public inbox for linux-kernel@vger.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Jiri Kosina <jikos@kernel.org>, Andy Lutomirski <luto@kernel.org>,
	linux-audit@redhat.com, Andrew Morton <akpm@linux-foundation.org>,
	Michal Hocko <mhocko@suse.com>, Oleg Nesterov <oleg@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] audit: set  TIF_AUDIT_SYSCALL only if audit filter has been populated
Date: Sat, 10 Mar 2018 11:15:35 +0100	[thread overview]
Message-ID: <20180310111535.2e3202bc@ivy-bridge> (raw)
In-Reply-To: <CAHC9VhTipRUv+RB6JPTrHYkVW1vktg5yodD7iZCqgR9Z57Y+zg@mail.gmail.com>

On Wed, 7 Mar 2018 18:43:42 -0500
Paul Moore <paul@paul-moore.com> wrote:
> ... and I just realized that linux-audit isn't on the To/CC line,
> adding them now.
> 
> Link to the patch is below.
> 
> * https://marc.info/?t=152041887600003&r=1&w=2

Yes... I wish I had been in on the beginning of this discussion. Here's the
problem. We need all tasks auditable unless specifically dismissed as
uninteresting. This would be a task,never rule.

The way we look at it is: if it boots with audit=1, then we know auditd
is expected to run at some point. So, we need all tasks to stay
auditable. If they weren't and auditd enabled auditing, then we'd need
to walk the whole proctable and stab TIF_AUDIT_SYSCALL into every
process in the system. It was decided that this is too ugly.

So, we need them all to be auditable if there is any intent to audit.
It doesn't matter if there are rules loaded or not. All processes have
to stay within reach.

What might be acceptable is to add one more state to the audit boot variable
to indicate that auditing is never expected. We currently have:
disabled - which means we'll decide later, enabled, and immutable (no
changes allowed). Then have calls to audit_enable or loading rules
fail on that flag state so that user space can log that there is a
conflict (boot vs daemon) that has to be resolved. As long as we can
fail in a discoverable way, I think it would be OK to do something like
this. Also, I don't think we want that to be the default state at the
moment because the current default is keep all processes auditable.

-Steve
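The following is an added illustration of the state machine Steve describes, not code from the kernel or from the patch under discussion. It models the three existing boot states (the values mirror AUDIT_OFF, AUDIT_ON and AUDIT_LOCKED from include/uapi/linux/audit.h) plus the hypothetical fourth "never" state from the mail, and shows the two properties the mail asks for: every task stays auditable unless the boot state says auditing will never happen, and any attempt by the daemon to enable auditing or load rules in the "never" state fails with an error code user space can log as a boot-vs-daemon conflict. The struct, function names and the AUDIT_NEVER value are assumptions made for this model.

```c
/* Model of the audit enable-state machine from the mail above.
 * Added illustration, not kernel code: AUDIT_OFF/ON/LOCKED mirror the
 * uapi values; AUDIT_NEVER is the hypothetical fourth boot state.
 * Return values follow the negative-errno convention. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum audit_state {
    AUDIT_OFF    = 0,   /* "disabled": decide later, tasks stay auditable */
    AUDIT_ON     = 1,   /* "enabled" */
    AUDIT_LOCKED = 2,   /* "immutable": no further changes allowed */
    AUDIT_NEVER  = 3,   /* hypothetical: auditing is never expected */
};

struct audit_ctl {
    enum audit_state state;
    int nrules;         /* number of loaded syscall rules */
};

/* Boot-time initialisation from the value given to audit= on the
 * command line; unknown values fall back to "decide later". */
static void audit_boot_init(struct audit_ctl *a, int boot_param)
{
    a->nrules = 0;
    switch (boot_param) {
    case 1:  a->state = AUDIT_ON;     break;
    case 2:  a->state = AUDIT_LOCKED; break;
    case 3:  a->state = AUDIT_NEVER;  break; /* hypothetical state */
    default: a->state = AUDIT_OFF;    break;
    }
}

/* Does a newly created task need TIF_AUDIT_SYSCALL?  Under the design
 * the mail defends, yes, regardless of whether rules are loaded, unless
 * the boot state promised that auditing will never be wanted. */
static bool audit_task_needs_syscall_flag(const struct audit_ctl *a)
{
    return a->state != AUDIT_NEVER;
}

/* Runtime state change requested by the daemon (auditd turning auditing
 * on, or locking it).  Fails in a discoverable way so user space can
 * report a conflict between the boot setting and the daemon's intent. */
static int audit_set_enabled(struct audit_ctl *a, enum audit_state req)
{
    if (a->state == AUDIT_LOCKED)
        return -EPERM;  /* immutable: no changes at all */
    if (a->state == AUDIT_NEVER)
        return -EPERM;  /* boot said "never", daemon wants otherwise */
    if (req != AUDIT_OFF && req != AUDIT_ON && req != AUDIT_LOCKED)
        return -EINVAL; /* "never" is boot-only; reject unknown states */
    a->state = req;
    return 0;
}

/* Loading a syscall rule must fail the same discoverable way. */
static int audit_add_rule(struct audit_ctl *a)
{
    if (a->state == AUDIT_LOCKED || a->state == AUDIT_NEVER)
        return -EPERM;
    a->nrules++;
    return 0;
}

int main(void)
{
    struct audit_ctl a;

    audit_boot_init(&a, 3); /* hypothetical audit=3: never */
    printf("never: task flag=%d set_enabled=%d add_rule=%d\n",
           audit_task_needs_syscall_flag(&a),
           audit_set_enabled(&a, AUDIT_ON), audit_add_rule(&a));

    audit_boot_init(&a, 0); /* current default: decide later */
    printf("off: task flag=%d set_enabled=%d add_rule=%d\n",
           audit_task_needs_syscall_flag(&a),
           audit_set_enabled(&a, AUDIT_ON), audit_add_rule(&a));
    return 0;
}
```

The point the model makes concrete is the second paragraph of the mail: in the default AUDIT_OFF state the task flag is still requested for every process, so a later audit_set_enabled() from auditd needs no walk over the process table; only the hypothetical AUDIT_NEVER state opts out, and it does so by refusing the daemon loudly rather than by silently dropping events.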

