On 05.05.2023 01:53, Tetsuo Handa wrote:
On 2023/05/05 3:40, Paul Moore wrote:
On Wed, May 3, 2023 at 10:50 PM Tetsuo Handa
<penguin-ker...@i-love.sakura.ne.jp> wrote:
On 2023/05/04 7:12, Rinat Gadelshin wrote:
On 04.05.2023 00:27, Paul Moore wrote:
Can you be more specific about the kernel threads you are seeing, are
you seeing multiple "kauditd" threads?

% ps -fC kauditd
UID          PID    PPID  C STIME TTY          TIME CMD
root          89       2  0 Apr28 ?        00:00:00 [kauditd]
I don't think so.

kernel audit subsystem uses kthread_run() in order to run short-lived kernel threads.
Thanks Tetsuo, I agree that's far more likely.  Ever since I took over
shepherding the audit code, all of the thread issues have been around
the main audit queue thread so it's a bit reflexive to assume that is
the case :)

Since kthread_run(audit_send_list_thread) is called by audit_receive_msg(AUDIT_LIST_RULES)
via audit_list_rules_send(), trying to audit fork requests via AUDIT_LIST_RULES will cause
spam. Maybe something is going wrong with the "And such events occurred 1208 times when
AUDIT_LIST_RULES is sending." part; let's wait for what printk() says.

By the way, why do we need to use kthread_run() for short-lived tasks? Can't we use
a dedicated workqueue, which would significantly reduce the frequency of fork requests
for AUDIT_LIST_RULES requests?

Hello there =)
Sorry for my long absence.

I've managed to build and install the custom kernel (from Linus' branch with Tetsuo's patch for logging).

The following rules were dictated by my netlink (with the poll rule's logic disabled):

-a always,exit -F arch=b32 -S fork,execve,clone,vfork,execveat
-a always,exit -F arch=b64 -S clone,fork,vfork,execve,execveat
-a never,exit -F pid=4641
-a never,exit -F ppid=4641
-a never,exit -F pid=1
-a never,exit -F ppid=1
-a always,exit -F arch=b64 -S kill,ptrace
-a always,exit -F arch=b32 -S ptrace,kill
-a always,exit -F arch=b64 -S exit,exit_group
-a always,exit -F arch=b32 -S exit,exit_group
-a always,exit -F arch=b64 -S connect,accept,accept4
-a always,exit -F arch=b32 -S connect,accept4
-a always,exit -F arch=b64 -S open,creat,openat,437
-a always,exit -F arch=b64 -S rename,renameat,renameat2
-a always,exit -F arch=b32 -S rename,renameat,renameat2
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat
-a always,exit -F arch=b64 -S link,symlink,linkat,symlinkat
-a always,exit -F arch=b32 -S link,symlink,linkat,symlinkat
-a always,exit -F arch=b64 -S mount,umount2
-a always,exit -F arch=b32 -S mount,umount,umount2
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid,setresuid,setresgid
-a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid,setresuid,setresgid
-a always,exit -F arch=b64 -S mmap,mprotect -F a2=0x7
-a always,exit -F arch=b32 -S mmap,mprotect -F a2=0x7
-a always,exit -F arch=b64 -S unlink,unlinkat
-a always,exit -F arch=b32 -S unlink,unlinkat
-a always,exit -F arch=b64 -S ioctl -F a2=0x40086602
-a always,exit -F arch=b32 -S ioctl -F a2=0x40086602

Only one `auditctl -l` request was performed.
I see the following response in syslog for the request:

May  6 01:01:19 gadelshin-ri-nb kernel: [  110.474111] audit: Started audit_send_reply_thread
May  6 01:01:19 gadelshin-ri-nb kernel: [  110.474123] audit: Finished audit_send_reply_thread
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972014] audit: Started audit_send_list_thread
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972020] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972023] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972023] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972024] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972025] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972026] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972026] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972027] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972028] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972029] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972029] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972030] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972030] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972031] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972032] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972032] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972033] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972034] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972034] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972035] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972035] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972036] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972037] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972038] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972038] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972039] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972039] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972040] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972040] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972041] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972042] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972043] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972044] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972045] audit: Finished audit_send_list_thread
May  6 01:01:21 gadelshin-ri-nb kernel: [  112.485659] audit: Started audit_send_reply_thread
May  6 01:01:21 gadelshin-ri-nb kernel: [  112.485689] audit: Finished audit_send_reply_thread
May  6 01:01:23 gadelshin-ri-nb kernel: [  114.501072] audit: Started audit_send_reply_thread
May  6 01:01:23 gadelshin-ri-nb kernel: [  114.501076] audit: Finished audit_send_reply_thread
May  6 01:01:24 gadelshin-ri-nb auditd[1210]: Audit daemon rotating log files
May  6 01:01:25 gadelshin-ri-nb kernel: [  116.506645] audit: Started audit_send_reply_thread
May  6 01:01:25 gadelshin-ri-nb kernel: [  116.506656] audit: Finished audit_send_reply_thread
May  6 01:01:27 gadelshin-ri-nb kernel: [  118.512282] audit: Started audit_send_reply_thread
May  6 01:01:27 gadelshin-ri-nb kernel: [  118.512306] audit: Finished audit_send_reply_thread

`git describe` shows: v6.3-13027-g1a5304fecee5
Distribution is Ubuntu 20.04 (x64)

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
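To triage printk() output like the syslog excerpt in the mail above, here is an added example (written for this page, not code from the thread or from the kernel tree) that pairs each "Started"/"Finished" line per kthread name and counts the "Calling netlink unicast" lines inside each audit_send_list_thread run. The sample log is a constructed, trimmed copy of the excerpt with one extra unfinished "Started" line added to exercise that case.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the mail's excerpt plus one unfinished Start.
SAMPLE_LOG = """\
May  6 01:01:19 gadelshin-ri-nb kernel: [  110.474111] audit: Started audit_send_reply_thread
May  6 01:01:19 gadelshin-ri-nb kernel: [  110.474123] audit: Finished audit_send_reply_thread
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972014] audit: Started audit_send_list_thread
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972020] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972023] audit: Calling netlink unicast
May  6 01:01:20 gadelshin-ri-nb kernel: [  111.972045] audit: Finished audit_send_list_thread
May  6 01:01:21 gadelshin-ri-nb kernel: [  112.485659] audit: Started audit_send_reply_thread
May  6 01:01:21 gadelshin-ri-nb kernel: [  112.485689] audit: Finished audit_send_reply_thread
May  6 01:01:24 gadelshin-ri-nb auditd[1210]: Audit daemon rotating log files
May  6 01:01:27 gadelshin-ri-nb kernel: [  118.512282] audit: Started audit_send_reply_thread
"""

# Matches only kernel lines carrying the debug printk() from Tetsuo's patch.
LINE_RE = re.compile(r"kernel: \[\s*(?P<sec>\d+)\.(?P<us>\d{6})\] audit: (?P<event>.+)$")

def summarize_audit_threads(log_text):
    """Pair 'Started <thread>' with 'Finished <thread>' per thread name; "unicasts"
    counts 'Calling netlink unicast' lines inside each audit_send_list_thread run
    (one per rule returned for an AUDIT_LIST_RULES request)."""
    open_runs = {}  # thread name -> [start time in us, unicast count]
    summary = defaultdict(lambda: {"runs": 0, "unfinished": 0, "max_us": 0, "unicasts": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # auditd and other userspace lines are skipped
        ts, event = int(m["sec"]) * 1_000_000 + int(m["us"]), m["event"]
        if event.startswith("Started "):
            name = event.split(" ", 1)[1]
            if name in open_runs:  # previous Start never Finished: flag it
                summary[name]["unfinished"] += 1
            open_runs[name] = [ts, 0]
        elif event.startswith("Finished "):
            name = event.split(" ", 1)[1]
            run = open_runs.pop(name, None)
            if run is None:
                continue  # Finish without a Start (log began mid-run)
            s = summary[name]
            s["runs"] += 1
            s["max_us"] = max(s["max_us"], ts - run[0])
            s["unicasts"].append(run[1])
        elif event == "Calling netlink unicast" and "audit_send_list_thread" in open_runs:
            open_runs["audit_send_list_thread"][1] += 1
    for name in open_runs:  # still running when the log ended
        summary[name]["unfinished"] += 1
    return dict(summary)
```

On the full excerpt this gives one audit_send_list_thread run with 33 unicasts, i.e. one short-lived kthread per `auditctl -l` plus one reply kthread per other request, which is what the fork-auditing rules then see.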