Re: [RFC PATCH ghak90 (was ghak32) V3 04/10] audit: add support for... | netdev

[RFC PATCH ghak90 (was ghak32) V3 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2018-06-06
[RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id · Steve Grubb <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-07-20
Re: [RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id · Richard Guy Briggs <hidden> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id · Richard Guy Briggs <hidden> · 2018-07-30
[RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Steve Grubb <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Paul Moore <paul@paul-moore.com> · 2018-07-20
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-07-21
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Steve Grubb <hidden> · 2018-07-22
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-07-22
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-07-22
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Steve Grubb <hidden> · 2018-07-23
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-07-23
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Steve Grubb <hidden> · 2018-07-23
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Paul Moore <paul@paul-moore.com> · 2018-07-23
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-07-26
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-07-31
Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls · Paul Moore <paul@paul-moore.com> · 2018-07-23
[RFC PATCH ghak90 (was ghak32) V3 03/10] audit: add containerid support for ptrace and signals · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 03/10] audit: add containerid support for ptrace and signals · Paul Moore <paul@paul-moore.com> · 2018-07-20
[RFC PATCH ghak90 (was ghak32) V3 07/10] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 07/10] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2018-07-20
Re: [RFC PATCH ghak90 (was ghak32) V3 07/10] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 07/10] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 07/10] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2018-07-26
[RFC PATCH ghak90 (was ghak32) V3 08/10] audit: NETFILTER_PKT: record each container ID associated with a netNS · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 08/10] audit: NETFILTER_PKT: record each container ID associated with a netNS · Paul Moore <paul@paul-moore.com> · 2018-07-20
Re: [RFC PATCH ghak90 (was ghak32) V3 08/10] audit: NETFILTER_PKT: record each container ID associated with a netNS · Steve Grubb <hidden> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 08/10] audit: NETFILTER_PKT: record each container ID associated with a netNS · Paul Moore <paul@paul-moore.com> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 08/10] audit: NETFILTER_PKT: record each container ID associated with a netNS · Richard Guy Briggs <hidden> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 08/10] audit: NETFILTER_PKT: record each container ID associated with a netNS · Laura Garcia <hidden> · 2018-07-21
[RFC PATCH ghak90 (was ghak32) V3 09/10] debug audit: read container ID of a process · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 09/10] debug audit: read container ID of a process · Paul Moore <paul@paul-moore.com> · 2018-07-20
Re: [RFC PATCH ghak90 (was ghak32) V3 09/10] debug audit: read container ID of a process · Richard Guy Briggs <hidden> · 2018-07-21
[RFC PATCH ghak90 (was ghak32) V3 10/10] rfkill: fix spelling mistake contidion to condition · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 10/10] rfkill: fix spelling mistake contidion to condition · Paul Moore <paul@paul-moore.com> · 2018-07-18
[RFC PATCH ghak90 (was ghak32) V3 04/10] audit: add support for non-syscall auxiliary records · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 04/10] audit: add support for non-syscall auxiliary records · Paul Moore <paul@paul-moore.com> · 2018-07-20
Re: [RFC PATCH ghak90 (was ghak32) V3 04/10] audit: add support for non-syscall auxiliary records · Richard Guy Briggs <hidden> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 04/10] audit: add support for non-syscall auxiliary records · Paul Moore <paul@paul-moore.com> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 04/10] audit: add support for non-syscall auxiliary records · Richard Guy Briggs <hidden> · 2018-07-26
[RFC PATCH ghak90 (was ghak32) V3 05/10] audit: add containerid support for tty_audit · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 05/10] audit: add containerid support for tty_audit · Paul Moore <paul@paul-moore.com> · 2018-07-20
Re: [RFC PATCH ghak90 (was ghak32) V3 05/10] audit: add containerid support for tty_audit · Richard Guy Briggs <hidden> · 2018-07-24
Re: [RFC PATCH ghak90 (was ghak32) V3 05/10] audit: add containerid support for tty_audit · Paul Moore <paul@paul-moore.com> · 2018-07-24
[RFC PATCH ghak90 (was ghak32) V3 06/10] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2018-06-06
Re: [RFC PATCH ghak90 (was ghak32) V3 06/10] audit: add containerid filtering · Paul Moore <paul@paul-moore.com> · 2018-07-20

Re: [RFC PATCH ghak90 (was ghak32) V3 04/10] audit: add support for non-syscall auxiliary records

From: Paul Moore <paul@paul-moore.com>
Date: 2018-07-24 23:05:45
Also in: cgroups, linux-api, linux-fsdevel, lkml

On Tue, Jul 24, 2018 at 3:40 PM Richard Guy Briggs [off-list ref] wrote:

On 2018-07-20 18:14, Paul Moore wrote:

quoted

On Wed, Jun 6, 2018 at 1:01 PM Richard Guy Briggs [off-list ref] wrote:

quoted

Standalone audit records have the timestamp and serial number generated
on the fly and as such are unique, making them standalone.  This new
function audit_alloc_local() generates a local audit context that will
be used only for a standalone record and its auxiliary record(s).  The
context is discarded immediately after the local associated records are
produced.

Signed-off-by: Richard Guy Briggs <redacted>
---
 include/linux/audit.h |  8 ++++++++
 kernel/auditsc.c      | 25 +++++++++++++++++++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)

...

quoted

+       struct audit_context *context;
+
+       if (!audit_ever_enabled)
+               return NULL; /* Return if not auditing. */
+
+       context = audit_alloc_context(AUDIT_RECORD_CONTEXT);
+       if (!context)
+               return NULL;
+       context->serial = audit_serial();
+       context->ctime = current_kernel_time64();
+       context->in_syscall = 1;

Setting in_syscall is both interesting and a bit troubling, if for no
other reason than I expect most (all?) callers to be in an interrupt
context when audit_alloc_local() is called.  Setting in_syscall would
appear to be conceptually in this case.  Can you help explain why this
is the right thing to do, or necessary to ensure things are handled
correctly?

I'll admit this is cheating a bit, but seemed harmless.  It is needed so
that auditsc_get_stamp() from audit_get_stamp() from audit_log_start()
doesn't bail on me without giving me its already assigned time and
serial values rather than generating a new one.  I did look to see if
there were any other undesireable side effects and found none, so I'm
tmepted to rename the ->in_syscall to something a bit more helpful.  I
could add a new audit_context structure member to make
auditsc_get_stamp() co-operative, but this seems wasteful and
unnecessary.

That's what I suspected.

Let's look into renaming the "in_syscall" field, it borderline
confusing now, and hijacking it for something which is very obviously
not "in syscall" is A Very Bad Thing.

-- 
paul moore
www.paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help