From: Casey Schaufler <casey@schaufler-ca.com>
To: Richard Guy Briggs <rgb@redhat.com>, Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@parisplace.org>,
Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: [PATCH ghak122 v1] audit: store event sockaddr in case of no rules
Date: Mon, 13 Jul 2020 10:55:15 -0700 [thread overview]
Message-ID: <9ec00f40-e7e9-950e-4ed9-48533a9ee223@schaufler-ca.com> (raw)
In-Reply-To: <20200713174014.mjsdugomgjtl3kgz@madcap2.tricolour.ca>
On 7/13/2020 10:40 AM, Richard Guy Briggs wrote:
> On 2020-07-08 18:49, Paul Moore wrote:
>> On Fri, Jul 3, 2020 at 1:18 PM Richard Guy Briggs <rgb@redhat.com> wrote:
>>> When there are no rules present, the event SOCKADDR record is not
>>> generated due to audit_dummy_context() generated at syscall entry from
>>> audit_n_rules. Store this information if there is a context present to
>>> store it so that mandatory events are more complete (startup, LSMs...).
I don't know for sure, but this looks a lot like the issues
I have had to address for LSM stacking in
[PATCH v18 20/23] Audit: Add new record for multiple process LSM attributes
I don't know if the approach I took will help here, or be
acceptable at all for that matter. But it might be worth taking
a look.
>>>
>>> Please see the upstream issue
>>> https://github.com/linux-audit/audit-kernel/issues/122
>>>
>>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>>> ---
>>> Passes audit-testsuite.
>>>
>>> include/linux/audit.h | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>> Do we have any certification requirements driving this change? I ask
>> because if we make this change, why not do the same for PATH records?
> I filed the issue because I noticed the SOCKADDR record missing from
> configuration events required for certification.
>
>> The problem of course is that doing this for both is going to be
>> costly, the PATH records in particular seem like they would raise a
>> performance regression.
> I had a minor concern about performance for SOCKADDR. I filed SOCKADDR
> because I noticed it missing, but intended to file others as noticed.
>
> I agree the PATH records would have a larger performance concern, but if
> they are required to support event records that are required for
> certification then either we store them when the context is present or
> generate them retroactively once a required event record is generated.
>
> In the case of SOCKADDR it may be possible to store that information
> once the required record has been generated rather than whenever there
> is a valid audit context, but it is currently collected earlier than
> config records are emitted.
>
>> I agree it would be nice to have this information, but I fear that
>> gating this on audit_dummy_context() is the right thing to do unless
>> there is a strong requirement that we always record this information.
> That would have been great feedback when the issue was filed.
> However, there may be a middle ground as descirbed above.
>
>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>> index 03c4035a532b..07fecd99741a 100644
>>> --- a/include/linux/audit.h
>>> +++ b/include/linux/audit.h
>>> @@ -448,7 +448,7 @@ static inline int audit_socketcall_compat(int nargs, u32 *args)
>>>
>>> static inline int audit_sockaddr(int len, void *addr)
>>> {
>>> - if (unlikely(!audit_dummy_context()))
>>> + if (audit_context())
>>> return __audit_sockaddr(len, addr);
>>> return 0;
>>> }
>> paul moore
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2020-07-13 17:55 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-03 17:17 [PATCH ghak122 v1] audit: store event sockaddr in case of no rules Richard Guy Briggs
2020-07-08 22:49 ` Paul Moore
2020-07-13 17:40 ` Richard Guy Briggs
2020-07-13 17:55 ` Casey Schaufler [this message]
2020-07-13 20:02 ` Richard Guy Briggs
2020-07-13 23:08 ` Casey Schaufler
2020-07-14 0:11 ` Paul Moore
2020-07-14 0:28 ` Casey Schaufler
2020-07-14 0:47 ` Paul Moore
2020-07-14 1:08 ` Richard Guy Briggs
2020-07-14 1:19 ` Paul Moore
2020-07-14 2:37 ` Casey Schaufler
2020-07-13 22:30 ` Paul Moore
2020-07-13 22:37 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9ec00f40-e7e9-950e-4ed9-48533a9ee223@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=eparis@parisplace.org \
--cc=linux-audit@redhat.com \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox