On 2016-12-05 11:02, Paul Moore wrote:
On Mon, Dec 5, 2016 at 3:02 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> Add a method to reset the audit_lost value.
>
> An AUDIT_GET message will get the current audit_lost value and reset the
> counter to zero iff (if and only if) the AUDIT_FEATURE_LOST_RESET
> feature is set.
>
> If the flag AUDIT_FEATURE_BITMAP_LOST_RESET is present in the audit
> feature bitmap, the feature is settable by setting the
> AUDIT_FEATURE_LOST_RESET flag in the audit feature list with an
> AUDIT_SET_FEATURE call. This setting is lockable.
>
> See: https://github.com/linux-audit/audit-kernel/issues/3
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> Note: The AUDIT_FEATURE_BITMAP_LOST_RESET check may not be necessary if
> it is possible to read all the entries from audit_feature_names from
> userspace.
> ---
> include/uapi/linux/audit.h | 7 +++++--
> kernel/audit.c | 9 ++++++---
> 2 files changed, 11 insertions(+), 5 deletions(-)
Instead of resetting the lost counter on an AUDIT_GET if the reset
feature is set, how about preserving the AUDIT_GET behavior, skipping
the AUDIT_FEATURE_* addition, and simply reset the lost value by
sending an AUDIT_SET message with AUDIT_STATUS_LOST (you obviously have
to add this to the uapi header).
I realized as I was coding it up that we would potentially lose an
accurate count if the read and reset were not atomic. This was the
reason for using atomic_xchg().
I'm mixed on adding this to the feature bitmap, it shouldn't be
strictly necessary as old kernels will simply ignore the
AUDIT_SET/AUDIT_STATUS_LOST bit, but I can understand if userspace
might want it ... I just hate to burn a bit in the bitmap for
something that has no ill effect on behavior.
As pointed out, we may not need the bitmap addition if we can read the
array of audit_feature_names.
> diff --git a/include/uapi/linux/audit.h
b/include/uapi/linux/audit.h
> index 208df7b..5eb2dc2 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -330,10 +330,12 @@ enum {
> #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000010
> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> - AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND)
> + AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> + AUDIT_FEATURE_BITMAP_LOST_RESET)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
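Review bot: folding AUDIT_FEATURE_BITMAP_LOST_RESET into AUDIT_FEATURE_BITMAP_ALL also changes AUDIT_VERSION_LATEST, which the context lines mark as deprecated, so any userspace still comparing that value will see a bump for a feature the cover note itself says may not need a bitmap bit. If the bit stays, add a comment above `+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000010` stating what it advertises (that AUDIT_FEATURE_LOST_RESET can be set through AUDIT_SET_FEATURE), since the define is currently undocumented.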
> @@ -440,7 +442,8 @@ struct audit_features {
>
> #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0
> #define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1
> -#define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOGINUID_IMMUTABLE
> +#define AUDIT_FEATURE_LOST_RESET 2
> +#define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOST_RESET
>
> #define audit_feature_valid(x) ((x) >= 0 && (x) <=
AUDIT_LAST_FEATURE)
> #define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for
__u32 */
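Review bot: `+#define AUDIT_FEATURE_LOST_RESET 2` is added with no comment describing its effect (when set, AUDIT_GET returns the lost count and clears it), and unlike the two existing feature names this one does not convey that AUDIT_GET becomes destructive; a one-line comment in the uapi header would help. Also note that moving AUDIT_LAST_FEATURE widens audit_feature_valid(), so every table in kernel/audit.c indexed by feature number must grow in the same patch.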
> diff --git a/kernel/audit.c b/kernel/audit.c
> index f1ca116..6b52da6 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -122,7 +122,7 @@
> 3) suppressed due to audit_rate_limit
> 4) suppressed due to audit_backlog_limit
> */
> -static atomic_t audit_lost = ATOMIC_INIT(0);
> +static atomic_t audit_lost = ATOMIC_INIT(0);
>
> /* The netlink socket. */
> static struct sock *audit_sock;
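Review bot: the removed and added lines in this hunk read identically (`static atomic_t audit_lost = ATOMIC_INIT(0);`), so this looks like a whitespace-only change unrelated to the lost-reset feature; drop it from this patch or carry it as a separate cleanup with its own justification.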
> @@ -150,9 +150,10 @@
> .features = 0,
> .lock = 0,};
>
> -static char *audit_feature_names[2] = {
> +static char *audit_feature_names[3] = {
> "only_unset_loginuid",
> "loginuid_immutable",
> + "lost_reset",
> };
>
>
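Review bot: `+static char *audit_feature_names[3] = {` hardcodes the array length a second time, duplicating AUDIT_LAST_FEATURE + 1 from the uapi header; size it as `[AUDIT_LAST_FEATURE + 1]` (or leave it `[]` and add a BUILD_BUG_ON comparing ARRAY_SIZE(audit_feature_names) with AUDIT_LAST_FEATURE + 1) so a future feature cannot be added to one without the other. The table could also be `static const char *const` since it is never modified.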
> @@ -854,7 +855,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
> s.pid = audit_pid;
> s.rate_limit = audit_rate_limit;
> s.backlog_limit = audit_backlog_limit;
> - s.lost = atomic_read(&audit_lost);
> + s.lost =
is_audit_feature_set(AUDIT_FEATURE_LOST_RESET) ?
> + atomic_xchg(&audit_lost, 0) :
> + atomic_read(&audit_lost);
> s.backlog = skb_queue_len(&audit_skb_queue);
> s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
> s.backlog_wait_time = audit_backlog_wait_time_master;
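Review bot: once the feature is set, every AUDIT_GET clears the counter, so a second reader (a status query issued while the daemon is also polling) gets zero and cannot distinguish "no loss" from "already cleared", and a daemon that does not expect the reset silently loses its running total. The explicit reset through AUDIT_SET with an AUDIT_STATUS_LOST mask suggested in the thread keeps AUDIT_GET idempotent, and the atomic_xchg(&audit_lost, 0) can move to that set path so read-and-clear stays atomic. Separately, the ternary on `s.lost =` wraps across three lines; an if/else or a small helper would read more clearly.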
> --
> 1.7.1
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
>
> https://www.redhat.com/mailman/listinfo/linux-audit
--
paul moore
www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
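The atomicity point raised in the thread (a read followed by a separate reset drops increments that land in between, which is why the patch uses atomic_xchg()), shown as an added user-space model in C11 atomics and pthreads; this is example code written for this page, not kernel code or anything from the patch, and audit_lost, writer, reader and unaccounted_events are assumed stand-ins for the kernel's counter, audit_log_lost() and the AUDIT_GET handler.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#define WRITERS 4
#define EVENTS_PER_WRITER 200000

static atomic_long audit_lost;   /* stands in for the kernel's audit_lost counter */
static atomic_long collected;    /* sum of every value the reader handed back */
static atomic_int writers_done;

/* Each writer models audit_log_lost(): one atomic increment per dropped record. */
static void *writer(void *arg) {
    (void)arg;
    for (int i = 0; i < EVENTS_PER_WRITER; i++) atomic_fetch_add(&audit_lost, 1);
    atomic_fetch_add(&writers_done, 1);
    return NULL;
}

/* Reader models AUDIT_GET with reset enabled: use_xchg=1 swaps in 0 atomically,
 * use_xchg=0 reads and then stores 0 as two separate operations. */
static void *reader(void *arg) {
    int use_xchg = *(int *)arg;
    while (atomic_load(&writers_done) < WRITERS) {
        long seen;
        if (use_xchg) {
            seen = atomic_exchange(&audit_lost, 0);
        } else {
            seen = atomic_load(&audit_lost);  /* increments that land between */
            atomic_store(&audit_lost, 0);     /* these two lines are wiped out */
        }
        atomic_fetch_add(&collected, seen);
    }
    atomic_fetch_add(&collected, atomic_exchange(&audit_lost, 0)); /* final drain */
    return NULL;
}

/* Runs one trial; returns how many increments the reader never accounted for. */
long unaccounted_events(int use_xchg) {
    pthread_t w[WRITERS], r;
    atomic_store(&audit_lost, 0); atomic_store(&collected, 0); atomic_store(&writers_done, 0);
    pthread_create(&r, NULL, reader, &use_xchg);
    for (int i = 0; i < WRITERS; i++) pthread_create(&w[i], NULL, writer, NULL);
    for (int i = 0; i < WRITERS; i++) pthread_join(w[i], NULL);
    pthread_join(r, NULL);
    return (long)WRITERS * EVENTS_PER_WRITER - atomic_load(&collected);
}
int main(void) {
    printf("xchg missed %ld, read-then-store missed %ld\n", unaccounted_events(1), unaccounted_events(0));
    return 0;
}
```

The exchange variant never loses an increment; the two-step variant typically reports a non-zero miss count, with the exact number depending on scheduling.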