Received: by 10.223.185.116 with SMTP id b49csp5644859wrg; Wed, 7 Mar 2018 15:42:42 -0800 (PST) X-Google-Smtp-Source: AG47ELvyOgE4eX9Hg6ctJ+iSnSdhuu16y7FrcqRRtg4DcvZh15W34by5MzUdr4O5/Ii0ii1B60/z X-Received: by 10.99.45.194 with SMTP id t185mr18210466pgt.267.1520466162013; Wed, 07 Mar 2018 15:42:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520466161; cv=none; d=google.com; s=arc-20160816; b=qJAA9YYfUHHHNRxLV7dNafidxIz8aok2iBDDTqE73859onQNNZ5ou3HJ29AIk74F1g yjA+ULpdAsKnQo4D4ZBME9YyUveW7IpE2FgQGDmn4TeisPz5QtlE0kCs7gKt/ulUcBWT Q3c4NhyATR6bfnFTd9pMaOtxJ/rpwI1zPZ0PTMUcewuxBvdNjWCs94pQtER7eZ8pVZwc lFyY4FOu7cas0SoqpuQZjyZvLbxqbjs4MuQH5of3M6RkDTFwnbN5oUXicoBIB9LcgpqL AyVsLDapswOiccG5xNSfOjhFnyCFQEj8DeIHJvYM+yxYziEf03NFhiKRQW0rSwgMrip7 Lpkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=wY9jCwil0WDzKA6JE1VXSbJQOxJX7kqa1XfGgtFRo3o=; b=TzRs5zj8zQw1/ww43Di+jvKDBI03k3S4w9eCAfKFZL5y7utS95Zn30/3GmuPtaldfF h47CTOPlebMFhv71jxdnL4WtMSHOrUwBKxNpiTWDUIJJwR2qg43ZVXytXRRgc3r3kWuO IZrfpNywTltBMSFIh5OAUfNckLhjTJw0kE/ly1lBFHRAJZce/QqZEdUnmRayFNoZ1D6Y PrSw1awyRWTWeU/W0PI2H3KWeU5o8aY8zkarA9D4azUlOgQ6/X//HVz+5+L37Lzecq0P 1Pwe2AfzGopoPXDbaTopx9knWCdmbGfrXd5U8hkw2DO2FSc4RkQRM1/gI32bwi9/EanK DVcQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=akmWv/eK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l3si12104129pgu.518.2018.03.07.15.42.27; Wed, 07 Mar 2018 15:42:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=akmWv/eK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755080AbeCGXl0 (ORCPT + 99 others); Wed, 7 Mar 2018 18:41:26 -0500 Received: from mail-lf0-f51.google.com ([209.85.215.51]:41435 "EHLO mail-lf0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754781AbeCGXlW (ORCPT ); Wed, 7 Mar 2018 18:41:22 -0500 Received: by mail-lf0-f51.google.com with SMTP id m69-v6so5759935lfe.8 for ; Wed, 07 Mar 2018 15:41:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wY9jCwil0WDzKA6JE1VXSbJQOxJX7kqa1XfGgtFRo3o=; b=akmWv/eK6hAqxpn+kmI6U74BB+RfVe+sh8OEJYq0IqL3LDXet5OXLqeU94aVTQUGHG KOQoTw7yzfJ53LFtNkM9gUJtXFYcLk7XvA1o6cxiEiUVcqqPb+QSyieWuivv2xGXYOo2 wwTGtbEWML7aSi7q4wB996J5q7xO3R5YtwsI1VZ2/SvFHUixeQCE7nd3Xa3nUF4Wz277 Y8TXXOE+fo7Agg1P3iXfiYsdGoiyar7eMrzeA5Pc9Ao57AP93O7VeUgkgjpoZdb+qLm+ wd/WHTmKPbv1ses0kD5wpHrfCY8ieFrYA0HozAy+5XX6CIsNEcrujr+QwutaHYiGbv3h NFPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wY9jCwil0WDzKA6JE1VXSbJQOxJX7kqa1XfGgtFRo3o=; b=D8wxR44dsS2v5Y/dZp2ob7O2RiHTeMSl+dzSuPnfqiFvYxrGcLPZ4DApT8nlwluG89 wu96wXMfEXSenSrFv0weYiJZ5tpq6NpcA2mOWNvUB7DwhbB1DccxkUUwhF1IRrSMih8p 8woHzhBOX8hLOP0cLv7fJ1kT8+n7O+bjetziUm7b+QxxFCRpuvJfhmBkNXrC4KywEfRj 6vZvBWLbp9/oDYFZxoIVDwxj+a1Y9lTM7ChfMB0y4oyTukbsgkanA7N+g/kdksKgIMBC s1fRsKCWjgHmrBXJgtlJ4fEmnFZX7vGHIbxj0/daY/K4jru/XaT5heppGBkeMP3pgE6o vKww== X-Gm-Message-State: AElRT7FvuO59cqjco3kAHkzqqRViKw0li1xPPGz/jiwjHrHeLZrN0OGa fx+wL2IwGBGA2maDAJu1rG7NCTYBsaAXkrCe1oDs X-Received: by 10.46.5.3 with SMTP id 3mr16561955ljf.135.1520466080556; Wed, 07 Mar 2018 15:41:20 -0800 (PST) MIME-Version: 1.0 Received: by 10.25.216.167 with HTTP; Wed, 7 Mar 2018 15:41:19 -0800 (PST) X-Originating-IP: [108.20.156.165] In-Reply-To: References: From: Paul Moore Date: Wed, 7 Mar 2018 18:41:19 -0500 Message-ID: Subject: Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated To: Jiri Kosina , Andy Lutomirski Cc: Oleg Nesterov , Andrew Morton , Michal Hocko , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > On Wed, 7 Mar 2018, Andy Lutomirski wrote: >> Wow, this was a long time ago. > > Oh yeah; but it now resurfaced on our side, as we are of course receiving > a lot of requests with respect to making syscall performance great again > :) Ooof. I'm not sure I can handle making more things "great again" ;) >> From memory and a bit of email diving, there are two reasons. >> >> 1. The probably was partially solved (by Oleg, IIRC) by making auditctl >> -a task,never cause newly spawned tasks to not suck. Yes, it's a >> very partial solution. After considerable nagging, I got Fedora to >> default to -a task,never. > > Hm, right; that's a bit inconvenient, because it takes each and every > vendor having to realize this option, and put it in. Making kernel do the > right thing automatically sounds like a better option to me. This predates audit falling into my lap, but speaking generally I think it would be good if the kernel did The Right Thing, so long as it isn't too painful. >> 2. This patch, as is, may be a bit problematic. In particular, if one >> task changes the audit rules while another task is in the middle of >> the syscall, then it's too late to audit that syscall correctly. >> This could be seen as a bug or it could be seen as being just fine. > > I don't think this should be a problem, given the fact that the whole > timing/ordering is not predictable anyway due to scheduling. > > Paul, what do you think? I'm not overly concerned about the race condition between configuring the audit filters and syscalls that are currently in-flight; after all we have that now and "fixing" it would be pretty much impractical (impossible maybe?). Most serious audit users configure it during boot and let it run, frequent runtime changes are not common as far as I can tell. I just looked quickly at the patch and decided it isn't something I'm going to be able to carefully review in the time I've got left today, so it's going to have to wait until tomorrow and Friday ... however, speaking on general principle I don't have an objection to the ideas put forth here. Andy, if you've got any Reviewed-by/Tested-by/NACK/etc. you want to add, that would be good to have. -- paul moore www.paul-moore.com