Received: by 10.223.185.116 with SMTP id b49csp6377572wrg; Thu, 8 Mar 2018 06:32:18 -0800 (PST) X-Google-Smtp-Source: AG47ELtfmYjUi+oOMtMj7dTNsiOiSxphdYgrcF+7faQwXKGtXnjnDLyp00GC0+MkX40AIajZJEpg X-Received: by 2002:a17:902:bcc6:: with SMTP id o6-v6mr24352327pls.16.1520519537941; Thu, 08 Mar 2018 06:32:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520519537; cv=none; d=google.com; s=arc-20160816; b=YShs4afXcl8QfmPBMvESNVFf/AJTB5xwHqE6W9LBMH2kOKFLeBKA/+iZfXWpS/7Xi/ 5ZBHOLybC6I2qcKvawl5PIyeCerX4HK+3NAncHhjJJPIAp0Jr8prJJS2fbclEKKdwLuL ERrvtLqpR5C+thQ4+7ZowyAzP16Xhrbth/VOYGCrnxzShcjW10Karlxdfo6Lcn46y9ud RrlYWB0TuBm/fppf211TpiHRzBKntZxtCDq2m+ye4QxRZcsqxyKWqX5crPMRkw9wCFMF 1IwC2IvPQkYHwmv//jeCUclRJeaR/H92gyikcouWoD2Jir2NpXyy4+WhgsikakZj0oxl ZqHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature:arc-authentication-results; bh=652LiDlpU2T60p//4DX6I62fvOjmwDexX5Gjt1lISGs=; b=rzGbW1WYhVN2eyShudbsSStaQ8+AGL39YcDTftzxTMon0ePbaPhws87XwWkIrm0Uuz kXD8xstXNmHp0oNLwuc6TxIWMAHPjLsD0mNhnq0wo+FL+jFLu2Zl0ZbHuZ/1B05qEj9j Lj1YFR48iuLF/eEQrRzBnxXODhdmwt2ifgamIsiX6lG43ObpfyfVpawDOwTsEvW5WsNR YdWikv+rgAiS3MlPR29rRNDFqfnRg6lWd3Q3BxrgSBCDK0quO39nF8OKoTFw83idWUzv nL2GwyvghFfLdKpFhcE9eqcCrrXmwmmB/8U0DZRQXwasHAHdW0VSvn/ajz9bKXnIyhb/ AXtg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=ZYfUjAj/; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g2-v6si11867510plo.567.2018.03.08.06.32.02; Thu, 08 Mar 2018 06:32:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=ZYfUjAj/; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754917AbeCHObE (ORCPT + 99 others); Thu, 8 Mar 2018 09:31:04 -0500 Received: from mail-pg0-f46.google.com ([74.125.83.46]:37192 "EHLO mail-pg0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754039AbeCHObA (ORCPT ); Thu, 8 Mar 2018 09:31:00 -0500 Received: by mail-pg0-f46.google.com with SMTP id y26so2277304pgv.4 for ; Thu, 08 Mar 2018 06:31:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=652LiDlpU2T60p//4DX6I62fvOjmwDexX5Gjt1lISGs=; b=ZYfUjAj/MxuwKv6KYlV6J4mLib6U8hLCY3g7CCShKIANG/U0aSzO2UDo6zayjBz2vI QcpEeRhKQ1Bc8ow77oEDKCdwGBW7dZ/pi5hBRRa0FE+8MG61Dfom4SybWuOuv54cZCCn ERQ919Zfh45yY3JwbuSkHOusvPdofUdIBWIzL+M+S+4+Gmw5rFCBD7vea0ULYgm1u6/N wFgfixH9FMp9/jcqWOqsxdGhZYdmi3fWgLs2AkbnpBfXH3okl5+8aDP7upYw9MXcyS7L /xkPtr3NrX1WjPwUchVkAMkaZp4jf6uijERHjCNN/efoniTEvdPCLc3miQtF68JdEnrb afrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=652LiDlpU2T60p//4DX6I62fvOjmwDexX5Gjt1lISGs=; b=GncfpXihvDQP2z26ISPwM2nP1ay6lmG9ikhLuJxICFWXB+6Tap206AO/AYDtYZeUut NpbeateEFGPRZxCyVhOZUZjLWyn2vTW9iyi+XtNBkVBGkUxiuvu7Syo5C39KP9c+RKrO NBga9JZSjMmoGb+/Cn9NyCl3gHRKJeJYCz+ltvy6qwEnpIlEpj7uamKHibxlsJ69yGQC s14BqGIeF/QMbhm0BwSUTyCYWX4TSde+xwX2FPEuli+sHtSo9OtR5AodlP4Cj7f1ftN2 dTFM6izfBPOMZQNglU1ooATncZAyi3wV7wp9p8d4DnWo5uB8ZiZj42A7622ouiaNpaA3 aXSg== X-Gm-Message-State: APf1xPB2uTCOrhZBZlN1g1Ih7fBHg6N3gO1DFGLcwWz2U1MLbXkr+27/ OWpWMul0KBcFq/XIEfK7OtEbbpLRmqw= X-Received: by 10.99.107.202 with SMTP id g193mr20897674pgc.38.1520519459221; Thu, 08 Mar 2018 06:30:59 -0800 (PST) Received: from ?IPv6:2601:646:c200:7429:c4b4:bd6f:557c:be82? ([2601:646:c200:7429:c4b4:bd6f:557c:be82]) by smtp.gmail.com with ESMTPSA id b6sm45164651pfm.160.2018.03.08.06.30.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Mar 2018 06:30:58 -0800 (PST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) Subject: Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated From: Andy Lutomirski X-Mailer: iPhone Mail (15D60) In-Reply-To: <20180308091220.5hzxjztbiugkxpna@madcap2.tricolour.ca> Date: Thu, 8 Mar 2018 06:30:58 -0800 Cc: Paul Moore , Jiri Kosina , Andy Lutomirski , linux-audit@redhat.com, Andrew Morton , Michal Hocko , Oleg Nesterov , LKML Content-Transfer-Encoding: quoted-printable Message-Id: <5508C8FE-FEF0-4326-9210-C3C956EF96CE@amacapital.net> References: <20180308091220.5hzxjztbiugkxpna@madcap2.tricolour.ca> To: Richard Guy Briggs Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Mar 8, 2018, at 1:12 AM, Richard Guy Briggs wrote: >=20 >> On 2018-03-07 18:43, Paul Moore wrote: >>> On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: >>>> On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: >>>>> On Wed, 7 Mar 2018, Andy Lutomirski wrote: >>>>> Wow, this was a long time ago. >>>>=20 >>>> Oh yeah; but it now resurfaced on our side, as we are of course receivi= ng >>>> a lot of requests with respect to making syscall performance great agai= n >>>> :) >>>=20 >>> Ooof. I'm not sure I can handle making more things "great again" ;) >>>=20 >>>>> =46rom memory and a bit of email diving, there are two reasons. >>>>>=20 >>>>> 1. The probably was partially solved (by Oleg, IIRC) by making auditct= l >>>>> -a task,never cause newly spawned tasks to not suck. Yes, it's a >>>>> very partial solution. After considerable nagging, I got Fedora to >>>>> default to -a task,never. >>>>=20 >>>> Hm, right; that's a bit inconvenient, because it takes each and every >>>> vendor having to realize this option, and put it in. Making kernel do t= he >>>> right thing automatically sounds like a better option to me. >>>=20 >>> This predates audit falling into my lap, but speaking generally I >>> think it would be good if the kernel did The Right Thing, so long as >>> it isn't too painful. >>>=20 >>>>> 2. This patch, as is, may be a bit problematic. In particular, if one= >>>>> task changes the audit rules while another task is in the middle of >>>>> the syscall, then it's too late to audit that syscall correctly. >>>>> This could be seen as a bug or it could be seen as being just fine. >>>>=20 >>>> I don't think this should be a problem, given the fact that the whole >>>> timing/ordering is not predictable anyway due to scheduling. >>>>=20 >>>> Paul, what do you think? >>>=20 >>> I'm not overly concerned about the race condition between configuring >>> the audit filters and syscalls that are currently in-flight; after all >>> we have that now and "fixing" it would be pretty much impractical >>> (impossible maybe?). Most serious audit users configure it during >>> boot and let it run, frequent runtime changes are not common as far as >>> I can tell. >=20 > I'd agree the race condition here can't easily be fixed and isn't worth > fixing for the reasons already stated (rules don't change often and may > even be locked once in place relatively early, scheduling uncertainties). >=20 >>> I just looked quickly at the patch and decided it isn't something I'm >>> going to be able to carefully review in the time I've got left today, >>> so it's going to have to wait until tomorrow and Friday ... however, >>> speaking on general principle I don't have an objection to the ideas >>> put forth here. >=20 > The approach seems a bit draconian since it touches all tasks but only > when adding the first rule or deleting the last. >=20 > What we lose is the ability to set or clear individual task auditing and > have it stick to speed up non-audited tasks when there are rules > present, though this isn't currently used, in favour of audit_context > presence. >=20 >>> Andy, if you've got any Reviewed-by/Tested-by/NACK/etc. you want to >>> add, that would be good to have. >>=20 >> ... and I just realized that linux-audit isn't on the To/CC line, >> adding them now. >=20 > (and Andy's non-NACK missed too...) The mailing list *is* in MAINTAINERS.= >=20 The mailing list bounces my emails.=20 >> Link to the patch is below. >>=20 >> * https://marc.info/?t=3D152041887600003&r=3D1&w=3D2 >>=20 >> paul moore >=20 > - RGB >=20 > -- > Richard Guy Briggs > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635