From: Paul Moore
Date: Mon, 4 Nov 2019 19:15:29 -0500
Subject: Re: [PATCH] audit: set context->dummy even when audit is off
To: Chris Mason
Cc: Eric Paris, Dave Jones, "linux-audit@redhat.com", Kyle McMartin, "linux-kernel@vger.kernel.org"
References: <20191031163931.1102669-1-clm@fb.com>

On Fri, Nov 1, 2019 at 9:24 AM Chris Mason wrote:
> On 31 Oct 2019, at 19:27, Paul Moore wrote:
> > It's been a while, but I thought we suggested Dave try running
> > 'auditctl -a never,task' to see if that would solve his problem and I
> > believe his answer was no, which confused me a bit as the
> > audit_filter_task() call in audit_alloc() should see that rule and
> > return a state of AUDIT_DISABLED which not only prevents audit_alloc()
> > from allocating an audit_context (and remember if the audit_context is
> > NULL then audit_dummy_context() returns true), but it also clears the
> > TIF_SYSCALL_AUDIT flag (which I'm guessing you also want).
>
> Thanks for the reminder on this part, I meant to test it.  Yes, auditctl
> -a never,task does stop the messages, even without my patch applied.

I'm glad to hear that worked, I was going to be *very* confused if you
came back and said you were still seeing NTP records.

I would suggest that regardless of what happens with audit_enabled you
likely want to keep this audit rule as part of your boot
configuration, not only does it squelch the audit records, but it
should improve performance as well (at the cost of no syscall
auditing).  A number of Linux distros have this as their default at
boot.

-- 
paul moore
www.paul-moore.com
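
A check for the rule recommended above, as an added example that is not part of the original message or of the audit tooling: it reads audit rules on stdin and reports whether `-a never,task` is present and how many syscall (exit-list) rules that sidelines for new tasks. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect audit rules (a rules file, or `auditctl -l` output)
# read from stdin for the task-list rule discussed in this message.

# Exit 0 if an uncommented "-a never,task" (or "-a task,never") rule is present.
has_never_task() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i < NF; i++)
               if (($i == "-a" || $i == "-A") &&
                   ($(i+1) == "never,task" || $(i+1) == "task,never")) found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Print how many uncommented rules are attached to the syscall "exit" list.
count_syscall_rules() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i == "-a" || $i == "-A") {
                   k = split($(i+1), part, ",")
                   for (j = 1; j <= k; j++) if (part[j] == "exit") n++
               } }
         END { print n + 0 }'
}

# One-line summary of what the rule set means for syscall auditing.
audit_task_rule_report() {
    rules=$(cat)
    n=$(printf '%s\n' "$rules" | count_syscall_rules)
    if printf '%s\n' "$rules" | has_never_task; then
        echo "never,task set: new tasks get no audit_context; $n syscall rule(s) will not fire for them"
    else
        echo "never,task not set: $n syscall rule(s) can fire"
    fi
}

# Constructed sample rules (not taken from the thread or any real host).
sample_rules() {
    cat <<'EOF'
# constructed example
-D
-a never,task
-a always,exit -F arch=b64 -S adjtimex -k time-change
EOF
}

sample_rules | audit_task_rule_report
```

Run it against the boot rule set to confirm the rule is there, or against `auditctl -l` on a host that is expected to do syscall auditing to confirm it is not.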