
Commit 2d87a067 authored by Ondrej Mosnacek, committed by Paul Moore

timekeeping: Audit clock adjustments



Emit an audit record whenever the system clock is changed (i.e. shifted
by a non-zero offset) by a syscall from userspace. The syscalls that can
(at the time of writing) trigger such a record are:
  - settimeofday(2), stime(2), clock_settime(2) -- via
    do_settimeofday64()
  - adjtimex(2), clock_adjtime(2) -- via do_adjtimex()

The new records have type AUDIT_TIME_INJOFFSET and contain the following
fields:
  - sec -- the 'seconds' part of the offset
  - nsec -- the 'nanoseconds' part of the offset

Example record (time was shifted backwards by ~15.875 seconds):

type=TIME_INJOFFSET msg=audit(1530616049.652:13): sec=-16 nsec=124887145

The records of this type will be associated with the corresponding
syscall records.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
[PM: fixed a line width problem in __audit_tk_injoffset()]
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 699c1868
+14 −0
@@ -365,6 +365,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
extern void __audit_log_kern_module(char *name);
extern void __audit_fanotify(unsigned int response);
extern void __audit_tk_injoffset(struct timespec64 offset);

static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
@@ -467,6 +468,16 @@ static inline void audit_fanotify(unsigned int response)
		__audit_fanotify(response);
}

static inline void audit_tk_injoffset(struct timespec64 offset)
{
	/* ignore no-op events */
	if (offset.tv_sec == 0 && offset.tv_nsec == 0)
		return;

	if (!audit_dummy_context())
		__audit_tk_injoffset(offset);
}

extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@@ -580,6 +591,9 @@ static inline void audit_log_kern_module(char *name)
static inline void audit_fanotify(unsigned int response)
{ }

static inline void audit_tk_injoffset(struct timespec64 offset)
{ }

static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0
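Review bot: The `audit_tk_injoffset()` wrapper in the CONFIG_AUDITSYSCALL branch has no comment saying that a record is emitted only when `audit_dummy_context()` is false, so a clock change made while the calling task has a dummy audit context (presumably when no audit rules are loaded) produces no TIME_INJOFFSET record. Anyone using this record type to detect clock tampering needs to know that its absence does not prove the clock was left alone. I would extend the existing comment to something like `/* ignore no-op events; a record is only emitted when the task has a non-dummy audit context */`. The empty stub in the !CONFIG_AUDITSYSCALL branch is fine as it stands.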
+1 −0
@@ -114,6 +114,7 @@
#define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
#define AUDIT_KERN_MODULE	1330	/* Kernel Module events */
#define AUDIT_FANOTIFY		1331	/* Fanotify access decision */
#define AUDIT_TIME_INJOFFSET	1332	/* Timekeeping offset injected */

#define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
+7 −0
@@ -2512,6 +2512,13 @@ void __audit_fanotify(unsigned int response)
		AUDIT_FANOTIFY,	"resp=%u", response);
}

void __audit_tk_injoffset(struct timespec64 offset)
{
	audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
		  "sec=%lli nsec=%li",
		  (long long)offset.tv_sec, offset.tv_nsec);
}

static void audit_log_task(struct audit_buffer *ab)
{
	kuid_t auid, uid;
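Review bot: `__audit_tk_injoffset()` has no comment describing how the offset is encoded in the record, and the encoding is easy to misread. Going by the example in the commit message (`sec=-16 nsec=124887145` for a shift of roughly -15.875 s), `nsec` is added to a possibly negative `sec` rather than carrying its own sign. A short kernel-doc comment stating that the injected offset is `sec + nsec/1e9` seconds would keep log consumers from reporting that example as a 16-second step. Whether `tv_nsec` is always normalised to a non-negative value by the time it reaches this function is not visible in the hunk and should be confirmed at the callers.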
+6 −0
@@ -21,6 +21,7 @@
#include <linux/stop_machine.h>
#include <linux/pvclock_gtod.h>
#include <linux/compiler.h>
#include <linux/audit.h>

#include "tick-internal.h"
#include "ntp_internal.h"
@@ -1250,6 +1251,9 @@ int do_settimeofday64(const struct timespec64 *ts)
	/* signal hrtimers about time change */
	clock_was_set();

	if (!ret)
		audit_tk_injoffset(ts_delta);

	return ret;
}
EXPORT_SYMBOL(do_settimeofday64);
@@ -2322,6 +2326,8 @@ int do_adjtimex(struct __kernel_timex *txc)
		ret = timekeeping_inject_offset(&delta);
		if (ret)
			return ret;

		audit_tk_injoffset(delta);
	}

	ktime_get_real_ts64(&ts);
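Review bot: In the `do_adjtimex()` hunk the audit call sits inside the block that follows `timekeeping_inject_offset()`, so only a stepped offset is recorded. As far as this hunk shows, other adjustments made through the same syscall (frequency, tick length and similar NTP parameters) would change the clock's rate without producing a TIME_INJOFFSET record. That matches the commit description, but the call site deserves a comment such as `/* only injected offsets are audited here; rate adjustments are not */` so the gap is visible to anyone who later relies on these records for detection. The enclosing condition starts outside the hunk, so the exact trigger should be checked there.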