From: Paul Moore
Date: Tue, 11 Dec 2018 17:31:20 -0500
Subject: Re: [PATCH ghak59 V3 0/4] audit: config_change normalizations and event record gathering
To: rgb@redhat.com
Cc: linux-kernel@vger.kernel.org, linux-audit@redhat.com, Eric Paris, viro@zeniv.linux.org.uk, sgrubb@redhat.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
> Make a number of changes to normalize CONFIG_CHANGE records by adding
> missing op= fields, providing more information in existing op fields
> (optional last patch) and connecting all records to existing audit
> events. The user record needs special-casing since its content isn't
> directly related to the call that logs it.
>
> Since tree purge records are processed after the EOE record is produced,
> the order of operation of the EOE record and the purge will have to be
> reversed so that the purge records can be included in the event.
>
> The last patch is included for completeness understanding it may be more
> information than necessary.
>
> For reference, here are the calling methods and function tree for all
> CONFIG_CHANGE events with fields:
> - audit_log_config_change()
>   - add "op=set" to fields: "[op] old auid ses subj res"
>   - AUDIT_SET:AUDIT_STATUS_PID
>   - AUDIT_SET:AUDIT_STATUS_LOST
>   - audit_do_config_change()
>     - AUDIT_SET:AUDIT_STATUS_FAILURE
>     - AUDIT_SET:AUDIT_STATUS_ENABLED
>     - AUDIT_SET:AUDIT_STATUS_RATE_LIMIT
>     - AUDIT_SET:AUDIT_STATUS_BACKLOG_LIMIT
>     - AUDIT_SET:AUDIT_STATUS_BACKLOG_WAIT_TIME
> - audit_log_rule_change()
>   - fields: "auid ses subj op key list res"
>   - AUDIT_ADD_RULE -F dir=...
>   - AUDIT_DEL_RULE -F dir=...
> - audit_log_common_recv_msg()
>   - fields: "pid uid auid ses subj ..."
>   - AUDIT_*USER* events (not CONFIG_CHANGE like all the rest)
>   - AUDIT_LOCKED add "op={add,remove}_rule" to "[op] audit_enabled res"
>   - AUDIT_TRIM "op=trim res"
>   - AUDIT_MAKE_EQUIV: "op=make_equiv old new res"
>   - AUDIT_TTY_SET: "op=tty_set old-enabled new-enabled old-log_passwd new-log_passwd res"
> - audit_mark_log_rule_change()
>   - add ":mark" to op in fields: "uid ses op=autoremove_rule[] path key list res"
>   - audit_autoremove_mark_rule()
>     - audit_mark_handle_event()
>       - audit_mark_fsnotify_ops.handle_event
> - audit_tree_log_remove_rule() called from kill_rules()
>   - add to op ":tree:%s" to fields: "op=remove_rule[] dir key list res"
>   - from trim_marked()
>     - AUDIT_TRIM: audit_trim_trees() "trim"
>     - audit_add_tree_rule() iterate_mounts err "add"
>       - audit_add_rule()
>         - audit_rule_change()
>           - AUDIT_ADD_RULE -F dir=...
>     - AUDIT_MAKE_EQUIV: audit_tag_tree() iterate_mounts err "equiv"
>   - from audit_kill_trees()
>     - __audit_free() "free"
>       - do_exit()
>       - copy_process() err
>     - __audit_syscall_exit() "exit"
>   - from evict_chunk() "evict"
>     - audit_tree_freeing_mark()
>       - audit_tree_ops.freeing_mark
> - audit_watch_log_rule_change()
>   - add to op ":watch:%s" to fields "auid ses op={updated,remove}_rule[] path key list res"
>   - audit_update_watch() "updated_rules:watch:inval" : "updated_rules:watch:set"
>     - audit_watch_handle_event() FS_CREATE|FS_MOVED_TO, FS_DELETE|FS_MOVED_FROM
>       - audit_watch_fsnotify_ops.handle_event
>   - audit_remove_parent_watches() "remove_rule:watch:parent"
>     - audit_watch_handle_event() FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF
>       - audit_watch_fsnotify_ops.handle_event
> - audit_seccomp_actions_logged()
>   - fields: "op actions old-actions res"
>
> See: https://github.com/linux-audit/audit-kernel/issues/50
> See: https://github.com/linux-audit/audit-kernel/issues/59
>
> Sources of AUDIT_CONFIG_CHANGE records and their current and proposed
> fields are listed here
> https://github.com/linux-audit/audit-kernel/issues/59#issuecomment-445055154
>
> Changelog:
> v3:
> - un-clever %s_rule to not break up op values
> - create audit_log_user_recv_msg() and squash into record connection
> - squash kill_trees context handling with kill-trees before EOE
> - rebase on audit/next (v4.20-rc1) with 2a1fe215e730 ("audit: use current whenever possible")
> - remove parens in extended format
>
> v2:
> - re-order audit_log_exit() and audit_kill_trees()
> - drop EOE reordering patch
> - rebase on 4.18-rc1 (audit/next)
>
> Richard Guy Briggs (4):
>   audit: give a clue what CONFIG_CHANGE op was involved
>   audit: add syscall information to CONFIG_CHANGE records
>   audit: hand taken context to audit_kill_trees for syscall logging
>   audit: extend config_change mark/watch/tree rule changes
>
>  kernel/audit.c          | 33 +++++++++++++++++++++++----------
>  kernel/audit.h          |  4 ++--
>  kernel/audit_fsnotify.c |  4 ++--
>  kernel/audit_tree.c     | 28 +++++++++++++++-------------
>  kernel/audit_watch.c    |  8 +++++---
>  kernel/auditfilter.c    |  2 +-
>  kernel/auditsc.c        | 12 ++++++------
>  7 files changed, 54 insertions(+), 37 deletions(-)

In order to make sure expectations are set appropriately, as we are at
-rc6 right now this is not something that would go into audit/next now
(assuming everything looks okay on review), it would go into audit/next
*after* the upcoming merge window.

--
paul moore
www.paul-moore.com
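An added example (my code, not code from either message or from the audit-kernel project): a small Python parser over constructed CONFIG_CHANGE records in the kernel's key=value format that flags records lacking the op= field the series adds, decomposes extended op values such as remove_rule:tree:evict, and groups records by the msg=audit(ts:serial) serial, which is what lets the SYSCALL record the series attaches be matched to its CONFIG_CHANGE record. The sample lines and their field values are constructed for illustration; only the field names follow the cover letter.

```python
import re
from collections import Counter

# Constructed sample records in the kernel's key=value audit format, written for this
# example, not captured from a kernel carrying the series. Serials 101 and 102 have
# no op= field (the gap the series closes); the others carry op values from the cover
# letter, and serial 106 pairs a CONFIG_CHANGE record with the SYSCALL record of its event.
SAMPLE_RECORDS = [
    'type=CONFIG_CHANGE msg=audit(1544567000.100:101): audit_enabled=1 old=0 auid=0 ses=1 res=1',
    'type=CONFIG_CHANGE msg=audit(1544567000.101:102): audit_pid=1234 old=0 auid=0 ses=1 res=1',
    'type=CONFIG_CHANGE msg=audit(1544567000.102:103): op=set audit_pid=1234 old=0 auid=0 ses=1 subj=system_u:system_r:auditd_t:s0 res=1',
    'type=CONFIG_CHANGE msg=audit(1544567000.103:104): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 op=add_rule key="cfg" list=4 res=1',
    'type=CONFIG_CHANGE msg=audit(1544567000.104:105): op=remove_rule:watch:parent path="/etc/passwd" key="cfg" list=4 res=1',
    'type=CONFIG_CHANGE msg=audit(1544567000.105:106): op=remove_rule:tree:evict dir="/tmp/watched" key="cfg" list=4 res=1',
    'type=SYSCALL msg=audit(1544567000.105:106): arch=c000003e syscall=46 success=yes exit=0 auid=0 ses=1',
]

FIELD_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')   # key=value, quoted values may hold spaces
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # msg=audit(<timestamp>:<serial>)

def parse_record(line):
    """Split one record into a key -> value dict, stripping quotes around quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def record_serial(line):
    """Event serial of a record (all records of one event share it), or None if absent."""
    m = SERIAL_RE.search(line)
    return m.group(1) if m else None

def split_op(op):
    """Decompose an op value such as 'remove_rule:tree:evict' into base, kind and detail."""
    base, kind, detail = (op.split(':', 2) + [None, None])[:3]
    return {'base': base, 'kind': kind, 'detail': detail}

def config_changes_missing_op(lines):
    """Serials of CONFIG_CHANGE records carrying no op= field, i.e. the pre-series shape."""
    parsed = [(record_serial(l), parse_record(l)) for l in lines]
    return [s for s, f in parsed if f.get('type') == 'CONFIG_CHANGE' and 'op' not in f]

def count_ops(lines):
    """Tally CONFIG_CHANGE records by base op so that add/remove/set rates can be watched."""
    fields = [parse_record(l) for l in lines]
    return Counter(split_op(f['op'])['base'] for f in fields
                   if f.get('type') == 'CONFIG_CHANGE' and 'op' in f)

def event_records(lines, serial):
    """All records sharing one serial, e.g. a CONFIG_CHANGE and the SYSCALL record it belongs to."""
    return [line for line in lines if record_serial(line) == serial]
```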