[RFC][PATCH] audit: add feature audit_lost reset
Richard Guy Briggs
rgb at redhat.com
Mon Dec 5 16:52:11 UTC 2016
On 2016-12-05 11:02, Paul Moore wrote:
> On Mon, Dec 5, 2016 at 3:02 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > Add a method to reset the audit_lost value.
> >
> > An AUDIT_GET message will get the current audit_lost value and reset the
> > counter to zero iff (if and only if) the AUDIT_FEATURE_LOST_RESET
> > feature is set.
> >
> > If the flag AUDIT_FEATURE_BITMAP_LOST_RESET is present in the audit
> > feature bitmap, the feature is settable by setting the
> > AUDIT_FEATURE_LOST_RESET flag in the audit feature list with an
> > AUDIT_SET_FEATURE call. This setting is lockable.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/3
> >
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> > Note: The AUDIT_FEATURE_BITMAP_LOST_RESET check may not be necessary if
> > it is possible to read all the entries from audit_feature_names from
> > userspace.
> > ---
> > include/uapi/linux/audit.h | 7 +++++--
> > kernel/audit.c | 9 ++++++---
> > 2 files changed, 11 insertions(+), 5 deletions(-)
>
> Instead of resetting the lost counter on an AUDIT_GET if the reset
> feature is set, how about preserving the AUDIT_GET behavior, skipping
> the AUDIT_FEATURE_* addition, and simply resetting the lost value by
> sending an AUDIT_SET message with AUDIT_STATUS_LOST (you obviously have
> to add this to the uapi header).
I realized as I was coding it up that we would potentially lose an
accurate count if the read and reset were not atomic. This was the
reason for using atomic_xchg().
> I'm mixed on adding this to the feature bitmap, it shouldn't be
> strictly necessary as old kernels will simply ignore the
> AUDIT_SET/AUDIT_STATUS_LOST bit, but I can understand if userspace
> might want it ... I just hate to burn a bit in the bitmap for
> something that has no ill effect on behavior.
As pointed out, we may not need the bitmap addition if we can read the
array of audit_feature_names.
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 208df7b..5eb2dc2 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -330,10 +330,12 @@ enum {
> > #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000010
> > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> > - AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND)
> > + AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> > + AUDIT_FEATURE_BITMAP_LOST_RESET)
> >
> > /* deprecated: AUDIT_VERSION_* */
> > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
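Review bot: reserving AUDIT_FEATURE_BITMAP_LOST_RESET (0x00000010) in the uapi bitmap is a permanent commitment, and the cover note itself says the bit may not be needed; if the reset ends up as an AUDIT_SET/AUDIT_STATUS_LOST write instead of a feature flag, the bit stays burnt with nothing behind it. Suggest leaving this hunk out of the RFC until the discoverability question (reading audit_feature_names from userspace) is settled, and adding the bitmap bit only if a caller is shown to need it.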
> > @@ -440,7 +442,8 @@ struct audit_features {
> >
> > #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0
> > #define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1
> > -#define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOGINUID_IMMUTABLE
> > +#define AUDIT_FEATURE_LOST_RESET 2
> > +#define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOST_RESET
> >
> > #define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)
> > #define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */
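Review bot: AUDIT_FEATURE_LOST_RESET gets no comment describing what it does (an AUDIT_GET clears audit_lost while the feature is set, and the setting can be locked), and nothing in this header ties it to the AUDIT_FEATURE_BITMAP_LOST_RESET bit from the previous hunk; a one-line comment on the define stating that behaviour would save readers a trip into kernel/audit.c, since the uapi header is the only place userspace authors will look.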
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index f1ca116..6b52da6 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -122,7 +122,7 @@
> > 3) suppressed due to audit_rate_limit
> > 4) suppressed due to audit_backlog_limit
> > */
> > -static atomic_t audit_lost = ATOMIC_INIT(0);
> > +static atomic_t audit_lost = ATOMIC_INIT(0);
> >
> > /* The netlink socket. */
> > static struct sock *audit_sock;
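Review bot: the `-`/`+` pair for `static atomic_t audit_lost = ATOMIC_INIT(0);` is textually identical, so this hunk is a whitespace-only change unrelated to the feature; drop it, or move it to a separate cleanup patch so the functional change stays reviewable on its own.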
> > @@ -150,9 +150,10 @@
> > .features = 0,
> > .lock = 0,};
> >
> > -static char *audit_feature_names[2] = {
> > +static char *audit_feature_names[3] = {
> > "only_unset_loginuid",
> > "loginuid_immutable",
> > + "lost_reset",
> > };
> >
> >
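Review bot: the array size is bumped by hand from 2 to 3 while AUDIT_LAST_FEATURE is bumped separately in the header, so the next feature added to one without the other either indexes past the table or leaves an unnamed slot. Suggest sizing it as `static char *audit_feature_names[AUDIT_LAST_FEATURE + 1]` and adding `BUILD_BUG_ON(ARRAY_SIZE(audit_feature_names) != AUDIT_LAST_FEATURE + 1);` where the table is used, so a mismatch fails at build time.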
> > @@ -854,7 +855,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > s.pid = audit_pid;
> > s.rate_limit = audit_rate_limit;
> > s.backlog_limit = audit_backlog_limit;
> > - s.lost = atomic_read(&audit_lost);
> > + s.lost = is_audit_feature_set(AUDIT_FEATURE_LOST_RESET) ?
> > + atomic_xchg(&audit_lost, 0) :
> > + atomic_read(&audit_lost);
> > s.backlog = skb_queue_len(&audit_skb_queue);
> > s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
> > s.backlog_wait_time = audit_backlog_wait_time_master;
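Review bot: once lost_reset is set, every AUDIT_GET caller clears the counter, so a status poll by one consumer (auditctl -s, a monitoring agent) silently zeroes what every other consumer would have seen, and nothing in this hunk records that a reset happened. A query that mutates state is hard to reason about; if the reset stays on AUDIT_GET, the commit message should spell out that only the first reader sees the count, otherwise the AUDIT_SET/AUDIT_STATUS_LOST approach from the reply makes the reset an explicit write and can still use `atomic_xchg(&audit_lost, 0)` to keep the read-and-clear atomic.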
> > --
> > 1.7.1
> --
> paul moore
> www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
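The atomicity point made above (a plain read followed by a separate reset can discard losses that land in between, which is why the patch uses atomic_xchg) as an added userspace illustration that is not part of this thread or of the kernel tree: a stand-in counter plays the role of audit_lost, one thread bumps it as audit_log_lost() would, and a reader drains it either with an atomic exchange or with a non-atomic read-then-store. The names and the DROPS value are constructed for this example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's audit_lost counter. */
static atomic_long audit_lost;
static atomic_bool producer_done;
#define DROPS 2000000L /* records the producer will "lose" */

/* Producer: models audit_log_lost() bumping the counter once per dropped record. */
static void *drop_records(void *arg)
{
    (void)arg;
    for (long i = 0; i < DROPS; i++)
        atomic_fetch_add_explicit(&audit_lost, 1, memory_order_relaxed);
    atomic_store(&producer_done, true);
    return NULL;
}

/* Consumer: repeated "AUDIT_GET with lost_reset", summing what each query reports.
 * use_xchg == true mirrors the patch's atomic_xchg(&audit_lost, 0); false does a
 * separate read and write of 0, which loses any increments landing between them. */
static long drain(bool use_xchg)
{
    long seen = 0;
    while (!atomic_load(&producer_done)) {
        if (use_xchg) {
            seen += atomic_exchange(&audit_lost, 0);
        } else {
            long v = atomic_load(&audit_lost);
            atomic_store(&audit_lost, 0); /* increments since the load are gone */
            seen += v;
        }
    }
    /* Final sweep after the producer is done; the producer's store to
     * producer_done orders all its increments before this exchange. */
    return seen + atomic_exchange(&audit_lost, 0);
}

/* Runs one producer against one consumer and returns the total the consumer
 * accounted for. With the atomic exchange this is exactly DROPS. */
long run_trial(bool use_xchg)
{
    pthread_t t;
    atomic_store(&audit_lost, 0);
    atomic_store(&producer_done, false);
    pthread_create(&t, NULL, drop_records, NULL);
    long seen = drain(use_xchg);
    pthread_join(t, NULL);
    return seen;
}
```

Calling `run_trial(true)` always accounts for all DROPS losses, while `run_trial(false)` can report fewer, which is the undercount the reply warns about.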