Received: by 10.223.185.116 with SMTP id b49csp6483150wrg; Thu, 8 Mar 2018 08:09:30 -0800 (PST) X-Google-Smtp-Source: AG47ELvcHUiX1vYFEpI6DEr1jPbwu+vYBrsAEsLtfsjrxC8zSy0pgavlXZdFzE38NWZoaSbl910K X-Received: by 10.98.55.7 with SMTP id e7mr27039125pfa.112.1520525370178; Thu, 08 Mar 2018 08:09:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520525370; cv=none; d=google.com; s=arc-20160816; b=QYQlQoh5lWRwXPvXroP5V5kXJFjdlrWdWxnkd3UwSkcB9kGTkiLu9QIWCaw1FdOTL+ 3M4wtpyteUPLIwL7z0Ccl5hdh7d55Nw2rliVi8bBlKqlXpGh2DVdRhbqofPAeIsKE3ry QTqQUfr2ygAecpXzWcliW/aOCXjs89LHu2xs3Q2+q7oFwVPe8xLdKX+ldCjVTADKFX9H OGGz5de+ReFyeSlXWJcmEAVfieC4zUYLIHGMzDMUnFJpUqVv+SFTG9X//niQaj8XTvZk uTpSK5dN4LVx8w3mRtGrNKOKaG2VM/LtLK77tEHGSh5CxCr0dLpLclouiknfnzqtEifc XDVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=meV7tuuNDCH95FK8TWsv+w8+4LspmdSL6TF5qnLOg/A=; b=rfKTvovNhJi8B309xDEtppm3fMI1MtUuqxt6TTd4+9h1efl1REXMm2fWqPm8kY8838 TdKPLUIIxC3ivfyZYaBTIx3Nuhvfuy8Adva8qB6dcQ8CPguQbpk33IEBoMdEjPLqvB5q KuN9ztVgh4jLSqtMaIJREUeiB5BbxOWQQYwFNHI495bdIId6ptMyC5FQXfHwVj/bhPJE NJQjMSmzZp+8F8SDmXiLxO/+PPEN2xw/QbjtoMicCYHiYnb0UjeFEU8Akc55UYJQAU71 8oNWpqMA1Ky9znjJhtQLBAB+Ge3CNrAwc/B1O00fp8KbWqHqx234ArdI++xd29GxDU15 cGDg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p11-v6si12493587plk.785.2018.03.08.08.09.15; Thu, 08 Mar 2018 08:09:30 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935883AbeCHQIF (ORCPT + 99 others); Thu, 8 Mar 2018 11:08:05 -0500 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:58290 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752059AbeCHQIE (ORCPT ); Thu, 8 Mar 2018 11:08:04 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BA8CEC33F; Thu, 8 Mar 2018 16:08:03 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-12.rdu2.redhat.com [10.10.112.12]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C27FB10A85AD; Thu, 8 Mar 2018 16:07:55 +0000 (UTC) Date: Thu, 8 Mar 2018 11:03:24 -0500 From: Richard Guy Briggs To: Andy Lutomirski Cc: Paul Moore , Jiri Kosina , Andy Lutomirski , linux-audit@redhat.com, Andrew Morton , Michal Hocko , Oleg Nesterov , LKML Subject: Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated Message-ID: <20180308160324.xhjp22ieqq4a5fs3@madcap2.tricolour.ca> References: <20180308091220.5hzxjztbiugkxpna@madcap2.tricolour.ca> <5508C8FE-FEF0-4326-9210-C3C956EF96CE@amacapital.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5508C8FE-FEF0-4326-9210-C3C956EF96CE@amacapital.net> User-Agent: NeoMutt/20171027 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 08 Mar 2018 16:08:03 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 08 Mar 2018 16:08:03 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'rgb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-03-08 06:30, Andy Lutomirski wrote: > > > > On Mar 8, 2018, at 1:12 AM, Richard Guy Briggs wrote: > > > >> On 2018-03-07 18:43, Paul Moore wrote: > >>> On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > >>>> On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > >>>>> On Wed, 7 Mar 2018, Andy Lutomirski wrote: > >>>>> Wow, this was a long time ago. > >>>> > >>>> Oh yeah; but it now resurfaced on our side, as we are of course receiving > >>>> a lot of requests with respect to making syscall performance great again > >>>> :) > >>> > >>> Ooof. I'm not sure I can handle making more things "great again" ;) > >>> > >>>>> From memory and a bit of email diving, there are two reasons. > >>>>> > >>>>> 1. The probably was partially solved (by Oleg, IIRC) by making auditctl > >>>>> -a task,never cause newly spawned tasks to not suck. Yes, it's a > >>>>> very partial solution. After considerable nagging, I got Fedora to > >>>>> default to -a task,never. > >>>> > >>>> Hm, right; that's a bit inconvenient, because it takes each and every > >>>> vendor having to realize this option, and put it in. Making kernel do the > >>>> right thing automatically sounds like a better option to me. > >>> > >>> This predates audit falling into my lap, but speaking generally I > >>> think it would be good if the kernel did The Right Thing, so long as > >>> it isn't too painful. > >>> > >>>>> 2. This patch, as is, may be a bit problematic. In particular, if one > >>>>> task changes the audit rules while another task is in the middle of > >>>>> the syscall, then it's too late to audit that syscall correctly. > >>>>> This could be seen as a bug or it could be seen as being just fine. > >>>> > >>>> I don't think this should be a problem, given the fact that the whole > >>>> timing/ordering is not predictable anyway due to scheduling. > >>>> > >>>> Paul, what do you think? > >>> > >>> I'm not overly concerned about the race condition between configuring > >>> the audit filters and syscalls that are currently in-flight; after all > >>> we have that now and "fixing" it would be pretty much impractical > >>> (impossible maybe?). Most serious audit users configure it during > >>> boot and let it run, frequent runtime changes are not common as far as > >>> I can tell. > > > > I'd agree the race condition here can't easily be fixed and isn't worth > > fixing for the reasons already stated (rules don't change often and may > > even be locked once in place relatively early, scheduling uncertainties). > > > >>> I just looked quickly at the patch and decided it isn't something I'm > >>> going to be able to carefully review in the time I've got left today, > >>> so it's going to have to wait until tomorrow and Friday ... however, > >>> speaking on general principle I don't have an objection to the ideas > >>> put forth here. > > > > The approach seems a bit draconian since it touches all tasks but only > > when adding the first rule or deleting the last. > > > > What we lose is the ability to set or clear individual task auditing and > > have it stick to speed up non-audited tasks when there are rules > > present, though this isn't currently used, in favour of audit_context > > presence. > > > >>> Andy, if you've got any Reviewed-by/Tested-by/NACK/etc. you want to > >>> add, that would be good to have. > >> > >> ... and I just realized that linux-audit isn't on the To/CC line, > >> adding them now. > > > > (and Andy's non-NACK missed too...) The mailing list *is* in MAINTAINERS. > > > > The mailing list bounces my emails. They'll get approved. > >> Link to the patch is below. > >> > >> * https://marc.info/?t=152041887600003&r=1&w=2 > >> > >> paul moore > > > > - RGB - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635