Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3943278imu; Mon, 28 Jan 2019 13:50:41 -0800 (PST) X-Google-Smtp-Source: ALg8bN7zx7H1JvwUC61rBGduZRU/VhqJ0+R33b80+GZBrWQHJer14aai3Rf+OAq2DWrtWmX7hJN/ X-Received: by 2002:a62:1c86:: with SMTP id c128mr24480023pfc.54.1548712241472; Mon, 28 Jan 2019 13:50:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548712241; cv=none; d=google.com; s=arc-20160816; b=0MRqyG6USznK/cu4wt1M+DyGTRC7+Hsd+UvOPfYIMwsJDZn1+09NSPvBUS6iU19qUp ucZVP/QvyPiikIYQEH/pBfBE65t7RU6TvurmNegf+qa+I7/AaOnbaXzQTHLQxrbGlc35 BLMq5Q43LhQbqpAdZuuOSkZwKDKz+Dewj0dl9BRc32yg6NOdPwrcX69Ry3vq8wcUz6rZ cWU34Da90iBaPk14gA80ZraIlt48/Yt8ikI3JdFOU05pGlzUjNL48RAkj8c2ypoqAJ03 0N9K+pXxAaULriF9WEMb8SKktSZFctISa8zciNtRpp0rr3isRYO9u28GNqgcva46Z0nr Cy2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=l5guXviAdkNpB+c0x2VwJnEi3yU/hmlVKfQGSxNT1WE=; b=AB8RRxLP3QqDJo+d11ZWvBspeJ83W28Xvw9Z2nqEN9u+dXAbGzSSZ9UKbIQn2PTND1 LakzAumYKrgNgJa7jvMQBaF6wHQG4aq5dnAjs+ijAX9ZLlEOMshtymQPzQd+Sy9uuJ1M ho473Php8vZIwbu+UUsoaweJPqPJDUIS35m141XOz6bChhL0H9AlelcbBA1YvOGNjjR1 Yt2DAFRXO1ZV5NGaONLggEMQEeDZ2iwiBomWPpZfzlq3/nWA+uDtvtDuMCwm0dnLj9fi qGCIqX9OKn98mXkCqcqldOEPPqlMxTMJ1yLLMjjSG1hmS/aLjRihAys673yAlrbPlVvU 3M4w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s5si7756500pgl.481.2019.01.28.13.50.25; Mon, 28 Jan 2019 13:50:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728248AbfA1Vtb (ORCPT + 99 others); Mon, 28 Jan 2019 16:49:31 -0500 Received: from mx1.redhat.com ([209.132.183.28]:48390 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726890AbfA1Vta (ORCPT ); Mon, 28 Jan 2019 16:49:30 -0500 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id F2DB07E9D3; Mon, 28 Jan 2019 21:49:29 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-23.phx2.redhat.com [10.3.112.23]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0BF4E5C234; Mon, 28 Jan 2019 21:49:21 +0000 (UTC) Date: Mon, 28 Jan 2019 16:49:19 -0500 From: Richard Guy Briggs To: Steve Grubb Cc: Paul Moore , "Sverdlin, Alexander (Nokia - DE/Ulm)" , Daniel Borkmann , Greg Kroah-Hartman , "linux-kernel@vger.kernel.org" , Alexei Starovoitov , "linux-audit@redhat.com" Subject: Re: [PATCH] audit: always enable syscall auditing when supported and audit is enabled Message-ID: <20190128214919.5nmpfns3ahuvza6f@madcap2.tricolour.ca> References: <20151208164237.15736.42955.stgit@localhost> <5490ae28-251b-bfda-38a6-5be201a4a8d8@nokia.com> <4fb6def1-a1d9-8af0-394c-f92224884d18@nokia.com> <8bf5d613-9b27-381d-283b-c8892483f424@nokia.com> <20190128210328.64b7719c@ivy-bridge> <20190128221951.57a5e03b@ivy-bridge> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190128221951.57a5e03b@ivy-bridge> User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Mon, 28 Jan 2019 21:49:30 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019-01-28 22:19, Steve Grubb wrote: > On Mon, 28 Jan 2019 15:08:56 -0500 > Paul Moore wrote: > > > On Mon, Jan 28, 2019 at 3:03 PM Steve Grubb wrote: > > > On Mon, 28 Jan 2019 11:26:51 -0500 > > > Paul Moore wrote: > > > > > > > On Mon, Jan 28, 2019 at 10:38 AM Sverdlin, Alexander (Nokia - > > > > DE/Ulm) wrote: > > > > > Hello Paul, > > > > > > > > > > On 28/01/2019 15:52, Paul Moore wrote: > > > > > >>>>> time also enables syscall auditing; this patch simplifies > > > > > >>>>> the Kconfig menus by removing the option to disable > > > > > >>>>> syscall auditing when audit is selected and the target > > > > > >>>>> arch supports it. > > > > > >>>>> > > > > > >>>>> Signed-off-by: Paul Moore > > > > > >>>> this patch is responsible for massive performance > > > > > >>>> degradation for those who used only > > > > > >>>> CONFIG_SECURITY_APPARMOR. > > > > > >>>> > > > > > >>>> And the numbers are, take the following test for instance: > > > > > >>>> > > > > > >>>> dd if=/dev/zero of=/dev/null count=2M > > > > > >>>> > > > > > >>>> ARM64: 500MB/s -> 350MB/s > > > > > >>>> ARM: 400MB/s -> 300MB/s > > > > > >>> Hi there. > > > > > >>> > > > > > >>> Out of curiosity, what kernel/distribution are you running, > > > > > >>> or is this a custom kernel compile? Can you also share the > > > > > >>> output of 'auditctl > > > > > >> This test was carried out with Linux 4.9. Custom built. > > > > > > I suspected that was the case, thanks. > > > > > > > > > > > >>> -l' from your system? The general approach taken by > > > > > >>> everyone to turn-off the per-syscall audit overhead is to > > > > > >>> add the "-a never,task" rule to their audit configuration: > > > > > >>> > > > > > >>> # auditctl -a never,task > > > > > >>> > > > > > >>> If you are using Fedora/CentOS/RHEL, or a similarly > > > > > >>> configured system, > > > > > >> This is an embedded distribution. We are not using auditctl > > > > > >> or any other audit-related user-space packages. > > > > > >> > > > > > >>> you can find this configuration in > > > > > >>> the /etc/audit/audit.rules file (be warned, that file is > > > > > >>> automatically generated based on /etc/audit/rules.d). > > > > > >> I suppose in this case rule list must be empty. Is there a > > > > > >> way to check this without extra user-space packages? > > > > > > Yes, unless you are loading rules through some other method I > > > > > > would expect that your audit rule list is empty. > > > > > > > > > > > > I'm not aware of any other tools besides auditctl to load > > > > > > audit rules into the kernel, although I haven't ever had a > > > > > > need for another tool so I haven't looked very hard. If you > > > > > > didn't want to bring auditctl into your distribution, I > > > > > > expect it would be a rather trivial task to create a small > > > > > > tool to load a single "-a never,task" into the kernel. > > > > > > > > > > I've done a quick test on my x86_64 PC and got the following > > > > > results: > > > > > > > > ... > > > > > > > > > Which brings me to an idea, that the subject patch should have > > > > > been accompanied by a default "never,task" rule inside the > > > > > kernel, otherwise you require an extra user-space package > > > > > (audit) just to bring Linux 4.5+ to 4.4 performance levels. > > > > > > > > [NOTE: I dropped pmoore@redhat.com from the To/CC line, I left > > > > Red Hat for greener pastures several months ago.] > > > > > > > > Well, it generally hasn't been an issue as 1) most people that > > > > enable audit also enable syscall auditing and 2) most people that > > > > enable audit have some sort of audit userspace tools to work with > > > > the audit logs (and configure audit if necessary). I don't want > > > > to diminish your report, but this change was made several years > > > > ago and we really haven't heard of many issues surrounding the > > > > change. If we can ever get all of the different arches to > > > > support syscall auditing, I'd love to get rid of the syscall > > > > auditing Kconfig knob entirely. > > > > > > > > If you wanted to put together a patch that added a single "-a > > > > never,task" rule on boot I could get behind that, just make it > > > > default to off. > > > > > > That will make processes unauditable for everyone. That's how it > > > gets a speedup is not entering into the audit machinery. > > > > That is pretty much what is being asked for in this thread. It's > > really no different from what Fedora/CentOS/RHEL (and who knows how > > many others) ship with their default audit config. It's important to > > note that you could always delete this rule at runtime; all that is > > being proposed is to have the kernel populate the the audit ruleset > > with the "-a never,task" rule *IF* the proposed kernel Kconfig option > > is enabled (and it would default to being off, you would have to turn > > it on during build). > > Yes, but you can't add the auditable flag back to the task struct > because syscalls never enter audit machinery where it can be added back. > Meaning that even if you wanted to audit, there will be processes you > never can audit. Whereas deciding via auditd, they become unauditable > only after auditd loads the rule. Prior to that they are and all > processes are auditable if you decide to audit. So, this is > fundamentally different than what fedora does. I did see a patch proposed at one point that actually went through and checked/flipped the TIF_SYSCALL_AUDIT bit when auditing was switched off. > -Steve > > > > I suppose its possible that people may want MAC hardwired events > > > but no syscall events. I don't know if there are other kconfig > > > audit options. but maybe getting it down to audit enabled and > > > syscall auditing as the only choices is probably the most > > > performant. > > > > > > -Steve - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635