From: Greg Edwards <gedwards@ddn.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com
Subject: Re: [PATCH v2] audit: do not panic kernel on invalid audit parameter
Date: Wed, 21 Feb 2018 15:51:57 -0700 [thread overview]
Message-ID: <20180221225156.GA6657@psuche> (raw)
In-Reply-To: <161ba322928.2781.85c95baa4474aabc7814e68940a78392@paul-moore.com>
On Wed, Feb 21, 2018 at 04:08:25PM -0500, Paul Moore wrote:
> On February 21, 2018 11:19:09 AM Greg Edwards <gedwards@ddn.com> wrote:
>> If you pass in an invalid audit kernel boot parameter, e.g. 'audit=off',
>> the kernel panics very early in boot with no output on the console
>> indicating the problem.
>>
>> Instead, print the error indicating an invalid audit parameter value,
>> but leave auditing enabled.
>
> Thanks for the quick follow-up, it's actually a little *too* quick if
> I'm honest, I still haven't fully thought through all the different
> options here :)
>
> However, in the interest in capitalizing on your enthusiasm and
> willingness to help, here are some of the things I was thinking about,
> in no particular order:
>
> #1 - We might want to consider accepting both "0" and "off" as
> acceptable inputs. It should be a trivial change, and if we are going
> to default to on/enabled it seems like we should make a reasonable
> effort to do the right thing when people attempt to disable audit
> (unfortunately the kernel command line parameters seem to use both "0"
> and "off" so we can't blame people too much when they use "off").
Yes, I think this would be a good idea, and for what it's worth,
'audit=off' worked until 4.15. One of our CI tests that verifies
upstream kernels picked this up starting with 4.15.
For example, booting a 4.14.20 kernel (defconfig + kvmconfig):
[ 0.000000] Linux version 4.14.20 (gedwards@psuche) (gcc version 7.3.1 20180130 (Red Hat 7.3.1-2) (GCC)) #1 SMP Wed Feb 21 15:14:25 M
ST 2018
[ 0.000000] Command line: root=/dev/vda1 console=ttyS0,115200n8 audit=off
...
[ 0.000000] Kernel command line: root=/dev/vda1 console=ttyS0,115200n8 audit=off
[ 0.000000] audit: disabled (until reboot)
^^^^^^^^
> #2 - If panic("<msg>") doesn't work, does pr_err("<msg>")? If it
> does, I would be curious to understand why.
Yes, pr_err() does work. Booting 4.16-rc2 (defconfig + kvmconfig) with
this patch:
[ 0.000000] Linux version 4.16.0-rc2+ (gedwards@psuche) (gcc version 7.3.1 20180130 (Red Hat 7.3.1-2) (GCC)) #1 SMP Wed Feb 21 15:23:10 MST 2018
[ 0.000000] Command line: root=/dev/vda1 console=ttyS0,115200n8 audit=off
...
[ 0.000000] Kernel command line: root=/dev/vda1 console=ttyS0,115200n8 audit=off
[ 0.000000] audit: invalid 'audit' parameter value (off)
[ 0.000000] audit: enabled (after initialization)
I suspect what is happening with the current audit_enable() code is the
serial console has not been fully initialized yet by the time we call
panic(), so we never see the early printk messages queued up. I will
try and confirm.
> #3 - Related to #2 above, but there are other calls to panic() and
> pr_*() in audit_enable() that should probably be re-evaluated and
> changed. If we can't notify users/admins here, why are we trying?
I haven't looked at those other calls to panic(), but I would bet they
display the same behavior.
> #4 - Related to #2 and #3, if we can't emit messages in audit_enable()
> we need to find a way to "remember" that the user specified a bogus
> audit setting and let them know as soon as we can. One possibility
> might be to overload the audit_default variable (most places seem to
> treat it as a true/false value) with a "AUDIT_DEFAULT_INVALID" value
> (make it non-zero, say "3"?) and we could display a message in
> audit_init() or similar. Full disclosure, this *should* work ... I
> think ... but I might be missing some crucial detail.
I'm unclear why we would need this, given that #2 above does work. This
is the first time I've ever looked at the audit code, though. I was
just doing a drive-by. ;)
> I realize this is probably much more than you bargained for when you
> first submitted your patch, and if you're not interested in taking
> this any further I understand .... however, if you are willing to play
> a bit more I would be very grateful :)
Sure, I'm happy to look at the above.
Greg
next prev parent reply other threads:[~2018-02-21 22:51 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-20 21:33 [PATCH] audit: do not panic kernel on invalid audit parameter Greg Edwards
2018-02-20 21:45 ` Paul Moore
2018-02-20 22:00 ` Greg Edwards
2018-02-20 22:06 ` Paul Moore
2018-02-21 5:12 ` Richard Guy Briggs
2018-02-21 16:18 ` [PATCH v2] " Greg Edwards
2018-02-21 21:08 ` Paul Moore
2018-02-21 22:51 ` Greg Edwards [this message]
2018-02-22 1:13 ` Richard Guy Briggs
2018-02-21 22:52 ` Steve Grubb
2018-03-05 22:05 ` [PATCH] audit: do not panic on invalid boot parameter Greg Edwards
2018-03-06 3:24 ` Richard Guy Briggs
2018-03-06 14:38 ` Paul Moore
2018-03-06 18:53 ` Paul Moore
2018-03-07 4:13 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180221225156.GA6657@psuche \
--to=gedwards@ddn.com \
--cc=linux-audit@redhat.com \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).