Date: Mon, 4 Oct 2021 14:27:18 -0400
From: Richard Guy Briggs
To: Paul Moore
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, linux-fsdevel@vger.kernel.org, Aleksa Sarai
Subject: Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how
Message-ID: <20211004182718.GE3977594@madcap2.tricolour.ca>

On 2021-10-04 12:08, Paul Moore wrote:
> On Wed, May 19, 2021 at 4:02 PM Richard Guy Briggs wrote:
> >
> > Since the openat2(2) syscall uses a struct open_how pointer to communicate
> > its parameters they are not usefully recorded by the audit SYSCALL record's
> > four existing arguments.
> >
> > Add a new audit record type OPENAT2 that reports the parameters in its
> > third argument, struct open_how with fields oflag, mode and resolve.
> >
> > The new record in the context of an event would look like:
> > time->Wed Mar 17 16:28:53 2021
> > type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432
> > type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> > type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> > type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests"
> > type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa
> > type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO"
> >
> > Signed-off-by: Richard Guy Briggs
> > Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com
> > ---
> >  fs/open.c                  |  2 ++
> >  include/linux/audit.h      | 10 ++++++++++
> >  include/uapi/linux/audit.h |  1 +
> >  kernel/audit.h             |  2 ++
> >  kernel/auditsc.c           | 18 +++++++++++++++++-
> >  5 files changed, 32 insertions(+), 1 deletion(-)
>
> ...
>
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index cd2d8279a5e4..67aea2370c6d 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h
> > @@ -118,6 +118,7 @@ > > #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ > > #define AUDIT_BPF 1334 /* BPF subsystem */ > > #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ > > +#define AUDIT_OPENAT2 1336 /* Record showing openat2 how args */
>
> As a heads-up, I had to change the AUDIT_OPENAT2 value to 1337 as the
> 1336 value is already in use by AUDIT_URINGOP. It wasn't caught
> during my initial build test as the LSM/audit io_uring patches are in
> selinux/next and not audit/next, it wasn't until the kernel-secnext
> build was merging everything for its test run that the collision
> occurred. I'll be updating the audit/next tree with the new value
> shortly.

I was expecting a conflict, so thanks for the heads up, Paul.

Steve: This affects the audit userspace support for this patchset
previously published 2021-05-19 as:
	https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2
The update is here:
	https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2.v2
And a PR has been created:
	https://github.com/linux-audit/audit-userspace/pull/219

> paul moore

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
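
Review bot: The added `#define AUDIT_OPENAT2 1336` in the include/uapi/linux/audit.h hunk takes the next number after AUDIT_EVENT_LISTENER (1335) as seen in this tree only; as Paul's reply says, 1336 is already taken by AUDIT_URINGOP in selinux/next, so the line should read 1337. Because this is a uapi record type number, the userspace support for OPENAT2 has to carry the same value, and the duplicate only showed up once kernel-secnext merged both trees, so it is worth checking the sibling -next trees before allocating a record number.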
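
As an added example (not part of the thread or the patch), the OPENAT2 record from the quoted event decoded in Python: oflag, mode and resolve are read in the bases the sample prints them in and mapped to flag names. The function names are hypothetical, the flag tables are a subset of the x86_64 uapi values (an assumption for other architectures), and syscall=437 is taken from the sample's SYSCALL record.

```python
import re

# Constructed sample: OPENAT2 and (trimmed) SYSCALL records of the quoted event.
SAMPLE = """\
type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa
type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a3=18 pid=540 comm="openat2"
"""

# Subset of flag values from the Linux uapi headers, x86_64 numbering (assumed).
O_ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
O_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC",
           0o2000: "O_APPEND", 0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY",
           0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC", 0o10000000: "O_PATH"}
RESOLVE = {0x01: "RESOLVE_NO_XDEV", 0x02: "RESOLVE_NO_MAGICLINKS",
           0x04: "RESOLVE_NO_SYMLINKS", 0x08: "RESOLVE_BENEATH",
           0x10: "RESOLVE_IN_ROOT", 0x20: "RESOLVE_CACHED"}
REC = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")

def parse_records(text):
    """Group records by (timestamp, serial): {event_id: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = REC.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
            events.setdefault((ts, int(serial)), {})[rtype] = fields
    return events

def flag_names(value, table):
    """Names of the set bits, plus leftover bits in hex so none are hidden."""
    rest = value & ~sum(table)
    return [n for bit, n in table.items() if value & bit] + ([hex(rest)] if rest else [])

def decode_openat2(fields):
    """Decode oflag/mode (octal in the sample) and resolve (0x hex in the sample)."""
    oflag = int(fields["oflag"], 8)
    return {"access": O_ACCMODE.get(oflag & 3, "invalid"),
            "oflag": flag_names(oflag & ~3, O_FLAGS),
            "mode": int(fields["mode"], 8),
            "resolve": flag_names(int(fields["resolve"], 16), RESOLVE)}

def openat2_events(text):
    """Decoded OPENAT2 records whose event also has syscall=437, as in the sample."""
    return {eid: decode_openat2(recs["OPENAT2"])
            for eid, recs in parse_records(text).items()
            if "OPENAT2" in recs and recs.get("SYSCALL", {}).get("syscall") == "437"}

print(openat2_events(SAMPLE))
```

The field splitting is whitespace-based, which is enough for these two record types but not for quoted values that contain spaces.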