Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp3931204imm; Mon, 17 Sep 2018 05:41:10 -0700 (PDT) X-Google-Smtp-Source: ANB0VdaeDpz3aRXmaRJFTaMQZknerVD3tItXJF8/4kz6Qk8wRcVtvWHhddrkf1ajYlsb4Z/++/5Q X-Received: by 2002:a63:3e8b:: with SMTP id l133-v6mr22801023pga.355.1537188070728; Mon, 17 Sep 2018 05:41:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537188070; cv=none; d=google.com; s=arc-20160816; b=Gj1nsnQPgwUpEGeqxuJmb+3AJmePXAOVDKmzKdhdbY6Dy2nMmX0siIuXB926tPsPi7 2qz0MKcKfIZ3XFZPn+rVQ10W1lqSrytQ8pbq1iUFOSxjkj4AG5bb+2GQ3QjDo8DZqJ4C +yQQUYCVTlCCHgqnY7m67U8cYpoxO7WliN93jUVGxgs1k2zIE9+05cH1TlqcBIshpZno 6ySnEStTWoaCjzavstPWd9YkPLXcQ049fIlz8Aw4fao+7hWAPHcKMwKX0mdKMWr+w6UX ufbJZRZGGUD/giCheylmFTTQqwFcmA8HXdvoTIgf0rqAyjkIzjzPPF/LhxrWe+8aT2HO nBaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=Xv0yfF12xsO3aa+GjpeOS04wpnpzdTm2qFOAIby5ZYA=; b=hNTFbiRU6nbw48fC9u+ajtWECelf5s8nS7APrfpj8IJ8AFw4W2F5YgbGuKwt7+Viwn TBJw9DN96GQDV44kniRuFtSVH2EFH3q0PDHgcHxedpOPYmZwcn67iDLKhl/AjDNrL8c3 jjtJIEzXH2HmWhnzbGSJRhwE2q4WyQnN2Hq24QjVlQOk2mifxm9U/qfLemcbfHQ9LPg0 bQoLkH9kykeN7esXCjFjtQujA8K8wWbfWFD0H8h26qVl2aYY+nWxl4/xogATUu8PFmS4 x+KA3EB8eq3AlvenUOCEPwwJwWadZOVssQ1dP4Vj4m1JBYFdDcBGAsJ5YZyh/NDMgcZC fZaw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b14-v6si15574829pgk.169.2018.09.17.05.40.55; Mon, 17 Sep 2018 05:41:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728558AbeIQSFk (ORCPT + 99 others); Mon, 17 Sep 2018 14:05:40 -0400 Received: from mail-ot1-f67.google.com ([209.85.210.67]:40043 "EHLO mail-ot1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726824AbeIQSFk (ORCPT ); Mon, 17 Sep 2018 14:05:40 -0400 Received: by mail-ot1-f67.google.com with SMTP id v10-v6so11071509otk.7 for ; Mon, 17 Sep 2018 05:38:31 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Xv0yfF12xsO3aa+GjpeOS04wpnpzdTm2qFOAIby5ZYA=; b=W4/L6ZZY9ZPUwVN3ead7bJ685EvcmrsWZxBnPbq/jqKx1VlutmsX5AGujMQWHSWZaF io+fh55gDHCt+4kq0xlhG7DxX+YqRT/tferXzUuvqBHSyeNIP3lROKCI28wIptfqh2Ws qZZvPkBUK3JtHoajquoRSLC8pVsgCRRu482wSsrTncoeZdajcENO4Z4CtA10Wn3m4fhv eYXFOVJMyNx4halXsUcSW+/xgGoo7F94XrCy6H0VJt0Z1OzVfwTDjlLIaRqhQL3CiKvc tsc8/808NpjvBebXbsO99+INaErebyUlZwwdPPNSKL1nj5cDI3Wvl+myWJ+CrdExFopw Ei1A== X-Gm-Message-State: APzg51A1z3QkLsGlJdjX4MeNqoqoz+81AkkSBJZF+ScCxZQG8daYxjZl 0XD/14TpTCQQzO+Zvjc2ei1VEdkwYjHKbSZFpjonKg== X-Received: by 2002:a9d:4788:: with SMTP id b8-v6mr12855789otf.214.1537187910931; Mon, 17 Sep 2018 05:38:30 -0700 (PDT) MIME-Version: 1.0 References: <20180824120001.20771-1-omosnace@redhat.com> <20180824120001.20771-2-omosnace@redhat.com> In-Reply-To: From: Ondrej Mosnacek Date: Mon, 17 Sep 2018 14:38:19 +0200 Message-ID: Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments To: Paul Moore Cc: Linux-Audit Mailing List , Richard Guy Briggs , Steve Grubb , Miroslav Lichvar , John Stultz , Thomas Gleixner , Stephen Boyd , Linux kernel mailing list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 14, 2018 at 5:19 AM Paul Moore wrote: > On Fri, Aug 24, 2018 at 8:00 AM Ondrej Mosnacek wrote: > > This patch adds two auxiliary record types that will be used to annotate > > the adjtimex SYSCALL records with the NTP/timekeeping values that have > > been changed. > > > > Next, it adds two functions to the audit interface: > > - audit_tk_injoffset(), which will be called whenever a timekeeping > > offset is injected by a syscall from userspace, > > - audit_ntp_adjust(), which will be called whenever an NTP internal > > variable is changed by a syscall from userspace. > > > > Quick reference for the fields of the new records: > > AUDIT_TIME_INJOFFSET > > sec - the 'seconds' part of the offset > > nsec - the 'nanoseconds' part of the offset > > AUDIT_TIME_ADJNTPVAL > > op - which value was adjusted: > > offset - corresponding to the time_offset variable > > freq - corresponding to the time_freq variable > > status - corresponding to the time_status variable > > adjust - corresponding to the time_adjust variable > > tick - corresponding to the tick_usec variable > > tai - corresponding to the timekeeping's TAI offset > > I understand that reusing "op" is tempting, but the above aren't > really operations, they are state variables which are being changed. I remember Steve (or was it Richard?) convincing me at one of the meetings that "op" is the right filed name to use, despite it not being a name for an operation... But I don't really care, I'm okay with changing it to e.g. "var" as Richard suggests later in this thread. > Using the CONFIG_CHANGE record as a basis, I wonder if we are better > off with something like the following: > > type=TIME_CHANGE = old= > > ... you might need to preface the variable names with something like > "ntp_" or "offset_". You'll notice I'm also suggesting we use a > single record type here; is there any reason why two records types are > required? There are actually two reasons: 1. The injected offset is a timespec64, so it consists of two integer values (and it would be weird to produce two records for it, since IMO it is conceptually still a single variable). 2. In all other cases the variable is reset to the (possibly transformed) input value, while in this case the input value is added directly to the system time. This can be viewed as a kind of variable too, but it would be weird to report old and new value for it, since its value flows with time. Plus, when I look at: type=TIME_INJOFFSET [...]: sec=-16 nsec=124887145 I can immediately see that the time was shifted back by 16-something seconds, while when I look at something like: type=TIME_CHANGE [...]: var=time_sec new=1537185685 old=1537185701 type=TIME_CHANGE [...]: var=time_nsec new=664373417 old=789260562 I can just see some big numbers that I need to do math with before I get an idea of what is the magnitude (or sign) of the change. > > > old - the old value > > new - the new value > > > > Signed-off-by: Ondrej Mosnacek > > --- > > include/linux/audit.h | 21 +++++++++++++++++++++ > > include/uapi/linux/audit.h | 2 ++ > > kernel/auditsc.c | 15 +++++++++++++++ > > 3 files changed, 38 insertions(+) > > A reminder that we need tests for these new records and a RFE page on the wiki: > > * https://github.com/linux-audit/audit-testsuite I was going to start working on this once the format issues are settled. (Although I probably should have kept the RFC in the subject until then...) > * https://github.com/linux-audit/audit-kernel/wiki I admit I forgot about this duty, but again I would like to wait for the discussions to settle before writing that up. > > -- > paul moore > www.paul-moore.com-- Ondrej Mosnacek Associate Software Engineer, Security Technologies Red Hat, Inc.