From: Rinat Gadelshin <rgadelsh@gmail.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	Paul Moore <paul@paul-moore.com>
Cc: audit@vger.kernel.org, linux-audit@redhat.com
Subject: Re: Can AUDIT_LIST_RULES causes kthreadd-spam?
Date: Sat, 6 May 2023 01:12:23 +0300	[thread overview]
Message-ID: <7c4caf66-a0ae-4999-172e-437d6cfc8ff3@gmail.com> (raw)
In-Reply-To: <415a4871-4d84-a31f-5417-e850a98bbffd@I-love.SAKURA.ne.jp>

On 05.05.2023 01:53, Tetsuo Handa wrote:
> On 2023/05/05 3:40, Paul Moore wrote:
>> On Wed, May 3, 2023 at 10:50 PM Tetsuo Handa
>> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>> On 2023/05/04 7:12, Rinat Gadelshin wrote:
>>>> On 04.05.2023 00:27, Paul Moore wrote:
>>>>> Can you be more specific about the kernel threads you are seeing, are
>>>>> you seeing multiple "kauditd" threads?
>>>>>
>>>>> % ps -fC kauditd
>>>>> UID          PID    PPID  C STIME TTY          TIME CMD
>>>>> root          89       2  0 Apr28 ?        00:00:00 [kauditd]
>>> I don't think so.
>>>
>>> The kernel audit subsystem uses kthread_run() to run short-lived kernel threads.
>> Thanks Tetsuo, I agree that's far more likely.  Ever since I took over
>> shepherding the audit code, all of the thread issues have been around
>> the main audit queue thread so it's a bit reflexive to assume that is
>> the case :)
>>
> Since kthread_run(audit_send_list_thread) is called by audit_receive_msg(AUDIT_LIST_RULES)
> via audit_list_rules_send(), trying to audit fork requests via AUDIT_LIST_RULES will cause
> spam. Maybe something is going wrong with the "And such events occurred 1208 times when
> AUDIT_LIST_RULES is sending." part; let's wait for what printk() says.
>
> By the way, why do we need to use kthread_run() for short-lived tasks? Can't we use
> a dedicated workqueue, which would significantly reduce the frequency of fork requests for
> AUDIT_LIST_RULES requests?
>
Hello there =)
Sorry for my long absence.

I've managed to build and install the custom kernel (from Linus' branch with Tetsuo's patch for logging).

The following rules were dictated by my netlink (with the poll rule's logic disabled):

-a always,exit -F arch=b32 -S fork,execve,clone,vfork,execveat
-a always,exit -F arch=b64 -S clone,fork,vfork,execve,execveat
-a never,exit -F pid=4641
-a never,exit -F ppid=4641
-a never,exit -F pid=1
-a never,exit -F ppid=1
-a always,exit -F arch=b64 -S kill,ptrace
-a always,exit -F arch=b32 -S ptrace,kill
-a always,exit -F arch=b64 -S exit,exit_group
-a always,exit -F arch=b32 -S exit,exit_group
-a always,exit -F arch=b64 -S connect,accept,accept4
-a always,exit -F arch=b32 -S connect,accept4
-a always,exit -F arch=b64 -S open,creat,openat,437
-a always,exit -F arch=b64 -S rename,renameat,renameat2
-a always,exit -F arch=b32 -S rename,renameat,renameat2
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat
-a always,exit -F arch=b64 -S link,symlink,linkat,symlinkat
-a always,exit -F arch=b32 -S link,symlink,linkat,symlinkat
-a always,exit -F arch=b64 -S mount,umount2
-a always,exit -F arch=b32 -S mount,umount,umount2
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid,setresuid,setresgid
-a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid,setresuid,setresgid
-a always,exit -F arch=b64 -S mmap,mprotect -F a2=0x7
-a always,exit -F arch=b32 -S mmap,mprotect -F a2=0x7
-a always,exit -F arch=b64 -S unlink,unlinkat
-a always,exit -F arch=b32 -S unlink,unlinkat
-a always,exit -F arch=b64 -S ioctl -F a2=0x40086602
-a always,exit -F arch=b32 -S ioctl -F a2=0x40086602

Only one `auditctl -l` request was performed.
I see the following response in syslog for the request:

May  6 01:01:19 gadelshin-ri-nb kernel: [  110.474111] audit: Started audit_send_reply_thread
May  6 01:01:19 gadelshin-ri-nb kernel: [  110.474123] audit: Finished audit_send_reply_thread
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972014] audit: Started audit_send_list_thread
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972020] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972023] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972023] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972024] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972025] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972026] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972026] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972027] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972028] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972029] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972029] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972030] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972030] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972031] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972032] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972032] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972033] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972034] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972034] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972035] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972035] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972036] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972037] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972038] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972038] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972039] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972039] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972040] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972040] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972041] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972042] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972043] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972044] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972045] audit: Finished audit_send_list_thread
May  6 01:01:21 gadelshin-ri-nb kernel: [  112.485659] audit: Started audit_send_reply_thread
May  6 01:01:21 gadelshin-ri-nb kernel: [  112.485689] audit: Finished audit_send_reply_thread
May  6 01:01:23 gadelshin-ri-nb kernel: [  114.501072] audit: Started audit_send_reply_thread
May  6 01:01:23 gadelshin-ri-nb kernel: [  114.501076] audit: Finished audit_send_reply_thread
May  6 01:01:24 gadelshin-ri-nb auditd[1210]: Audit daemon rotating log files
May  6 01:01:25 gadelshin-ri-nb kernel: [  116.506645] audit: Started audit_send_reply_thread
May  6 01:01:25 gadelshin-ri-nb kernel: [  116.506656] audit: Finished audit_send_reply_thread
May  6 01:01:27 gadelshin-ri-nb kernel: [  118.512282] audit: Started audit_send_reply_thread
May  6 01:01:27 gadelshin-ri-nb kernel: [  118.512306] audit: Finished audit_send_reply_thread

`git describe` shows: v6.3-13027-g1a5304fecee5
Distribution is Ubuntu 20.04 (x64)

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
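As an added example (not code from the thread, from Tetsuo's debugging patch, or from the kernel), a small Python parser for the printk lines quoted in the message above: it pairs each "Started"/"Finished" line into one short-lived thread span, counts the "Calling netlink unicast" lines inside the span, and tallies how many helper threads each `kthread_run()` site spawned. The hostname and the short excerpt are constructed; the line format matches the quoted log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the printk lines quoted above (not the full log).
SAMPLE_LOG = """\
May  6 01:01:19 host kernel: [  110.474111] audit: Started audit_send_reply_thread
May  6 01:01:19 host kernel: [  110.474123] audit: Finished audit_send_reply_thread
May  6 01:01:20 host kernel: [  111.972014] audit: Started audit_send_list_thread
May  6 01:01:20 host kernel: [  111.972020] audit: Calling netlink unicast
May  6 01:01:20 host kernel: [  111.972023] audit: Calling netlink unicast
May  6 01:01:20 host kernel: [  111.972045] audit: Finished audit_send_list_thread
May  6 01:01:24 host auditd[1210]: Audit daemon rotating log files
"""

# Uptime stamp in brackets, then either a thread lifecycle line or a unicast line.
LINE_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+audit:\s+"
    r"(?:(?P<event>Started|Finished)\s+(?P<thread>\S+)|(?P<unicast>Calling netlink unicast))"
)


def parse_thread_runs(log_text):
    """Return one dict per Started..Finished span, in log order.

    Keys: thread, start, end, duration_s, unicasts. A unicast line is
    attributed to the span that is currently open; the kernel log is
    serialised, so tracking a single open span is enough here.
    """
    runs, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # auditd or unrelated kernel line
        ts = float(m.group("ts"))
        if m.group("event") == "Started":
            current = {"thread": m.group("thread"), "start": ts, "end": None,
                       "duration_s": None, "unicasts": 0}
        elif m.group("event") == "Finished" and current and current["thread"] == m.group("thread"):
            current["end"] = ts
            current["duration_s"] = round(ts - current["start"], 6)
            runs.append(current)
            current = None
        elif m.group("unicast") and current:
            current["unicasts"] += 1
    return runs


def spawn_counts(runs):
    """Each span is one kthread_run() call, i.e. one clone from kthreadd."""
    counts = defaultdict(int)
    for r in runs:
        counts[r["thread"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in parse_thread_runs(SAMPLE_LOG):
        print(f"{r['thread']}: {r['unicasts']} unicasts in {r['duration_s']} s")
    print(spawn_counts(parse_thread_runs(SAMPLE_LOG)))
```

Run against the full syslog excerpt above, the per-thread count is what a `-S clone,fork` rule would have to audit once per `auditctl -l` (plus the periodic reply threads), which is the "spam" the thread is measuring.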
