Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp4076997imm; Mon, 17 Sep 2018 07:52:14 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdb80ubswsg2V67hMIkDaOstEBaSDEOIBxUULHIJwVy/pd9otChMTrABSDG8EoYrayJ2BQD+ X-Received: by 2002:a65:6102:: with SMTP id z2-v6mr24077549pgu.46.1537195934696; Mon, 17 Sep 2018 07:52:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537195934; cv=none; d=google.com; s=arc-20160816; b=vx4OOMA2LnsAP5vY0JmHrBb3fGucDKBqd5qVvI1ZIPJAg0v4qeu7k1mJxEFSwkcQXL E7bLkLW/YzX94+Gn2RjrpzoCZuSyNnfVRvPpQf5NCg7s2Udi8n3Ha4hx86n5B+EdLVOB fwyPIZK4Pc9ORBfX/bjUJ3q5zg6Ksk/HI8wl8NAxW6uiXES0Fg86K/aHX2jACTFntca9 VmJEQouJBPMqAS2N5H/Jk005Ach+DauUZPlezXWL3G8BP0nMkBFeNMfaIxSwrWc0tyMZ MJZnIebx6QCdLkiVkYJ+505dwt8pv6y7xfZj206JbwIIg50gJ84yE+z3TBMzfMPAW/lM nAuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=OxqryL9iXOL37JnZMrEHvO8DFYjQmv5awHEdDAfZjo4=; b=VurIXGIHep6hubwedaxHuNNzTbZTv9nyef4ze8yFPjppr/hKdaW1W5vPpal2mnek3L 3+3u72zWtiQtzAKr0CHfGspZ1TpbBrxIoF0+aWI39jIYai89ThwfPklZqzGKwhH/o+hq YIY3zWikc2mhGuLHeVIoJ9br4S2WCkPy4xrO9ucB1RZboXYldIYN/s/ZEHPFY81PH6Ed 8PaeEMNI5pYPCpBr6fSchqmVTp+Dh5d00Y0oVIcmv78wJWu5fmlxoYpugdwVd8P+tY/I oPgjYoOB2WvfnP6E9y4d/9IjMfsPTY526dt+IqKRalYedfMQfs3IuH45aQoG8xGtt5Bt R7rw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=ImpZ3ONa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j67-v6si16107082pfg.34.2018.09.17.07.51.59; Mon, 17 Sep 2018 07:52:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=ImpZ3ONa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728952AbeIQUSw (ORCPT + 99 others); Mon, 17 Sep 2018 16:18:52 -0400 Received: from mail-lf1-f65.google.com ([209.85.167.65]:40746 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728158AbeIQUSw (ORCPT ); Mon, 17 Sep 2018 16:18:52 -0400 Received: by mail-lf1-f65.google.com with SMTP id x26-v6so13838674lfi.7 for ; Mon, 17 Sep 2018 07:51:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OxqryL9iXOL37JnZMrEHvO8DFYjQmv5awHEdDAfZjo4=; b=ImpZ3ONafhMfd15iWxMDoQiFJ+ODVb816P9yKrsjtIGEwZ/zX9hiGU0VLz9BQZ78Qb lilhIP2DUJaPgDtW+betV0sRxhNysF+68X02AkjyGrtQVb7jg83Xz9tLH6Gr7ZyxT7q6 OQ5UBfgnmrihRU9Jvz85onwafLy/j+v1r06RzJx2lnBe/o1nRM04ovK2NQfsweWiekut x1Dr5uep+xQmNlO62J/BtabTe3U0BdK24xadOoPDErYcNHTK29+20ersM1LplNyqe6EG EDNj3D0Ga8kSZa25vK9z0IC6wDNhAEy9MZ0wKByr+kNJNAGwqbrg/C2jqY0gRQieMeOj +T/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OxqryL9iXOL37JnZMrEHvO8DFYjQmv5awHEdDAfZjo4=; b=ePvJ3NcZOWfzPcJkLz0LjV7UigPP0BJY4Juz3NqM0QhyN72P5YOTtGWdi5mSoBSpK/ 2oRzV30DzyQut0od30rd+CkgjjFHGLp1ZpZFyedD0Myy6dy0o0CGCf7vAzBktFrGyDUu SL4hF1Ons8xAVUxaPvfgOzercGoNnBVjJCKVfFUojRVyAfQqcQ4Se0T264LYwnAJFUAM IKZwpJgMoXZHLuBRS8dIK/6TKKc5I6DSzt71YiHo9pgN+uODk3kO6aDUeU6RtymN67cN /lGuIlpOeqGYH6CtqcZiW5YKdGBgZlMU0a4oeazaVV6Z6chMzqmUwkzlj+GTpaBDNq9j x6wQ== X-Gm-Message-State: APzg51BGIE3B/LKjuFh2KL56V1ed1Ao5MWdg/Qev2x15Z5rQbeXvzOis YgwJpOZujIQsNW8GdI2Xer6jWULpWXySeo4cT0og X-Received: by 2002:a19:d789:: with SMTP id q9-v6mr4209264lfi.27.1537195869250; Mon, 17 Sep 2018 07:51:09 -0700 (PDT) MIME-Version: 1.0 References: <20180824120001.20771-1-omosnace@redhat.com> <20180824120001.20771-2-omosnace@redhat.com> In-Reply-To: From: Paul Moore Date: Mon, 17 Sep 2018 10:50:57 -0400 Message-ID: Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments To: omosnace@redhat.com Cc: linux-audit@redhat.com, rgb@redhat.com, sgrubb@redhat.com, mlichvar@redhat.com, john.stultz@linaro.org, tglx@linutronix.de, sboyd@kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Sep 17, 2018 at 8:38 AM Ondrej Mosnacek wrote: > > On Fri, Sep 14, 2018 at 5:19 AM Paul Moore wrote: > > On Fri, Aug 24, 2018 at 8:00 AM Ondrej Mosnacek wrote: > > > This patch adds two auxiliary record types that will be used to annotate > > > the adjtimex SYSCALL records with the NTP/timekeeping values that have > > > been changed. > > > > > > Next, it adds two functions to the audit interface: > > > - audit_tk_injoffset(), which will be called whenever a timekeeping > > > offset is injected by a syscall from userspace, > > > - audit_ntp_adjust(), which will be called whenever an NTP internal > > > variable is changed by a syscall from userspace. > > > > > > Quick reference for the fields of the new records: > > > AUDIT_TIME_INJOFFSET > > > sec - the 'seconds' part of the offset > > > nsec - the 'nanoseconds' part of the offset > > > AUDIT_TIME_ADJNTPVAL > > > op - which value was adjusted: > > > offset - corresponding to the time_offset variable > > > freq - corresponding to the time_freq variable > > > status - corresponding to the time_status variable > > > adjust - corresponding to the time_adjust variable > > > tick - corresponding to the tick_usec variable > > > tai - corresponding to the timekeeping's TAI offset > > > > I understand that reusing "op" is tempting, but the above aren't > > really operations, they are state variables which are being changed. > > I remember Steve (or was it Richard?) convincing me at one of the > meetings that "op" is the right filed name to use, despite it not > being a name for an operation... But I don't really care, I'm okay > with changing it to e.g. "var" as Richard suggests later in this > thread. As I said before, this seems like an abuse of the "op" field. > > Using the CONFIG_CHANGE record as a basis, I wonder if we are better > > off with something like the following: > > > > type=TIME_CHANGE = old= > > > > ... you might need to preface the variable names with something like > > "ntp_" or "offset_". You'll notice I'm also suggesting we use a > > single record type here; is there any reason why two records types are > > required? > > There are actually two reasons: > 1. The injected offset is a timespec64, so it consists of two integer > values (and it would be weird to produce two records for it, since IMO > it is conceptually still a single variable). > 2. In all other cases the variable is reset to the (possibly > transformed) input value, while in this case the input value is added > directly to the system time. This can be viewed as a kind of variable > too, but it would be weird to report old and new value for it, since > its value flows with time. > > Plus, when I look at: > type=TIME_INJOFFSET [...]: sec=-16 nsec=124887145 > > I can immediately see that the time was shifted back by 16-something > seconds, while when I look at something like: > > type=TIME_CHANGE [...]: var=time_sec new=1537185685 old=1537185701 > type=TIME_CHANGE [...]: var=time_nsec new=664373417 old=789260562 > > I can just see some big numbers that I need to do math with before I > get an idea of what is the magnitude (or sign) of the change. Okay, with that in mind, perhaps when recording the offset values we omit the "old" values (arguably that doesn't make much sense here) and keep the sec/nsec split: type=TIME_CHANGE [...]: offset_sec= offset_nsec= ... and for all others we stick with: type=TIME_CHANGE [...]: ntp_= old= ... and if that results in multiple TIME_CHANGE records for a given event, that's fine with me. > > A reminder that we need tests for these new records and a RFE page on the wiki: > > > > * https://github.com/linux-audit/audit-testsuite > > I was going to start working on this once the format issues are > settled. (Although I probably should have kept the RFC in the subject > until then...) > > > * https://github.com/linux-audit/audit-kernel/wiki > > I admit I forgot about this duty, but again I would like to wait for > the discussions to settle before writing that up. That is fine, do it in whatever order works best for you, just understand that I'm probably not going to merge patches like this until I see both documentation and tests. -- paul moore www.paul-moore.com