From: Paul Moore <paul@paul-moore.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: casey.schaufler@intel.com, James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
linux-audit@redhat.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH v28 22/25] Audit: Add record for multiple process LSM attributes
Date: Fri, 20 Aug 2021 15:06:15 -0400 [thread overview]
Message-ID: <CAHC9VhSsJoEc=EDkUCrHr5Uid9DhsoininpvPVt+Ab6RsqieOQ@mail.gmail.com> (raw)
In-Reply-To: <6f219a4d-8686-e35a-6801-eb66f98c8032@schaufler-ca.com>
On Thu, Aug 19, 2021 at 6:41 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 8/18/2021 5:56 PM, Casey Schaufler wrote:
> > On 8/18/2021 5:47 PM, Paul Moore wrote:
> >> ...
> >> I just spent a few minutes tracing the code paths up from audit
> >> through netlink and then through the socket layer and I'm not seeing
> >> anything obvious where the path differs from any other syscall;
> >> current->audit_context *should* be valid just like any other syscall.
> >> However, I do have to ask, are you only seeing these audit records
> >> with a current->audit_context equal to NULL during early boot?
> >
> > Nope. Sorry.
>
> It looks as if all of the NULL audit_context cases are for either
> auditd or systemd. Given what the events are, this isn't especially
> surprising.
I think we may be back to the "early boot" theory.
Unless you explicitly enable audit on the kernel cmdline, e.g.
"audit=1", processes started before userspace enables audit will not
have a properly allocated audit_context; see the "if
(likely(!audit_ever_enabled))" check at the top of audit_alloc() for
the reason why.
I could be wrong here, but I suspect if you add "audit=1" to your
kernel command line those remaining cases of NULL audit_contexts will
resolve themselves. If not, we still have work to do ... well, I mean
we still have (different) work to do even if this solves the mystery,
it's just that we can now explain what you are seeing :)
--
paul moore
www.paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: john.johansen@canonical.com, selinux@vger.kernel.org,
James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org, linux-audit@redhat.com,
casey.schaufler@intel.com, Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH v28 22/25] Audit: Add record for multiple process LSM attributes
Date: Fri, 20 Aug 2021 15:06:15 -0400 [thread overview]
Message-ID: <CAHC9VhSsJoEc=EDkUCrHr5Uid9DhsoininpvPVt+Ab6RsqieOQ@mail.gmail.com> (raw)
In-Reply-To: <6f219a4d-8686-e35a-6801-eb66f98c8032@schaufler-ca.com>
On Thu, Aug 19, 2021 at 6:41 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 8/18/2021 5:56 PM, Casey Schaufler wrote:
> > On 8/18/2021 5:47 PM, Paul Moore wrote:
> >> ...
> >> I just spent a few minutes tracing the code paths up from audit
> >> through netlink and then through the socket layer and I'm not seeing
> >> anything obvious where the path differs from any other syscall;
> >> current->audit_context *should* be valid just like any other syscall.
> >> However, I do have to ask, are you only seeing these audit records
> >> with a current->audit_context equal to NULL during early boot?
> >
> > Nope. Sorry.
>
> It looks as if all of the NULL audit_context cases are for either
> auditd or systemd. Given what the events are, this isn't especially
> surprising.
I think we may be back to the "early boot" theory.
Unless you explicitly enable audit on the kernel cmdline, e.g.
"audit=1", processes started before userspace enables audit will not
have a properly allocated audit_context; see the "if
(likely(!audit_ever_enabled))" check at the top of audit_alloc() for
the reason why.
I could be wrong here, but I suspect if you add "audit=1" to your
kernel command line those remaining cases of NULL audit_contexts will
resolve themselves. If not, we still have work to do ... well, I mean
we still have (different) work to do even if this solves the mystery,
it's just that we can now explain what you are seeing :)
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2021-08-20 19:06 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210722004758.12371-1-casey.ref@schaufler-ca.com>
2021-07-22 0:47 ` [PATCH v28 00/25] LSM: Module stacking for AppArmor Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 01/25] LSM: Infrastructure management of the sock security Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 02/25] LSM: Add the lsmblob data structure Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 03/25] LSM: provide lsm name and id slot mappings Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 04/25] IMA: avoid label collisions with stacked LSMs Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 05/25] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 06/25] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 07/25] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 08/25] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 09/25] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 10/25] LSM: Use lsmblob in security_task_getsecid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 11/25] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 12/25] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-23 23:56 ` kernel test robot
2021-07-23 23:56 ` kernel test robot
2021-07-23 23:56 ` kernel test robot
2021-07-22 0:47 ` [PATCH v28 13/25] IMA: Change internal interfaces to use lsmblobs Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 14/25] LSM: Specify which LSM to display Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 15/25] LSM: Ensure the correct LSM context releaser Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 16/25] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 17/25] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 18/25] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 19/25] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 20/25] LSM: Verify LSM display sanity in binder Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 21/25] audit: support non-syscall auxiliary records Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 17:02 ` kernel test robot
2021-07-22 17:02 ` kernel test robot
2021-07-22 17:02 ` kernel test robot
2021-07-22 0:47 ` [PATCH v28 22/25] Audit: Add record for multiple process LSM attributes Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 4:08 ` kernel test robot
2021-07-22 4:08 ` kernel test robot
2021-08-12 20:59 ` Paul Moore
2021-08-12 20:59 ` Paul Moore
2021-08-12 22:38 ` Casey Schaufler
2021-08-12 22:38 ` Casey Schaufler
2021-08-13 15:31 ` Paul Moore
2021-08-13 15:31 ` Paul Moore
2021-08-13 18:48 ` Casey Schaufler
2021-08-13 18:48 ` Casey Schaufler
2021-08-13 20:43 ` Paul Moore
2021-08-13 20:43 ` Paul Moore
2021-08-13 21:47 ` Casey Schaufler
2021-08-13 21:47 ` Casey Schaufler
2021-08-16 18:57 ` Paul Moore
2021-08-16 18:57 ` Paul Moore
2021-08-18 21:59 ` Casey Schaufler
2021-08-18 21:59 ` Casey Schaufler
2021-08-19 0:47 ` Paul Moore
2021-08-19 0:47 ` Paul Moore
2021-08-19 0:56 ` Casey Schaufler
2021-08-19 0:56 ` Casey Schaufler
2021-08-19 22:41 ` Casey Schaufler
2021-08-19 22:41 ` Casey Schaufler
2021-08-20 19:06 ` Paul Moore [this message]
2021-08-20 19:06 ` Paul Moore
2021-08-20 19:17 ` Casey Schaufler
2021-08-20 19:17 ` Casey Schaufler
2021-08-20 23:48 ` Casey Schaufler
2021-08-20 23:48 ` Casey Schaufler
2021-08-24 14:45 ` Paul Moore
2021-08-24 14:45 ` Paul Moore
2021-08-24 15:20 ` Casey Schaufler
2021-08-24 15:20 ` Casey Schaufler
2021-08-24 16:14 ` Paul Moore
2021-08-24 16:14 ` Paul Moore
2021-07-22 0:47 ` [PATCH v28 23/25] Audit: Add record for multiple object " Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 24/25] LSM: Add /proc attr entry for full LSM context Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 25/25] AppArmor: Remove the exclusive flag Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhSsJoEc=EDkUCrHr5Uid9DhsoininpvPVt+Ab6RsqieOQ@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.