Date: Sat, 10 Mar 2018 11:15:35 +0100
From: Steve Grubb
To: Paul Moore
Cc: Jiri Kosina, Andy Lutomirski, linux-audit@redhat.com, Andrew Morton, Michal Hocko, Oleg Nesterov, LKML
Subject: Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated
Message-ID: <20180310111535.2e3202bc@ivy-bridge>
Organization: Red Hat
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 7 Mar 2018 18:43:42 -0500 Paul Moore wrote:

> ... and I just realized that linux-audit isn't on the To/CC line,
> adding them now.
>
> Link to the patch is below.
>
> * https://marc.info/?t=152041887600003&r=1&w=2

Yes... I wish I had been in on the beginning of this discussion. Here's the problem. We need all tasks auditable unless specifically dismissed as uninteresting. This would be a task,never rule.

The way we look at it is: if it boots with audit=1, then we know auditd is expected to run at some point. So we need all tasks to stay auditable. If they weren't, and auditd enabled auditing, then we'd need to walk the whole proc table and stab TIF_AUDIT_SYSCALL into every process in the system. It was decided that this is too ugly. So we need them all to be auditable if there is any intent to audit. It doesn't matter if there are rules loaded or not. All processes have to stay within reach.

What might be acceptable is to add one more state to the audit boot variable to indicate that auditing is never expected. We currently have: disabled (which means we'll decide later), enabled, and immutable (no changes allowed). Then have calls to audit_enable or loading rules fail on that flag state, so that user space can log that there is a conflict (boot vs daemon) that has to be resolved. As long as we can fail in a discoverable way, I think it would be OK to do something like this. Also, I don't think we want that to be the default state at the moment, because the current default is to keep all processes auditable.

-Steve
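As an added illustration (not code from this thread or from the kernel), a small Python model of the audit enable states listed above plus the proposed "never" state. AUDIT_NEVER = 3, the AuditModel class and its lazy_flagging switch are assumptions of the model; it goes slightly beyond the mail by also modelling the patch's "flag only once a filter is populated" policy, so the proc-table repair cost the mail objects to becomes visible.

```python
import errno

# Real uapi audit_status.enabled values; AUDIT_NEVER is an assumed value for
# the extra "auditing never expected" boot state proposed in the mail.
AUDIT_OFF, AUDIT_ON, AUDIT_LOCKED = 0, 1, 2
AUDIT_NEVER = 3
TIF_AUDIT_SYSCALL = 1 << 0  # per-task flag, modelled as a single bit


class AuditModel:
    """Toy model of audit enable state and per-task flagging (not kernel code)."""

    def __init__(self, boot_state, lazy_flagging=False):
        self.enabled = boot_state
        self.rules = []
        self.tasks = {}  # pid -> thread-info flags
        # lazy_flagging models the patch: flag new tasks only once a filter exists.
        self.lazy_flagging = lazy_flagging

    def fork(self, pid):
        if self.enabled == AUDIT_NEVER or (self.lazy_flagging and not self.rules):
            flags = 0
        else:
            flags = TIF_AUDIT_SYSCALL  # current policy: every task stays auditable
        self.tasks[pid] = flags

    def set_enabled(self, new_state):
        # Immutable and the proposed "never" state refuse changes with a visible
        # error, so user space can log the boot-vs-daemon conflict (assumed -EPERM).
        if self.enabled in (AUDIT_LOCKED, AUDIT_NEVER):
            return -errno.EPERM
        self.enabled = new_state
        return 0

    def add_rule(self, rule):
        if self.enabled == AUDIT_NEVER:
            return -errno.EPERM
        self.rules.append(rule)
        return 0

    def tasks_needing_repair(self):
        # Existing tasks a proc-table walk would have to flag before they are
        # auditable: the "too ugly" path the mail argues against.
        return sorted(p for p, f in self.tasks.items() if not f & TIF_AUDIT_SYSCALL)


def late_rules_cost(lazy_flagging):
    """Boot with audit=1, fork three tasks, then auditd loads its first rule."""
    m = AuditModel(AUDIT_ON, lazy_flagging)
    for pid in (100, 101, 102):  # constructed sample pids
        m.fork(pid)
    assert m.add_rule("-w /etc/passwd -p wa") == 0
    return m.tasks_needing_repair()
```

With the current policy `late_rules_cost(False)` is empty; with lazy flagging every pre-existing task would need the walk, and a "never" boot refuses both audit_enable and rule loading with an error user space can log.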