[RFC][PATCH] audit: add feature audit_lost reset

Richard Guy Briggs rgb at redhat.com
Mon Dec 5 16:52:11 UTC 2016


On 2016-12-05 11:02, Paul Moore wrote:
> On Mon, Dec 5, 2016 at 3:02 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > Add a method to reset the audit_lost value.
> >
> > An AUDIT_GET message will get the current audit_lost value and reset the
> > counter to zero iff (if and only if) the AUDIT_FEATURE_LOST_RESET
> > feature is set.
> >
> > If the flag AUDIT_FEATURE_BITMAP_LOST_RESET is present in the audit
> > feature bitmap, the feature is settable by setting the
> > AUDIT_FEATURE_LOST_RESET flag in the audit feature list with an
> > AUDIT_SET_FEATURE call.  This setting is lockable.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/3
> >
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> > Note: The AUDIT_FEATURE_BITMAP_LOST_RESET check may not be necessary if
> > it is possible to read all the entries from audit_feature_names from
> > userspace.
> > ---
> >  include/uapi/linux/audit.h |    7 +++++--
> >  kernel/audit.c             |    9 ++++++---
> >  2 files changed, 11 insertions(+), 5 deletions(-)
> 
> Instead of resetting the lost counter on an AUDIT_GET if the reset
> feature is set, how about preserving the AUDIT_GET behavior, skipping
> the AUDIT_FEATURE_* addition, and simply reset the lost value by
> sending an AUDIT_SET message with AUDIT_STATUS_LOST (you obviously have
> to add this to the uapi header).

I realized as I was coding it up that we would potentially lose an
accurate count if the read and reset were not atomic.  This was the
reason for using atomic_xchg().

> I'm mixed on adding this to the feature bitmap, it shouldn't be
> strictly necessary as old kernels will simply ignore the
> AUDIT_SET/AUDIT_STATUS_LOST bit, but I can understand if userspace
> might want it ... I just hate to burn a bit in the bitmap for
> something that has no ill effect on behavior.

As pointed out, we may not need the bitmap addition if we can read the
array of audit_feature_names.

> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 208df7b..5eb2dc2 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -330,10 +330,12 @@ enum {
> >  #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> >  #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH   0x00000004
> >  #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND    0x00000008
> > +#define AUDIT_FEATURE_BITMAP_LOST_RESET                0x00000010
> >  #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> >                                   AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> >                                   AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> > -                                 AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND)
> > +                                 AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> > +                                 AUDIT_FEATURE_BITMAP_LOST_RESET)
> >
> >  /* deprecated: AUDIT_VERSION_* */
> >  #define AUDIT_VERSION_LATEST           AUDIT_FEATURE_BITMAP_ALL
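Review bot: the new `#define AUDIT_FEATURE_BITMAP_LOST_RESET                0x00000010` is not column-aligned with the three defines above it (tab/space mix); match the layout of `#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND    0x00000008`. On substance, adding the bit to AUDIT_FEATURE_BITMAP_ALL also changes the value of the deprecated AUDIT_VERSION_LATEST alias, and the cover note already concedes the bitmap entry may be unnecessary if userspace can read audit_feature_names; since an old kernel that lacks the feature causes no harm, consider dropping this hunk and not consuming a bitmap bit for it.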
> > @@ -440,7 +442,8 @@ struct audit_features {
> >
> >  #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID      0
> >  #define AUDIT_FEATURE_LOGINUID_IMMUTABLE       1
> > -#define AUDIT_LAST_FEATURE                     AUDIT_FEATURE_LOGINUID_IMMUTABLE
> > +#define AUDIT_FEATURE_LOST_RESET               2
> > +#define AUDIT_LAST_FEATURE                     AUDIT_FEATURE_LOST_RESET
> >
> >  #define audit_feature_valid(x)         ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)
> >  #define AUDIT_FEATURE_TO_MASK(x)       (1 << ((x) & 31)) /* mask for __u32 */
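Review bot: `#define AUDIT_FEATURE_LOST_RESET               2` is tied by position to the "lost_reset" entry in audit_feature_names[] in kernel/audit.c, but nothing here says so; because audit_feature_valid() accepts any index up to AUDIT_LAST_FEATURE, a numbering/name mismatch would be reported under the wrong name rather than rejected. Add a one-line comment above the feature list stating that new features are appended to both this list and audit_feature_names[] in the same order, and that AUDIT_LAST_FEATURE must be moved to the new entry.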
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index f1ca116..6b52da6 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -122,7 +122,7 @@
> >     3) suppressed due to audit_rate_limit
> >     4) suppressed due to audit_backlog_limit
> >  */
> > -static atomic_t    audit_lost = ATOMIC_INIT(0);
> > +static atomic_t        audit_lost = ATOMIC_INIT(0);
> >
> >  /* The netlink socket. */
> >  static struct sock *audit_sock;
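Review bot: the `-static atomic_t    audit_lost` / `+static atomic_t        audit_lost` change is whitespace-only and unrelated to the lost-reset feature; drop it from this patch or send it as a separate cleanup so the diff carries only the functional change. The comment block this hunk sits under enumerates what audit_lost counts (items 3 and 4 are visible above), so if the hunk is kept at all, that comment is where the new read-and-clear behaviour of AUDIT_GET under the lost_reset feature should be documented.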
> > @@ -150,9 +150,10 @@
> >                                    .features = 0,
> >                                    .lock = 0,};
> >
> > -static char *audit_feature_names[2] = {
> > +static char *audit_feature_names[3] = {
> >         "only_unset_loginuid",
> >         "loginuid_immutable",
> > +       "lost_reset",
> >  };
> >
> >
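Review bot: `static char *audit_feature_names[3]` hard-codes a size that must be bumped by hand every time AUDIT_LAST_FEATURE moves, which is exactly the kind of drift the header change in this patch invites; size it from the header instead, e.g. `static char *audit_feature_names[AUDIT_LAST_FEATURE + 1]`, so the name table and the feature numbering cannot disagree. The `"lost_reset",` entry itself follows the existing trailing-comma style and is fine.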
> > @@ -854,7 +855,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> >                 s.pid                   = audit_pid;
> >                 s.rate_limit            = audit_rate_limit;
> >                 s.backlog_limit         = audit_backlog_limit;
> > -               s.lost                  = atomic_read(&audit_lost);
> > +               s.lost                  = is_audit_feature_set(AUDIT_FEATURE_LOST_RESET) ?
> > +                                               atomic_xchg(&audit_lost, 0) :
> > +                                               atomic_read(&audit_lost);
> >                 s.backlog               = skb_queue_len(&audit_skb_queue);
> >                 s.feature_bitmap        = AUDIT_FEATURE_BITMAP_ALL;
> >                 s.backlog_wait_time     = audit_backlog_wait_time_master;
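Review bot: with AUDIT_FEATURE_LOST_RESET set, every AUDIT_GET request clears audit_lost, not just the request from a caller that intends to reset it, so a second status consumer polling AUDIT_GET silently drains the count another tool expects to read; this is the behavioural change Paul's reply objects to, and a dedicated AUDIT_SET with a new AUDIT_STATUS_LOST flag avoids it while keeping atomic_xchg() for the read-and-clear itself. Note also that the counter is zeroed at the point s.lost is filled in, before the status reply has been delivered, so from then on the value exists only in that reply; a comment next to the xchg saying so would help. Style: the three-line ternary inside the struct fill is hard to read; a small helper such as `audit_lost_read()` would keep `s.lost = ...` on one line like its neighbours.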
> > --
> > 1.7.1
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> 
> 
> 
> -- 
> paul moore
> www.paul-moore.com

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
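The race Richard describes above (a read followed by a separate reset, versus a single atomic_xchg()) in a userspace model, added here as an example and not code from the patch or from the kernel: C11 atomics and pthreads stand in for the kernel's atomic_t and for concurrent callers bumping audit_lost; the names lost_counter, lost_get_reset_racy, lost_get_reset_xchg and run_drainer are invented for the example, and the workload sizes are constructed.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Constructed workload: four incrementers, each bumping the counter this often. */
#define N_PRODUCERS 4
#define INCS_PER_PRODUCER 100000L
#define EXPECTED_TOTAL (N_PRODUCERS * INCS_PER_PRODUCER)

/* Userspace stand-in for the kernel's `static atomic_t audit_lost` (assumed
 * model using C11 atomics, not the kernel atomic_t API). */
struct lost_counter {
	atomic_long value;
};

/* Producer side: the equivalent of atomic_inc(&audit_lost) on a dropped record. */
static void lost_inc(struct lost_counter *c)
{
	atomic_fetch_add(&c->value, 1);
}

/* Racy read-and-clear: two separate operations, like atomic_read() followed by
 * atomic_set(..., 0). Increments landing between them are wiped unreported. */
static long lost_get_reset_racy(struct lost_counter *c)
{
	long v = atomic_load(&c->value);
	/* window: a concurrent lost_inc() here is lost for good */
	atomic_store(&c->value, 0);
	return v;
}

/* Atomic read-and-clear: one read-modify-write, like atomic_xchg(&audit_lost, 0).
 * Every increment ends up either in the returned value or still in the counter. */
static long lost_get_reset_xchg(struct lost_counter *c)
{
	return atomic_exchange(&c->value, 0);
}

struct run {
	struct lost_counter counter;
	long (*drain)(struct lost_counter *);
	atomic_int producers_done;
	long drained_total;
};

static void *producer(void *arg)
{
	struct run *r = arg;
	for (long i = 0; i < INCS_PER_PRODUCER; i++)
		lost_inc(&r->counter);
	atomic_fetch_add(&r->producers_done, 1);
	return NULL;
}

/* Consumer side: keeps issuing "get and reset" while producers run, then does one
 * final sweep once every producer has signalled completion. */
static void *consumer(void *arg)
{
	struct run *r = arg;
	long total = 0;

	while (atomic_load(&r->producers_done) < N_PRODUCERS)
		total += r->drain(&r->counter);
	total += r->drain(&r->counter);
	r->drained_total = total;
	return NULL;
}

/* Runs the workload against one drain strategy and returns the sum of all values
 * the consumer got back, or -1 if a thread could not be started. With
 * lost_get_reset_xchg the result always equals EXPECTED_TOTAL; with
 * lost_get_reset_racy it may fall short, and by a different amount each run. */
long run_drainer(long (*drain)(struct lost_counter *))
{
	struct run r;
	pthread_t prod[N_PRODUCERS], cons;
	int started = 0;

	atomic_init(&r.counter.value, 0);
	atomic_init(&r.producers_done, 0);
	r.drain = drain;
	r.drained_total = 0;

	if (pthread_create(&cons, NULL, consumer, &r) != 0)
		return -1;
	for (int i = 0; i < N_PRODUCERS; i++) {
		if (pthread_create(&prod[i], NULL, producer, &r) != 0)
			break;
		started++;
	}
	/* account for producers that never started so the consumer can finish */
	atomic_fetch_add(&r.producers_done, N_PRODUCERS - started);
	for (int i = 0; i < started; i++)
		pthread_join(prod[i], NULL);
	pthread_join(cons, NULL);
	return started == N_PRODUCERS ? r.drained_total : -1;
}

int main(void)
{
	long racy = run_drainer(lost_get_reset_racy);
	long xchg = run_drainer(lost_get_reset_xchg);

	printf("increments issued: %ld\n", EXPECTED_TOTAL);
	printf("read+set reported: %ld (lost %ld)\n", racy, EXPECTED_TOTAL - racy);
	printf("xchg reported:     %ld (lost %ld)\n", xchg, EXPECTED_TOTAL - xchg);
	return 0;
}
```

Build with `cc -std=gnu11 -pthread`. The deficit of the read+set variant depends on scheduling and can be zero on a lightly loaded machine, which is what makes this kind of bug hard to catch in testing; the xchg variant accounts for every increment on every run, which is the property the patch relies on when it clears audit_lost in the AUDIT_GET path.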



