[RFC][PATCH] audit: add feature audit_lost reset

Paul Moore paul at paul-moore.com
Mon Dec 5 16:02:29 UTC 2016


On Mon, Dec 5, 2016 at 3:02 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> Add a method to reset the audit_lost value.
>
> An AUDIT_GET message will get the current audit_lost value and reset the
> counter to zero iff (if and only if) the AUDIT_FEATURE_LOST_RESET
> feature is set.
>
> If the flag AUDIT_FEATURE_BITMAP_LOST_RESET is present in the audit
> feature bitmap, the feature is settable by setting the
> AUDIT_FEATURE_LOST_RESET flag in the audit feature list with an
> AUDIT_SET_FEATURE call.  This setting is lockable.
>
> See: https://github.com/linux-audit/audit-kernel/issues/3
>
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> Note: The AUDIT_FEATURE_BITMAP_LOST_RESET check may not be necessary if
> it is possible to read all the entries from audit_feature_names from
> userspace.
> ---
>  include/uapi/linux/audit.h |    7 +++++--
>  kernel/audit.c             |    9 ++++++---
>  2 files changed, 11 insertions(+), 5 deletions(-)

Instead of resetting the lost counter on an AUDIT_GET if the reset
feature is set, how about preserving the AUDIT_GET behavior, skipping
the AUDIT_FEATURE_* addition, and simply resetting the lost value by
sending an AUDIT_SET message with AUDIT_STATUS_LOST (you obviously have
to add this to the uapi header).

I'm mixed on adding this to the feature bitmap; it shouldn't be
strictly necessary, as old kernels will simply ignore the
AUDIT_SET/AUDIT_STATUS_LOST bit, but I can understand if userspace
might want it ... I just hate to burn a bit in the bitmap for
something that has no ill effect on behavior.

> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 208df7b..5eb2dc2 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -330,10 +330,12 @@ enum {
>  #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
>  #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH   0x00000004
>  #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND    0x00000008
> +#define AUDIT_FEATURE_BITMAP_LOST_RESET                0x00000010
>  #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
>                                   AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
>                                   AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> -                                 AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND)
> +                                 AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> +                                 AUDIT_FEATURE_BITMAP_LOST_RESET)
>
>  /* deprecated: AUDIT_VERSION_* */
>  #define AUDIT_VERSION_LATEST           AUDIT_FEATURE_BITMAP_ALL
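Review bot: the whitespace after the new `AUDIT_FEATURE_BITMAP_LOST_RESET` define does not line up with the neighbouring defines (it looks like a mix of tabs and spaces); match the column used by `AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND    0x00000008`. Also note that `AUDIT_FEATURE_BITMAP_ALL` feeds the deprecated `AUDIT_VERSION_LATEST` two lines below, so adding the bit to `_ALL` silently changes that value for any userspace still comparing against it; a sentence in the commit message about that would help.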
> @@ -440,7 +442,8 @@ struct audit_features {
>
>  #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID      0
>  #define AUDIT_FEATURE_LOGINUID_IMMUTABLE       1
> -#define AUDIT_LAST_FEATURE                     AUDIT_FEATURE_LOGINUID_IMMUTABLE
> +#define AUDIT_FEATURE_LOST_RESET               2
> +#define AUDIT_LAST_FEATURE                     AUDIT_FEATURE_LOST_RESET
>
>  #define audit_feature_valid(x)         ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)
>  #define AUDIT_FEATURE_TO_MASK(x)       (1 << ((x) & 31)) /* mask for __u32 */
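Review bot: `AUDIT_FEATURE_LOST_RESET` is assigned index 2, which must stay in step with the position of the new `"lost_reset"` string in `audit_feature_names` over in kernel/audit.c; `audit_feature_valid()` only bounds-checks against `AUDIT_LAST_FEATURE` and cannot catch a mismatch between the two lists, so a comment here saying the numbering and the name table are kept in sync would save the next person adding a feature.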
> diff --git a/kernel/audit.c b/kernel/audit.c
> index f1ca116..6b52da6 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -122,7 +122,7 @@
>     3) suppressed due to audit_rate_limit
>     4) suppressed due to audit_backlog_limit
>  */
> -static atomic_t    audit_lost = ATOMIC_INIT(0);
> +static atomic_t        audit_lost = ATOMIC_INIT(0);
>
>  /* The netlink socket. */
>  static struct sock *audit_sock;
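Review bot: this hunk only changes the whitespace in the `audit_lost` declaration and has nothing to do with the reset feature; drop it from this patch (or send it as a separate cleanup) so the functional change can be reviewed and bisected on its own.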
> @@ -150,9 +150,10 @@
>                                    .features = 0,
>                                    .lock = 0,};
>
> -static char *audit_feature_names[2] = {
> +static char *audit_feature_names[3] = {
>         "only_unset_loginuid",
>         "loginuid_immutable",
> +       "lost_reset",
>  };
>
>
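Review bot: the array size is hardcoded as `3` and has to be bumped by hand every time a feature is added, which is exactly how the name table and the feature numbers drift apart; declaring it as `audit_feature_names[AUDIT_LAST_FEATURE + 1]` (or as `[]` with a build-time size check against `AUDIT_LAST_FEATURE`) ties it to the uapi define so a missing or extra entry is caught at compile time.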
> @@ -854,7 +855,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>                 s.pid                   = audit_pid;
>                 s.rate_limit            = audit_rate_limit;
>                 s.backlog_limit         = audit_backlog_limit;
> -               s.lost                  = atomic_read(&audit_lost);
> +               s.lost                  = is_audit_feature_set(AUDIT_FEATURE_LOST_RESET) ?
> +                                               atomic_xchg(&audit_lost, 0) :
> +                                               atomic_read(&audit_lost);
>                 s.backlog               = skb_queue_len(&audit_skb_queue);
>                 s.feature_bitmap        = AUDIT_FEATURE_BITMAP_ALL;
>                 s.backlog_wait_time     = audit_backlog_wait_time_master;
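Review bot: with the feature set, `AUDIT_GET` turns into a destructive read: `atomic_xchg(&audit_lost, 0)` zeroes the counter for every consumer, so two tools polling status would each see only part of the losses and any monitoring that merely reads status would reset it for everyone else. Moving the reset to an explicit `AUDIT_SET` with a new status mask bit, as proposed in the reply above, keeps `AUDIT_GET` side-effect free; if the conditional stays, the ternary spread over three continuation lines inside the struct fill is hard to read and would be clearer as an `if` ahead of the assignment.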
> --
> 1.7.1
>



-- 
paul moore
www.paul-moore.com