *call_panic) > audit_log_format(ab, "(null)"); > > break; > + case AUDIT_TIME_INJOFFSET: > + audit_log_format(ab, "sec=%lli nsec=%li", > + (long long)context->tk.injoffset.tv_sec, > + context->tk.injoffset.tv_nsec); > + break; > } > audit_log_end(ab); > } > @@ -2571,9 +2583,18 @@ void __audit_fanotify(unsigned int response) > > void __audit_tk_injoffset(struct timespec64 offset) > { > - audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET, > - "sec=%lli nsec=%li", > - (long long)offset.tv_sec, offset.tv_nsec); > + struct audit_context *context = audit_context(); > + > + context->type = AUDIT_TIME_INJOFFSET; > + memcpy(&context->tk.injoffset, &offset, sizeof(offset)); > +} > + > +void __audit_ntp_log(const struct audit_ntp_data *ad) > +{ > + struct audit_context *context = audit_context(); > + > + context->type = AUDIT_TIME_ADJNTPVAL; > + memcpy(&context->ntp.data, ad, sizeof(*ad)); > } > > static void audit_log_ntp_val(const struct audit_ntp_data *ad, > @@ -2588,7 +2609,7 @@ static void audit_log_ntp_val(const struct audit_ntp_data *ad, > "op=%s old=%lli new=%lli", op, val->oldval, val->newval); > } > > -void __audit_ntp_log(const struct audit_ntp_data *ad) > +void __audit_ntp_log_(const struct audit_ntp_data *ad) > { > audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET); > audit_log_ntp_val(ad, "freq", AUDIT_NTP_FREQ); Ooof, *please* don't end a function, or any symbol for that matter, with an underscore. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit