aleph/lkl_linux
1
0
Fork 0
mirror of https://github.com/lkl/linux.git synced 2025-12-19 16:13:19 +09:00
Code Issues Packages Projects Releases Wiki Activity

timekeeping: Audit clock adjustments

Browse Source 
Emit an audit record whenever the system clock is changed (i.e. shifted
by a non-zero offset) by a syscall from userspace. The syscalls than can
(at the time of writing) trigger such record are:
  - settimeofday(2), stime(2), clock_settime(2) -- via
    do_settimeofday64()
  - adjtimex(2), clock_adjtime(2) -- via do_adjtimex()

The new records have type AUDIT_TIME_INJOFFSET and contain the following
fields:
  - sec -- the 'seconds' part of the offset
  - nsec -- the 'nanoseconds' part of the offset

Example record (time was shifted backwards by ~15.875 seconds):

type=TIME_INJOFFSET msg=audit(1530616049.652:13): sec=-16 nsec=124887145

The records of this type will be associated with the corresponding
syscall records.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
[PM: fixed a line width problem in __audit_tk_injoffset()]
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Ondrej Mosnacek
2019-04-10 11:14:19 +02:00
committed by Paul Moore
parent 699c1868a7
commit 2d87a0674b
4 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
include/linux/audit.h
View File

@@ -365,6 +365,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
extern void __audit_log_kern_module(char *name);
extern void __audit_fanotify(unsigned int response);
extern void __audit_tk_injoffset(struct timespec64 offset);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
@@ -467,6 +468,16 @@ static inline void audit_fanotify(unsigned int response)
__audit_fanotify(response);
}
static inline void audit_tk_injoffset(struct timespec64 offset)
{
/* ignore no-op events */
if (offset.tv_sec == 0 && offset.tv_nsec == 0)
return;
if (!audit_dummy_context())
__audit_tk_injoffset(offset);
}
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@@ -580,6 +591,9 @@ static inline void audit_log_kern_module(char *name)
static inline void audit_fanotify(unsigned int response)
{ }
static inline void audit_tk_injoffset(struct timespec64 offset)
{ }
static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0