Received: by 10.223.185.116 with SMTP id b49csp6083808wrg; Thu, 8 Mar 2018 01:18:19 -0800 (PST) X-Google-Smtp-Source: AG47ELs2CPNm/OrBVq5i9HRrijdyN8pF6nMtRgRntk8i5F6stADApxCP0KAroPVdQpl59IH0A3h1 X-Received: by 10.99.151.26 with SMTP id n26mr20731500pge.370.1520500699582; Thu, 08 Mar 2018 01:18:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520500699; cv=none; d=google.com; s=arc-20160816; b=yFigv/4I4kDxCUb9fFb25P3cgcZ9LoouBXy3pkX7D+lcc/Sql8EAdNcArXqs6LE59G kg9hcF2qlcycGBo7iCHf4qHx+klx8hvVfLlJTPRxx//mfSw5O/20hv465RiYnw1fZddZ 5GDkj0cEs7m0HQAEUuo3I1RpK/A6dlWX9IIcBc1TD8YI6lFvexu8HiARDjtRSMj2Pth8 kTjFPCNCQiWQZjAShSB1zWX8koRi5EvUijw2TGYDLTiTLEmbb07f8IrrwJya/CapwJyb 75VjJcejWW3jF/bNXNESUUGCmhZcWQQZnG59jm6MvUhd8Fhac/2FBlbUE2Es5BYmjiEV K+uQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=NkMTrFFBLc6jWQzDEbVvEbaC7zfrjUiXP/wzRJQ9S6w=; b=jZWOF3+bZVW1RbSlFPKjGapvWeLL07OuBvgu3W2ormXwy00wtoYMZq1zdngxM6G8/z C9q84iBBso3su+eY4kn9iRCocLeejDLg2nLLmFBUg4D7xWusQWih6RcM6dPkflT3diOM GIEX+OJE6c9lQQ5VdFJM/10LSg7IG06fHd8rut1KZJYTugC/nbiOgb5eyzMxLmNSq6CS Ol9kNeeg1JOsSjr1XfdLPz+l/6lfJ3K26/OLB0BarSBhLO0w+rQGp3uvaLzVWMOSkkkI rkWsX/t2l3IB2OQ7dCS3se75F1pl90Gd0B5h+PvWVi90HK680LzT8c4VpMEAq9q8OXqo GJOw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k3si15357936pfj.24.2018.03.08.01.18.05; Thu, 08 Mar 2018 01:18:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935662AbeCHJQ7 (ORCPT + 99 others); Thu, 8 Mar 2018 04:16:59 -0500 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:43476 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1755101AbeCHJQx (ORCPT ); Thu, 8 Mar 2018 04:16:53 -0500 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id EF95E4023113; Thu, 8 Mar 2018 09:16:52 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-12.rdu2.redhat.com [10.10.112.12]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 248E9215CDAA; Thu, 8 Mar 2018 09:16:50 +0000 (UTC) Date: Thu, 8 Mar 2018 04:12:20 -0500 From: Richard Guy Briggs To: Paul Moore Cc: Jiri Kosina , Andy Lutomirski , linux-audit@redhat.com, Andrew Morton , Michal Hocko , Oleg Nesterov , LKML Subject: Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated Message-ID: <20180308091220.5hzxjztbiugkxpna@madcap2.tricolour.ca> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20171027 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Thu, 08 Mar 2018 09:16:53 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Thu, 08 Mar 2018 09:16:53 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'rgb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-03-07 18:43, Paul Moore wrote: > On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: > >>> Wow, this was a long time ago. > >> > >> Oh yeah; but it now resurfaced on our side, as we are of course receiving > >> a lot of requests with respect to making syscall performance great again > >> :) > > > > Ooof. I'm not sure I can handle making more things "great again" ;) > > > >>> From memory and a bit of email diving, there are two reasons. > >>> > >>> 1. The probably was partially solved (by Oleg, IIRC) by making auditctl > >>> -a task,never cause newly spawned tasks to not suck. Yes, it's a > >>> very partial solution. After considerable nagging, I got Fedora to > >>> default to -a task,never. > >> > >> Hm, right; that's a bit inconvenient, because it takes each and every > >> vendor having to realize this option, and put it in. Making kernel do the > >> right thing automatically sounds like a better option to me. > > > > This predates audit falling into my lap, but speaking generally I > > think it would be good if the kernel did The Right Thing, so long as > > it isn't too painful. > > > >>> 2. This patch, as is, may be a bit problematic. In particular, if one > >>> task changes the audit rules while another task is in the middle of > >>> the syscall, then it's too late to audit that syscall correctly. > >>> This could be seen as a bug or it could be seen as being just fine. > >> > >> I don't think this should be a problem, given the fact that the whole > >> timing/ordering is not predictable anyway due to scheduling. > >> > >> Paul, what do you think? > > > > I'm not overly concerned about the race condition between configuring > > the audit filters and syscalls that are currently in-flight; after all > > we have that now and "fixing" it would be pretty much impractical > > (impossible maybe?). Most serious audit users configure it during > > boot and let it run, frequent runtime changes are not common as far as > > I can tell. I'd agree the race condition here can't easily be fixed and isn't worth fixing for the reasons already stated (rules don't change often and may even be locked once in place relatively early, scheduling uncertainties). > > I just looked quickly at the patch and decided it isn't something I'm > > going to be able to carefully review in the time I've got left today, > > so it's going to have to wait until tomorrow and Friday ... however, > > speaking on general principle I don't have an objection to the ideas > > put forth here. The approach seems a bit draconian since it touches all tasks but only when adding the first rule or deleting the last. What we lose is the ability to set or clear individual task auditing and have it stick to speed up non-audited tasks when there are rules present, though this isn't currently used, in favour of audit_context presence. > > Andy, if you've got any Reviewed-by/Tested-by/NACK/etc. you want to > > add, that would be good to have. > > ... and I just realized that linux-audit isn't on the To/CC line, > adding them now. (and Andy's non-NACK missed too...) The mailing list *is* in MAINTAINERS. > Link to the patch is below. > > * https://marc.info/?t=152041887600003&r=1&w=2 > > paul moore - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635