Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2759699imm; Fri, 24 Aug 2018 05:01:54 -0700 (PDT) X-Google-Smtp-Source: ANB0VdbDE6NUIMQg8fhWfasQEONYwDhhXu4bsZGZyQS0scEZim2nmQ/9EmQD66NgKua13uQWnyld X-Received: by 2002:a17:902:28aa:: with SMTP id f39-v6mr1459810plb.150.1535112114591; Fri, 24 Aug 2018 05:01:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535112114; cv=none; d=google.com; s=arc-20160816; b=AM/ekzsMS87Ca7sVWdeOWWJxMKJFdhNgdAY8uRROc6VYtBreXyqQPEj4bGI8ifZkEX y3WqaLerM2SyUznxUvQtY+Jhy9XN4Ui9RcnK460+K564IAN47sZ+25HRZUKnpIbbhmaL qFVG19Ed7ZKN4QNRCxfXIFQkzJvjg9N+XYAR5GkJGaTqxoo9F2CCCkQ2KoibsuSIgPjq EA+di+Y8B/R7uHK9gay1HTLMj1ZigyxBv8ssM9WygWIjcZd9bzwyxFbBcxOcM1nSSOIZ 7Ci12Mtv3kM4GdUBBOJnq67eYFWPWC95W20CEinFu6y7rW2mW24Y+FHfU2jGHecQIGLU cByg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=2RFfXUgcQGUTOFNBD5BhZ43XVhqF1gXDVuqB5Xi2mAM=; b=KmiqNLJ5zaDIplxcl9Dw8Es+Kgf/JmTio2nDi2HTQbhZQjHA3dQRXq6ndC5F2jH96t SMVDnYVqROObBQCLHUk6xsje1GxJMp2Zu7xA1wYIzEPPoQcivDC7RsBnHjGnXJUyRk6J dq3JcMgmXBwlbwaQp9GQSNonkqG4QoPhaVuiH/IGppusg0qjdXEZRvUOiYDaPEIv2T8Z 4KITtosFKmintBKib20AJz+6GXCdGUv3A1CLva+InVJCK9ELNyCnPUzFv+o6XWwcDqWC iIYmgMpgRSxedKpkB0MHOrOD079REBZ+8r71EIxSvSN0PRB7h78LDS3WxWdJW9rYCPyg Z5BQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q16-v6si6448492pll.1.2018.08.24.05.01.38; Fri, 24 Aug 2018 05:01:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727836AbeHXPex (ORCPT + 99 others); Fri, 24 Aug 2018 11:34:53 -0400 Received: from mail-wr1-f68.google.com ([209.85.221.68]:35931 "EHLO mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726891AbeHXPew (ORCPT ); Fri, 24 Aug 2018 11:34:52 -0400 Received: by mail-wr1-f68.google.com with SMTP id m27-v6so7276234wrf.3 for ; Fri, 24 Aug 2018 05:00:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=2RFfXUgcQGUTOFNBD5BhZ43XVhqF1gXDVuqB5Xi2mAM=; b=lEORxSnA4DWMAl0JSYi2rDGkLdrNtfISmuISlwPUnMhe4IdTNcT7uC21jGwt3CW45j 20h+heOaJ2b+XWahYyk3PwwQlu7msrl7s124MXyU5S4IcjtjkBgRA+/xIe1UnqngO05i 3wINf2PoVi8GGWrh6vgZk2XPKMueqHrqDhi/GHHInMGXeSAC4Xr0aRpWjz9BkeAYruHv WoupacHl/C4Hj2aipXDdRSe6HpGrX1/CaIKbpn5zKtPvcl68occqXRtNDt2qfMbUXM71 80c+LMxlCA6FpdkUprtUUV1B4+CJuBqnRlQzKwKv3SzE3SMAX2u0g3Q2vRPDr2k3o0lZ C9SA== X-Gm-Message-State: APzg51BKW0tD48MngZqU/AIXtgID5SOWWK5dq25SpWr1+r4KfElbWKc1 hUcRrm6xvq83hEUeVOpspI6Sjw== X-Received: by 2002:adf:ee86:: with SMTP id b6-v6mr994780wro.242.1535112028837; Fri, 24 Aug 2018 05:00:28 -0700 (PDT) Received: from localhost.localdomain.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id r30-v6sm12318999wrc.90.2018.08.24.05.00.27 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 24 Aug 2018 05:00:27 -0700 (PDT) From: Ondrej Mosnacek To: linux-audit@redhat.com Cc: Paul Moore , Richard Guy Briggs , Steve Grubb , Miroslav Lichvar , John Stultz , Thomas Gleixner , Stephen Boyd , linux-kernel@vger.kernel.org, Ondrej Mosnacek Subject: [PATCH ghak10 v5 2/2] timekeeping/ntp: Audit clock/NTP params adjustments Date: Fri, 24 Aug 2018 14:00:01 +0200 Message-Id: <20180824120001.20771-3-omosnace@redhat.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180824120001.20771-1-omosnace@redhat.com> References: <20180824120001.20771-1-omosnace@redhat.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patch adds logging of all attempts to either inject an offset into the clock (producing an AUDIT_TIME_INJOFFSET record) or adjust an NTP parameter (producing an AUDIT_TIME_ADJNTPVAL record). For reference, running the following commands: auditctl -D auditctl -a exit,always -F arch=b64 -S adjtimex chronyd -q produces audit records like this: type=TIME_ADJNTPVAL msg=audit(1530616044.507:5): op=adjust old=0 new=0 type=SYSCALL msg=audit(1530616044.507:5): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78c00 a1=0 a2=4 a3=7f754ae28c0a items=0 ppid=626 pid=629 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616044.507:5): proctitle=6368726F6E7964002D71 type=SYSCALL msg=audit(1530616044.507:6): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78c00 a1=1 a2=1 a3=7f754ae28c0a items=0 ppid=626 pid=629 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616044.507:6): proctitle=6368726F6E7964002D71 type=TIME_INJOFFSET msg=audit(1530616044.507:7): sec=0 nsec=0 type=TIME_ADJNTPVAL msg=audit(1530616044.507:7): op=status old=64 new=8256 type=SYSCALL msg=audit(1530616044.507:7): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78c00 a1=1 a2=1 a3=7f754ae28c0a items=0 ppid=626 pid=629 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616044.507:7): proctitle=6368726F6E7964002D71 type=TIME_ADJNTPVAL msg=audit(1530616044.507:8): op=status old=8256 new=8257 type=TIME_ADJNTPVAL msg=audit(1530616044.507:8): op=offset old=0 new=0 type=TIME_ADJNTPVAL msg=audit(1530616044.507:8): op=freq old=0 new=0 type=SYSCALL msg=audit(1530616044.507:8): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78ab0 a1=0 a2=55e129c850c0 a3=7f754ae28c0a items=0 ppid=626 pid=629 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616044.507:8): proctitle=6368726F6E7964002D71 type=TIME_ADJNTPVAL msg=audit(1530616044.507:9): op=status old=8257 new=64 type=SYSCALL msg=audit(1530616044.507:9): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78ab0 a1=0 a2=55e129c850c0 a3=7f754ae28c0a items=0 ppid=626 pid=629 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616044.507:9): proctitle=6368726F6E7964002D71 type=SYSCALL msg=audit(1530616044.507:10): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78a70 a1=0 a2=55e129c850c0 a3=7f754ae28c0a items=0 ppid=626 pid=629 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616044.507:10): proctitle=6368726F6E7964002D71 type=TIME_ADJNTPVAL msg=audit(1530616044.511:11): op=freq old=0 new=49180377088000 type=TIME_ADJNTPVAL msg=audit(1530616044.511:11): op=tick old=10000 new=10000 type=SYSCALL msg=audit(1530616044.511:11): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78ad0 a1=0 a2=2710 a3=f42f82a800000 items=0 ppid=626 pid=629 auid=0 uid=385 gid=382 euid=385 suid=385 fsuid=385 egid=382 sgid=382 fsgid=382 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616044.511:11): proctitle=6368726F6E7964002D71 type=TIME_ADJNTPVAL msg=audit(1530616044.521:12): op=status old=64 new=64 type=SYSCALL msg=audit(1530616044.521:12): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78b40 a1=1 a2=40 a3=f91f6ef84fbab items=0 ppid=626 pid=629 auid=0 uid=385 gid=382 euid=385 suid=385 fsuid=385 egid=382 sgid=382 fsgid=382 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616044.521:12): proctitle=6368726F6E7964002D71 type=TIME_INJOFFSET msg=audit(1530616049.652:13): sec=-16 nsec=124887145 type=TIME_ADJNTPVAL msg=audit(1530616049.652:13): op=status old=64 new=8256 type=SYSCALL msg=audit(1530616049.652:13): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78270 a1=1 a2=fffffffffffffff0 a3=137b828205ca12 items=0 ppid=626 pid=629 auid=0 uid=385 gid=382 euid=385 suid=385 fsuid=385 egid=382 sgid=382 fsgid=382 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616049.652:13): proctitle=6368726F6E7964002D71 type=TIME_ADJNTPVAL msg=audit(1530616033.783:14): op=freq old=49180377088000 new=49180377088000 type=TIME_ADJNTPVAL msg=audit(1530616033.783:14): op=tick old=10000 new=10000 type=SYSCALL msg=audit(1530616033.783:14): arch=c000003e syscall=159 success=yes exit=5 a0=7fff57e78bc0 a1=0 a2=2710 a3=0 items=0 ppid=626 pid=629 auid=0 uid=385 gid=382 euid=385 suid=385 fsuid=385 egid=382 sgid=382 fsgid=382 tty=(none) ses=1 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:kernel_t:s0 key=(null) type=PROCTITLE msg=audit(1530616033.783:14): proctitle=6368726F6E7964002D71 The chronyd command that produced the above records executed the following adjtimex(2) syscalls (as per strace output): adjtimex({modes=ADJ_OFFSET|0x8000, offset=0, freq=0, maxerror=16000000, esterror=16000000, status=STA_UNSYNC, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616044, tv_usec=507215}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) adjtimex({modes=ADJ_MAXERROR, offset=0, freq=0, maxerror=0, esterror=16000000, status=STA_UNSYNC, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616044, tv_usec=507438}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) adjtimex({modes=ADJ_SETOFFSET|ADJ_NANO, offset=0, freq=0, maxerror=16000000, esterror=16000000, status=STA_UNSYNC|STA_NANO, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616044, tv_usec=507604737}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) adjtimex({modes=ADJ_OFFSET|ADJ_STATUS, offset=0, freq=0, maxerror=16000000, esterror=16000000, status=STA_PLL|STA_UNSYNC|STA_NANO, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616044, tv_usec=507698330}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) adjtimex({modes=ADJ_STATUS, offset=0, freq=0, maxerror=16000000, esterror=16000000, status=STA_UNSYNC, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616044, tv_usec=507792}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) adjtimex({modes=0, offset=0, freq=0, maxerror=16000000, esterror=16000000, status=STA_UNSYNC, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616044, tv_usec=508000}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) adjtimex({modes=ADJ_FREQUENCY|ADJ_TICK, offset=0, freq=750433, maxerror=16000000, esterror=16000000, status=STA_UNSYNC, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616044, tv_usec=512146}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) adjtimex({modes=ADJ_MAXERROR|ADJ_ESTERROR|ADJ_STATUS, offset=0, freq=750433, maxerror=16000000, esterror=16000000, status=STA_UNSYNC, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616044, tv_usec=522506}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) adjtimex({modes=ADJ_SETOFFSET|ADJ_NANO, offset=0, freq=750433, maxerror=16000000, esterror=16000000, status=STA_UNSYNC|STA_NANO, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616033, tv_usec=778717675}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) adjtimex({modes=ADJ_FREQUENCY|ADJ_TICK, offset=0, freq=750433, maxerror=16000000, esterror=16000000, status=STA_UNSYNC|STA_NANO, constant=2, precision=1, tolerance=32768000, time={tv_sec=1530616033, tv_usec=784644657}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) (The struct timex fields above are from *after* the syscall was executed, so they contain the current (new) values as set from the kernel, except of the 'modes' field, which contains the original value sent by the caller.) The changes to the time_maxerror, time_esterror, and time_constant variables are not logged, as these are not important for security. Note that the records are emitted even when the actual value does not change (i.e. when there is an explicit attempt to change a value, but the new value equals the old one). An overview of changes that can be done via adjtimex(2) (based on information from Miroslav Lichvar) and whether they are audited: timekeeping_inject_offset() -- injects offset directly into system time (AUDITED) __timekeeping_set_tai_offset() -- sets the offset from the International Atomic Time (AUDITED) NTP variables: time_offset -- can adjust the clock by up to 0.5 seconds per call and also speed it up or slow down by up to about 0.05% (43 seconds per day) (AUDITED) time_freq -- can speed up or slow down by up to about 0.05% time_status -- can insert/delete leap seconds and it also enables/ disables synchronization of the hardware real-time clock (AUDITED) time_maxerror, time_esterror -- change error estimates used to inform userspace applications (NOT AUDITED) time_constant -- controls the speed of the clock adjustments that are made when time_offset is set (NOT AUDITED) time_adjust -- can temporarily speed up or slow down the clock by up to 0.05% (AUDITED) tick_usec -- a more extreme version of time_freq; can speed up or slow down the clock by up to 10% (AUDITED) Cc: Miroslav Lichvar Signed-off-by: Ondrej Mosnacek --- kernel/time/ntp.c | 38 ++++++++++++++++++++++++++++++-------- kernel/time/timekeeping.c | 3 +++ 2 files changed, 33 insertions(+), 8 deletions(-) diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c index a09ded765f6c..f96c6d326aae 100644 --- a/kernel/time/ntp.c +++ b/kernel/time/ntp.c @@ -18,6 +18,7 @@ #include #include #include +#include #include "ntp_internal.h" #include "timekeeping_internal.h" @@ -294,6 +295,8 @@ static inline s64 ntp_update_offset_fll(s64 offset64, long secs) static void ntp_update_offset(long offset) { + s64 old_offset = time_offset; + s64 old_freq = time_freq; s64 freq_adj; s64 offset64; long secs; @@ -342,6 +345,9 @@ static void ntp_update_offset(long offset) time_freq = max(freq_adj, -MAXFREQ_SCALED); time_offset = div_s64(offset64 << NTP_SCALE_SHIFT, NTP_INTERVAL_FREQ); + + audit_ntp_adjust("offset", old_offset, time_offset); + audit_ntp_adjust("freq", old_freq, time_freq); } /** @@ -669,21 +675,31 @@ static inline void process_adjtimex_modes(struct timex *txc, struct timespec64 *ts, s32 *time_tai) { - if (txc->modes & ADJ_STATUS) - process_adj_status(txc, ts); + if (txc->modes & (ADJ_STATUS | ADJ_NANO | ADJ_MICRO)) { + int old_status = time_status; + + if (txc->modes & ADJ_STATUS) + process_adj_status(txc, ts); - if (txc->modes & ADJ_NANO) - time_status |= STA_NANO; + if (txc->modes & ADJ_NANO) + time_status |= STA_NANO; - if (txc->modes & ADJ_MICRO) - time_status &= ~STA_NANO; + if (txc->modes & ADJ_MICRO) + time_status &= ~STA_NANO; + + audit_ntp_adjust("status", old_status, time_status); + } if (txc->modes & ADJ_FREQUENCY) { + s64 old_freq = time_freq; + time_freq = txc->freq * PPM_SCALE; time_freq = min(time_freq, MAXFREQ_SCALED); time_freq = max(time_freq, -MAXFREQ_SCALED); /* update pps_freq */ pps_set_freq(time_freq); + + audit_ntp_adjust("freq", old_freq, time_freq); } if (txc->modes & ADJ_MAXERROR) @@ -700,14 +716,18 @@ static inline void process_adjtimex_modes(struct timex *txc, time_constant = max(time_constant, 0l); } - if (txc->modes & ADJ_TAI && txc->constant > 0) + if (txc->modes & ADJ_TAI && txc->constant > 0) { + audit_ntp_adjust("tai", *time_tai, txc->constant); *time_tai = txc->constant; + } if (txc->modes & ADJ_OFFSET) ntp_update_offset(txc->offset); - if (txc->modes & ADJ_TICK) + if (txc->modes & ADJ_TICK) { + audit_ntp_adjust("tick", tick_usec, txc->tick); tick_usec = txc->tick; + } if (txc->modes & (ADJ_TICK|ADJ_FREQUENCY|ADJ_OFFSET)) ntp_update_frequency(); @@ -729,6 +749,8 @@ int __do_adjtimex(struct timex *txc, struct timespec64 *ts, s32 *time_tai) /* adjtime() is independent from ntp_adjtime() */ time_adjust = txc->offset; ntp_update_frequency(); + + audit_ntp_adjust("adjust", save_adjust, txc->offset); } txc->offset = save_adjust; } else { diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index 4786df904c22..9089ac329e69 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -25,6 +25,7 @@ #include #include #include +#include #include "tick-internal.h" #include "ntp_internal.h" @@ -2308,6 +2309,8 @@ int do_adjtimex(struct timex *txc) ret = timekeeping_inject_offset(&delta); if (ret) return ret; + + audit_tk_injoffset(delta); } getnstimeofday64(&ts); -- 2.17.1