Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp106210ybx; Mon, 4 Nov 2019 16:42:21 -0800 (PST) X-Google-Smtp-Source: APXvYqy1WdApU/jdLZrzhpj5KZdCUhBzBBIXsMDZ5zV2XsTA2hiBTbsLed6+Cc+uJjAQEfEK6TKx X-Received: by 2002:a17:906:b246:: with SMTP id ce6mr19537277ejb.298.1572914541865; Mon, 04 Nov 2019 16:42:21 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1572914541; cv=pass; d=google.com; s=arc-20160816; b=zYAhkjz4H4mHTlbX99EhR6BCXaOi0EG1dowAtDp2h3Z0OWuX22/ibIgvmDTkel2PAp mArhRuUGAiZ9YTVzahVtcZfU5GYAek88xx/S6FtZBPvhKs7Tk/CjcPWwqxGm3X8OVpgC YS1pSXcGH1N1WnEvGmy9ipjnKWPKCSKYyoY6UnhDKn2Unv9sHObgCobV4QSUV61ZfuTB PVM+nW3d/QddNCBWm0tBcoFZ/+hIre84fDGxc0MWVMyD0EaB85DnwTG8LvTeEpWoTu2g UgH0rNfYSF7lUEVdw+0K/aX756BYCThRBQsC5q64UT4czhPYjDhfuFge8TiFYGdroICj +H5A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from:dkim-signature :dkim-signature; bh=C0t6QsbAdivta8eG8TEIVBUAXPYDxDCLyoSwV0RVde4=; b=BP4k2Lw56m5z+ZelKTb1RmRQnK6FrQWM04ew7wgSxdtC8y2sVoAYvyM3jOuDyINBos BbE2OIYcxUgO/rmOMwFA+cW9GsURnt2TyYw6HkRbUO+5aHw4odHwjAbm/7c3jYhjR3qo UsItsFXVr3QDp/EI1S2DtS7kC3ehlecmbVmu3jJFhIZtPtSWAIH/tSztSjZ+TtbNVi3/ HywKAZfYVHvfOASOxLkTrFEUU7T8W37dOeYOM/w17n5tygUgCIQ5YHjUtpxc61UDhFLq YLLgoKpdr60OZt8rUQMS+UO1EqygCfyPOLjJ9KPn5RYT2eDfNCKksymFdmlkiUw8xJsU TH7g== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@fb.com header.s=facebook header.b="qYE/tD59"; dkim=pass header.i=@fb.onmicrosoft.com header.s=selector2-fb-onmicrosoft-com header.b=YOd0PWje; arc=pass (i=1 spf=pass spfdomain=fb.com dkim=pass dkdomain=fb.com dmarc=pass fromdomain=fb.com); spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=fb.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z65si10948008ede.388.2019.11.04.16.41.58; Mon, 04 Nov 2019 16:42:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@fb.com header.s=facebook header.b="qYE/tD59"; dkim=pass header.i=@fb.onmicrosoft.com header.s=selector2-fb-onmicrosoft-com header.b=YOd0PWje; arc=pass (i=1 spf=pass spfdomain=fb.com dkim=pass dkdomain=fb.com dmarc=pass fromdomain=fb.com); spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=fb.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729811AbfKEAja (ORCPT + 99 others); Mon, 4 Nov 2019 19:39:30 -0500 Received: from mx0b-00082601.pphosted.com ([67.231.153.30]:61562 "EHLO mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729607AbfKEAja (ORCPT ); Mon, 4 Nov 2019 19:39:30 -0500 Received: from pps.filterd (m0001303.ppops.net [127.0.0.1]) by m0001303.ppops.net (8.16.0.42/8.16.0.42) with SMTP id xA50bKGk002561; Mon, 4 Nov 2019 16:39:25 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=facebook; bh=C0t6QsbAdivta8eG8TEIVBUAXPYDxDCLyoSwV0RVde4=; b=qYE/tD59EgI2eA3A4SQvkcRilIvFkbr3Hr4sulGrcxTE+Pn6JhCqZHV/moF/ga58W/6e wQ+04Q+U+EyEjpWrnw9VMyxtNftBZGIPi8sjYsZXr/Ja37RO82oVWNfR2xlbIQf9DIru Lh0MSqMUiPyPJ+Kg4pXUrwGruoN5q6ZWgA4= Received: from mail.thefacebook.com (mailout.thefacebook.com [199.201.64.23]) by m0001303.ppops.net with ESMTP id 2w15fjupyh-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 04 Nov 2019 16:39:25 -0800 Received: from prn-mbx07.TheFacebook.com (2620:10d:c081:6::21) by prn-hub02.TheFacebook.com (2620:10d:c081:35::126) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1713.5; Mon, 4 Nov 2019 16:39:23 -0800 Received: from prn-hub06.TheFacebook.com (2620:10d:c081:35::130) by prn-mbx07.TheFacebook.com (2620:10d:c081:6::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1713.5; Mon, 4 Nov 2019 16:39:23 -0800 Received: from NAM02-BL2-obe.outbound.protection.outlook.com (192.168.54.28) by o365-in.thefacebook.com (192.168.16.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1713.5 via Frontend Transport; Mon, 4 Nov 2019 16:39:23 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dv9hgZjuGZLcWghDTu0v4/yPz5OqQJ1pmTOeLsW62B8pWhsHh2PFXRp5wGoLgngd7iHGD/t6t6BsPCM0sR4gsIpYM0mfftyLBsTcMYF3Ba+6XQK/rOsN1Vz6URZ7zHUIHEeWjDvXPAy+msSMEU9qDbpMeOwPyDRafEvQTELoXgrdt5MmGnF6ZiHNBgcZn53iQBM3FVfl9stomflod7dHoYORFnZe1MdYqmt3AXyo5xRDQKU9BdUThoPbTZC+cTKiAmuyFm1BfMSzSy8Q4l5PX2Dy9feOhAX4NgfLh9X0m+FdtTJXZPixMGwJCjnjATpvWiuwVwpHyg0+rQvy6adobg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C0t6QsbAdivta8eG8TEIVBUAXPYDxDCLyoSwV0RVde4=; b=c0RRHy3nJK+Gmq+nvtp/edCQWOYQVJ8fcyYAkwFSGU1zcbKFbEJWm3YdIPKd8TGjtkXxS9yY3MVBXtasuf+5dL0ikWLwceZglsko4BsZreskCPdOfpqaDHjCJtVQic0zUaX54TkwdopIDRqsGwy0XGT2NXxGZfjRRfJPpBUBOcZYgUHj3AQMS4vT2pQgZw77W6hr7aomLKSZZgJmZwdoH+qq8zfDPb2xWq6ycEfCtFMlrK5ftuI3p9PaemfC3MmTmG/fpCa+42UbEkUH3K0Ue/fCEKsAzc/YvWB5Uh5e14yC5zB6CoG8d1YFkHoffKS6RKuqGQUAheDZM1/Xw8VCeg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=fb.com; dmarc=pass action=none header.from=fb.com; dkim=pass header.d=fb.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector2-fb-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C0t6QsbAdivta8eG8TEIVBUAXPYDxDCLyoSwV0RVde4=; b=YOd0PWjejOUlXTJxd4EzHkc/wVnHOq1Cs9HYpCYBgwdDHnmKN79I3LO23c6f0XuLjsIWwFup4pIKTsiaB8TiAsdd8uEn8Oj/6JImxD4ge9JGdP1GLd1aHDS6JhaGM51qAKpYY9cExaLVJ114soNzerbL8nb32hhmpBgRzVG1DZk= Received: from SN6PR15MB2446.namprd15.prod.outlook.com (52.135.65.158) by SN6PR15MB2494.namprd15.prod.outlook.com (52.135.66.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2408.24; Tue, 5 Nov 2019 00:39:21 +0000 Received: from SN6PR15MB2446.namprd15.prod.outlook.com ([fe80::5d9c:c9a8:a074:f902]) by SN6PR15MB2446.namprd15.prod.outlook.com ([fe80::5d9c:c9a8:a074:f902%7]) with mapi id 15.20.2408.024; Tue, 5 Nov 2019 00:39:21 +0000 From: Chris Mason To: Paul Moore CC: Eric Paris , Dave Jones , "linux-audit@redhat.com" , Kyle McMartin , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH] audit: set context->dummy even when audit is off Thread-Topic: [PATCH] audit: set context->dummy even when audit is off Thread-Index: AQHVkAncrhonQVVxy06vYxt2pY3gVKd1ZVQAgACm2QCABbABgIAABqgA Date: Tue, 5 Nov 2019 00:39:21 +0000 Message-ID: <5E08422A-BFE2-4515-A804-3DB42B7D8550@fb.com> References: <20191031163931.1102669-1-clm@fb.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: MailMate (1.13r5655) x-clientproxiedby: BL0PR02CA0090.namprd02.prod.outlook.com (2603:10b6:208:51::31) To SN6PR15MB2446.namprd15.prod.outlook.com (2603:10b6:805:24::30) x-ms-exchange-messagesentrepresentingtype: 1 x-originating-ip: [2620:10d:c091:480::5e73] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 83541d98-df51-4afb-3f92-08d76188997c x-ms-traffictypediagnostic: SN6PR15MB2494: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:8273; x-forefront-prvs: 0212BDE3BE x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(136003)(39860400002)(366004)(396003)(376002)(346002)(199004)(189003)(51914003)(14454004)(33656002)(66946007)(6436002)(66446008)(64756008)(7736002)(2906002)(5660300002)(478600001)(25786009)(305945005)(54906003)(86362001)(316002)(81166006)(186003)(476003)(8676002)(81156014)(11346002)(486006)(36756003)(6116002)(50226002)(8936002)(446003)(76176011)(102836004)(52116002)(99286004)(6506007)(6916009)(2616005)(6512007)(4326008)(229853002)(71200400001)(71190400001)(66476007)(386003)(256004)(14444005)(66556008)(46003)(53546011)(6246003)(6486002);DIR:OUT;SFP:1102;SCL:1;SRVR:SN6PR15MB2494;H:SN6PR15MB2446.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1; received-spf: None (protection.outlook.com: fb.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: XGCMiCYhSIdeal55YyRSzMoEQyBB/06Uvw8qAVLa5S9lKskHZaXglS4ru0xUcYR4gNhO0IUD4ofzyVClLeatBifrcX58agFe6TrKuvmQL8/L/j2Pg/ihFKqjh7Wenio5fkevmB+rw59VN9/ztdHPkFCkIyANa8/7NbpwRVKT1i9VT0VrQ2m+kd22k/2/N9GbGUD9njj/085R/WbbEJCcc22EHx8WIMT/c89rdrHZhwubTwDKjHLaoDZdJDtvYTg53Gq1Ugtf/SUzQBvceVZp/w0ZV/CDvoEIyVzELxBwpQQMHx8SftnJMfKxHA93equJOWOJd1y0pG7z/MmASjRt1TfYuycXxFIx2P8c8IMnDZA6v29IFZsfHL4AMcHkwQy3jhZOKlApSPuXEBdao9TkHOzlDDHPilNdaYRlMOW6244EbnhCjxBFlh5MNHQZhlTq Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: 83541d98-df51-4afb-3f92-08d76188997c X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2019 00:39:21.6346 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: Q2ZXB4/R/Ki2O5Tu9LVd2wA6f5G6o7pvrP0PgKCvNorBOiuQl0RL0/ZPlaC6d1QI X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR15MB2494 X-OriginatorOrg: fb.com X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,1.0.8 definitions=2019-11-04_12:2019-11-04,2019-11-04 signatures=0 X-Proofpoint-Spam-Details: rule=fb_default_notspam policy=fb_default score=0 mlxlogscore=999 spamscore=0 mlxscore=0 malwarescore=0 phishscore=0 suspectscore=0 impostorscore=0 priorityscore=1501 bulkscore=0 lowpriorityscore=0 clxscore=1015 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1911050002 X-FB-Internal: deliver Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4 Nov 2019, at 19:15, Paul Moore wrote: > On Fri, Nov 1, 2019 at 9:24 AM Chris Mason wrote: >> On 31 Oct 2019, at 19:27, Paul Moore wrote: >>> It's been a while, but I thought we suggested Dave try running >>> 'auditctl -a never,task' to see if that would solve his problem and=20 >>> I >>> believe his answer was no, which confused me a bit as the >>> audit_filter_task() call in audit_alloc() should see that rule and >>> return a state of AUDIT_DISABLED which not only prevents=20 >>> audit_alloc() >>> from allocating an audit_context (and remember if the audit_context=20 >>> is >>> NULL then audit_dummy_context() returns true), but it also clears=20 >>> the >>> TIF_SYSCALL_AUDIT flag (which I'm guessing you also want). >> >> Thanks for the reminder on this part, I meant to test it. Yes,=20 >> auditctl >> -a never,task does stop the messages, even without my patch applied. > > I'm glad to hear that worked, I was going to be *very* confused if you > came back and said you were still seeing NTP records. > > I would suggest that regardless of what happens with audit_enabled you > likely want to keep this audit rule as part of your boot > configuration, not only does it squelch the audit records, but it > should improve performance as well (at the cost of no syscall > auditing). A number of Linux distros have this as their default at > boot. > Definitely, we'll be testing auditctl -a never,task internally. Before=20 we went down that path I wanted to fully understand what was going on,=20 but I think all the big questions have been answered at this point. I'm happy to try variations on my patch, but if you want to include it,=20 please do remember that I've really only tested it with auditing off. -chris