timekeeping: Audit clock adjustments

Emit an audit record whenever the system clock is changed (i.e. shifted
by a non-zero offset) by a syscall from userspace. The syscalls than can
(at the time of writing) trigger such record are:
  - settimeofday(2), stime(2), clock_settime(2) -- via
    do_settimeofday64()
  - adjtimex(2), clock_adjtime(2) -- via do_adjtimex()

The new records have type AUDIT_TIME_INJOFFSET and contain the following
fields:
  - sec -- the 'seconds' part of the offset
  - nsec -- the 'nanoseconds' part of the offset

Example record (time was shifted backwards by ~15.875 seconds):

type=TIME_INJOFFSET msg=audit(1530616049.652:13): sec=-16 nsec=124887145

The records of this type will be associated with the corresponding
syscall records.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
[PM: fixed a line width problem in __audit_tk_injoffset()]
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Ondrej Mosnacek 2019-04-10 11:14:19 +02:00 коммит произвёл Paul Moore
Родитель 699c1868a7
Коммит 2d87a0674b
4 изменённых файлов: 28 добавлений и 0 удалений

Просмотреть файл

@ -365,6 +365,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
extern void __audit_log_kern_module(char *name);
extern void __audit_fanotify(unsigned int response);
extern void __audit_tk_injoffset(struct timespec64 offset);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
@ -467,6 +468,16 @@ static inline void audit_fanotify(unsigned int response)
__audit_fanotify(response);
}
static inline void audit_tk_injoffset(struct timespec64 offset)
{
/* ignore no-op events */
if (offset.tv_sec == 0 && offset.tv_nsec == 0)
return;
if (!audit_dummy_context())
__audit_tk_injoffset(offset);
}
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@ -580,6 +591,9 @@ static inline void audit_log_kern_module(char *name)
static inline void audit_fanotify(unsigned int response)
{ }
static inline void audit_tk_injoffset(struct timespec64 offset)
{ }
static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0

Просмотреть файл

@ -114,6 +114,7 @@
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */

Просмотреть файл

@ -2512,6 +2512,13 @@ void __audit_fanotify(unsigned int response)
AUDIT_FANOTIFY, "resp=%u", response);
}
void __audit_tk_injoffset(struct timespec64 offset)
{
audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
"sec=%lli nsec=%li",
(long long)offset.tv_sec, offset.tv_nsec);
}
static void audit_log_task(struct audit_buffer *ab)
{
kuid_t auid, uid;

Просмотреть файл

@ -21,6 +21,7 @@
#include <linux/stop_machine.h>
#include <linux/pvclock_gtod.h>
#include <linux/compiler.h>
#include <linux/audit.h>
#include "tick-internal.h"
#include "ntp_internal.h"
@ -1250,6 +1251,9 @@ out:
/* signal hrtimers about time change */
clock_was_set();
if (!ret)
audit_tk_injoffset(ts_delta);
return ret;
}
EXPORT_SYMBOL(do_settimeofday64);
@ -2322,6 +2326,8 @@ int do_adjtimex(struct __kernel_timex *txc)
ret = timekeeping_inject_offset(&delta);
if (ret)
return ret;
audit_tk_injoffset(delta);
}
ktime_get_real_ts64(&ts);