Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4358738yba; Tue, 9 Apr 2019 17:27:09 -0700 (PDT) X-Google-Smtp-Source: APXvYqyMzlXN/BGvx5WIe/Z/PqCY7NXqEU4QNns4sWRsX2SclXy5+jtA3jp+PynyfudWbe1F9gq1 X-Received: by 2002:a17:902:2f84:: with SMTP id t4mr19395076plb.6.1554856029806; Tue, 09 Apr 2019 17:27:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554856029; cv=none; d=google.com; s=arc-20160816; b=Yl5QyUk43k8RrtspO2VLhGHSHAe9825VaB8w6PNuPP7CywhBfYq6ehhG5hN1gUQ1pu 0LY8HPqnDUuw9b8X84N56jtd3pHAY61ktaDVPWEHBsGHkcEkm+fppHxuDbA5erqz1qa0 Z78NRcDl+VYhmW85gOzhMGeFRDBQDzVNh88Bv8SXr4+kWF17B5AQVmVGbpPO2wj+20kB eWUWIIEjPR6C3Rvl54IPzGr9nSmuuoh10TgVS4O2XPJYm8udGr3g3SClh0BJo8cqwRak 726Djblr7+d+sTgyserUEK2OMMNTqiJl9m1PJC+Thlq8F0jKEAIKeAt0efwRXQhUW2iM bqqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from; bh=I2gXfre7j0DoaGqedWMcshVhy6rrmzhoHurzA13P5zQ=; b=HPbjeHvIgMKForB6kZqEwEgqlxVlgudrWF8l+VZJwOTL3mhnFoI4Mr6h38Ry2aDg6v yjvge/ECc/F2ACWTnziY+XOBLJXt9Hy63169EYUKUWm2BNr1J7QiTrh/4kL8JKYGosJ4 0my2gBSunaUzeXxb15f2roPeaJ+oplXbLZaRD+x/rYmsfFVacCXl7l/mrVmOq0Xore2K 9IVexsGOLuWwfjY/+XskIFs6SSRX1NdyiwV0Rl0vVG+B5npTyZehO4vEsJsacSEGIurI vSZOGGWJOAr3vQuZqf5eWFLFwFWIXZx+SIIWEZJZursFNzdJyGmDScX04NJx75qNtWIm MjDQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m9si29722184pgv.559.2019.04.09.17.26.42; Tue, 09 Apr 2019 17:27:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726862AbfDJA0G (ORCPT + 99 others); Tue, 9 Apr 2019 20:26:06 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:37470 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726592AbfDJA0G (ORCPT ); Tue, 9 Apr 2019 20:26:06 -0400 Received: from in02.mta.xmission.com ([166.70.13.52]) by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1hE13z-0006Nk-FD; Tue, 09 Apr 2019 18:26:03 -0600 Received: from ip72-206-97-68.om.om.cox.net ([72.206.97.68] helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1hE13y-0005Fl-JI; Tue, 09 Apr 2019 18:26:03 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Richard Guy Briggs Cc: Steve Grubb , LKML , Linux-Audit Mailing List , Paul Moore , omosnace@redhat.com, eparis@parisplace.org, oleg@redhat.com References: <20190409080138.745d18a1@ivy-bridge> <20190409140259.n4t6rxb24eu3uzvp@madcap2.tricolour.ca> <20190409173716.1a0308fb@ivy-bridge> <20190409155728.dfp4qwseo6jxdmqr@madcap2.tricolour.ca> Date: Tue, 09 Apr 2019 19:25:44 -0500 In-Reply-To: <20190409155728.dfp4qwseo6jxdmqr@madcap2.tricolour.ca> (Richard Guy Briggs's message of "Tue, 9 Apr 2019 11:57:28 -0400") Message-ID: <875zrmaepj.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1hE13y-0005Fl-JI;;;mid=<875zrmaepj.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=72.206.97.68;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+2ZIHWLNdNII0fmfwQ5R+N+v3eGsk8n94= X-SA-Exim-Connect-IP: 72.206.97.68 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa05.xmission.com X-Spam-Level: * X-Spam-Status: No, score=1.5 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_XMDrugObfuBody_06,XMSubLong autolearn=disabled version=3.4.2 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa05 1397; Body=1 Fuz1=1 Fuz2=1] * 1.0 T_XMDrugObfuBody_06 obfuscated drug references X-Spam-DCC: XMission; sa05 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: *;Richard Guy Briggs X-Spam-Relay-Country: X-Spam-Timing: total 483 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 3.4 (0.7%), b_tie_ro: 2.3 (0.5%), parse: 1.50 (0.3%), extract_message_metadata: 7 (1.4%), get_uri_detail_list: 3.6 (0.8%), tests_pri_-1000: 7 (1.4%), tests_pri_-950: 1.99 (0.4%), tests_pri_-900: 1.62 (0.3%), tests_pri_-90: 38 (7.9%), check_bayes: 36 (7.5%), b_tokenize: 12 (2.5%), b_tok_get_all: 12 (2.4%), b_comp_prob: 3.6 (0.8%), b_tok_touch_all: 3.7 (0.8%), b_finish: 0.76 (0.2%), tests_pri_0: 407 (84.3%), check_dkim_signature: 0.71 (0.1%), check_dkim_adsp: 2.4 (0.5%), poll_dns_idle: 0.44 (0.1%), tests_pri_10: 2.2 (0.4%), tests_pri_500: 6 (1.2%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH ghak111 V1] audit: deliver siginfo regarless of syscall X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Minor nit about the description of this patch (as I presume it will need to respun). You are talking about audit signal information. You are not talking about struct siginfo (aka siginfo_t). The structure siginfo_t is part of posix and userspace ABI and is part of the stack frame for a delivered signal. The summary had me thinking you were messing with when siginfo is collected and delivered to userspace. Richard Guy Briggs writes: > On 2019-04-09 17:37, Steve Grubb wrote: >> On Tue, 9 Apr 2019 10:02:59 -0400 >> Richard Guy Briggs wrote: >> >> > On 2019-04-09 08:01, Steve Grubb wrote: >> > > On Mon, 8 Apr 2019 23:52:29 -0400 Richard Guy Briggs >> > > wrote: >> > > > When a process signals the audit daemon (shutdown, rotate, resume, >> > > > reconfig) but syscall auditing is not enabled, we still want to >> > > > know the identity of the process sending the signal to the audit >> > > > daemon. >> > > >> > > Why? If syscall auditing is disabled, then there is no requirement >> > > to provide anything. What is the real problem that you are seeing? >> > >> > Shutdown messages with -1 in them rather than the real values. >> >> OK. We can fix that by patching auditd to see if auditing is enabled >> before requesting signal info. If auditing is disabled, the proper >> action is for the kernel to ignore any audit userspace messages except >> the configuration commands. > > If auditing is disabled in the kernel, none of this is trackable. It is > for those as yet unsupported arches that can run audit enabled but > without auditsyscall support. > > Here's a current sample with CONFIG_AUDIT and ~CONFIG_AUDITSYSCALL > configured, note "auid=" and "pid=": > > killall -HUP auditd > type=DAEMON_CONFIG msg=audit(2019-04-09 11:37:04.508:3266) op=reconfigure state=changed auid=unset pid=-1 subj=? res=success > > killall -TERM auditd > type=DAEMON_END msg=audit(2019-04-09 11:51:50.441:5709) : op=terminate auid=unset pid=-1 subj=? res=success > > and the same with the patch applied: > > killall -HUP auditd > type=DAEMON_CONFIG msg=audit(2019-04-09 11:42:40.851:8924) op=reconfigure state=changed auid=root pid=652 subj=? res=success > > killall -TERM auditd > type=DAEMON_END msg=audit(2019-04-09 11:51:50.441:5709) : op=terminate auid=root pid=652 subj=? res=success > > The USR1 "rotate" and USR2 "resume" log messages need to be fixed in > userspace. Hmm. You mention -1 as beeing a problem. You don't say if auid is a concern. It looks like all you care about is the sending processes pid. That information is saved in the sending processes siginfo. As such you may be able to remove some of the magic from the code by looking at the siginfo of the signal. Why it appears the kernel is logging when userspace receives a signal is beyond me so I don't know using siginfo makes sense. I just figure I will toss it out there in case it shakes some ideas loose. Eric