lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 23 Nov 2019 09:57:19 +0100
From:   Jiri Olsa <jolsa@...hat.com>
To:     Paul Moore <paul@...l-moore.com>
Cc:     Alexei Starovoitov <alexei.starovoitov@...il.com>,
        linux-audit@...hat.com, Jiri Olsa <jolsa@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Alexei Starovoitov <ast@...nel.org>,
        Network Development <netdev@...r.kernel.org>,
        bpf <bpf@...r.kernel.org>, Andrii Nakryiko <andriin@...com>,
        Yonghong Song <yhs@...com>, Martin KaFai Lau <kafai@...com>,
        Jakub Kicinski <jakub.kicinski@...ronome.com>,
        Steve Grubb <sgrubb@...hat.com>,
        David Miller <davem@...hat.com>,
        Eric Paris <eparis@...hat.com>, Jiri Benc <jbenc@...hat.com>
Subject: Re: [PATCH] bpf: emit audit messages upon successful prog load and
 unload

On Fri, Nov 22, 2019 at 04:19:55PM -0500, Paul Moore wrote:
> On Fri, Nov 22, 2019 at 2:24 PM Jiri Olsa <jolsa@...hat.com> wrote:
> > Paul,
> > would following output be ok:
> >
> >     type=SYSCALL msg=audit(1574445211.897:28015): arch=c000003e syscall=321 success=no exit=-13 a0=5 a1=7fff09ac6c60 a2=78 a3=6 items=0 ppid=1408 pid=9266 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="test_verifier" exe="/home/jolsa/linux/tools/testing/selftests/bpf/test_verifier" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=bpf AUID="jolsa" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
> >     type=PROCTITLE msg=audit(1574445211.897:28015): proctitle="./test_verifier"
> >     type=BPF msg=audit(1574445211.897:28016): prog-id=8103 event=LOAD
> >
> >     type=SYSCALL msg=audit(1574445211.897:28016): arch=c000003e syscall=321 success=yes exit=14 a0=5 a1=7fff09ac6b80 a2=78 a3=0 items=0 ppid=1408 pid=9266 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="test_verifier" exe="/home/jolsa/linux/tools/testing/selftests/bpf/test_verifier" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=bpf AUID="jolsa" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
> >     type=PROCTITLE msg=audit(1574445211.897:28016): proctitle="./test_verifier"
> >     type=BPF msg=audit(1574445211.897:28017): prog-id=8103 event=UNLOAD
> 
> There is some precedence in using "op=" instead of "event=" (an audit
> "event" is already a thing, using "event=" here might get confusing).
> I suppose if we are getting really nit-picky you might want to
> lower-case the LOAD/UNLOAD, but generally Steve cares more about these
> things than I do.
> 
> For reference, we have a searchable database of fields here:
> * https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv

I'm fine with "op", Daniel, Alexei?

> 
> > I assume for audit-userspace and audit-testsuite the change will
> > go in as github PR, right? I have the auditd change ready and will
> > add test shortly.
> 
> You can submit the audit-testsuite either as a GH PR or as a
> patch(set) to the linux-audit mailing list, both work equally well.  I
> believe has the same policy for his userspace tools, but I'll let him
> speak for himself.

ok

> 
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 18925d924c73..c69d2776d197 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -358,8 +358,6 @@ static inline void audit_ptrace(struct task_struct *t)
> >                 __audit_ptrace(t);
> >  }
> >
> > -extern void audit_log_task(struct audit_buffer *ab);
> > -
> >                                 /* Private API (for audit.c only) */
> >  extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> >  extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
> > @@ -648,8 +646,6 @@ static inline void audit_ntp_log(const struct audit_ntp_data *ad)
> >  static inline void audit_ptrace(struct task_struct *t)
> >  { }
> >
> > -static inline void audit_log_task(struct audit_buffer *ab)
> > -{ }
> >  #define audit_n_rules 0
> >  #define audit_signals 0
> >  #endif /* CONFIG_AUDITSYSCALL */
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 9bf1045fedfa..4effe01ebbe2 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2545,7 +2545,7 @@ void __audit_ntp_log(const struct audit_ntp_data *ad)
> >         audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
> >  }
> >
> > -void audit_log_task(struct audit_buffer *ab)
> > +static void audit_log_task(struct audit_buffer *ab)
> 
> I'm slightly concerned that this is based on top of your other patch
> which was NACK'ed.  I might not have been clear before, but with the
> merge window set to open in a few days, and this change affecting the
> kernel interface (uapi, etc.) and lacking a test, this isn't something
> that I see as a candidate for the upcoming merge window.  *Please*
> revert your original patch first; if you think I'm cranky now I can
> promise I'll be a lot more cranky if I see the original patch in -rc1
> ;)

no worries, I'm used to cranky ;-)
Alexei already asked Dave to revert this in previous email,
so that should happen

thanks,
jirka

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ