On Wed, Feb 16, 2022 at 3:33 PM Richard Guy Briggs <r...@redhat.com> wrote: > > AUDIT_TIME_* events are generated when there are syscall rules present that > are > not related to time keeping. This will produce noisy log entries that could > flood the logs and hide events we really care about. > > Rather than immediately produce the AUDIT_TIME_* records, store the data in > the > context and log it at syscall exit time respecting the filter rules. > > Note: This eats the audit_buffer, unlike any others in show_special(). > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919 > > Fixes: 7e8eda734d30 ("ntp: Audit NTP parameters adjustment") > Fixes: 2d87a0674bd6 ("timekeeping: Audit clock adjustments") > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > Changelog: > v2: > - rename __audit_ntp_log_ to audit_log_ntp > - pre-check ntp before storing > - move tk out of the context union and move ntp logging to the bottom of > audit_show_special() > - restructure logging of ntp to use ab and allocate more only if more > - add Fixes lines > v3 > - move tk into union > - rename audit_log_ntp() to audit_log_time() and add tk > - key off both AUDIT_TIME_* but favour NTP > v4 > - drop tk goto in favour of ntp if clause > - add comments to clarify calling function buffer expectations > v5 > - hold my nose and swallow the audit_buffer in audit_log_time() > > kernel/audit.h | 4 +++ > kernel/auditsc.c | 85 ++++++++++++++++++++++++++++++++++++------------ > 2 files changed, 69 insertions(+), 20 deletions(-)
... > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index fce5d43a933f..53d684966350 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1340,6 +1340,51 @@ static void audit_log_fcaps(struct audit_buffer *ab, > struct audit_names *name) > from_kuid(&init_user_ns, name->fcap.rootid)); > } > > +void audit_log_time(struct audit_context *context, struct audit_buffer **ab) It seems like audit_log_time() could be declared as a static function, no? We're only ever going to use it from show_special(), right? > +{ > + const struct audit_ntp_data *ntp = &context->time.ntp_data; > + const struct timespec64 *tk = &context->time.tk_injoffset; > + const char *ntp_name[] = { > + "offset", > + "freq", > + "status", > + "tai", > + "tick", > + "adjust", > + }; Similarly, should the ntp_name array be declared as a static const array? FWIW, a modern checkpatch would have flagged this. > + int type; > + > + if (context->type == AUDIT_TIME_ADJNTPVAL) { > + for (type = 0; type < AUDIT_NTP_NVALS; type++) { > + if (ntp->vals[type].newval != ntp->vals[type].oldval) > { > + if (!*ab) { > + *ab = audit_log_start(context, > GFP_KERNEL, > + > AUDIT_TIME_ADJNTPVAL); > + if (!*ab) > + return; > + } > + audit_log_format(*ab, "op=%s old=%lli > new=%lli", > + ntp_name[type], > ntp->vals[type].oldval, > + ntp->vals[type].newval); > + audit_log_end(*ab); > + *ab = NULL; > + } > + } > + } > + if (tk->tv_sec != 0 || tk->tv_nsec != 0) { > + if (!*ab) { > + *ab = audit_log_start(context, GFP_KERNEL, > + AUDIT_TIME_INJOFFSET); > + if (!*ab) > + return; > + } > + audit_log_format(*ab, "sec=%lli nsec=%li", > + (long long)tk->tv_sec, tk->tv_nsec); > + audit_log_end(*ab); > + *ab = NULL; > + } > +} -- paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit