From: Ondrej Mosnacek
To: linux-audit@redhat.com
Cc: Paul Moore, Richard Guy Briggs, Steve Grubb, Miroslav Lichvar, John Stultz, Thomas Gleixner, Stephen Boyd, linux-kernel@vger.kernel.org, Ondrej Mosnacek
Subject: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments
Date: Fri, 24 Aug 2018 14:00:00 +0200
Message-Id: <20180824120001.20771-2-omosnace@redhat.com>
In-Reply-To: <20180824120001.20771-1-omosnace@redhat.com>
References: <20180824120001.20771-1-omosnace@redhat.com>

This patch adds two auxiliary record types that will be used to annotate
the adjtimex SYSCALL records with the NTP/timekeeping values that have
been changed.

Next, it adds two functions to the audit interface:
 - audit_tk_injoffset(), which will be called whenever a timekeeping
   offset is injected by a syscall from userspace,
 - audit_ntp_adjust(), which will be called whenever an NTP internal
   variable is changed by a syscall from userspace.

Quick reference for the fields of the new records:
    AUDIT_TIME_INJOFFSET
        sec - the 'seconds' part of the offset
        nsec - the 'nanoseconds' part of the offset
    AUDIT_TIME_ADJNTPVAL
        op - which value was adjusted:
            offset - corresponding to the time_offset variable
            freq - corresponding to the time_freq variable
            status - corresponding to the time_status variable
            adjust - corresponding to the time_adjust variable
            tick - corresponding to the tick_usec variable
            tai - corresponding to the timekeeping's TAI offset
        old - the old value
        new - the new value

Signed-off-by: Ondrej Mosnacek --- include/linux/audit.h | 21 +++++++++++++++++++++ include/uapi/linux/audit.h | 2 ++ kernel/auditsc.c | 15 +++++++++++++++ 3 files changed, 38 insertions(+) diff --git a/include/linux/audit.h b/include/linux/audit.h index 9334fbef7bae..0d084d4b4042 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -26,6 +26,7 @@ #include #include #include +#include #define AUDIT_INO_UNSET ((unsigned long)-1) #define AUDIT_DEV_UNSET ((dev_t)-1) @@ -356,6 +357,8 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old); extern void __audit_mmap_fd(int fd, int flags); extern void __audit_log_kern_module(char *name); extern void __audit_fanotify(unsigned int response); +extern void __audit_tk_injoffset(struct timespec64 offset); +extern void __audit_ntp_adjust(const char *type, s64 oldval, s64 newval); static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) { @@ -458,6 +461,18 @@ static inline void audit_fanotify(unsigned int response) __audit_fanotify(response); } +static inline void audit_tk_injoffset(struct timespec64 offset) +{ + if (!audit_dummy_context()) + __audit_tk_injoffset(offset); +} + +static inline void audit_ntp_adjust(const char *type, s64 oldval, s64 newval) +{ + if (!audit_dummy_context()) + __audit_ntp_adjust(type, oldval, newval); +} + extern int audit_n_rules; extern int audit_signals; #else /* CONFIG_AUDITSYSCALL */ @@ -584,6 +599,12 @@ static inline void audit_log_kern_module(char *name) static inline void audit_fanotify(unsigned int response) { } +static inline void audit_tk_injoffset(struct timespec64 offset) +{ } + +static inline void audit_ntp_adjust(const char *type, s64 oldval, s64 newval) +{ } + static inline void audit_ptrace(struct task_struct *t) { } #define audit_n_rules 0 diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 4e3eaba84175..242ce562b41a 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h 
@@ -114,6 +114,8 @@ #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */ #define AUDIT_FANOTIFY 1331 /* Fanotify access decision */ +#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */ +#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fb207466e99b..d355d32d9765 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2422,6 +2422,21 @@ void __audit_fanotify(unsigned int response) AUDIT_FANOTIFY, "resp=%u", response); } +/* We need to allocate with GFP_ATOMIC here, since these two functions will be + * called while holding the timekeeping lock: */ +void __audit_tk_injoffset(struct timespec64 offset) +{ + audit_log(audit_context(), GFP_ATOMIC, AUDIT_TIME_INJOFFSET, + "sec=%lli nsec=%li", (long long)offset.tv_sec, offset.tv_nsec); +} + +void __audit_ntp_adjust(const char *type, s64 oldval, s64 newval) +{ + audit_log(audit_context(), GFP_ATOMIC, AUDIT_TIME_ADJNTPVAL, + "op=%s old=%lli new=%lli", type, + (long long)oldval, (long long)newval); +} + static void audit_log_task(struct audit_buffer *ab) { kuid_t auid, uid; -- 2.17.1
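Review bot: in the include/linux/audit.h declarations hunk (@@ -356), the first parameter of __audit_ntp_adjust() is named `type` but is emitted as the `op=` field, and as a free-form `const char *` nothing limits it to the six values the commit message lists (offset, freq, status, adjust, tick, tai). Suggest naming the parameter `op` and considering an enum that the audit code maps to the string, so a caller cannot place an arbitrary string into the record through `%s`.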
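Review bot: the audit_ntp_adjust() wrapper in the include/linux/audit.h inline hunk (@@ -458) only tests audit_dummy_context(), so a record is emitted even when oldval == newval, while the commit message describes the record as covering values that have been changed. Suggest either `if (!audit_dummy_context() && oldval != newval)` in the wrapper or a comment stating that no-op writes are logged on purpose, so that consumers of AUDIT_TIME_ADJNTPVAL know whether old == new can appear.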
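Review bot: in the kernel/auditsc.c hunk, the comment above __audit_tk_injoffset() says both functions run with the timekeeping lock held, and GFP_ATOMIC only addresses the allocation; audit_log() still formats and queues the record inside that critical section. Suggest having the callers capture the offset and the old/new values under the lock and emit the records after it is released, which would also remove the need for GFP_ATOMIC. Style point on the same comment: it ends with `lock: */` on the text line, whereas multi-line block comments normally put the closing `*/` on its own line.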