Re: [PATCH V4] audit: add feature audit_lost reset

[Steve Grubb <sgrubb@redhat.com>]

On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote:
> Add a method to reset the audit_lost value.
> 
> An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> will return a positive value repesenting the current audit_lost value
> and reset the counter to zero.  If AUDIT_STATUS_LOST is not the
> only flag set, the reset command will be ignored.  The value sent with
> the command is ignored.  The return value will be the +ve lost value at
> reset time.
> 
> An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> daemon.  The message will be a standard CONFIG_CHANGE message with the
> fields "lost=0" and "old=" with the latter containing the value of
> audit_lost at reset time.

This passes testing and event looks good.
Acked-by: Steve Grubb <sgrubb@redhat.com>

This clears the way for audit-2.7.1 release today.

-Steve

> See: https://github.com/linux-audit/audit-kernel/issues/3
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> There is a merge conflict anticipated with the exclude filter
> FEATURE_BITMAP patch (ghak5)
> 
> v2:
>    Switch from AUDIT_GET to AUDIT_SET
>    Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
>    Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
> 
> v3:
>    Switch, from reply to sender, to queue to audit log
> 
> v4:
>    Switch from LOST_RESET to CONFIG_CHANGE log msg
>    Re-add AUDIT_FEATURE_BITMASK
> ---
> ---
>  include/uapi/linux/audit.h |    6 +++++-
>  kernel/audit.c             |    8 +++++++-
>  2 files changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index c8dc97b..3f24110 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -326,15 +326,19 @@ enum {
>  #define AUDIT_STATUS_RATE_LIMIT		0x0008
>  #define AUDIT_STATUS_BACKLOG_LIMIT	0x0010
>  #define AUDIT_STATUS_BACKLOG_WAIT_TIME	0x0020
> +#define AUDIT_STATUS_LOST		0x0040
> 
>  #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT	0x00000001
>  #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME	0x00000002
>  #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004
>  #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER	0x00000010
> +#define AUDIT_FEATURE_BITMAP_LOST_RESET		0x00000020
> +
>  #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
>  				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
>  				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> -				  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> +				  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> +				  AUDIT_FEATURE_BITMAP_LOST_RESET)
> 
>  /* deprecated: AUDIT_VERSION_* */
>  #define AUDIT_VERSION_LATEST 		AUDIT_FEATURE_BITMAP_ALL
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 57acf25..25dd70a 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -121,7 +121,7 @@ u32		audit_sig_sid = 0;
>     3) suppressed due to audit_rate_limit
>     4) suppressed due to audit_backlog_limit
>  */
> -static atomic_t    audit_lost = ATOMIC_INIT(0);
> +static atomic_t	audit_lost = ATOMIC_INIT(0);
> 
>  /* The netlink socket. */
>  static struct sock *audit_sock;
> @@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> struct nlmsghdr *nlh) if (err < 0)
>  				return err;
>  		}
> +		if (s.mask == AUDIT_STATUS_LOST) {
> +			u32 lost = atomic_xchg(&audit_lost, 0);
> +
> +			audit_log_config_change("lost", 0, lost, 1);
> +			return lost;
> +		}
>  		break;
>  	}
>  	case AUDIT_GET_FEATURE: