Date: Fri, 14 Sep 2018 11:16:43 -0400
From: Richard Guy Briggs
To: Paul Moore
Cc: omosnace@redhat.com, linux-audit@redhat.com, sgrubb@redhat.com, mlichvar@redhat.com, john.stultz@linaro.org, tglx@linutronix.de, sboyd@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments
Message-ID: <20180914151643.gwvm5te4nvion5ex@madcap2.tricolour.ca>
References: <20180824120001.20771-1-omosnace@redhat.com> <20180824120001.20771-2-omosnace@redhat.com>

On 2018-09-13 23:18, Paul Moore wrote:
> On Fri, Aug 24, 2018 at 8:00 AM Ondrej Mosnacek wrote:
> > This patch adds two auxiliary record types that will be used to annotate
> > the adjtimex SYSCALL records with the NTP/timekeeping values that have
> > been changed.
> >
> > Next, it adds two functions to the audit interface:
> >  - audit_tk_injoffset(), which will be called whenever a timekeeping
> >    offset is injected by a syscall from userspace,
> >  - audit_ntp_adjust(), which will be called whenever an NTP internal
> >    variable is changed by a syscall from userspace.
> >
> > Quick reference for the fields of the new records:
> >     AUDIT_TIME_INJOFFSET
> >         sec - the 'seconds' part of the offset
> >         nsec - the 'nanoseconds' part of the offset
> >     AUDIT_TIME_ADJNTPVAL
> >         op - which value was adjusted:
> >             offset - corresponding to the time_offset variable
> >             freq - corresponding to the time_freq variable
> >             status - corresponding to the time_status variable
> >             adjust - corresponding to the time_adjust variable
> >             tick - corresponding to the tick_usec variable
> >             tai - corresponding to the timekeeping's TAI offset
>
> I understand that reusing "op" is tempting, but the above aren't
> really operations, they are state variables which are being changed.
> Using the CONFIG_CHANGE record as a basis, I wonder if we are better
> off with something like the following:
>
>     type=TIME_CHANGE = old=
>
> ... you might need to preface the variable names with something like
> "ntp_" or "offset_".  You'll notice I'm also suggesting we use a
> single record type here; is there any reason why two record types are
> required?

Why not do something like:

    type=TIME_CHANGE var= new= old=

So that we don't pollute the field namespace *and* create 8 variants on
the same record format?  This shouldn't be much of a concern with binary
record formats, but we're stuck with the current parsing scheme for now.

> >         old - the old value
> >         new - the new value
> >
> > Signed-off-by: Ondrej Mosnacek
> > ---
> >  include/linux/audit.h      | 21 +++++++++++++++++++++
> >  include/uapi/linux/audit.h |  2 ++
> >  kernel/auditsc.c           | 15 +++++++++++++++
> >  3 files changed, 38 insertions(+)
>
> A reminder that we need tests for these new records and a RFE page on the wiki:
>
> * https://github.com/linux-audit/audit-testsuite
> * https://github.com/linux-audit/audit-kernel/wiki
>
> --
> paul moore
> www.paul-moore.com

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
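
Added example (not part of the original message, and not audit project code): a small key=value parser run over constructed records in the two layouts discussed above, showing how the set of field names a log consumer must know differs between them. The sample values, the `ntp_`-prefixed keys, and the reading of the first layout as "variable name used as the field key" are assumptions, since the placeholders did not survive in this copy; the `msg=audit(...)` prefix of real records is omitted.

```python
# Constructed sample records; values and key names are illustrative only.
# Style A (assumed reading of the first suggestion): variable name is the key.
STYLE_A = [
    "type=TIME_CHANGE ntp_offset=500000 old=0",
    "type=TIME_CHANGE ntp_freq=-1245 old=0",
    "type=TIME_CHANGE ntp_tick=10000 old=9999",
]
# Style B (the reply's suggestion): fixed var/new/old fields.
STYLE_B = [
    "type=TIME_CHANGE var=offset new=500000 old=0",
    "type=TIME_CHANGE var=freq new=-1245 old=0",
    "type=TIME_CHANGE var=tick new=10000 old=9999",
]

FIXED_A = ("type", "old")  # the only keys style A keeps constant


def parse_fields(record):
    """Split a space-separated key=value record into a dict."""
    fields = {}
    for token in record.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field: {token!r}")
        fields[key] = value
    return fields


def field_namespace(records):
    """Every distinct field name a consumer has to recognise."""
    return sorted({key for rec in records for key in parse_fields(rec)})


def normalize(record):
    """Return (variable, old, new) for a record in either style."""
    f = parse_fields(record)
    if "var" in f:
        # Style B: fixed schema, three direct lookups.
        return f["var"], int(f["old"]), int(f["new"])
    # Style A: the changed variable is whichever key is not a fixed one,
    # so the consumer must infer it (or carry a list of all variable names).
    extra = [k for k in f if k not in FIXED_A]
    if len(extra) != 1:
        raise ValueError(f"cannot identify changed variable: {record!r}")
    return extra[0], int(f["old"]), int(f[extra[0]])


if __name__ == "__main__":
    print("style A fields:", field_namespace(STYLE_A))
    print("style B fields:", field_namespace(STYLE_B))
    for rec in STYLE_A + STYLE_B:
        print(normalize(rec))
```

With style B the field list stays at four names no matter how many timekeeping variables are logged; with style A it grows by one name per variable.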