tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'audit-pr-20220321' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit update from Paul Moore:
"Just one audit patch queued for v5.18:

- Change the AUDIT_TIME_* record generation so that they are
generated at syscall exit time and subject to all of the normal
syscall exit filtering.

This should help reduce noise and ensure those records which are
most relevant to the admin's audit configuration are recorded in
the audit log"

* tag 'audit-pr-20220321' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: log AUDIT_TIME_* records only from rules

Linus Torvalds b47d5a4f c269497d

+71 -20
+4
kernel/audit.h
··· 201 201 struct { 202 202 char *name; 203 203 } module; 204 + struct { 205 + struct audit_ntp_data ntp_data; 206 + struct timespec64 tk_injoffset; 207 + } time; 204 208 }; 205 209 int fds[2]; 206 210 struct audit_proctitle proctitle;
+67 -20
kernel/auditsc.c
··· 1340 1340 from_kuid(&init_user_ns, name->fcap.rootid)); 1341 1341 } 1342 1342 1343 + static void audit_log_time(struct audit_context *context, struct audit_buffer **ab) 1344 + { 1345 + const struct audit_ntp_data *ntp = &context->time.ntp_data; 1346 + const struct timespec64 *tk = &context->time.tk_injoffset; 1347 + static const char * const ntp_name[] = { 1348 + "offset", 1349 + "freq", 1350 + "status", 1351 + "tai", 1352 + "tick", 1353 + "adjust", 1354 + }; 1355 + int type; 1356 + 1357 + if (context->type == AUDIT_TIME_ADJNTPVAL) { 1358 + for (type = 0; type < AUDIT_NTP_NVALS; type++) { 1359 + if (ntp->vals[type].newval != ntp->vals[type].oldval) { 1360 + if (!*ab) { 1361 + *ab = audit_log_start(context, 1362 + GFP_KERNEL, 1363 + AUDIT_TIME_ADJNTPVAL); 1364 + if (!*ab) 1365 + return; 1366 + } 1367 + audit_log_format(*ab, "op=%s old=%lli new=%lli", 1368 + ntp_name[type], 1369 + ntp->vals[type].oldval, 1370 + ntp->vals[type].newval); 1371 + audit_log_end(*ab); 1372 + *ab = NULL; 1373 + } 1374 + } 1375 + } 1376 + if (tk->tv_sec != 0 || tk->tv_nsec != 0) { 1377 + if (!*ab) { 1378 + *ab = audit_log_start(context, GFP_KERNEL, 1379 + AUDIT_TIME_INJOFFSET); 1380 + if (!*ab) 1381 + return; 1382 + } 1383 + audit_log_format(*ab, "sec=%lli nsec=%li", 1384 + (long long)tk->tv_sec, tk->tv_nsec); 1385 + audit_log_end(*ab); 1386 + *ab = NULL; 1387 + } 1388 + } 1389 + 1343 1390 static void show_special(struct audit_context *context, int *call_panic) 1344 1391 { 1345 1392 struct audit_buffer *ab; ··· 1500 1453 } else 1501 1454 audit_log_format(ab, "(null)"); 1502 1455 1456 + break; 1457 + case AUDIT_TIME_ADJNTPVAL: 1458 + case AUDIT_TIME_INJOFFSET: 1459 + /* this call deviates from the rest, eating the buffer */ 1460 + audit_log_time(context, &ab); 1503 1461 break; 1504 1462 } 1505 1463 audit_log_end(ab); ··· 2901 2849 2902 2850 void __audit_tk_injoffset(struct timespec64 offset) 2903 2851 { 2904 - audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET, 2905 - "sec=%lli nsec=%li", 2906 - (long long)offset.tv_sec, offset.tv_nsec); 2907 - } 2852 + struct audit_context *context = audit_context(); 2908 2853 2909 - static void audit_log_ntp_val(const struct audit_ntp_data *ad, 2910 - const char *op, enum audit_ntp_type type) 2911 - { 2912 - const struct audit_ntp_val *val = &ad->vals[type]; 2913 - 2914 - if (val->newval == val->oldval) 2915 - return; 2916 - 2917 - audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_ADJNTPVAL, 2918 - "op=%s old=%lli new=%lli", op, val->oldval, val->newval); 2854 + /* only set type if not already set by NTP */ 2855 + if (!context->type) 2856 + context->type = AUDIT_TIME_INJOFFSET; 2857 + memcpy(&context->time.tk_injoffset, &offset, sizeof(offset)); 2919 2858 } 2920 2859 2921 2860 void __audit_ntp_log(const struct audit_ntp_data *ad) 2922 2861 { 2923 - audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET); 2924 - audit_log_ntp_val(ad, "freq", AUDIT_NTP_FREQ); 2925 - audit_log_ntp_val(ad, "status", AUDIT_NTP_STATUS); 2926 - audit_log_ntp_val(ad, "tai", AUDIT_NTP_TAI); 2927 - audit_log_ntp_val(ad, "tick", AUDIT_NTP_TICK); 2928 - audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST); 2862 + struct audit_context *context = audit_context(); 2863 + int type; 2864 + 2865 + for (type = 0; type < AUDIT_NTP_NVALS; type++) 2866 + if (ad->vals[type].newval != ad->vals[type].oldval) { 2867 + /* unconditionally set type, overwriting TK */ 2868 + context->type = AUDIT_TIME_ADJNTPVAL; 2869 + memcpy(&context->time.ntp_data, ad, sizeof(*ad)); 2870 + break; 2871 + } 2929 2872 } 2930 2873 2931 2874 void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,