From: Ondrej Mosnacek
To: linux-audit@redhat.com
Cc: Paul Moore, Richard Guy Briggs, Steve Grubb, John Stultz, Thomas Gleixner, Stephen Boyd, linux-kernel@vger.kernel.org, Ondrej Mosnacek
Subject: [RFC PATCH ghak10 v4 1/2] audit: Add functions to log time adjustments
Date: Mon, 20 Aug 2018 14:38:17 +0200
Message-Id: <20180820123818.27547-2-omosnace@redhat.com>
In-Reply-To: <20180820123818.27547-1-omosnace@redhat.com>
References: <20180820123818.27547-1-omosnace@redhat.com>

This patch adds two auxiliary record types that will be used to annotate
the adjtimex SYSCALL records with the NTP/timekeeping values that have
been changed.

Next, it adds two functions to the audit interface:
 - audit_tk_injoffset(), which will be called whenever a timekeeping
   offset is injected by a syscall from userspace,
 - audit_ntp_adjust(), which will be called whenever an NTP internal
   variable is changed by a syscall from userspace.

Quick reference for the fields of the new records:
    AUDIT_TIME_INJOFFSET
        sec - the 'seconds' part of the offset
        nsec - the 'nanoseconds' part of the offset
    AUDIT_TIME_ADJNTPVAL
        op - which value was adjusted:
            offset - corresponding to the time_offset variable
            freq - corresponding to the time_freq variable
            status - corresponding to the time_status variable
            maxerr - corresponding to the time_maxerror variable
            esterr - corresponding to the time_esterror variable
            const - corresponding to the time_constant variable
            adjust - corresponding to the time_adjust variable
            tick - corresponding to the tick_usec variable
            tai - corresponding to the timekeeping's TAI offset
        old - the old value
        new - the new value

Signed-off-by: Ondrej Mosnacek --- include/linux/audit.h | 21 +++++++++++++++++++++ include/uapi/linux/audit.h | 2 ++ kernel/auditsc.c | 15 +++++++++++++++ 3 files changed, 38 insertions(+) diff --git a/include/linux/audit.h b/include/linux/audit.h index 9334fbef7bae..0d084d4b4042 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -26,6 +26,7 @@ #include #include #include +#include #define AUDIT_INO_UNSET ((unsigned long)-1) #define AUDIT_DEV_UNSET ((dev_t)-1) @@ -356,6 +357,8 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old); extern void __audit_mmap_fd(int fd, int flags); extern void __audit_log_kern_module(char *name); extern void __audit_fanotify(unsigned int response); +extern void __audit_tk_injoffset(struct timespec64 offset); +extern void __audit_ntp_adjust(const char *type, s64 oldval, s64 newval); static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) { @@ -458,6 +461,18 @@ static inline void audit_fanotify(unsigned int response) __audit_fanotify(response); } +static inline void audit_tk_injoffset(struct timespec64 offset) +{ + if (!audit_dummy_context()) + __audit_tk_injoffset(offset); +} + +static inline void audit_ntp_adjust(const char *type, s64 oldval, s64 newval) +{ + if (!audit_dummy_context()) + __audit_ntp_adjust(type, oldval, newval); +} + extern int audit_n_rules; extern int audit_signals; #else /* CONFIG_AUDITSYSCALL */ @@ -584,6 +599,12 @@ static inline void audit_log_kern_module(char *name) static inline void audit_fanotify(unsigned int response) { } +static inline void audit_tk_injoffset(struct timespec64 offset) +{ } + +static inline void audit_ntp_adjust(const char *type, s64 oldval, s64 newval) +{ } + static inline void audit_ptrace(struct task_struct *t) { } #define audit_n_rules 0 diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 4e3eaba84175..242ce562b41a 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h 
@@ -114,6 +114,8 @@ #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */ #define AUDIT_FANOTIFY 1331 /* Fanotify access decision */ +#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */ +#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fb207466e99b..d355d32d9765 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2422,6 +2422,21 @@ void __audit_fanotify(unsigned int response) AUDIT_FANOTIFY, "resp=%u", response); } +/* We need to allocate with GFP_ATOMIC here, since these two functions will be + * called while holding the timekeeping lock: */ +void __audit_tk_injoffset(struct timespec64 offset) +{ + audit_log(audit_context(), GFP_ATOMIC, AUDIT_TIME_INJOFFSET, + "sec=%lli nsec=%li", (long long)offset.tv_sec, offset.tv_nsec); +} + +void __audit_ntp_adjust(const char *type, s64 oldval, s64 newval) +{ + audit_log(audit_context(), GFP_ATOMIC, AUDIT_TIME_ADJNTPVAL, + "op=%s old=%lli new=%lli", type, + (long long)oldval, (long long)newval); +} + static void audit_log_task(struct audit_buffer *ab) { kuid_t auid, uid; -- 2.17.1
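
Review bot: in include/linux/audit.h, audit_ntp_adjust() takes a free-form `const char *type`, and __audit_ntp_adjust() in kernel/auditsc.c prints it unescaped as `op=%s`, so nothing in the code limits callers to the nine op names listed in the commit message. An enum argument mapped to a fixed string table inside auditsc.c would keep the op field a closed set and rule out a later caller passing a string that contains spaces or is derived from user input, either of which would corrupt the key=value record. The parameter is also called type while the logged field is op; one name for both would make the interface easier to follow.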
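
Review bot: in include/uapi/linux/audit.h, AUDIT_TIME_INJOFFSET (1332) and AUDIT_TIME_ADJNTPVAL (1333) become userspace ABI, but their field layout (sec/nsec and op/old/new) is documented only in the commit message. Please add a comment next to the two logging functions, or extend the comments on the defines, stating the fields and the unit of old/new for each op. The values are logged as bare s64 with `old=%lli new=%lli`, so a log consumer cannot tell from the record how to interpret, say, a freq change versus a tick change.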
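
Review bot: in kernel/auditsc.c, the comment above __audit_tk_injoffset() says both functions run with the timekeeping lock held, and GFP_ATOMIC only covers the allocation part of that problem. audit_log() also queues the record and wakes the audit daemon thread, and the patch does not show that this is safe from inside the timekeeping critical section; capturing the old and new values under the lock and emitting the records after it is released would avoid the question. An atomic allocation can also fail under memory pressure, in which case the time change goes unrecorded with no indication to the caller, which matters for a record whose purpose is to make clock tampering auditable. Minor: the comment ends in a colon and puts text on the opening line, where kernel style has `/*` on a line of its own for multi-line comments.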