Received: by 10.223.185.116 with SMTP id b49csp5713269wrg; Wed, 7 Mar 2018 17:08:50 -0800 (PST) X-Google-Smtp-Source: AG47ELsuZVTD6FzLWqCZ9a4U3uIF2OjJ38p0Tsiqxs90qpZfkoqaCIdOOXCNCbq3Ae2srYhFcTOn X-Received: by 10.101.76.134 with SMTP id m6mr20152063pgt.445.1520471330555; Wed, 07 Mar 2018 17:08:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520471330; cv=none; d=google.com; s=arc-20160816; b=CK744oKJluQMzu8fBZNnG7NRmAPW6ejafl4mUcC5SIdNaNvfjmsyE34j2T6fryLQyo BozXM1pQOddiix+JJeQrCqhHymNv24V/W7kovzYSOWL/KY8qRWKs6WfF7gTMseKnl29I Sj+zV1aekVpxF6zRwH0rJxhr/l/wsId5MA/PeOvi/9aerrGdlb7czvo/FRRDUtz9sj6C evF3vVBqy+OxKgYT1iFlkPg5MoGCheWTFwYFIRHb70Ooo7yUCB9uD4cfnWuhvO7D9oSI AP8/5ao3S51TB7/YMsDkNhqOohG0SovK6D4CtVtWW9exYwL/8eEPlIPzcavEzRoaOkw6 ksgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=JgfUYEcEGwO5ldvq932uxrBk1tSv2UVpyx93AhYw+Gk=; b=YA8VocV07WfndFzYuKla1q0mqV7LN0EbOp66ZvZeGWfr6GQrq9UOiZ2Lt24avyTNww DGSXXIY260Fj8uAr4v0eWX5gXsvQkjw32difOqfl5t/LSUuuIp7TVFGlTZ3w8P95VnP4 Q5KCaRdB5g2TUA3FlaDUJsIbZs55Huo6oJOjK8/lxUO4+D64PQaGHdUvBQramepn3iGc dshqPB3rFN6EV2KViMvRdW0KYVfzdOL5GzKa34stsYwROAOq4u+jobGfCFY67tirJmYU szczNkvKHS3nd6mUYC/ba8XsxH4vwC7fCfHvQM4ta4XC6GPup9qk2gfc4QI6AGrQrfQ3 /L7g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j9-v6si13754727pll.326.2018.03.07.17.08.35; Wed, 07 Mar 2018 17:08:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755243AbeCHBGy (ORCPT + 99 others); Wed, 7 Mar 2018 20:06:54 -0500 Received: from mail.kernel.org ([198.145.29.99]:57600 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754741AbeCHBGv (ORCPT ); Wed, 7 Mar 2018 20:06:51 -0500 Received: from mail-io0-f178.google.com (mail-io0-f178.google.com [209.85.223.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 31DEF2178E for ; Thu, 8 Mar 2018 01:06:51 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 31DEF2178E Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f178.google.com with SMTP id f1so5211147iob.0 for ; Wed, 07 Mar 2018 17:06:51 -0800 (PST) X-Gm-Message-State: AElRT7F9gKrQ5s0+sUP86B0lQpHbuYFke74oSmfE6MKY9oDlVKpSHx7E tdkiPQvMQhjOLE1i1Ncw6DsuV4keN20AvI99v3la2w== X-Received: by 10.107.151.209 with SMTP id z200mr20846603iod.150.1520471210458; Wed, 07 Mar 2018 17:06:50 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.137.101 with HTTP; Wed, 7 Mar 2018 17:06:30 -0800 (PST) In-Reply-To: References: From: Andy Lutomirski Date: Thu, 8 Mar 2018 01:06:30 +0000 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated To: Paul Moore , linux-audit@redhat.com Cc: Jiri Kosina , Andy Lutomirski , Oleg Nesterov , Andrew Morton , Michal Hocko , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 7, 2018 at 11:41 PM, Paul Moore wrote: > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: >>> Wow, this was a long time ago. >> >> Oh yeah; but it now resurfaced on our side, as we are of course receiving >> a lot of requests with respect to making syscall performance great again >> :) > > Ooof. I'm not sure I can handle making more things "great again" ;) > >>> From memory and a bit of email diving, there are two reasons. >>> >>> 1. The probably was partially solved (by Oleg, IIRC) by making auditctl >>> -a task,never cause newly spawned tasks to not suck. Yes, it's a >>> very partial solution. After considerable nagging, I got Fedora to >>> default to -a task,never. >> >> Hm, right; that's a bit inconvenient, because it takes each and every >> vendor having to realize this option, and put it in. Making kernel do the >> right thing automatically sounds like a better option to me. > > This predates audit falling into my lap, but speaking generally I > think it would be good if the kernel did The Right Thing, so long as > it isn't too painful. > >>> 2. This patch, as is, may be a bit problematic. In particular, if one >>> task changes the audit rules while another task is in the middle of >>> the syscall, then it's too late to audit that syscall correctly. >>> This could be seen as a bug or it could be seen as being just fine. >> >> I don't think this should be a problem, given the fact that the whole >> timing/ordering is not predictable anyway due to scheduling. >> >> Paul, what do you think? > > I'm not overly concerned about the race condition between configuring > the audit filters and syscalls that are currently in-flight; after all > we have that now and "fixing" it would be pretty much impractical > (impossible maybe?). Most serious audit users configure it during > boot and let it run, frequent runtime changes are not common as far as > I can tell. > > I just looked quickly at the patch and decided it isn't something I'm > going to be able to carefully review in the time I've got left today, > so it's going to have to wait until tomorrow and Friday ... however, > speaking on general principle I don't have an objection to the ideas > put forth here. > > Andy, if you've got any Reviewed-by/Tested-by/NACK/etc. you want to > add, that would be good to have. > It's sort of my patch, and I was reasonably happy with it, so definitely no NACK from me. The only caveat I have is that I wrote the original version so long ago that we need to re-audit the code. In particular, I want to make sure that the following two cases don't result in warnings, oopses, or other misbehavior: 1. Do a syscall with TIF_AUDIT_SYSCALL clear. Return with TIF_AUDIT_SYSCALL set and that syscall enabled for auditing. 2.. Do a VFS syscall with TIF_AUDIT_CLEAR and have TIF_AUDIT_SYSCALL set before we execute any VFS code. The VFS code will call into the audit code to log the paths it touches (IIRC). Again, this shouldn't warn or otherwise misbehave.