From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D9D2C6FA82 for ; Fri, 9 Sep 2022 14:22:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230423AbiIIOWu (ORCPT ); Fri, 9 Sep 2022 10:22:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53580 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229607AbiIIOWo (ORCPT ); Fri, 9 Sep 2022 10:22:44 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8446C1316C9 for ; Fri, 9 Sep 2022 07:22:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1662733362; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kl2ork6m1zrEpHk0BOexy0xVS0f6pUe1ZNwGgpO6tHw=; b=YSNN7tplQrbWaGJLZ5dD8lBfFX2G6k5qzxdgOzCNfOpjRrylvWFnZfMVRpxtfQB6/AmLno GLOgZzYD+TzH3R1d3O2IFngFLzID98RLjhLwYm0F8aL/dVMPpm9ndBzBqWnNbfznz8piOp l0K05OCtYLadBcNv6YoKPjuN/MB6Tq0= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-201-pOYcU8l_PayXSCoeduBV9A-1; Fri, 09 Sep 2022 10:22:39 -0400 X-MC-Unique: pOYcU8l_PayXSCoeduBV9A-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A66AC1C05AFE; Fri, 9 Sep 2022 14:22:38 +0000 (UTC) Received: from x2.localnet (unknown [10.22.9.245]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C02942026D4C; Fri, 9 Sep 2022 14:22:37 +0000 (UTC) From: Steve Grubb To: Jan Kara Cc: Richard Guy Briggs , Paul Moore , Jan Kara , Linux-Audit Mailing List , LKML , linux-fsdevel@vger.kernel.org, Eric Paris , Amir Goldstein Subject: Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response Date: Fri, 09 Sep 2022 10:22:37 -0400 Message-ID: <4748798.GXAFRqVoOG@x2> Organization: Red Hat In-Reply-To: <20220909110944.yfnuqhsiyw3ekkcn@quack3> References: <2254543.ElGaqSPkdT@x2> <20220909110944.yfnuqhsiyw3ekkcn@quack3> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Friday, September 9, 2022 7:09:44 AM EDT Jan Kara wrote: > Hello Steve! > > On Fri 09-09-22 00:03:53, Steve Grubb wrote: > > On Thursday, September 8, 2022 10:41:44 PM EDT Richard Guy Briggs wrote: > > > > I'm trying to abide by what was suggested by the fs-devel folks. I > > > > can > > > > live with it. But if you want to make something non-generic for all > > > > users of fanotify, call the new field "trusted". This would decern > > > > when > > > > a decision was made because the file was untrusted or access denied > > > > for > > > > another reason. > > > > > > So, "u32 trusted;" ? How would you like that formatted? > > > "fan_trust={0|1}" > > > > So how does this play out if there is another user? Do they want a num= > > and trust= if not, then the AUDIT_FANOTIFY record will have multiple > > formats which is not good. I'd rather suggest something generic that can > > be interpreted based on who's attached to fanotify. IOW we have a > > fan_type=0 and then followed by info0= info1= the interpretation of > > those solely depend on fan_type. If the fan_type does not need both, > > then any interpretation skips what it doesn't need. If fan_type=1, then > > it follows what arg0= and arg1= is for that format. But make this pivot > > on fan_type and not actual names. > So I think there is some misunderstanding so let me maybe spell out in > detail how I see things so that we can get on the same page: > > It was a requirement from me (and probably Amir) that there is a generic > way to attach additional info to a response to fanotify permission event. > This is achieved by defining: > > struct fanotify_response_info_header { > __u8 type; > __u8 pad; > __u16 len; > }; > > which is a generic header and kernel can based on 'len' field decide how > large the response structure is (to safely copy it from userspace) and > based on 'type' field it can decide who should be the recipient of this > extra information (or generally what to do with it). So any additional > info needs to start with this header. > > Then there is: > > struct fanotify_response_info_audit_rule { > struct fanotify_response_info_header hdr; > __u32 audit_rule; > }; > > which properly starts with the header and hdr.type is expected to be > FAN_RESPONSE_INFO_AUDIT_RULE. What happens after the header with type > FAN_RESPONSE_INFO_AUDIT_RULE until length hdr.len is fully within *audit* > subsystem's responsibility. Fanotify code will just pass this as an opaque > blob to the audit subsystem. > > So if you know audit subsystem will also need some other field together > with 'audit_rule' now is a good time to add it and it doesn't have to be > useful for anybody else besides audit. If someone else will need other > information passed along with the response, he will append structure with > another header with different 'type' field. In principle, there can be > multiple structures appended to fanotify response like > > ... > > and fanotify subsystem will just pass them to different receivers based > on the type in 'hdr' field. > > Also if audit needs to pass even more information along with the respose, > we can define a new 'type' for it. But the 'type' space is not infinite so > I'd prefer this does not happen too often... > > I hope this clears out things a bit. Yes. Thank you. Richard, add subj_trust and obj_trust. These can be 0|1|2 for no, yes, unknown. -Steve From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id E26BAECAAA1 for ; Fri, 9 Sep 2022 14:22:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1662733365; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=krYiYc6D4yRlmaLdzVhyn9cB24Bfc6+TkRNpkdnpV+U=; b=LdyKdGXohEPRXjNIJR7TG59kYVH3scigSgEcMb1XSYxY+FlxowFK2P5CCIsYa3gjOMhDZq OxSdGCCMTeXV1ob6ls2rlIhock+lXSrsk0hi0Z4Wu7PF3PU/+d27/mmOsu87utRAZ3K7Dn o9lXs374gcGP1Ld+iO/W8jq775DNfn4= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-590-wvOkKyTVNiun9565-hNfww-1; Fri, 09 Sep 2022 10:22:42 -0400 X-MC-Unique: wvOkKyTVNiun9565-hNfww-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 8A0C8101A588; Fri, 9 Sep 2022 14:22:41 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 47ECCC15BC5; Fri, 9 Sep 2022 14:22:40 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 0958F1946A42; Fri, 9 Sep 2022 14:22:40 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id C27961946A41 for ; Fri, 9 Sep 2022 14:22:38 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id A5D1F2026D64; Fri, 9 Sep 2022 14:22:38 +0000 (UTC) Received: from x2.localnet (unknown [10.22.9.245]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C02942026D4C; Fri, 9 Sep 2022 14:22:37 +0000 (UTC) From: Steve Grubb To: Jan Kara Subject: Re: [PATCH v4 3/4] fanotify, audit: Allow audit to use the full permission event response Date: Fri, 09 Sep 2022 10:22:37 -0400 Message-ID: <4748798.GXAFRqVoOG@x2> Organization: Red Hat In-Reply-To: <20220909110944.yfnuqhsiyw3ekkcn@quack3> References: <2254543.ElGaqSPkdT@x2> <20220909110944.yfnuqhsiyw3ekkcn@quack3> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jan Kara , Richard Guy Briggs , Amir Goldstein , LKML , Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, Eric Paris Errors-To: linux-audit-bounces@redhat.com Sender: "Linux-audit" X-Scanned-By: MIMEDefang 2.85 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Friday, September 9, 2022 7:09:44 AM EDT Jan Kara wrote: > Hello Steve! > > On Fri 09-09-22 00:03:53, Steve Grubb wrote: > > On Thursday, September 8, 2022 10:41:44 PM EDT Richard Guy Briggs wrote: > > > > I'm trying to abide by what was suggested by the fs-devel folks. I > > > > can > > > > live with it. But if you want to make something non-generic for all > > > > users of fanotify, call the new field "trusted". This would decern > > > > when > > > > a decision was made because the file was untrusted or access denied > > > > for > > > > another reason. > > > > > > So, "u32 trusted;" ? How would you like that formatted? > > > "fan_trust={0|1}" > > > > So how does this play out if there is another user? Do they want a num= > > and trust= if not, then the AUDIT_FANOTIFY record will have multiple > > formats which is not good. I'd rather suggest something generic that can > > be interpreted based on who's attached to fanotify. IOW we have a > > fan_type=0 and then followed by info0= info1= the interpretation of > > those solely depend on fan_type. If the fan_type does not need both, > > then any interpretation skips what it doesn't need. If fan_type=1, then > > it follows what arg0= and arg1= is for that format. But make this pivot > > on fan_type and not actual names. > So I think there is some misunderstanding so let me maybe spell out in > detail how I see things so that we can get on the same page: > > It was a requirement from me (and probably Amir) that there is a generic > way to attach additional info to a response to fanotify permission event. > This is achieved by defining: > > struct fanotify_response_info_header { > __u8 type; > __u8 pad; > __u16 len; > }; > > which is a generic header and kernel can based on 'len' field decide how > large the response structure is (to safely copy it from userspace) and > based on 'type' field it can decide who should be the recipient of this > extra information (or generally what to do with it). So any additional > info needs to start with this header. > > Then there is: > > struct fanotify_response_info_audit_rule { > struct fanotify_response_info_header hdr; > __u32 audit_rule; > }; > > which properly starts with the header and hdr.type is expected to be > FAN_RESPONSE_INFO_AUDIT_RULE. What happens after the header with type > FAN_RESPONSE_INFO_AUDIT_RULE until length hdr.len is fully within *audit* > subsystem's responsibility. Fanotify code will just pass this as an opaque > blob to the audit subsystem. > > So if you know audit subsystem will also need some other field together > with 'audit_rule' now is a good time to add it and it doesn't have to be > useful for anybody else besides audit. If someone else will need other > information passed along with the response, he will append structure with > another header with different 'type' field. In principle, there can be > multiple structures appended to fanotify response like > > ... > > and fanotify subsystem will just pass them to different receivers based > on the type in 'hdr' field. > > Also if audit needs to pass even more information along with the respose, > we can define a new 'type' for it. But the 'type' space is not infinite so > I'd prefer this does not happen too often... > > I hope this clears out things a bit. Yes. Thank you. Richard, add subj_trust and obj_trust. These can be 0|1|2 for no, yes, unknown. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit