timekeeping: Audit clock adjustments
Emit an audit record whenever the system clock is changed (i.e. shifted by a non-zero offset) by a syscall from userspace. The syscalls than can (at the time of writing) trigger such record are: - settimeofday(2), stime(2), clock_settime(2) -- via do_settimeofday64() - adjtimex(2), clock_adjtime(2) -- via do_adjtimex() The new records have type AUDIT_TIME_INJOFFSET and contain the following fields: - sec -- the 'seconds' part of the offset - nsec -- the 'nanoseconds' part of the offset Example record (time was shifted backwards by ~15.875 seconds): type=TIME_INJOFFSET msg=audit(1530616049.652:13): sec=-16 nsec=124887145 The records of this type will be associated with the corresponding syscall records. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> [PM: fixed a line width problem in __audit_tk_injoffset()] Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Родитель
699c1868a7
Коммит
2d87a0674b
|
@ -365,6 +365,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
|
|||
extern void __audit_mmap_fd(int fd, int flags);
|
||||
extern void __audit_log_kern_module(char *name);
|
||||
extern void __audit_fanotify(unsigned int response);
|
||||
extern void __audit_tk_injoffset(struct timespec64 offset);
|
||||
|
||||
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
|
||||
{
|
||||
|
@ -467,6 +468,16 @@ static inline void audit_fanotify(unsigned int response)
|
|||
__audit_fanotify(response);
|
||||
}
|
||||
|
||||
static inline void audit_tk_injoffset(struct timespec64 offset)
|
||||
{
|
||||
/* ignore no-op events */
|
||||
if (offset.tv_sec == 0 && offset.tv_nsec == 0)
|
||||
return;
|
||||
|
||||
if (!audit_dummy_context())
|
||||
__audit_tk_injoffset(offset);
|
||||
}
|
||||
|
||||
extern int audit_n_rules;
|
||||
extern int audit_signals;
|
||||
#else /* CONFIG_AUDITSYSCALL */
|
||||
|
@ -580,6 +591,9 @@ static inline void audit_log_kern_module(char *name)
|
|||
static inline void audit_fanotify(unsigned int response)
|
||||
{ }
|
||||
|
||||
static inline void audit_tk_injoffset(struct timespec64 offset)
|
||||
{ }
|
||||
|
||||
static inline void audit_ptrace(struct task_struct *t)
|
||||
{ }
|
||||
#define audit_n_rules 0
|
||||
|
|
|
@ -114,6 +114,7 @@
|
|||
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
|
||||
#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
|
||||
#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
|
||||
#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */
|
||||
|
||||
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
|
||||
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
|
||||
|
|
|
@ -2512,6 +2512,13 @@ void __audit_fanotify(unsigned int response)
|
|||
AUDIT_FANOTIFY, "resp=%u", response);
|
||||
}
|
||||
|
||||
void __audit_tk_injoffset(struct timespec64 offset)
|
||||
{
|
||||
audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
|
||||
"sec=%lli nsec=%li",
|
||||
(long long)offset.tv_sec, offset.tv_nsec);
|
||||
}
|
||||
|
||||
static void audit_log_task(struct audit_buffer *ab)
|
||||
{
|
||||
kuid_t auid, uid;
|
||||
|
|
|
@ -21,6 +21,7 @@
|
|||
#include <linux/stop_machine.h>
|
||||
#include <linux/pvclock_gtod.h>
|
||||
#include <linux/compiler.h>
|
||||
#include <linux/audit.h>
|
||||
|
||||
#include "tick-internal.h"
|
||||
#include "ntp_internal.h"
|
||||
|
@ -1250,6 +1251,9 @@ out:
|
|||
/* signal hrtimers about time change */
|
||||
clock_was_set();
|
||||
|
||||
if (!ret)
|
||||
audit_tk_injoffset(ts_delta);
|
||||
|
||||
return ret;
|
||||
}
|
||||
EXPORT_SYMBOL(do_settimeofday64);
|
||||
|
@ -2322,6 +2326,8 @@ int do_adjtimex(struct __kernel_timex *txc)
|
|||
ret = timekeeping_inject_offset(&delta);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
audit_tk_injoffset(delta);
|
||||
}
|
||||
|
||||
ktime_get_real_ts64(&ts);
|
||||
|
|
Загрузка…
Ссылка в новой задаче