Re: [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Paris <eparis@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Philipp Kern <pkern@google.com>,
	"H. Peter Anvin" <hpa@linux.intel.com>,
	linux-kernel@vger.kernel.org, "H. J. Lu" <hjl.tools@gmail.com>,
	security@kernel.org, greg@kroah.com, linux-audit@redhat.com
Subject: Re: [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text
Date: Wed, 28 May 2014 22:09:27 -0400	[thread overview]
Message-ID: <1401329367.13555.25.camel@localhost> (raw)
In-Reply-To: <ff8ecb985119c06510e2c45c078b41cd5df3aaea.1401327752.git.luto@amacapital.net>

NAK

On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
> Here are some issues with the code:
>  - It thinks that syscalls have four arguments.

Not true at all.  It records the registers that would hold the first 4
entries on syscall entry, for use later if needed, as getting those
later on some arches is not feasible (see ia64).  It makes no assumption
about how many syscalls a function has.

>  - It's a performance disaster.

Only if you enable it.  If you don't use audit it is a single branch.
Hardly a disaster.

>  - It assumes that syscall numbers are between 0 and 2048.

There could well be a bug here.  Not questioning that.  Although that
would be patch 1/2

>  - It's unclear whether it's supposed to be reliable.

Unclear to whom?

>  - It's broken on things like x32.
>  - It can't support ARM OABI.

Some arches aren't supported?  And that makes it BROKEN?  

>  - Its approach to freeing memory is terrifying.

What?

None of your reasons hold water.  Bugs need to be fixed.  Try reporting
them...  This is just stupid.

> Signed-off-by: Andy Lutomirski <luto@amacapital.net>
> ---
>  init/Kconfig | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/init/Kconfig b/init/Kconfig
> index 9d3585b..24d4b53 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -296,13 +296,16 @@ config HAVE_ARCH_AUDITSYSCALL
>  	bool
>  
>  config AUDITSYSCALL
> -	bool "Enable system-call auditing support"
> -	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
> +	bool "Enable system-call auditing support (not recommended)"
> +	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL && BROKEN
>  	default y if SECURITY_SELINUX
>  	help
> -	  Enable low-overhead system-call auditing infrastructure that
> -	  can be used independently or with another kernel subsystem,
> -	  such as SELinux.
> +	  Enable system-call auditing infrastructure that can be used
> +	  independently or with another kernel subsystem, such as
> +	  SELinux.
> +
> +	  AUDITSYSCALL has serious performance and correctness issues.
> +	  Use it with extreme caution.
>  
>  config AUDIT_WATCH
>  	def_bool y

next prev parent reply	other threads:[~2014-05-29  2:09 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-05-29  1:43 [PATCH v2 0/2] Fix auditsc DoS and mark it BROKEN Andy Lutomirski
2014-05-29  1:44 ` [PATCH v2 1/2] auditsc: audit_krule mask accesses need bounds checking Andy Lutomirski
2014-05-29  2:23   ` Eric Paris
2014-05-29  2:27     ` Andy Lutomirski
2014-05-29  2:43       ` Eric Paris
2014-05-29  2:46         ` Andy Lutomirski
2014-05-29 13:04         ` Steve Grubb
2014-07-08 19:37           ` Richard Guy Briggs
2014-05-29  1:44 ` [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text Andy Lutomirski
2014-05-29  2:09   ` Eric Paris [this message]
2014-05-29  2:40     ` Andy Lutomirski
2014-05-29  2:54       ` Eric Paris
2014-05-29  3:01         ` Andy Lutomirski
2014-05-29 13:05       ` Steve Grubb
2014-05-29 16:04         ` Andy Lutomirski
2014-05-29 16:25           ` Steve Grubb
2014-05-29 16:25             ` Steve Grubb
2014-05-29 16:46             ` Andy Lutomirski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1401329367.13555.25.camel@localhost \
    --to=eparis@redhat.com \
    --cc=greg@kroah.com \
    --cc=hjl.tools@gmail.com \
    --cc=hpa@linux.intel.com \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=pkern@google.com \
    --cc=security@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.