Received: by 10.213.65.68 with SMTP id h4csp1899796imn; Mon, 19 Mar 2018 16:54:55 -0700 (PDT) X-Google-Smtp-Source: AG47ELt/kpM0EmhcHfw8eA87Xm1SKQGA1hoxC4BA4aGk6BeYC75IzWIU48HL7JT125OlIqRhvRb9 X-Received: by 2002:a17:902:8545:: with SMTP id d5-v6mr14226191plo.20.1521503695158; Mon, 19 Mar 2018 16:54:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521503695; cv=none; d=google.com; s=arc-20160816; b=khNhj+QX6wl7ykgjm/lC4rY/qPXrLL1D59IjwfEOkVK+9PKayNvonLDYdQT66piWZh r/Vap2NwwGNXqOUULMyQY/r0jAxjFuFHeVE/MwlIRuTjMDacRaHyWhs0xAZBC0XuxtOp HwHL0C1cQYjgJ+z0cov+1jA2CE4KQX+ormsoo0VGGtCNT8zTdvPy9Y5EAfiHhgkH1y+0 LTDNHl+K1xpBN8aS0mAUoNFXsZqGAlpEiW2PnhC7eY6CfKFs48rbqTzmqAO0iVNLLmBE Xbu0gRfQjO65AR59adcUOrsn49xXQmDHoIWlEgfRjiafPHVh84cdLPwA1XwxAGtJB9uP c2Cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from:arc-authentication-results; bh=B4k+0jKGrUPaAKEt8RHwI/Ts5rzlGfIV8xFJbzwZzX8=; b=ww7CQadsYVHCYjjCWeltQ0ULrLUPamkh60gQJlwnI6B2TUr2nGaOE+XWEP/5gWJW2y iqMJvef9riot+Bre+oHJhDwqe9Wt1I1jqcA0Ha9XL6ZctcgLNmJF3Wi6IvQpkA1vpxcY k4gr8LJmnpc+/L398Ein8rTqNVNQ8VdMJvTphF3o3S6E+mOmHKCbxSoahCq66A4PE8r3 qBZ3DkIhH6bCSNANjEh/z/NCwTZUrriGJ2v1JiVYoVejRbQ9cHhyXtCibHi+XEqtuQRg FAICEj9EFg7ntqN+LPqslF6id8M4iE6liqbdAaFE1HHgw/SMRjaHanIN8FyIOA8xQmyN uxSg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d15-v6si65031pli.692.2018.03.19.16.54.38; Mon, 19 Mar 2018 16:54:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S967944AbeCSRPk (ORCPT + 99 others); Mon, 19 Mar 2018 13:15:40 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:58182 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S967805AbeCSRP2 (ORCPT ); Mon, 19 Mar 2018 13:15:28 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 15C10406EA5F; Mon, 19 Mar 2018 17:15:27 +0000 (UTC) Received: from x2.localnet (ovpn-123-76.rdu2.redhat.com [10.10.123.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6A46B1101E88; Mon, 19 Mar 2018 17:15:22 +0000 (UTC) From: Steve Grubb To: Andy Lutomirski Cc: Jiri Kosina , Paul Moore , linux-audit@redhat.com, Andrew Morton , Michal Hocko , Oleg Nesterov , LKML Subject: Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated Date: Mon, 19 Mar 2018 13:15:22 -0400 Message-ID: <1703251.0Aix3r8zCV@x2> Organization: Red Hat In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Mon, 19 Mar 2018 17:15:27 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Mon, 19 Mar 2018 17:15:27 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'sgrubb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tuesday, March 13, 2018 8:35:44 PM EDT Andy Lutomirski wrote: > On Wed, Mar 14, 2018 at 12:28 AM, Jiri Kosina wrote: > > On Wed, 14 Mar 2018, Andy Lutomirski wrote: > >> > Yes...I wished I was in on the beginning of this discussion. Here's > >> > the > >> > problem. We need all tasks auditable unless specifically dismissed as > >> > uninteresting. This would be a task,never rule. > >> > > >> > The way we look at it, is if it boots with audit=1, then we know > >> > auditd > >> > is expected to run at some point. So, we need all tasks to stay > >> > auditable. If they weren't and auditd enabled auditing, then we'd need > >> > to walk the whole proctable and stab TIF_AUDIT_SYSCALL into every > >> > process in the system. It was decided that this is too ugly. > >> > >> When was that decided? That's what this patch does. > > > > I'd like to see some more justification as well. > > > > Namely, if I compare "setting TIF_AUDIT_SYSCALL for every process on a > > need-to-be-so basis" to "we always go through the slow path and > > pessimistically assume that audit is enabled and has reasonable ruleset > > loaded", I have my own (different) opinion of what is too ugly. > > Me too. > > That being said, on re-review of my old code, I think that > audit_dec_n_rules() may be the wrong approach. It may be better to > leave TIF_AUDIT_SYSCALL set but to make the audit code itself clear > the flag the next time through. That way we don't end up with a > partially filled in syscall audit record that never gets consumed if > we clear TIF_AUDIT_SYSCALL in the middle of a syscall. So what happened when auditd is being restarted due to system update? Its possible to have no auditd, no rules, and audit_enabled == 0. But its getting ready to start a new auditd, enable audit, and load rules. In this case, we expect tasks already dismissed by task filter to stay dismissed because the task filter only runs at fork time. For example, suppose httpd is not desired to be audited. The admin sets up a task rule that sets it to never for httpd. The rule triggers at fork and marks it inauditable. Would this patch cause httpd to suddenly become auditable again during an auditd restart? Rather than play run time games which is ultimately racey and prone to missing something, what about the approach of controlling this from a boot variable and letting user space see an error should auditing try to do its normal thing when its not wanted? This way auditd can exit and there aren't any races. -Steve