Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
* Re: Should audit_seccomp check audit_enabled?
From: Andy Lutomirski @ 2015-10-23 21:08 UTC (permalink / raw)
  To: Paul Moore
  Cc: Steve Grubb, Kees Cook, Richard Guy Briggs, linux-audit,
	linux-kernel@vger.kernel.org
In-Reply-To: <CAHC9VhQT1dOU3keiDCwwi7UwGttCvGaKSj8nv=bpsttgvtbJjA@mail.gmail.com>

On Fri, Oct 23, 2015 at 1:58 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Oct 23, 2015 at 4:51 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> On Friday, October 23, 2015 03:38:05 PM Paul Moore wrote:
>>> On Fri, Oct 23, 2015 at 1:01 PM, Kees Cook <keescook@chromium.org> wrote:
>>> > On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net>
>> wrote:
>>> >> I would argue that, if auditing is off, audit_seccomp shouldn't do
>>> >> anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
>>> >> policy, and seccomp signals might be ordinary behavior that's internal
>>> >> to the seccomp-using application.  IOW, for people with audit compiled
>>> >> in and subscribed by journald but switched off, I think that the
>>> >> records shouldn't be emitted.
>>> >>
>>> >> If you agree, I can send the two-line patch.
>>> >
>>> > I think signr==0 states (which I would identify as "intended
>>> > behavior") don't need to be reported under any situation, but audit
>>> > folks wanted to keep it around.
>>>
>>> Wearing my libseccomp hat, I would like some logging when the seccomp
>>> filter triggers a result other than allow.  I don't care if this is
>>> via audit or printk(), I just want some notification.  If we go the
>>> printk route and people really don't want to see anything in their
>>> logs, I suppose we could always add a sysctl knob to turn off the
>>> message completely (we would still need to do whatever audit records
>>> are required, see below).
>>>
>>> Wearing my audit hat, I want to make sure we tick off all the right
>>> boxes for the various certifications that people care about.  Steve
>>> Grubb has commented on what he needs in the past, although I'm not
>>> sure it was on-list, so I'll ask him to repeat it here.
>>
>> I went back and reviewed my notes since this came up in the current Common
>> Criteria evaluation. What we decided to do is treat syscall failures which
>> failed due to seccomp the same as syscall failures caused by dropping
>> capabilities. Both are opt-in DAC policies. That means we don't care. Do
>> whatever you like. :-)
>
> Thanks Steve.
>
> Andy, is your objection that you don't want to see any seccomp
> messages, or just seccomp audit records when audit is disabled?
>

My objection is that people who have audit compiled in but disabled at
runtime shouldn't have the overhead or the log noise from these
messages.  If people want the messages, then I think they should turn
on audit (auditctl -e 1 or whatever).

--Andy

^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Andy Lutomirski @ 2015-10-23 21:07 UTC (permalink / raw)
  To: Kees Cook; +Cc: linux-audit, linux-kernel@vger.kernel.org, Richard Guy Briggs
In-Reply-To: <CAGXu5j+TnB3=H1zx8j_RW1kEU3GQXDhPcP8Odej7oAyAoW_ZuQ@mail.gmail.com>

On Oct 23, 2015 10:01 AM, "Kees Cook" <keescook@chromium.org> wrote:
>
> On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> wrote:
> > I would argue that, if auditing is off, audit_seccomp shouldn't do
> > anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
> > policy, and seccomp signals might be ordinary behavior that's internal
> > to the seccomp-using application.  IOW, for people with audit compiled
> > in and subscribed by journald but switched off, I think that the
> > records shouldn't be emitted.
> >
> > If you agree, I can send the two-line patch.
>
> I think signr==0 states (which I would identify as "intended
> behavior") don't need to be reported under any situation, but audit
> folks wanted to keep it around.

Even if there is a nonzero signr, it could just be a program opting to
trap and emulate one of its own syscalls.

--Andy

^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Paul Moore @ 2015-10-23 20:58 UTC (permalink / raw)
  To: Steve Grubb, Kees Cook
  Cc: Andy Lutomirski, Richard Guy Briggs, linux-audit,
	linux-kernel@vger.kernel.org
In-Reply-To: <3396234.S0y3javSJ0@x2>

On Fri, Oct 23, 2015 at 4:51 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Friday, October 23, 2015 03:38:05 PM Paul Moore wrote:
>> On Fri, Oct 23, 2015 at 1:01 PM, Kees Cook <keescook@chromium.org> wrote:
>> > On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net>
> wrote:
>> >> I would argue that, if auditing is off, audit_seccomp shouldn't do
>> >> anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
>> >> policy, and seccomp signals might be ordinary behavior that's internal
>> >> to the seccomp-using application.  IOW, for people with audit compiled
>> >> in and subscribed by journald but switched off, I think that the
>> >> records shouldn't be emitted.
>> >>
>> >> If you agree, I can send the two-line patch.
>> >
>> > I think signr==0 states (which I would identify as "intended
>> > behavior") don't need to be reported under any situation, but audit
>> > folks wanted to keep it around.
>>
>> Wearing my libseccomp hat, I would like some logging when the seccomp
>> filter triggers a result other than allow.  I don't care if this is
>> via audit or printk(), I just want some notification.  If we go the
>> printk route and people really don't want to see anything in their
>> logs, I suppose we could always add a sysctl knob to turn off the
>> message completely (we would still need to do whatever audit records
>> are required, see below).
>>
>> Wearing my audit hat, I want to make sure we tick off all the right
>> boxes for the various certifications that people care about.  Steve
>> Grubb has commented on what he needs in the past, although I'm not
>> sure it was on-list, so I'll ask him to repeat it here.
>
> I went back and reviewed my notes since this came up in the current Common
> Criteria evaluation. What we decided to do is treat syscall failures which
> failed due to seccomp the same as syscall failures caused by dropping
> capabilities. Both are opt-in DAC policies. That means we don't care. Do
> whatever you like. :-)

Thanks Steve.

Andy, is your objection that you don't want to see any seccomp
messages, or just seccomp audit records when audit is disabled?

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Steve Grubb @ 2015-10-23 20:51 UTC (permalink / raw)
  To: Paul Moore
  Cc: Kees Cook, Andy Lutomirski, Richard Guy Briggs, linux-audit,
	linux-kernel@vger.kernel.org
In-Reply-To: <CAHC9VhQFpOJ5VVty7eEe3p24V1yqkNFB-k6Hps_7_9v2ef4eVg@mail.gmail.com>

On Friday, October 23, 2015 03:38:05 PM Paul Moore wrote:
> On Fri, Oct 23, 2015 at 1:01 PM, Kees Cook <keescook@chromium.org> wrote:
> > On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> 
wrote:
> >> I would argue that, if auditing is off, audit_seccomp shouldn't do
> >> anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
> >> policy, and seccomp signals might be ordinary behavior that's internal
> >> to the seccomp-using application.  IOW, for people with audit compiled
> >> in and subscribed by journald but switched off, I think that the
> >> records shouldn't be emitted.
> >> 
> >> If you agree, I can send the two-line patch.
> > 
> > I think signr==0 states (which I would identify as "intended
> > behavior") don't need to be reported under any situation, but audit
> > folks wanted to keep it around.
> 
> Wearing my libseccomp hat, I would like some logging when the seccomp
> filter triggers a result other than allow.  I don't care if this is
> via audit or printk(), I just want some notification.  If we go the
> printk route and people really don't want to see anything in their
> logs, I suppose we could always add a sysctl knob to turn off the
> message completely (we would still need to do whatever audit records
> are required, see below).
> 
> Wearing my audit hat, I want to make sure we tick off all the right
> boxes for the various certifications that people care about.  Steve
> Grubb has commented on what he needs in the past, although I'm not
> sure it was on-list, so I'll ask him to repeat it here.

I went back and reviewed my notes since this came up in the current Common 
Criteria evaluation. What we decided to do is treat syscall failures which 
failed due to seccomp the same as syscall failures caused by dropping 
capabilities. Both are opt-in DAC policies. That means we don't care. Do 
whatever you like. :-)

-Steve

^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Paul Moore @ 2015-10-23 19:38 UTC (permalink / raw)
  To: Kees Cook, Andy Lutomirski, sgrubb
  Cc: Richard Guy Briggs, linux-audit, linux-kernel@vger.kernel.org
In-Reply-To: <CAGXu5j+TnB3=H1zx8j_RW1kEU3GQXDhPcP8Odej7oAyAoW_ZuQ@mail.gmail.com>

On Fri, Oct 23, 2015 at 1:01 PM, Kees Cook <keescook@chromium.org> wrote:
> On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>> I would argue that, if auditing is off, audit_seccomp shouldn't do
>> anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
>> policy, and seccomp signals might be ordinary behavior that's internal
>> to the seccomp-using application.  IOW, for people with audit compiled
>> in and subscribed by journald but switched off, I think that the
>> records shouldn't be emitted.
>>
>> If you agree, I can send the two-line patch.
>
> I think signr==0 states (which I would identify as "intended
> behavior") don't need to be reported under any situation, but audit
> folks wanted to keep it around.

Wearing my libseccomp hat, I would like some logging when the seccomp
filter triggers a result other than allow.  I don't care if this is
via audit or printk(), I just want some notification.  If we go the
printk route and people really don't want to see anything in their
logs, I suppose we could always add a sysctl knob to turn off the
message completely (we would still need to do whatever audit records
are required, see below).

Wearing my audit hat, I want to make sure we tick off all the right
boxes for the various certifications that people care about.  Steve
Grubb has commented on what he needs in the past, although I'm not
sure it was on-list, so I'll ask him to repeat it here.

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Richard Guy Briggs @ 2015-10-23 19:13 UTC (permalink / raw)
  To: Andy Lutomirski; +Cc: linux-audit, linux-kernel@vger.kernel.org
In-Reply-To: <CALCETrWM2_6OmVK6oZGtZpyFY0gAkLN4uadKdZ+zqvW6T_M58w@mail.gmail.com>

On 15/10/23, Andy Lutomirski wrote:
> I would argue that, if auditing is off, audit_seccomp shouldn't do
> anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
> policy, and seccomp signals might be ordinary behavior that's internal
> to the seccomp-using application.  IOW, for people with audit compiled
> in and subscribed by journald but switched off, I think that the
> records shouldn't be emitted.
> 
> If you agree, I can send the two-line patch.

This sounds reasonable to me.  It isn't an AVC.  Steve?  Paul?

> --Andy

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Kees Cook @ 2015-10-23 17:01 UTC (permalink / raw)
  To: Andy Lutomirski
  Cc: linux-kernel@vger.kernel.org, linux-audit, Richard Guy Briggs
In-Reply-To: <CALCETrWM2_6OmVK6oZGtZpyFY0gAkLN4uadKdZ+zqvW6T_M58w@mail.gmail.com>

On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> wrote:
> I would argue that, if auditing is off, audit_seccomp shouldn't do
> anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
> policy, and seccomp signals might be ordinary behavior that's internal
> to the seccomp-using application.  IOW, for people with audit compiled
> in and subscribed by journald but switched off, I think that the
> records shouldn't be emitted.
>
> If you agree, I can send the two-line patch.

I think signr==0 states (which I would identify as "intended
behavior") don't need to be reported under any situation, but audit
folks wanted to keep it around.

-Kees

-- 
Kees Cook
Chrome OS Security

^ permalink raw reply

* Should audit_seccomp check audit_enabled?
From: Andy Lutomirski @ 2015-10-23 16:19 UTC (permalink / raw)
  To: linux-kernel@vger.kernel.org, linux-audit, Kees Cook,
	Richard Guy Briggs

I would argue that, if auditing is off, audit_seccomp shouldn't do
anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
policy, and seccomp signals might be ordinary behavior that's internal
to the seccomp-using application.  IOW, for people with audit compiled
in and subscribed by journald but switched off, I think that the
records shouldn't be emitted.

If you agree, I can send the two-line patch.

--Andy

-- 
Andy Lutomirski
AMA Capital Management, LLC

^ permalink raw reply

* Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c
From: Paul Moore @ 2015-10-22 20:47 UTC (permalink / raw)
  To: Scott Matheina; +Cc: Eric Paris, linux-audit, linux-kernel, trivial
In-Reply-To: <56282F48.4090800@matheina.com>

On Wed, Oct 21, 2015 at 8:35 PM, Scott Matheina <scott@matheina.com> wrote:
> Thanks for the feedback. I'll resubmit. Now I get to figure out how to resubmit a patch with changes, so a good
> learning experience for me. Pure Hobbyist at this time, but I love to learn.

If you haven't already, go read Documentation/SubmittingPatches in the
kernel source, it will cover a lot of the basics.  Also, as far as I'm
concerned, the #1 absolutely most important thing you must always do
when submitting patches is to make sure that I can simply save your
email and apply it with patch, or import it directly via
stgit/git/whatever; if I have to transform your patch in some way to
get it to apply, I get grumpy, and I don't like to get grumpy.

Beyond that, good luck and have fun :)

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: BSides Portland - The Linux Audit Framework
From: Paul Moore @ 2015-10-22 20:34 UTC (permalink / raw)
  To: Smith, Gary R; +Cc: linux-audit@redhat.com
In-Reply-To: <D24E5481.9F53%gary.smith@pnnl.gov>

On Thu, Oct 22, 2015 at 11:53 AM, Smith, Gary R <Gary.Smith@pnnl.gov> wrote:
> Hello All,
>
> I was at the BSides Portland security conference last weekend and I gave a
> presentation called “The Linux Audit Framework” there. I have put up the
> slides from the presentation on slideshare. I have also put up a file that
> implements the Center for Internet Security RHEL 6 Benchmark for audit
> rules. In addition, I have put up a document that is “Smith’s Audit Cheat
> Sheet”. It is what audit commands to run by analysts during first, second
> and third shift.
>
> The presentation slides are at:
> http://www.slideshare.net/GarySmith99/the-linux-audit-framework
> The CIS audit rules are at:
> http://www.slideshare.net/GarySmith99/linux-auditrules
> The “Cheat Sheet” are at:
> http://www.slideshare.net/GarySmith99/audit-commands-by-shift
>
> I hope you find them useful.

I only just quickly skimmed the slides, but thanks for sharing these;
it's always nice to have more awareness of what functionality exists.

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply

* Re: [RFC PATCH 3/7] audit: allow systemd to use queue reserves
From: Richard Guy Briggs @ 2015-10-22 19:51 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <5338619.9WBiI2UOhk@x2>

On 15/10/22, Steve Grubb wrote:
> On Thursday, October 22, 2015 02:53:16 PM Richard Guy Briggs wrote:
> > Treat systemd the same way as auditd, allowing it to overrun the queue to
> > avoid blocking.
> 
> Do you mind explaining this a little more? I'm having a hard time 
> understanding how systemd is involved.

systemd should only have CAP_AUDIT_READ for the multicast socket and
otherwise behaves as a user client, sending AUDIT_USER_* messages.  It
starts and stops auditd and we don't want it blocking trying to allocate
a buffer on the standard queue in audit_log_start() while it is tasked
with telling auditd to start or stop.

> -Steve
> 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  kernel/audit.c |    2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 3917aad..384a1a1 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1375,7 +1375,7 @@ struct audit_buffer *audit_log_start(struct
> > audit_context *ctx, gfp_t gfp_mask, return NULL;
> > 
> >  	if (gfp_mask & __GFP_WAIT) {
> > -		if (audit_pid && audit_pid == current->tgid)
> > +		if (current->tgid == 1 || (audit_pid && audit_pid == current->tgid))
> >  			gfp_mask &= ~__GFP_WAIT;
> >  		else
> >  			reserve = 0;

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply

* Re: [ARCHIVE DEBUG 03/13] audit_debug: proc instrumentation
From: Richard Guy Briggs @ 2015-10-22 19:47 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <5833313.p0DdKMxStc@x2>

On 15/10/22, Steve Grubb wrote:
> What is the permissions on this? Who can view it?

proc_create() was called with mode 0, so I'm guessing it is 777.
Actually, it is 444.  That should be changed to 400 (S_IRUSR) for use on
a system that matters, but again, this is a debug patch set giving
internal read-only stats, not intended for upstream or production use.
Nice catch.

> -Steve
> 
> On Thursday, October 22, 2015 02:58:49 PM Richard Guy Briggs wrote:
> > Add a /proc/audit entry for debugging to instrument many audit subsystem
> > internal parameters not normally visible.
> > 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  include/linux/skbuff.h |   16 ++++++++++++++++
> >  kernel/audit.c         |   48
> > ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64
> > insertions(+), 0 deletions(-)
> > 
> > diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> > index f54d665..bcde922 100644
> > --- a/include/linux/skbuff.h
> > +++ b/include/linux/skbuff.h
> > @@ -180,6 +180,7 @@ struct sk_buff_head {
> > 
> >  	__u32		qlen;
> >  	spinlock_t	lock;
> > +	__u32		qlen_max;
> >  };
> > 
> >  struct sk_buff;
> > @@ -1301,6 +1302,11 @@ static inline __u32 skb_queue_len(const struct
> > sk_buff_head *list_) return list_->qlen;
> >  }
> > 
> > +static inline __u32 skb_queue_len_max(const struct sk_buff_head *list_)
> > +{
> > +	return list_->qlen_max;
> > +}
> > +
> >  /**
> >   *	__skb_queue_head_init - initialize non-spinlock portions of sk_buff_head
> > *	@list: queue to initialize
> > @@ -1354,6 +1360,8 @@ static inline void __skb_insert(struct sk_buff *newsk,
> > newsk->prev = prev;
> >  	next->prev  = prev->next = newsk;
> >  	list->qlen++;
> > +	if(list->qlen > list->qlen_max)
> > +		list->qlen_max = list->qlen;
> >  }
> > 
> >  static inline void __skb_queue_splice(const struct sk_buff_head *list,
> > @@ -1381,6 +1389,8 @@ static inline void skb_queue_splice(const struct
> > sk_buff_head *list, if (!skb_queue_empty(list)) {
> >  		__skb_queue_splice(list, (struct sk_buff *) head, head->next);
> >  		head->qlen += list->qlen;
> > +		if(head->qlen > head->qlen_max)
> > +			head->qlen_max = head->qlen;
> >  	}
> >  }
> > 
> > @@ -1397,6 +1407,8 @@ static inline void skb_queue_splice_init(struct
> > sk_buff_head *list, if (!skb_queue_empty(list)) {
> >  		__skb_queue_splice(list, (struct sk_buff *) head, head->next);
> >  		head->qlen += list->qlen;
> > +		if(head->qlen > head->qlen_max)
> > +			head->qlen_max = head->qlen;
> >  		__skb_queue_head_init(list);
> >  	}
> >  }
> > @@ -1412,6 +1424,8 @@ static inline void skb_queue_splice_tail(const struct
> > sk_buff_head *list, if (!skb_queue_empty(list)) {
> >  		__skb_queue_splice(list, head->prev, (struct sk_buff *) head);
> >  		head->qlen += list->qlen;
> > +		if(head->qlen > head->qlen_max)
> > +			head->qlen_max = head->qlen;
> >  	}
> >  }
> > 
> > @@ -1429,6 +1443,8 @@ static inline void skb_queue_splice_tail_init(struct
> > sk_buff_head *list, if (!skb_queue_empty(list)) {
> >  		__skb_queue_splice(list, head->prev, (struct sk_buff *) head);
> >  		head->qlen += list->qlen;
> > +		if(head->qlen > head->qlen_max)
> > +			head->qlen_max = head->qlen;
> >  		__skb_queue_head_init(list);
> >  	}
> >  }
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index d4e19fc..82df9fd 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -124,6 +124,7 @@ u32		audit_sig_sid = 0;
> >     4) suppressed due to audit_backlog_limit
> >  */
> >  static atomic_t    audit_lost = ATOMIC_INIT(0);
> > +static atomic_t    audit_hold_lost = ATOMIC_INIT(0);
> > 
> >  /* The netlink socket. */
> >  static struct sock *audit_sock;
> > @@ -381,7 +382,10 @@ static void audit_hold_skb(struct sk_buff *skb)
> >  	     skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit))
> >  		skb_queue_tail(&audit_skb_hold_queue, skb);
> >  	else
> > +	{
> >  		kfree_skb(skb);
> > +		atomic_inc(&audit_hold_lost);
> > +	}
> >  }
> > 
> >  /*
> > @@ -510,7 +514,10 @@ static void flush_hold_queue(void)
> >  	 * dequeued an skb we need to drop ref
> >  	 */
> >  	if (skb)
> > +	{
> >  		consume_skb(skb);
> > +		atomic_inc(&audit_hold_lost);
> > +	}
> >  }
> > 
> >  static int kauditd_thread(void *dummy)
> > @@ -1174,6 +1181,45 @@ static struct pernet_operations audit_net_ops
> > __net_initdata = { .size = sizeof(struct audit_net),
> >  };
> > 
> > +/* Display information about audit subsystem */
> > +static int proc_auditstats_show(struct seq_file *m, void *v)
> > +{
> > +	//seq_printf(m, "audit_initialized\t%d\n", audit_initialized);
> > +	//seq_printf(m, "audit_enabled\t%u\n", audit_enabled);
> > +	//seq_printf(m, "audit_ever_enabled\t%u\n", audit_ever_enabled);
> > +	//seq_printf(m, "audit_default\t%u\n", audit_default);
> > +	//seq_printf(m, "audit_failure\t%u\n", audit_failure);
> > +	seq_printf(m, "audit_pid\t\t\t%d\n", audit_pid);
> > +	//seq_printf(m, "audit_nlk_portid\t%u\n", audit_nlk_portid);
> > +	//seq_printf(m, "audit_rate_limit\t%u\n", audit_rate_limit);
> > +	//seq_printf(m, "audit_backlog_limit\t%u\n", audit_backlog_limit);
> > +	//seq_printf(m, "audit_backlog_wait_time\t%u\n", audit_backlog_wait_time);
> > +	//seq_printf(m, "audit_sig_uid\t%u\n", from_kuid(&init_user_ns,
> > audit_sig_uid)); +	//seq_printf(m, "audit_sig_pid\t%d\n", audit_sig_pid);
> > +	//seq_printf(m, "audit_sig_sid\t%u\n", audit_sig_sid);
> > +	seq_printf(m, "audit_lost\t\t\t%d\n", atomic_read(&audit_lost));
> > +	seq_printf(m, "audit_hold_lost\t\t\t%d\n", atomic_read(&audit_hold_lost));
> > +	seq_printf(m, "audit_freelist_count\t\t%u\n", audit_freelist_count);
> > +	seq_printf(m, "audit_skb_queue len\t\t%d\n",
> > skb_queue_len(&audit_skb_queue)); +	seq_printf(m, "audit_skb_queue
> > len_max\t\t%d\n", skb_queue_len_max(&audit_skb_queue)); +	seq_printf(m,
> > "audit_skb_hold_queue len\t%d\n", skb_queue_len(&audit_skb_hold_queue));
> > +	seq_printf(m, "audit_skb_hold_queue len_max\t%d\n",
> > skb_queue_len_max(&audit_skb_hold_queue)); +
> > +	return 0;
> > +}
> > +
> > +static int auditstats_open(struct inode *inode, struct file *file)
> > +{
> > +	return single_open(file, proc_auditstats_show, NULL);
> > +}
> > +
> > +static const struct file_operations proc_auditstats_operations = {
> > +	.open = auditstats_open,
> > +	.read = seq_read,
> > +	.llseek = seq_lseek,
> > +	.release = single_release,
> > +};
> > +
> >  /* Initialize audit support at boot time. */
> >  static int __init audit_init(void)
> >  {
> > @@ -1197,6 +1243,8 @@ static int __init audit_init(void)
> >  	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
> >  		INIT_LIST_HEAD(&audit_inode_hash[i]);
> > 
> > +	proc_create("audit", 0, NULL, &proc_auditstats_operations);
> > +
> >  	return 0;
> >  }
> >  __initcall(audit_init);
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply

* Re: [ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config
From: Richard Guy Briggs @ 2015-10-22 19:28 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2054929.FHXHZSGzHO@x2>

On 15/10/22, Steve Grubb wrote:
> On Thursday, October 22, 2015 02:58:52 PM Richard Guy Briggs wrote:
> > Debug the possibility of systemd changing the audit config causing
> > shutdown delays by blocking all such requests.
> 
> I don't understand what you are saying here. As long as something something 
> has CAP_AUDIT_CONTROL, it can make changes. But we have to record what made 
> the changes in the logs.

I grouped all the message types that make changes first so that if it
was init or systemd attempting such a change, it would be denied with
-EPERM.  Systemd should only have CAP_AUDIT_READ.  If it isn't process 1
(init or systemd) it will just fallthrough this list of message types as
it did before.  This was done for debug testing only.  This isn't
intended to be accepted upstream.

Does this help?  Perhaps I should have been more explicit that even if
systemd somehow was configured with CAP_AUDIT_CONTROL, it would be
denied.

> -Steve
> 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  kernel/audit.c |   14 ++++++++------
> >  1 files changed, 8 insertions(+), 6 deletions(-)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 30b3b08..93a466b 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -680,18 +680,20 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> > msg_type) case AUDIT_ADD:
> >  	case AUDIT_DEL:
> >  		return -EOPNOTSUPP;
> > -	case AUDIT_GET:
> >  	case AUDIT_SET:
> > -	case AUDIT_GET_FEATURE:
> >  	case AUDIT_SET_FEATURE:
> > -	case AUDIT_LIST_RULES:
> >  	case AUDIT_ADD_RULE:
> >  	case AUDIT_DEL_RULE:
> > -	case AUDIT_SIGNAL_INFO:
> > -	case AUDIT_TTY_GET:
> > -	case AUDIT_TTY_SET:
> >  	case AUDIT_TRIM:
> >  	case AUDIT_MAKE_EQUIV:
> > +	case AUDIT_TTY_SET:
> > +		if (current->tgid == 1)
> > +			return -EPERM;
> > +	case AUDIT_GET:
> > +	case AUDIT_GET_FEATURE:
> > +	case AUDIT_LIST_RULES:
> > +	case AUDIT_SIGNAL_INFO:
> > +	case AUDIT_TTY_GET:
> >  		/* Only support auditd and auditctl in initial pid namespace
> >  		 * for now. */
> >  		if ((task_active_pid_ns(current) != &init_pid_ns))
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply

* Re: [RFC PATCH 3/7] audit: allow systemd to use queue reserves
From: Steve Grubb @ 2015-10-22 19:26 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit
In-Reply-To: <5292b00da892ca8cedff9d31ecda132ad384b035.1445539473.git.rgb@redhat.com>

On Thursday, October 22, 2015 02:53:16 PM Richard Guy Briggs wrote:
> Treat systemd the same way as auditd, allowing it to overrun the queue to
> avoid blocking.

Do you mind explaining this a little more? I'm having a hard time 
understanding how systemd is involved.

-Steve

> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  kernel/audit.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 3917aad..384a1a1 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1375,7 +1375,7 @@ struct audit_buffer *audit_log_start(struct
> audit_context *ctx, gfp_t gfp_mask, return NULL;
> 
>  	if (gfp_mask & __GFP_WAIT) {
> -		if (audit_pid && audit_pid == current->tgid)
> +		if (current->tgid == 1 || (audit_pid && audit_pid == current->tgid))
>  			gfp_mask &= ~__GFP_WAIT;
>  		else
>  			reserve = 0;

^ permalink raw reply

* Re: [ARCHIVE DEBUG 03/13] audit_debug: proc instrumentation
From: Steve Grubb @ 2015-10-22 19:23 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit
In-Reply-To: <a7b545c7cb12dda1c637f0dbde0ffb290a53d2e1.1445536765.git.rgb@redhat.com>

What is the permissions on this? Who can view it?

-Steve

On Thursday, October 22, 2015 02:58:49 PM Richard Guy Briggs wrote:
> Add a /proc/audit entry for debugging to instrument many audit subsystem
> internal parameters not normally visible.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  include/linux/skbuff.h |   16 ++++++++++++++++
>  kernel/audit.c         |   48
> ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64
> insertions(+), 0 deletions(-)
> 
> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> index f54d665..bcde922 100644
> --- a/include/linux/skbuff.h
> +++ b/include/linux/skbuff.h
> @@ -180,6 +180,7 @@ struct sk_buff_head {
> 
>  	__u32		qlen;
>  	spinlock_t	lock;
> +	__u32		qlen_max;
>  };
> 
>  struct sk_buff;
> @@ -1301,6 +1302,11 @@ static inline __u32 skb_queue_len(const struct
> sk_buff_head *list_) return list_->qlen;
>  }
> 
> +static inline __u32 skb_queue_len_max(const struct sk_buff_head *list_)
> +{
> +	return list_->qlen_max;
> +}
> +
>  /**
>   *	__skb_queue_head_init - initialize non-spinlock portions of sk_buff_head
> *	@list: queue to initialize
> @@ -1354,6 +1360,8 @@ static inline void __skb_insert(struct sk_buff *newsk,
> newsk->prev = prev;
>  	next->prev  = prev->next = newsk;
>  	list->qlen++;
> +	if(list->qlen > list->qlen_max)
> +		list->qlen_max = list->qlen;
>  }
> 
>  static inline void __skb_queue_splice(const struct sk_buff_head *list,
> @@ -1381,6 +1389,8 @@ static inline void skb_queue_splice(const struct
> sk_buff_head *list, if (!skb_queue_empty(list)) {
>  		__skb_queue_splice(list, (struct sk_buff *) head, head->next);
>  		head->qlen += list->qlen;
> +		if(head->qlen > head->qlen_max)
> +			head->qlen_max = head->qlen;
>  	}
>  }
> 
> @@ -1397,6 +1407,8 @@ static inline void skb_queue_splice_init(struct
> sk_buff_head *list, if (!skb_queue_empty(list)) {
>  		__skb_queue_splice(list, (struct sk_buff *) head, head->next);
>  		head->qlen += list->qlen;
> +		if(head->qlen > head->qlen_max)
> +			head->qlen_max = head->qlen;
>  		__skb_queue_head_init(list);
>  	}
>  }
> @@ -1412,6 +1424,8 @@ static inline void skb_queue_splice_tail(const struct
> sk_buff_head *list, if (!skb_queue_empty(list)) {
>  		__skb_queue_splice(list, head->prev, (struct sk_buff *) head);
>  		head->qlen += list->qlen;
> +		if(head->qlen > head->qlen_max)
> +			head->qlen_max = head->qlen;
>  	}
>  }
> 
> @@ -1429,6 +1443,8 @@ static inline void skb_queue_splice_tail_init(struct
> sk_buff_head *list, if (!skb_queue_empty(list)) {
>  		__skb_queue_splice(list, head->prev, (struct sk_buff *) head);
>  		head->qlen += list->qlen;
> +		if(head->qlen > head->qlen_max)
> +			head->qlen_max = head->qlen;
>  		__skb_queue_head_init(list);
>  	}
>  }
> diff --git a/kernel/audit.c b/kernel/audit.c
> index d4e19fc..82df9fd 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -124,6 +124,7 @@ u32		audit_sig_sid = 0;
>     4) suppressed due to audit_backlog_limit
>  */
>  static atomic_t    audit_lost = ATOMIC_INIT(0);
> +static atomic_t    audit_hold_lost = ATOMIC_INIT(0);
> 
>  /* The netlink socket. */
>  static struct sock *audit_sock;
> @@ -381,7 +382,10 @@ static void audit_hold_skb(struct sk_buff *skb)
>  	     skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit))
>  		skb_queue_tail(&audit_skb_hold_queue, skb);
>  	else
> +	{
>  		kfree_skb(skb);
> +		atomic_inc(&audit_hold_lost);
> +	}
>  }
> 
>  /*
> @@ -510,7 +514,10 @@ static void flush_hold_queue(void)
>  	 * dequeued an skb we need to drop ref
>  	 */
>  	if (skb)
> +	{
>  		consume_skb(skb);
> +		atomic_inc(&audit_hold_lost);
> +	}
>  }
> 
>  static int kauditd_thread(void *dummy)
> @@ -1174,6 +1181,45 @@ static struct pernet_operations audit_net_ops
> __net_initdata = { .size = sizeof(struct audit_net),
>  };
> 
> +/* Display information about audit subsystem */
> +static int proc_auditstats_show(struct seq_file *m, void *v)
> +{
> +	//seq_printf(m, "audit_initialized\t%d\n", audit_initialized);
> +	//seq_printf(m, "audit_enabled\t%u\n", audit_enabled);
> +	//seq_printf(m, "audit_ever_enabled\t%u\n", audit_ever_enabled);
> +	//seq_printf(m, "audit_default\t%u\n", audit_default);
> +	//seq_printf(m, "audit_failure\t%u\n", audit_failure);
> +	seq_printf(m, "audit_pid\t\t\t%d\n", audit_pid);
> +	//seq_printf(m, "audit_nlk_portid\t%u\n", audit_nlk_portid);
> +	//seq_printf(m, "audit_rate_limit\t%u\n", audit_rate_limit);
> +	//seq_printf(m, "audit_backlog_limit\t%u\n", audit_backlog_limit);
> +	//seq_printf(m, "audit_backlog_wait_time\t%u\n", audit_backlog_wait_time);
> +	//seq_printf(m, "audit_sig_uid\t%u\n", from_kuid(&init_user_ns,
> audit_sig_uid)); +	//seq_printf(m, "audit_sig_pid\t%d\n", audit_sig_pid);
> +	//seq_printf(m, "audit_sig_sid\t%u\n", audit_sig_sid);
> +	seq_printf(m, "audit_lost\t\t\t%d\n", atomic_read(&audit_lost));
> +	seq_printf(m, "audit_hold_lost\t\t\t%d\n", atomic_read(&audit_hold_lost));
> +	seq_printf(m, "audit_freelist_count\t\t%u\n", audit_freelist_count);
> +	seq_printf(m, "audit_skb_queue len\t\t%d\n",
> skb_queue_len(&audit_skb_queue)); +	seq_printf(m, "audit_skb_queue
> len_max\t\t%d\n", skb_queue_len_max(&audit_skb_queue)); +	seq_printf(m,
> "audit_skb_hold_queue len\t%d\n", skb_queue_len(&audit_skb_hold_queue));
> +	seq_printf(m, "audit_skb_hold_queue len_max\t%d\n",
> skb_queue_len_max(&audit_skb_hold_queue)); +
> +	return 0;
> +}
> +
> +static int auditstats_open(struct inode *inode, struct file *file)
> +{
> +	return single_open(file, proc_auditstats_show, NULL);
> +}
> +
> +static const struct file_operations proc_auditstats_operations = {
> +	.open = auditstats_open,
> +	.read = seq_read,
> +	.llseek = seq_lseek,
> +	.release = single_release,
> +};
> +
>  /* Initialize audit support at boot time. */
>  static int __init audit_init(void)
>  {
> @@ -1197,6 +1243,8 @@ static int __init audit_init(void)
>  	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
>  		INIT_LIST_HEAD(&audit_inode_hash[i]);
> 
> +	proc_create("audit", 0, NULL, &proc_auditstats_operations);
> +
>  	return 0;
>  }
>  __initcall(audit_init);

^ permalink raw reply

* Re: [ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config
From: Steve Grubb @ 2015-10-22 19:18 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit
In-Reply-To: <9307bb8cd95c66773be32c2bff4d1be3efd94d10.1445536765.git.rgb@redhat.com>

On Thursday, October 22, 2015 02:58:52 PM Richard Guy Briggs wrote:
> Debug the possibility of systemd changing the audit config causing
> shutdown delays by blocking all such requests.

I don't understand what you are saying here. As long as something something 
has CAP_AUDIT_CONTROL, it can make changes. But we have to record what made 
the changes in the logs.

-Steve

> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  kernel/audit.c |   14 ++++++++------
>  1 files changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 30b3b08..93a466b 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -680,18 +680,20 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> msg_type) case AUDIT_ADD:
>  	case AUDIT_DEL:
>  		return -EOPNOTSUPP;
> -	case AUDIT_GET:
>  	case AUDIT_SET:
> -	case AUDIT_GET_FEATURE:
>  	case AUDIT_SET_FEATURE:
> -	case AUDIT_LIST_RULES:
>  	case AUDIT_ADD_RULE:
>  	case AUDIT_DEL_RULE:
> -	case AUDIT_SIGNAL_INFO:
> -	case AUDIT_TTY_GET:
> -	case AUDIT_TTY_SET:
>  	case AUDIT_TRIM:
>  	case AUDIT_MAKE_EQUIV:
> +	case AUDIT_TTY_SET:
> +		if (current->tgid == 1)
> +			return -EPERM;
> +	case AUDIT_GET:
> +	case AUDIT_GET_FEATURE:
> +	case AUDIT_LIST_RULES:
> +	case AUDIT_SIGNAL_INFO:
> +	case AUDIT_TTY_GET:
>  		/* Only support auditd and auditctl in initial pid namespace
>  		 * for now. */
>  		if ((task_active_pid_ns(current) != &init_pid_ns))

^ permalink raw reply

* [ARCHIVE DEBUG 13/13] audit_debug: print inode nr for each path when listing exe rules
From: Richard Guy Briggs @ 2015-10-22 18:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1445536765.git.rgb@redhat.com>

Debug to list inode number and path for each audit watch when audit
watch rules are listed.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.h          |    2 ++
 kernel/audit_fsnotify.c |    5 +++++
 kernel/auditfilter.c    |    1 +
 3 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/kernel/audit.h b/kernel/audit.h
index 24ec861..a7cf1ad 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -271,6 +271,7 @@ extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev
 
 extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len);
 extern char *audit_mark_path(struct audit_fsnotify_mark *mark);
+extern unsigned int audit_mark_ino(struct audit_fsnotify_mark *mark);
 extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
 extern void audit_remove_mark_rule(struct audit_krule *krule);
 extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev);
@@ -287,6 +288,7 @@ extern int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark
 #define audit_watch_compare(w, i, d) 0
 
 #define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
+#define audit_mark_ino(m) 0
 #define audit_mark_path(m) ""
 #define audit_remove_mark(m)
 #define audit_remove_mark_rule(k)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index 27c6046..dcf788c 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -61,6 +61,11 @@ static void audit_fsnotify_free_mark(struct fsnotify_mark *mark)
 	audit_fsnotify_mark_free(audit_mark);
 }
 
+unsigned int audit_mark_ino(struct audit_fsnotify_mark *mark)
+{
+	return mark->ino;
+}
+
 char *audit_mark_path(struct audit_fsnotify_mark *mark)
 {
 	return mark->path;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7714d93..0c36546 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -645,6 +645,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 		case AUDIT_EXE:
 			data->buflen += data->values[i] =
 				audit_pack_string(&bufp, audit_mark_path(krule->exe));
+			pr_warn("list: \"%s\" ino=%u\n", audit_mark_path(krule->exe), audit_mark_ino(krule->exe));
 			break;
 		case AUDIT_LOGINUID_SET:
 			if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
-- 
1.7.1

^ permalink raw reply related

* [ARCHIVE DEBUG 12/13] audit_debug: list processes and frequencies waiting for auditd
From: Richard Guy Briggs @ 2015-10-22 18:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1445536765.git.rgb@redhat.com>

Debug to list each process, its first call time and how many times it is
called while waiting for auditd upon queue overflow.  It is reported and
cleared when the queue is drained sufficiently to clear the condition.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c |   32 ++++++++++++++++++++++++++++++++
 1 files changed, 32 insertions(+), 0 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 76b6878..e4be6f3 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1498,6 +1498,11 @@ static long wait_for_auditd(long sleep_time)
  * will be written at syscall exit.  If there is no associated task, then
  * task context (ctx) should be NULL.
  */
+#define PIDS_WAITING_MAX 1024
+pid_t pids_waiting[PIDS_WAITING_MAX];
+int pids_waiting_c[PIDS_WAITING_MAX];
+char pids_waiting_comm[PIDS_WAITING_MAX][16];
+unsigned long pids_waiting_j[PIDS_WAITING_MAX];
 struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 				     int type)
 {
@@ -1539,6 +1544,19 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 
 	while (audit_backlog_limit
 	       && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) {
+		int c = 0;
+		while (pids_waiting[c] && pids_waiting[c] != current->pid)
+			c++;
+		if (c < PIDS_WAITING_MAX) {
+			if (!pids_waiting[c]) {
+				pids_waiting[c] = current->pid;
+				memcpy(pids_waiting_comm[c], current->comm, 16);
+				pids_waiting_j[c] = jiffies;
+			}
+			pids_waiting_c[c]++;
+		} else
+			pr_warn("overflowed pids_waiting counter\n");
+		
 		if (!overflow_counted) {
 			atomic_inc(&audit_overflows);
 			overflow_counted = 1;
@@ -1572,6 +1590,20 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 				}
 			}
 		}
+		if (audit_backlog_wait_time) {
+			int c = 0;
+			if (pids_waiting[0]) {
+				pr_warn("pids_waiting:");
+				while (pids_waiting[c]) {
+					printk(" %d\"%s\"(%lu:%d)", pids_waiting[c], pids_waiting_comm[c], pids_waiting_j[c], pids_waiting_c[c]);
+					pids_waiting[c] = pids_waiting_c[c] = 0;
+					if (c++ >= PIDS_WAITING_MAX) {
+						break;
+						printk("\n");
+					}
+				}
+			}
+		}
 		if (audit_rate_check() && printk_ratelimit())
 			pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n",
 				skb_queue_len(&audit_skb_queue),
-- 
1.7.1

^ permalink raw reply related

* [ARCHIVE DEBUG 11/13] audit_debug: instrument audit_receive timing
From: Richard Guy Briggs @ 2015-10-22 18:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1445536765.git.rgb@redhat.com>

Debug the timing and stalling of calls to audit_receive() for
processes we care about.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 9e9c02b..76b6878 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1136,6 +1136,18 @@ static void audit_receive(struct sk_buff  *skb)
 	
 	pid_t pid = 0;
 
+	int pr = 0;
+	//pid_t audit_pid_cached;
+	pid_t audit_pid_cached = audit_pid;
+
+	if (current->tgid == 1 || (audit_pid && audit_pid == current->tgid)) {
+		//pr_warn("( %lu )audit_receive apid=%d pid=%d(%s) Qlen=%d\n",
+			//jiffies, audit_pid, current->pid, current->comm, skb_queue_len(&audit_skb_queue));
+		pr = 1;
+	//} else {
+		//audit_pid_cached = audit_pid;
+	}
+
 	if (!mutex_trylock(&audit_cmd_mutex)) {
 		rcu_read_lock();
 		owner = ACCESS_ONCE(audit_cmd_mutex.owner);
@@ -1150,6 +1162,10 @@ static void audit_receive(struct sk_buff  *skb)
 	}
 	audit_receive_skb(skb);
 	mutex_unlock(&audit_cmd_mutex);
+
+	if (pr || current->tgid == 1 || (audit_pid && audit_pid == current->tgid))
+		pr_warn("( %lu %lu )audit_receive-exit apid=%d apid-old=%d pid=%d(%s) Qlen=%d\n",
+			trytime, jiffies - trytime, audit_pid, audit_pid_cached, current->pid, current->comm, skb_queue_len(&audit_skb_queue));
 }
 
 /* Run custom bind function on netlink socket group connect or bind requests. */
-- 
1.7.1

^ permalink raw reply related

* [ARCHIVE DEBUG 10/13] audit_debug: bark on impossible reserve process conditions in while loop
From: Richard Guy Briggs @ 2015-10-22 18:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1445536765.git.rgb@redhat.com>

Debug the expected impossibility of the audit_backlog_queue reserve
being used up.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index d6f4763..9e9c02b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1527,6 +1527,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 			atomic_inc(&audit_overflows);
 			overflow_counted = 1;
 		}
+		if (reserve) {
+			pr_warn("( %lu %lu )"
+				"  Qstuck apid=%d pid=%d comm=%s type=%d reserve=%d Qlen=%d\n",
+				timeout_start, jiffies-timeout_start,
+				audit_pid, current->pid, current->comm, type, reserve, skb_queue_len(&audit_skb_queue));
+		}
 		if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time) {
 			long sleep_time;
 
@@ -1534,6 +1540,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 				atomic_inc(&audit_waiters);
 				waiter = 1;
 			}
+			if (reserve) {
+				pr_warn("( %lu %lu )"
+					"   Qreallystuck apid=%d pid=%d comm=%s type=%d reserve=%d Qlen=%d\n",
+					timeout_start, jiffies-timeout_start,
+					audit_pid, current->pid, current->comm, type, reserve, skb_queue_len(&audit_skb_queue));
+			}
 			sleep_time = timeout_start + audit_backlog_wait_time - jiffies;
 			if (sleep_time > 0) {
 				sleep_time = wait_for_auditd(sleep_time);
-- 
1.7.1

^ permalink raw reply related

* [ARCHIVE DEBUG 09/13] netlink_debug: instrument timing of calls by init/systemd or audit_pid
From: Richard Guy Briggs @ 2015-10-22 18:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1445536765.git.rgb@redhat.com>

Debug the timing and stalling of calls to netlink_sendmsg() for
processes we care about with any error return values.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 net/netlink/af_netlink.c |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 05919bf..ba5eedf 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2256,6 +2256,8 @@ static void netlink_cmsg_recv_pktinfo(struct msghdr *msg, struct sk_buff *skb)
 	put_cmsg(msg, SOL_NETLINK, NETLINK_PKTINFO, sizeof(info), &info);
 }
 
+extern int audit_pid;
+
 static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
 			   struct msghdr *msg, size_t len)
 {
@@ -2268,10 +2270,19 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
 	int err;
 	struct scm_cookie scm;
 	u32 netlink_skb_flags = 0;
+	//unsigned long trytime = 0;
+	unsigned long trytime = jiffies;
+	pid_t audit_pid_cached = audit_pid;
+	int pr;
 
 	if (msg->msg_flags&MSG_OOB)
 		return -EOPNOTSUPP;
 
+	if (current->tgid == 1 || (audit_pid && audit_pid == current->tgid))
+		//pr_warn("( %lu )netlink_sendmsg apid=%d pid=%d(%s)\n",
+			//trytime = jiffies, audit_pid, current->pid, current->comm);
+		pr = 1;
+
 	err = scm_send(sock, msg, &scm, true);
 	if (err < 0)
 		return err;
@@ -2343,6 +2354,11 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
 
 out:
 	scm_destroy(&scm);
+
+	if (pr || current->tgid == 1 || (audit_pid && audit_pid == current->tgid))
+		pr_warn("( %lu %lu )netlink_sendmsg-exit apid=%d apid-old=%d pid=%d(%s) err=%d\n",
+			trytime, jiffies - trytime, audit_pid, audit_pid_cached, current->pid, current->comm, err);
+
 	return err;
 }
 
-- 
1.7.1

^ permalink raw reply related

* [ARCHIVE DEBUG 08/13] audit_debug: seperate out audit_titles in proc display
From: Richard Guy Briggs @ 2015-10-22 18:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1445536765.git.rgb@redhat.com>

Format debugging output in /proc/audit to seperate titles and data output to one
line each in /proc/audit and /proc/audit_titles.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c |   20 ++++++++++++++++++--
 1 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index a586bf2..d6f4763 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1204,7 +1204,7 @@ static struct pernet_operations audit_net_ops __net_initdata = {
 };
 
 /* Display information about audit subsystem */
-static int proc_auditstats_show(struct seq_file *m, void *v)
+static int proc_auditstatstitles_show(struct seq_file *m, void *v)
 {
 	//seq_printf(m, "init\t");
 	//seq_printf(m, "en\t");
@@ -1231,7 +1231,23 @@ static int proc_auditstats_show(struct seq_file *m, void *v)
 	seq_printf(m, "recover\t");
 	seq_printf(m, "reserve\t");
 	seq_printf(m, "\n");
+	return 0;
+}
+
+static int auditstatstitles_open(struct inode *inode, struct file *file)
+{
+	return single_open(file, proc_auditstatstitles_show, NULL);
+}
+
+static const struct file_operations proc_auditstatstitles_operations = {
+	.open = auditstatstitles_open,
+	.read = seq_read,
+	.llseek = seq_lseek,
+	.release = single_release,
+};
 
+static int proc_auditstats_show(struct seq_file *m, void *v)
+{
 	//seq_printf(m, "%d\t", audit_initialized);
 	//seq_printf(m, "%u\t", audit_enabled);
 	//seq_printf(m, "%u\t", audit_ever_enabled);
@@ -1257,7 +1273,6 @@ static int proc_auditstats_show(struct seq_file *m, void *v)
 	seq_printf(m, "%d\t", atomic_read(&audit_recovers));
 	seq_printf(m, "%d\t", atomic_read(&audit_reserves));
 	seq_printf(m, "\n");
-
 	return 0;
 }
 
@@ -1296,6 +1311,7 @@ static int __init audit_init(void)
 	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
 		INIT_LIST_HEAD(&audit_inode_hash[i]);
 
+	proc_create("audit_titles", 0, NULL, &proc_auditstatstitles_operations);
 	proc_create("audit", 0, NULL, &proc_auditstats_operations);
 
 	return 0;
-- 
1.7.1

^ permalink raw reply related

* [ARCHIVE DEBUG 07/13] audit_debug: instrument audit_cmd_mutex contention
From: Richard Guy Briggs @ 2015-10-22 18:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1445536765.git.rgb@redhat.com>

Debug contention for the audit_cmd_mutex including timing, stalling
and identies of holder and requestor.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c |   18 +++++++++++++++++-
 1 files changed, 17 insertions(+), 1 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 93a466b..a586bf2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1131,7 +1131,23 @@ static void audit_receive_skb(struct sk_buff *skb)
 /* Receive messages from netlink socket. */
 static void audit_receive(struct sk_buff  *skb)
 {
-	mutex_lock(&audit_cmd_mutex);
+	struct task_struct *owner;
+	unsigned long trytime = jiffies;
+	
+	pid_t pid = 0;
+
+	if (!mutex_trylock(&audit_cmd_mutex)) {
+		rcu_read_lock();
+		owner = ACCESS_ONCE(audit_cmd_mutex.owner);
+		if (owner)
+			pid = owner->pid;
+		rcu_read_unlock();
+		pr_warn("( %lu %lu )audit_cmd_mutex apid=%d Qlen=%d %d(%s) trying, already held by %d\n",
+			trytime, jiffies - trytime, audit_pid, skb_queue_len(&audit_skb_queue), current->pid, current->comm, pid);
+		mutex_lock(&audit_cmd_mutex);
+		pr_warn("( %lu %lu )audit_cmd_mutex apid=%d Qlen=%d %d(%s) acquired, released by %d\n",
+			trytime, jiffies - trytime, audit_pid, skb_queue_len(&audit_skb_queue), current->pid, current->comm, pid);
+	}
 	audit_receive_skb(skb);
 	mutex_unlock(&audit_cmd_mutex);
 }
-- 
1.7.1

^ permalink raw reply related

* [ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config
From: Richard Guy Briggs @ 2015-10-22 18:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1445536765.git.rgb@redhat.com>

Debug the possibility of systemd changing the audit config causing
shutdown delays by blocking all such requests.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c |   14 ++++++++------
 1 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 30b3b08..93a466b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -680,18 +680,20 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	case AUDIT_ADD:
 	case AUDIT_DEL:
 		return -EOPNOTSUPP;
-	case AUDIT_GET:
 	case AUDIT_SET:
-	case AUDIT_GET_FEATURE:
 	case AUDIT_SET_FEATURE:
-	case AUDIT_LIST_RULES:
 	case AUDIT_ADD_RULE:
 	case AUDIT_DEL_RULE:
-	case AUDIT_SIGNAL_INFO:
-	case AUDIT_TTY_GET:
-	case AUDIT_TTY_SET:
 	case AUDIT_TRIM:
 	case AUDIT_MAKE_EQUIV:
+	case AUDIT_TTY_SET:
+		if (current->tgid == 1)
+			return -EPERM;
+	case AUDIT_GET:
+	case AUDIT_GET_FEATURE:
+	case AUDIT_LIST_RULES:
+	case AUDIT_SIGNAL_INFO:
+	case AUDIT_TTY_GET:
 		/* Only support auditd and auditctl in initial pid namespace
 		 * for now. */
 		if ((task_active_pid_ns(current) != &init_pid_ns))
-- 
1.7.1

^ permalink raw reply related

* [ARCHIVE DEBUG 05/13] audit_debug: proc debug output easier to paste
From: Richard Guy Briggs @ 2015-10-22 18:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1445536765.git.rgb@redhat.com>

Convert /proc/audit debug output from label-value per line to one title
line with one output line.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c |   75 ++++++++++++++++++++++++++++++++++++++------------------
 1 files changed, 51 insertions(+), 24 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index ffdec0c..30b3b08 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1188,30 +1188,57 @@ static struct pernet_operations audit_net_ops __net_initdata = {
 /* Display information about audit subsystem */
 static int proc_auditstats_show(struct seq_file *m, void *v)
 {
-	//seq_printf(m, "audit_initialized\t%d\n", audit_initialized);
-	//seq_printf(m, "audit_enabled\t%u\n", audit_enabled);
-	//seq_printf(m, "audit_ever_enabled\t%u\n", audit_ever_enabled);
-	//seq_printf(m, "audit_default\t%u\n", audit_default);
-	//seq_printf(m, "audit_failure\t%u\n", audit_failure);
-	seq_printf(m, "audit_pid\t\t\t%d\n", audit_pid);
-	//seq_printf(m, "audit_nlk_portid\t%u\n", audit_nlk_portid);
-	//seq_printf(m, "audit_rate_limit\t%u\n", audit_rate_limit);
-	//seq_printf(m, "audit_backlog_limit\t%u\n", audit_backlog_limit);
-	//seq_printf(m, "audit_backlog_wait_time\t%u\n", audit_backlog_wait_time);
-	//seq_printf(m, "audit_sig_uid\t%u\n", from_kuid(&init_user_ns, audit_sig_uid));
-	//seq_printf(m, "audit_sig_pid\t%d\n", audit_sig_pid);
-	//seq_printf(m, "audit_sig_sid\t%u\n", audit_sig_sid);
-	seq_printf(m, "audit_lost\t\t\t%d\n", atomic_read(&audit_lost));
-	seq_printf(m, "audit_hold_lost\t\t\t%d\n", atomic_read(&audit_hold_lost));
-	seq_printf(m, "audit_freelist_count\t\t%u\n", audit_freelist_count);
-	seq_printf(m, "audit_skb_queue len\t\t%d\n", skb_queue_len(&audit_skb_queue));
-	seq_printf(m, "audit_skb_queue len_max\t\t%d\n", skb_queue_len_max(&audit_skb_queue));
-	seq_printf(m, "audit_skb_hold_queue len\t%d\n", skb_queue_len(&audit_skb_hold_queue));
-	seq_printf(m, "audit_skb_hold_queue len_max\t%d\n", skb_queue_len_max(&audit_skb_hold_queue));
-	seq_printf(m, "audit_overflows\t\t\t%d\n", atomic_read(&audit_overflows));
-	seq_printf(m, "audit_waiters\t\t\t%d\n", atomic_read(&audit_waiters));
-	seq_printf(m, "audit_recovers\t\t\t%d\n", atomic_read(&audit_recovers));
-	seq_printf(m, "audit_reserves\t\t\t%d\n", atomic_read(&audit_reserves));
+	//seq_printf(m, "init\t");
+	//seq_printf(m, "en\t");
+	//seq_printf(m, "ever_en\t");
+	//seq_printf(m, "def\t");
+	//seq_printf(m, "failure\t");
+	seq_printf(m, "pid\t");
+	//seq_printf(m, "portid\t");
+	//seq_printf(m, "rt_lim\t");
+	//seq_printf(m, "bk_lim\t");
+	//seq_printf(m, "bk_wait\t");
+	//seq_printf(m, "sig_uid\t");
+	//seq_printf(m, "sig_pid\t");
+	//seq_printf(m, "sig_sid\t");
+	seq_printf(m, "lost\t");
+	seq_printf(m, "hlost\t");
+	seq_printf(m, "freelis\t");
+	seq_printf(m, "Qln\t");
+	seq_printf(m, "Qln_mx\t");
+	seq_printf(m, "hQln\t");
+	seq_printf(m, "hQln_mx\t");
+	seq_printf(m, "oflow\t");
+	seq_printf(m, "waiter\t");
+	seq_printf(m, "recover\t");
+	seq_printf(m, "reserve\t");
+	seq_printf(m, "\n");
+
+	//seq_printf(m, "%d\t", audit_initialized);
+	//seq_printf(m, "%u\t", audit_enabled);
+	//seq_printf(m, "%u\t", audit_ever_enabled);
+	//seq_printf(m, "%u\t", audit_default);
+	//seq_printf(m, "%u\t", audit_failure);
+	seq_printf(m, "%d\t", audit_pid);
+	//seq_printf(m, "%u\t", audit_nlk_portid);
+	//seq_printf(m, "%u\t", audit_rate_limit);
+	//seq_printf(m, "%u\t", audit_backlog_limit);
+	//seq_printf(m, "%u\t", audit_backlog_wait_time);
+	//seq_printf(m, "%u\t", from_kuid(&init_user_ns, audit_sig_uid));
+	//seq_printf(m, "%d\t", audit_sig_pid);
+	//seq_printf(m, "%u\t", audit_sig_sid);
+	seq_printf(m, "%d\t", atomic_read(&audit_lost));
+	seq_printf(m, "%d\t", atomic_read(&audit_hold_lost));
+	seq_printf(m, "%u\t", audit_freelist_count);
+	seq_printf(m, "%d\t", skb_queue_len(&audit_skb_queue));
+	seq_printf(m, "%d\t", skb_queue_len_max(&audit_skb_queue));
+	seq_printf(m, "%d\t", skb_queue_len(&audit_skb_hold_queue));
+	seq_printf(m, "%d\t", skb_queue_len_max(&audit_skb_hold_queue));
+	seq_printf(m, "%d\t", atomic_read(&audit_overflows));
+	seq_printf(m, "%d\t", atomic_read(&audit_waiters));
+	seq_printf(m, "%d\t", atomic_read(&audit_recovers));
+	seq_printf(m, "%d\t", atomic_read(&audit_reserves));
+	seq_printf(m, "\n");
 
 	return 0;
 }
-- 
1.7.1

^ permalink raw reply related


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox