Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp872160imm; Thu, 13 Sep 2018 09:00:28 -0700 (PDT) X-Google-Smtp-Source: ANB0VdY6EdnE/kwmwqkhrePSwfTuERzh6VNhJfHE9RpDTkMTeB2x7R/m6/Ed4ex4iltjphtC/ixn X-Received: by 2002:a17:902:7614:: with SMTP id k20-v6mr7892275pll.170.1536854428623; Thu, 13 Sep 2018 09:00:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536854428; cv=none; d=google.com; s=arc-20160816; b=CW9djqISW+XI6nHfqDZFnpcwsMECzCaqnt8+824N7ODnMAnZMPt+Gk58oiFwyMYoT8 DW07UjddDic2fezW9fQdZ4FoQH7g5CwFdv7SaNnbyPsBNvz7dULu0lBbHrXZBA4pPyV8 yyFJ/vVKFnCc66ytmZ/fkbFcH65opT7oBZME+54AN1FZYmk7F+o1mGmlc1aIq0TOdzze e4Wf4qNmSslvLWZUqXnlk+rlSGTypBuVfbn8fchGioYx/3zUxfDIuc3pZNmxiMGsFVTO 74DVreTIS00q7CXjJkVjzBLG14UgBa+y64N/5oq0NVZz6I5XXzGXx8qkHIfO3NDZfOGe Bjjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=IJdFXBIk6uroPhBiFSoOQ/mzQh6Jec+ZscNnn62OHNI=; b=O886VW67xIMFDXv8mY8112xDmYGsCzgIE41EdQl5PEGfcfZBZ3ScgK7SU7k7CTSb8J Zg2D6wLipGUkl669e+dn8J3TlpNoIpTfZvfku+uGqxltlp4kXHMbJcuSMa1TQ1hryHPc OACiKSeES7HdsqJt/7cDzda3kxuUryQlkyCgtTCr0XvsurdsPYNif3i3QsXcuihhE3DK hWCIvB8eCV9nQAl7QyEbor8M2jlIQnFMtxyCHyIzB6YwPfWaKnHK0CxSfE/QWI3e+WWy s6f6Ugqn9Bb1QRDKX1IFobqvfkQP3sgplkRSID/BKkY49dAn5LCnrdZJEX4jn79xIIX/ D7ig== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r20-v6si3467296pgk.207.2018.09.13.09.00.00; Thu, 13 Sep 2018 09:00:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728493AbeIMVJQ (ORCPT + 99 others); Thu, 13 Sep 2018 17:09:16 -0400 Received: from mx1.redhat.com ([209.132.183.28]:44880 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727636AbeIMVJQ (ORCPT ); Thu, 13 Sep 2018 17:09:16 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BAE42307DA3C; Thu, 13 Sep 2018 15:59:08 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-40.phx2.redhat.com [10.3.112.40]) by smtp.corp.redhat.com (Postfix) with ESMTPS id BFCB55C1A1; Thu, 13 Sep 2018 15:58:59 +0000 (UTC) Date: Thu, 13 Sep 2018 11:54:18 -0400 From: Richard Guy Briggs To: Ondrej Mosnacek Cc: John Stultz , Linux-Audit Mailing List , Paul Moore , Steve Grubb , Miroslav Lichvar , Thomas Gleixner , Stephen Boyd , Linux kernel mailing list Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments Message-ID: <20180913155418.regeoj6veiivpvlt@madcap2.tricolour.ca> References: <20180824120001.20771-1-omosnace@redhat.com> <20180824120001.20771-2-omosnace@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180512 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Thu, 13 Sep 2018 15:59:08 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-08-27 10:28, Ondrej Mosnacek wrote: > On Fri, Aug 24, 2018 at 8:33 PM John Stultz wrote: > > On Fri, Aug 24, 2018 at 5:00 AM, Ondrej Mosnacek wrote: > > > This patch adds two auxiliary record types that will be used to annotate > > > the adjtimex SYSCALL records with the NTP/timekeeping values that have > > > been changed. > > > > > > Next, it adds two functions to the audit interface: > > > - audit_tk_injoffset(), which will be called whenever a timekeeping > > > offset is injected by a syscall from userspace, > > > - audit_ntp_adjust(), which will be called whenever an NTP internal > > > variable is changed by a syscall from userspace. > > > > > > Quick reference for the fields of the new records: > > > AUDIT_TIME_INJOFFSET > > > sec - the 'seconds' part of the offset > > > nsec - the 'nanoseconds' part of the offset > > > AUDIT_TIME_ADJNTPVAL > > > op - which value was adjusted: > > > offset - corresponding to the time_offset variable > > > freq - corresponding to the time_freq variable > > > status - corresponding to the time_status variable > > > adjust - corresponding to the time_adjust variable > > > tick - corresponding to the tick_usec variable > > > tai - corresponding to the timekeeping's TAI offset > > > old - the old value > > > new - the new value > > > > > > Signed-off-by: Ondrej Mosnacek > > > --- > > > include/linux/audit.h | 21 +++++++++++++++++++++ > > > include/uapi/linux/audit.h | 2 ++ > > > kernel/auditsc.c | 15 +++++++++++++++ > > > 3 files changed, 38 insertions(+) > > > > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > > index 9334fbef7bae..0d084d4b4042 100644 > > > --- a/include/linux/audit.h > > > +++ b/include/linux/audit.h > > > @@ -26,6 +26,7 @@ > > > #include > > > #include > > > #include > > > +#include > > > > > > #define AUDIT_INO_UNSET ((unsigned long)-1) > > > #define AUDIT_DEV_UNSET ((dev_t)-1) > > > @@ -356,6 +357,8 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old); > > > extern void __audit_mmap_fd(int fd, int flags); > > > extern void __audit_log_kern_module(char *name); > > > extern void __audit_fanotify(unsigned int response); > > > +extern void __audit_tk_injoffset(struct timespec64 offset); > > > +extern void __audit_ntp_adjust(const char *type, s64 oldval, s64 newval); > > > > > > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) > > > { > > > @@ -458,6 +461,18 @@ static inline void audit_fanotify(unsigned int response) > > > __audit_fanotify(response); > > > } > > > > > > +static inline void audit_tk_injoffset(struct timespec64 offset) > > > +{ > > > + if (!audit_dummy_context()) > > > + __audit_tk_injoffset(offset); > > > +} > > > + > > > +static inline void audit_ntp_adjust(const char *type, s64 oldval, s64 newval) > > > +{ > > > + if (!audit_dummy_context()) > > > + __audit_ntp_adjust(type, oldval, newval); > > > +} > > > + > > > extern int audit_n_rules; > > > extern int audit_signals; > > > #else /* CONFIG_AUDITSYSCALL */ > > > @@ -584,6 +599,12 @@ static inline void audit_log_kern_module(char *name) > > > static inline void audit_fanotify(unsigned int response) > > > { } > > > > > > +static inline void audit_tk_injoffset(struct timespec64 offset) > > > +{ } > > > + > > > +static inline void audit_ntp_adjust(const char *type, s64 oldval, s64 newval) > > > +{ } > > > + > > > static inline void audit_ptrace(struct task_struct *t) > > > { } > > > #define audit_n_rules 0 > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > > index 4e3eaba84175..242ce562b41a 100644 > > > --- a/include/uapi/linux/audit.h > > > +++ b/include/uapi/linux/audit.h > > > @@ -114,6 +114,8 @@ > > > #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ > > > #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */ > > > #define AUDIT_FANOTIFY 1331 /* Fanotify access decision */ > > > +#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */ > > > +#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ > > > > > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > > > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > index fb207466e99b..d355d32d9765 100644 > > > --- a/kernel/auditsc.c > > > +++ b/kernel/auditsc.c > > > @@ -2422,6 +2422,21 @@ void __audit_fanotify(unsigned int response) > > > AUDIT_FANOTIFY, "resp=%u", response); > > > } > > > > > > +/* We need to allocate with GFP_ATOMIC here, since these two functions will be > > > + * called while holding the timekeeping lock: */ > > > +void __audit_tk_injoffset(struct timespec64 offset) > > > +{ > > > + audit_log(audit_context(), GFP_ATOMIC, AUDIT_TIME_INJOFFSET, > > > + "sec=%lli nsec=%li", (long long)offset.tv_sec, offset.tv_nsec); > > > +} > > > + > > > +void __audit_ntp_adjust(const char *type, s64 oldval, s64 newval) > > > +{ > > > + audit_log(audit_context(), GFP_ATOMIC, AUDIT_TIME_ADJNTPVAL, > > > + "op=%s old=%lli new=%lli", type, > > > + (long long)oldval, (long long)newval); > > > +} > > > > So it looks like you've been careful here, but just want to make sure, > > nothing in the audit_log path calls anything that might possibly call > > back into timekeeping code? We've had a number of issues over time > > where debug calls out to other subsystems end up getting tweaked to > > add some timestamping and we deadlock. :) > > Hm, that's a good point... AFAIK, the only place where audit_log() > might call into timekeeping is when it captures the timestamp for the > record (via ktime_get_coarse_real_ts64()), but this is only called > when the functions are called outside of a syscall and that should > never happen here. I'm thinking I could harden this more by returning > early from these functions if WARN_ON_ONCE(!audit_context() || > !audit_context()->in_syscall)... It is not a perfect solution, but at > least there will be something in the code reminding us about this > issue. It looks like this should be safe already since if there is no context, it won't call into the real audit logging function and as you point out, this should never happen outside of a syscall. > > One approach we've done to make sure we don't create a trap for future > > changes in other subsystems, is avoid calling into other subsystems > > until later when we've dropped the locks, (see clock_was_set). Its a > > little rough for some of the things done deep in the ntp code, but > > might be an extra cautious approach to try. > > I'm afraid that delaying the audit_* calls would complicate things too > much here... Paul/Richard, any thoughts? The other way to address this would be to have your timekeeping audit logging functions save the parameters you want to log somewhere in the struct audit_context union and have it print the record on syscall exit based on the presence of this type and applicable filters. > Ondrej Mosnacek - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635