Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp5647618imm; Mon, 27 Aug 2018 01:31:22 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdb/V+GYz/SSj0MEfk+g+ceH+R8DtU5Ke7MK2+heEH/EKf+RAc5IBbOBjL7uJZtT3kD/7boy X-Received: by 2002:a62:25c5:: with SMTP id l188-v6mr13078187pfl.179.1535358682030; Mon, 27 Aug 2018 01:31:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535358681; cv=none; d=google.com; s=arc-20160816; b=zjOax9nkgoV9LPRk7kZbphfT0e9gdXxWvkzd6vUTHfK2Jpo6uHyQDiNTl64ScOrb6p 0nyRjOsXN0U5yzGdEQDZDRGgm5sJaM3t5VNuVnmo9SWPqIMRfNW/DunUKOwpqt8dHLc+ dkXyjz/jk+Zy7W5aAtEWoolDaJ3X8rSlMnF6yfhFgpslPQR9xdHjzQfgaLqmTBlReF51 y76AQo2vdvcb5PfWneBDHS/8oZDc3YscrYY9s4kotqGmzhnBazmnh38gS8gwI7Sb2g+e af5DN8nyrbihl86GH2W9mQ0rXOterFRFvHWlq4f5QkRsxmLHyxc3XF3AJHpEt43a2NnA 5/qg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:arc-authentication-results; bh=ONNzXop+iXz4kxRxZhE5SwuP7zkcGvl71ot5B8fA+KA=; b=Zp2MAwJMtmNSTYj2EzeuA/wi8hQrNn58te02FDwGjR34NX72u/vf28IsPLxNLUA8Nw MO8TJf0W382CuPlQwH7Hd8Eoq/rzRyrHL0cA8j32xnlWnvuehFizs6l9epJi7iqv9Q3V gf6VWYCoIwYLxTJiRNYWBTzGjwFXTuWq95/Y+voatZvRWQNqadI4Iw69Q7E0DQChE2Ck 2Nq2V/IGJTsnRsyWYuhON9Dd+tTEJxb5uoM/uDNfYXajYu4lN44sKjS/vFPMmcwyLHce UuVpo3tFthBjik0qd4kVTTUlGLH0U6CJlJI6r7ZO2079ik/iqGgAY42w6gx3Sl+Iw2H0 VrEg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c22-v6si12678312plo.271.2018.08.27.01.31.05; Mon, 27 Aug 2018 01:31:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727105AbeH0MOS (ORCPT + 99 others); Mon, 27 Aug 2018 08:14:18 -0400 Received: from mail-oi0-f66.google.com ([209.85.218.66]:40082 "EHLO mail-oi0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726802AbeH0MOS (ORCPT ); Mon, 27 Aug 2018 08:14:18 -0400 Received: by mail-oi0-f66.google.com with SMTP id l202-v6so18937845oig.7 for ; Mon, 27 Aug 2018 01:28:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ONNzXop+iXz4kxRxZhE5SwuP7zkcGvl71ot5B8fA+KA=; b=RJogWZJH5Hj4q+qjLplAdYrYHMZX7kL6A2JAaDrerSbZzC9nQWbfzacPPNPdvmishA HYecFm1FVu6inWdIu4TAhMQ5zk7Dyhh7c0ZrepOXwCl2uyAvF2J4uC3KJGH45ELivIR6 /o7TK2ENTiujRxQYGS/2hSVyT9NVqOUBMgk2MesywHYOzs95XZt3qIQGA5i9eRtKXL9s j7juhdJ5D27T4K+rSCUSfiRL7rC2s6qAOuiOFMh5MB5vS2w58n4BwkvuixGUNVVopnHC 97QE0FC9IU8CssE9tIvu4NzB0cq0PYsyn1S6W4jI7uM9Chgtlm2Tkw1cj9orHOA7dzKt UQRw== X-Gm-Message-State: APzg51BhbDsFJ3ASwGWx9qayh9IcWuXKmpenRe+L0JSZLT3tkW4pWkfZ RuFcFdVrKlY5EwVjquGFkZUbIoOYzXJinZLWN4pAeA== X-Received: by 2002:aca:3f55:: with SMTP id m82-v6mr12293330oia.237.1535358519321; Mon, 27 Aug 2018 01:28:39 -0700 (PDT) MIME-Version: 1.0 References: <20180824120001.20771-1-omosnace@redhat.com> <20180824120001.20771-2-omosnace@redhat.com> In-Reply-To: From: Ondrej Mosnacek Date: Mon, 27 Aug 2018 10:28:27 +0200 Message-ID: Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments To: John Stultz Cc: Linux-Audit Mailing List , Paul Moore , Richard Guy Briggs , Steve Grubb , Miroslav Lichvar , Thomas Gleixner , Stephen Boyd , Linux kernel mailing list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 24, 2018 at 8:33 PM John Stultz wrote: > On Fri, Aug 24, 2018 at 5:00 AM, Ondrej Mosnacek wrote: > > This patch adds two auxiliary record types that will be used to annotate > > the adjtimex SYSCALL records with the NTP/timekeeping values that have > > been changed. > > > > Next, it adds two functions to the audit interface: > > - audit_tk_injoffset(), which will be called whenever a timekeeping > > offset is injected by a syscall from userspace, > > - audit_ntp_adjust(), which will be called whenever an NTP internal > > variable is changed by a syscall from userspace. > > > > Quick reference for the fields of the new records: > > AUDIT_TIME_INJOFFSET > > sec - the 'seconds' part of the offset > > nsec - the 'nanoseconds' part of the offset > > AUDIT_TIME_ADJNTPVAL > > op - which value was adjusted: > > offset - corresponding to the time_offset variable > > freq - corresponding to the time_freq variable > > status - corresponding to the time_status variable > > adjust - corresponding to the time_adjust variable > > tick - corresponding to the tick_usec variable > > tai - corresponding to the timekeeping's TAI offset > > old - the old value > > new - the new value > > > > Signed-off-by: Ondrej Mosnacek > > --- > > include/linux/audit.h | 21 +++++++++++++++++++++ > > include/uapi/linux/audit.h | 2 ++ > > kernel/auditsc.c | 15 +++++++++++++++ > > 3 files changed, 38 insertions(+) > > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 9334fbef7bae..0d084d4b4042 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h > > @@ -26,6 +26,7 @@ > > #include > > #include > > #include > > +#include > > > > #define AUDIT_INO_UNSET ((unsigned long)-1) > > #define AUDIT_DEV_UNSET ((dev_t)-1) > > @@ -356,6 +357,8 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old); > > extern void __audit_mmap_fd(int fd, int flags); > > extern void __audit_log_kern_module(char *name); > > extern void __audit_fanotify(unsigned int response); > > +extern void __audit_tk_injoffset(struct timespec64 offset); > > +extern void __audit_ntp_adjust(const char *type, s64 oldval, s64 newval); > > > > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) > > { > > @@ -458,6 +461,18 @@ static inline void audit_fanotify(unsigned int response) > > __audit_fanotify(response); > > } > > > > +static inline void audit_tk_injoffset(struct timespec64 offset) > > +{ > > + if (!audit_dummy_context()) > > + __audit_tk_injoffset(offset); > > +} > > + > > +static inline void audit_ntp_adjust(const char *type, s64 oldval, s64 newval) > > +{ > > + if (!audit_dummy_context()) > > + __audit_ntp_adjust(type, oldval, newval); > > +} > > + > > extern int audit_n_rules; > > extern int audit_signals; > > #else /* CONFIG_AUDITSYSCALL */ > > @@ -584,6 +599,12 @@ static inline void audit_log_kern_module(char *name) > > static inline void audit_fanotify(unsigned int response) > > { } > > > > +static inline void audit_tk_injoffset(struct timespec64 offset) > > +{ } > > + > > +static inline void audit_ntp_adjust(const char *type, s64 oldval, s64 newval) > > +{ } > > + > > static inline void audit_ptrace(struct task_struct *t) > > { } > > #define audit_n_rules 0 > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index 4e3eaba84175..242ce562b41a 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h > > @@ -114,6 +114,8 @@ > > #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ > > #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */ > > #define AUDIT_FANOTIFY 1331 /* Fanotify access decision */ > > +#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */ > > +#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ > > > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index fb207466e99b..d355d32d9765 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -2422,6 +2422,21 @@ void __audit_fanotify(unsigned int response) > > AUDIT_FANOTIFY, "resp=%u", response); > > } > > > > +/* We need to allocate with GFP_ATOMIC here, since these two functions will be > > + * called while holding the timekeeping lock: */ > > +void __audit_tk_injoffset(struct timespec64 offset) > > +{ > > + audit_log(audit_context(), GFP_ATOMIC, AUDIT_TIME_INJOFFSET, > > + "sec=%lli nsec=%li", (long long)offset.tv_sec, offset.tv_nsec); > > +} > > + > > +void __audit_ntp_adjust(const char *type, s64 oldval, s64 newval) > > +{ > > + audit_log(audit_context(), GFP_ATOMIC, AUDIT_TIME_ADJNTPVAL, > > + "op=%s old=%lli new=%lli", type, > > + (long long)oldval, (long long)newval); > > +} > > So it looks like you've been careful here, but just want to make sure, > nothing in the audit_log path calls anything that might possibly call > back into timekeeping code? We've had a number of issues over time > where debug calls out to other subsystems end up getting tweaked to > add some timestamping and we deadlock. :) Hm, that's a good point... AFAIK, the only place where audit_log() might call into timekeeping is when it captures the timestamp for the record (via ktime_get_coarse_real_ts64()), but this is only called when the functions are called outside of a syscall and that should never happen here. I'm thinking I could harden this more by returning early from these functions if WARN_ON_ONCE(!audit_context() || !audit_context()->in_syscall)... It is not a perfect solution, but at least there will be something in the code reminding us about this issue. > > One approach we've done to make sure we don't create a trap for future > changes in other subsystems, is avoid calling into other subsystems > until later when we've dropped the locks, (see clock_was_set). Its a > little rough for some of the things done deep in the ntp code, but > might be an extra cautious approach to try. I'm afraid that delaying the audit_* calls would complicate things too much here... Paul/Richard, any thoughts? -- Ondrej Mosnacek Associate Software Engineer, Security Technologies Red Hat, Inc.