* [PATCH v4 0/3] audit: add support for openat2
From: Richard Guy Briggs @ 2021-05-19 20:00 UTC
To: Linux-Audit Mailing List, LKML, linux-fsdevel
Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs, Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai, Arnd Bergmann

The openat2(2) syscall was added in v5.6. Add support for openat2 to the
audit syscall classifier and for recording openat2 parameters that cannot
be captured in the syscall parameters of the SYSCALL record.

Supporting userspace code can be found in
https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2

Supporting test case can be found in
https://github.com/linux-audit/audit-testsuite/pull/103

Changelog:
v4:
- change filename include/linux/auditscm.h to auditsc_classmacros.h to avoid socket association

v3:
- re-add commit descriptions that somehow got dropped
- add new file to MAINTAINERS

v2:
- add include/linux/auditscm.h for audit syscall class macros due to syscall redefinition warnings:
    arch/x86/ia32/audit.c:3:
    ./include/linux/audit.h:12,
    ./include/linux/sched.h:22,
    ./include/linux/seccomp.h:21,
    ./arch/x86/include/asm/seccomp.h:5,
    ./arch/x86/include/asm/unistd.h:20,
    ./arch/x86/include/generated/uapi/asm/unistd_64.h:4: warning: "__NR_read" redefined
    #define __NR_read 0
    ...
    ./arch/x86/include/generated/uapi/asm/unistd_64.h:338: warning: "__NR_rseq" redefined
    #define __NR_rseq 334
  previous:
    arch/x86/ia32/audit.c:2:
    ./arch/x86/include/generated/uapi/asm/unistd_32.h:7: note: this is the location of the previous definition
    #define __NR_read 3
    ...
    ./arch/x86/include/generated/uapi/asm/unistd_32.h:386: note: this is the location of the previous definition
    #define __NR_rseq 386

Richard Guy Briggs (3):
  audit: replace magic audit syscall class numbers with macros
  audit: add support for the openat2 syscall
  audit: add OPENAT2 record to list how

 MAINTAINERS                         |  1 +
 arch/alpha/kernel/audit.c           | 10 ++++++----
 arch/ia64/kernel/audit.c            | 10 ++++++----
 arch/parisc/kernel/audit.c          | 10 ++++++----
 arch/parisc/kernel/compat_audit.c   | 11 ++++++----
 arch/powerpc/kernel/audit.c         | 12 ++++++-----
 arch/powerpc/kernel/compat_audit.c  | 13 +++++++-----
 arch/s390/kernel/audit.c            | 12 ++++++-----
 arch/s390/kernel/compat_audit.c     | 13 +++++++-----
 arch/sparc/kernel/audit.c           | 12 ++++++-----
 arch/sparc/kernel/compat_audit.c    | 13 +++++++-----
 arch/x86/ia32/audit.c               | 13 +++++++-----
 arch/x86/kernel/audit_64.c          | 10 ++++++----
 fs/open.c                           |  2 ++
 include/linux/audit.h               | 11 ++++++++++
 include/linux/auditsc_classmacros.h | 24 ++++++++++++++++++++++
 include/uapi/linux/audit.h          |  1 +
 kernel/audit.h                      |  2 ++
 kernel/auditsc.c                    | 31 +++++++++++++++++++++++------
 lib/audit.c                         | 14 ++++++++-----
 lib/compat_audit.c                  | 15 +++++++++-----
 21 files changed, 169 insertions(+), 71 deletions(-)
 create mode 100644 include/linux/auditsc_classmacros.h

--
2.27.0
* [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros 2021-05-19 20:00 ` Richard Guy Briggs (?) (?) @ 2021-05-19 20:00 ` Richard Guy Briggs -1 siblings, 0 replies; 60+ messages in thread From: Richard Guy Briggs @ 2021-05-19 20:00 UTC (permalink / raw) To: Linux-Audit Mailing List, LKML, linux-fsdevel Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs, Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai, Arnd Bergmann Replace audit syscall class magic numbers with macros. This required putting the macros into new header file include/linux/auditsc_classmacros.h since the syscall macros were included for both 64 bit and 32 bit in any compat code, causing redefinition warnings. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com --- MAINTAINERS | 1 + arch/alpha/kernel/audit.c | 8 ++++---- arch/ia64/kernel/audit.c | 8 ++++---- arch/parisc/kernel/audit.c | 8 ++++---- arch/parisc/kernel/compat_audit.c | 9 +++++---- arch/powerpc/kernel/audit.c | 10 +++++----- arch/powerpc/kernel/compat_audit.c | 11 ++++++----- arch/s390/kernel/audit.c | 10 +++++----- arch/s390/kernel/compat_audit.c | 11 ++++++----- arch/sparc/kernel/audit.c | 10 +++++----- arch/sparc/kernel/compat_audit.c | 11 ++++++----- arch/x86/ia32/audit.c | 11 ++++++----- arch/x86/kernel/audit_64.c | 8 ++++---- include/linux/audit.h | 1 + include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++ kernel/auditsc.c | 12 ++++++------ lib/audit.c | 10 +++++----- lib/compat_audit.c | 11 ++++++----- 18 files changed, 102 insertions(+), 71 deletions(-) create mode 100644 include/linux/auditsc_classmacros.h diff --git a/MAINTAINERS b/MAINTAINERS index bd7aff0c120f..3348d12019f9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS 
@@ -3036,6 +3036,7 @@ W: https://github.com/linux-audit T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git F: include/asm-generic/audit_*.h F: include/linux/audit.h +F: include/linux/auditsc_classmacros.h F: include/uapi/linux/audit.h F: kernel/audit* F: lib/*audit.c diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c index 96a9d18ff4c4..81cbd804e375 100644 --- a/arch/alpha/kernel/audit.c +++ b/arch/alpha/kernel/audit.c @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index 5192ca899fe6..dba6a74c9ab3 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c index 9eb47b2225d2..14244e83db75 100644 --- a/arch/parisc/kernel/audit.c +++ b/arch/parisc/kernel/audit.c @@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c index 20c39c9d86a9..1d6347d37d92 100644 --- a/arch/parisc/kernel/compat_audit.c +++ b/arch/parisc/kernel/compat_audit.c 
@@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> unsigned int parisc32_dir_class[] = { @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall) { switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c index a2dddd7f3d09..6eb18ef77dff 100644 --- a/arch/powerpc/kernel/audit.c +++ b/arch/powerpc/kernel/audit.c @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c index 55c6ccda0a85..b1dc2d1c4bad 100644 --- a/arch/powerpc/kernel/compat_audit.c +++ b/arch/powerpc/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #undef __powerpc64__ +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> unsigned ppc32_dir_class[] = { @@ -31,14 +32,14 @@ int ppc32_classify_syscall(unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c index d395c6c9944c..7e331e1831d4 100644 --- a/arch/s390/kernel/audit.c +++ b/arch/s390/kernel/audit.c 
@@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c index 444fb1f66944..fc3d1c7ad21c 100644 --- a/arch/s390/kernel/compat_audit.c +++ b/arch/s390/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #undef __s390x__ +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> #include "audit.h" @@ -32,14 +33,14 @@ int s390_classify_syscall(unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c index a6e91bf34d48..50fab35bdaba 100644 --- a/arch/sparc/kernel/audit.c +++ b/arch/sparc/kernel/audit.c @@ -48,15 +48,15 @@ int audit_classify_syscall(int abi, unsigned int syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c index 10eeb4f15b20..1c1b6d075421 100644 --- a/arch/sparc/kernel/compat_audit.c +++ b/arch/sparc/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #define __32bit_syscall_numbers__ +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> #include "kernel.h" 
@@ -32,14 +33,14 @@ int sparc32_classify_syscall(unsigned int syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c index 6efe6cb3768a..eedc37a1ee13 100644 --- a/arch/x86/ia32/audit.c +++ b/arch/x86/ia32/audit.c @@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/auditsc_classmacros.h> #include <asm/unistd_32.h> #include <asm/audit.h> @@ -31,15 +32,15 @@ int ia32_classify_syscall(unsigned syscall) { switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: case __NR_execveat: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c index 83d9cad4e68b..2a6cc9c9c881 100644 --- a/arch/x86/kernel/audit_64.c +++ b/arch/x86/kernel/audit_64.c @@ -47,14 +47,14 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: case __NR_execveat: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/include/linux/audit.h b/include/linux/audit.h index 82b7c1116a85..283bc91a6932 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -11,6 +11,7 @@ #include <linux/sched.h> #include <linux/ptrace.h> +#include <linux/auditsc_classmacros.h> /* syscall class macros */ #include <uapi/linux/audit.h> #include <uapi/linux/netfilter/nf_tables.h> 
diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h new file mode 100644 index 000000000000..18757d270961 --- /dev/null +++ b/include/linux/auditsc_classmacros.h @@ -0,0 +1,23 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* auditsc_classmacros.h -- Auditing support syscall macros + * + * Copyright 2021 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * Author: Richard Guy Briggs <rgb@redhat.com> + */ +#ifndef _LINUX_AUDITSCM_H_ +#define _LINUX_AUDITSCM_H_ + +enum auditsc_class_t { + AUDITSC_NATIVE = 0, + AUDITSC_COMPAT, + AUDITSC_OPEN, + AUDITSC_OPENAT, + AUDITSC_SOCKETCALL, + AUDITSC_EXECVE, + + AUDITSC_NVALS /* count */ +}; + +#endif diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 0a9a1569f1ea..d775ea16505b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -166,7 +166,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) n = ctx->major; switch (audit_classify_syscall(ctx->arch, n)) { - case 0: /* native */ + case AUDITSC_NATIVE: if ((mask & AUDIT_PERM_WRITE) && audit_match_class(AUDIT_CLASS_WRITE, n)) return 1; @@ -177,7 +177,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) audit_match_class(AUDIT_CLASS_CHATTR, n)) return 1; return 0; - case 1: /* 32bit on biarch */ + case AUDITSC_COMPAT: /* 32bit on biarch */ if ((mask & AUDIT_PERM_WRITE) && audit_match_class(AUDIT_CLASS_WRITE_32, n)) return 1; @@ -188,13 +188,13 @@ static int audit_match_perm(struct audit_context *ctx, int mask) audit_match_class(AUDIT_CLASS_CHATTR_32, n)) return 1; return 0; - case 2: /* open */ + case AUDITSC_OPEN: return mask & ACC_MODE(ctx->argv[1]); - case 3: /* openat */ + case AUDITSC_OPENAT: return mask & ACC_MODE(ctx->argv[2]); - case 4: /* socketcall */ + case AUDITSC_SOCKETCALL: return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); - case 5: /* execve */ + case AUDITSC_EXECVE: return mask & AUDIT_PERM_EXEC; default: return 0; 
diff --git a/lib/audit.c b/lib/audit.c index 5004bff928a7..3ec1a94d8d64 100644 --- a/lib/audit.c +++ b/lib/audit.c @@ -45,23 +45,23 @@ int audit_classify_syscall(int abi, unsigned syscall) switch(syscall) { #ifdef __NR_open case __NR_open: - return 2; + return AUDITSC_OPEN; #endif #ifdef __NR_openat case __NR_openat: - return 3; + return AUDITSC_OPENAT; #endif #ifdef __NR_socketcall case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; #endif #ifdef __NR_execveat case __NR_execveat: #endif case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/lib/compat_audit.c b/lib/compat_audit.c index 77eabad69b4a..a38b282d353f 100644 --- a/lib/compat_audit.c +++ b/lib/compat_audit.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/init.h> #include <linux/types.h> +#include <linux/auditsc_classmacros.h> #include <asm/unistd32.h> unsigned compat_dir_class[] = { @@ -33,19 +34,19 @@ int audit_classify_compat_syscall(int abi, unsigned syscall) switch (syscall) { #ifdef __NR_open case __NR_open: - return 2; + return AUDITSC_OPEN; #endif #ifdef __NR_openat case __NR_openat: - return 3; + return AUDITSC_OPENAT; #endif #ifdef __NR_socketcall case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; #endif case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } -- 2.27.0 ^ permalink raw reply related [flat|nested] 60+ messages in thread
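Review bot: The include guard in the new include/linux/auditsc_classmacros.h is still _LINUX_AUDITSCM_H_, which follows the auditscm.h filename that the v4 changelog says was renamed. Please rename the guard to match the file (for example _LINUX_AUDITSC_CLASSMACROS_H_) on both the #ifndef and the #define lines. The header comment and the commit message also describe "macros" while the file defines enum auditsc_class_t; either say "enum" in the description or reconsider the _t suffix, which usually marks a typedef rather than an enum tag.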
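Review bot: The classifiers in every arch and lib hunk (audit_classify_syscall(), ia32_classify_syscall(), ppc32_classify_syscall() and the others) still return int even though they now return enum auditsc_class_t values, and audit_match_perm() in kernel/auditsc.c switches on that int. Nothing in the signatures ties the two together, so a class added to the enum later can be missed in one classifier or in the audit_match_perm() switch without any diagnostic and fall through to "default: return 0;". Consider declaring the return type as enum auditsc_class_t, or at least documenting in auditsc_classmacros.h that these values are the return contract of the *_classify_syscall() functions.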
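Review bot: In the lib/compat_audit.c hunk only __NR_execve is mapped to AUDITSC_EXECVE, while the lib/audit.c hunk just before it also maps __NR_execveat under #ifdef __NR_execveat, and both x86 classifiers map execve and execveat. With named classes the gap is now easy to see: on the generic compat path an execveat call is classified as AUDITSC_COMPAT and is not matched by the AUDIT_PERM_EXEC branch of audit_match_perm(). This predates the patch and a pure rename should not change behaviour, but please state in the commit message that the conversion is intentionally behaviour-preserving and consider a follow-up that adds the guarded __NR_execveat case to the compat classifier.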
diff --git a/lib/audit.c b/lib/audit.c index 5004bff928a7..3ec1a94d8d64 100644 --- a/lib/audit.c +++ b/lib/audit.c @@ -45,23 +45,23 @@ int audit_classify_syscall(int abi, unsigned syscall) switch(syscall) { #ifdef __NR_open case __NR_open: - return 2; + return AUDITSC_OPEN; #endif #ifdef __NR_openat case __NR_openat: - return 3; + return AUDITSC_OPENAT; #endif #ifdef __NR_socketcall case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; #endif #ifdef __NR_execveat case __NR_execveat: #endif case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/lib/compat_audit.c b/lib/compat_audit.c index 77eabad69b4a..a38b282d353f 100644 --- a/lib/compat_audit.c +++ b/lib/compat_audit.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/init.h> #include <linux/types.h> +#include <linux/auditsc_classmacros.h> #include <asm/unistd32.h> unsigned compat_dir_class[] = { @@ -33,19 +34,19 @@ int audit_classify_compat_syscall(int abi, unsigned syscall) switch (syscall) { #ifdef __NR_open case __NR_open: - return 2; + return AUDITSC_OPEN; #endif #ifdef __NR_openat case __NR_openat: - return 3; + return AUDITSC_OPENAT; #endif #ifdef __NR_socketcall case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; #endif case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } -- 2.27.0 ^ permalink raw reply related [flat|nested] 60+ messages in thread
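Review bot: in the kernel/auditsc.c hunk for audit_match_perm(), the unchanged line under `case AUDITSC_SOCKETCALL:` reads `ctx->argv[0] = SYS_BIND`, an assignment where the socketcall check needs a comparison. Because `&&` binds tighter than `=`, this tries to assign to the result of `(mask & AUDIT_PERM_WRITE) && ctx->argv[0]`, which is not an lvalue, so a tree carrying this line would not build. The other copies of this hunk on the page show `ctx->argv[0] == SYS_BIND`. As this is a context line rather than a changed one, the patch should be regenerated against a clean tree so that the context reads `==`.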
* [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros
From: Richard Guy Briggs @ 2021-05-19 20:00 UTC
To: Linux-Audit Mailing List, LKML, linux-fsdevel
Cc: linux-s390, linux-ia64, Paul Moore, linux-parisc, Arnd Bergmann, Richard Guy Briggs, x86, Eric Paris, Aleksa Sarai, Alexander Viro, linux-alpha, sparclinux, Eric Paris, Steve Grubb, linuxppc-dev

Replace audit syscall class magic numbers with macros.

This required putting the macros into new header file
include/linux/auditsc_classmacros.h since the syscall macros were
included for both 64 bit and 32 bit in any compat code, causing
redefinition warnings.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com
---
 MAINTAINERS                         |  1 +
 arch/alpha/kernel/audit.c           |  8 ++++----
 arch/ia64/kernel/audit.c            |  8 ++++----
 arch/parisc/kernel/audit.c          |  8 ++++----
 arch/parisc/kernel/compat_audit.c   |  9 +++++----
 arch/powerpc/kernel/audit.c         | 10 +++++-----
 arch/powerpc/kernel/compat_audit.c  | 11 ++++++-----
 arch/s390/kernel/audit.c            | 10 +++++-----
 arch/s390/kernel/compat_audit.c     | 11 ++++++-----
 arch/sparc/kernel/audit.c           | 10 +++++-----
 arch/sparc/kernel/compat_audit.c    | 11 ++++++-----
 arch/x86/ia32/audit.c               | 11 ++++++-----
 arch/x86/kernel/audit_64.c          |  8 ++++----
 include/linux/audit.h               |  1 +
 include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++
 kernel/auditsc.c                    | 12 ++++++------
 lib/audit.c                         | 10 +++++-----
 lib/compat_audit.c                  | 11 ++++++-----
 18 files changed, 102 insertions(+), 71 deletions(-)
 create mode 100644 include/linux/auditsc_classmacros.h

diff --git a/MAINTAINERS b/MAINTAINERS index bd7aff0c120f..3348d12019f9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS
@@ -3036,6 +3036,7 @@ W: https://github.com/linux-audit T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git F: include/asm-generic/audit_*.h F: include/linux/audit.h +F: include/linux/auditsc_classmacros.h F: include/uapi/linux/audit.h F: kernel/audit* F: lib/*audit.c diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c index 96a9d18ff4c4..81cbd804e375 100644 --- a/arch/alpha/kernel/audit.c +++ b/arch/alpha/kernel/audit.c @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index 5192ca899fe6..dba6a74c9ab3 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c index 9eb47b2225d2..14244e83db75 100644 --- a/arch/parisc/kernel/audit.c +++ b/arch/parisc/kernel/audit.c @@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c index 20c39c9d86a9..1d6347d37d92 100644 --- a/arch/parisc/kernel/compat_audit.c +++ b/arch/parisc/kernel/compat_audit.c 
@@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> unsigned int parisc32_dir_class[] = { @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall) { switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c index a2dddd7f3d09..6eb18ef77dff 100644 --- a/arch/powerpc/kernel/audit.c +++ b/arch/powerpc/kernel/audit.c @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c index 55c6ccda0a85..b1dc2d1c4bad 100644 --- a/arch/powerpc/kernel/compat_audit.c +++ b/arch/powerpc/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #undef __powerpc64__ +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> unsigned ppc32_dir_class[] = { @@ -31,14 +32,14 @@ int ppc32_classify_syscall(unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c index d395c6c9944c..7e331e1831d4 100644 --- a/arch/s390/kernel/audit.c +++ b/arch/s390/kernel/audit.c 
@@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c index 444fb1f66944..fc3d1c7ad21c 100644 --- a/arch/s390/kernel/compat_audit.c +++ b/arch/s390/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #undef __s390x__ +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> #include "audit.h" @@ -32,14 +33,14 @@ int s390_classify_syscall(unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c index a6e91bf34d48..50fab35bdaba 100644 --- a/arch/sparc/kernel/audit.c +++ b/arch/sparc/kernel/audit.c @@ -48,15 +48,15 @@ int audit_classify_syscall(int abi, unsigned int syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c index 10eeb4f15b20..1c1b6d075421 100644 --- a/arch/sparc/kernel/compat_audit.c +++ b/arch/sparc/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #define __32bit_syscall_numbers__ +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> #include "kernel.h" 
@@ -32,14 +33,14 @@ int sparc32_classify_syscall(unsigned int syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c index 6efe6cb3768a..eedc37a1ee13 100644 --- a/arch/x86/ia32/audit.c +++ b/arch/x86/ia32/audit.c @@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/auditsc_classmacros.h> #include <asm/unistd_32.h> #include <asm/audit.h> @@ -31,15 +32,15 @@ int ia32_classify_syscall(unsigned syscall) { switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: case __NR_execveat: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c index 83d9cad4e68b..2a6cc9c9c881 100644 --- a/arch/x86/kernel/audit_64.c +++ b/arch/x86/kernel/audit_64.c @@ -47,14 +47,14 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: case __NR_execveat: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/include/linux/audit.h b/include/linux/audit.h index 82b7c1116a85..283bc91a6932 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -11,6 +11,7 @@ #include <linux/sched.h> #include <linux/ptrace.h> +#include <linux/auditsc_classmacros.h> /* syscall class macros */ #include <uapi/linux/audit.h> #include <uapi/linux/netfilter/nf_tables.h> 
diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h new file mode 100644 index 000000000000..18757d270961 --- /dev/null +++ b/include/linux/auditsc_classmacros.h @@ -0,0 +1,23 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* auditsc_classmacros.h -- Auditing support syscall macros + * + * Copyright 2021 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * Author: Richard Guy Briggs <rgb@redhat.com> + */ +#ifndef _LINUX_AUDITSCM_H_ +#define _LINUX_AUDITSCM_H_ + +enum auditsc_class_t { + AUDITSC_NATIVE = 0, + AUDITSC_COMPAT, + AUDITSC_OPEN, + AUDITSC_OPENAT, + AUDITSC_SOCKETCALL, + AUDITSC_EXECVE, + + AUDITSC_NVALS /* count */ +}; + +#endif diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 0a9a1569f1ea..d775ea16505b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -166,7 +166,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) n = ctx->major; switch (audit_classify_syscall(ctx->arch, n)) { - case 0: /* native */ + case AUDITSC_NATIVE: if ((mask & AUDIT_PERM_WRITE) && audit_match_class(AUDIT_CLASS_WRITE, n)) return 1; @@ -177,7 +177,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) audit_match_class(AUDIT_CLASS_CHATTR, n)) return 1; return 0; - case 1: /* 32bit on biarch */ + case AUDITSC_COMPAT: /* 32bit on biarch */ if ((mask & AUDIT_PERM_WRITE) && audit_match_class(AUDIT_CLASS_WRITE_32, n)) return 1; @@ -188,13 +188,13 @@ static int audit_match_perm(struct audit_context *ctx, int mask) audit_match_class(AUDIT_CLASS_CHATTR_32, n)) return 1; return 0; - case 2: /* open */ + case AUDITSC_OPEN: return mask & ACC_MODE(ctx->argv[1]); - case 3: /* openat */ + case AUDITSC_OPENAT: return mask & ACC_MODE(ctx->argv[2]); - case 4: /* socketcall */ + case AUDITSC_SOCKETCALL: return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); - case 5: /* execve */ + case AUDITSC_EXECVE: return mask & AUDIT_PERM_EXEC; default: return 0; 
diff --git a/lib/audit.c b/lib/audit.c index 5004bff928a7..3ec1a94d8d64 100644 --- a/lib/audit.c +++ b/lib/audit.c @@ -45,23 +45,23 @@ int audit_classify_syscall(int abi, unsigned syscall) switch(syscall) { #ifdef __NR_open case __NR_open: - return 2; + return AUDITSC_OPEN; #endif #ifdef __NR_openat case __NR_openat: - return 3; + return AUDITSC_OPENAT; #endif #ifdef __NR_socketcall case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; #endif #ifdef __NR_execveat case __NR_execveat: #endif case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/lib/compat_audit.c b/lib/compat_audit.c index 77eabad69b4a..a38b282d353f 100644 --- a/lib/compat_audit.c +++ b/lib/compat_audit.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/init.h> #include <linux/types.h> +#include <linux/auditsc_classmacros.h> #include <asm/unistd32.h> unsigned compat_dir_class[] = { @@ -33,19 +34,19 @@ int audit_classify_compat_syscall(int abi, unsigned syscall) switch (syscall) { #ifdef __NR_open case __NR_open: - return 2; + return AUDITSC_OPEN; #endif #ifdef __NR_openat case __NR_openat: - return 3; + return AUDITSC_OPENAT; #endif #ifdef __NR_socketcall case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; #endif case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } -- 2.27.0 ^ permalink raw reply related [flat|nested] 60+ messages in thread
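Review bot: the include guard in the new include/linux/auditsc_classmacros.h is `_LINUX_AUDITSCM_H_`, which does not match the file name. Rename it to follow the file, for example `_LINUX_AUDITSC_CLASSMACROS_H_`, so that it cannot collide with a later header actually called auditscm.h. The commit message, the header's own banner comment and the `/* syscall class macros */` comment added to include/linux/audit.h all say "macros", while what the header defines is `enum auditsc_class_t`; the wording should say enum, or the commit message should explain why an enum was used in place of #defines.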
* [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros
From: Richard Guy Briggs @ 2021-05-19 20:00 UTC
To: Linux-Audit Mailing List, LKML, linux-fsdevel
Cc: linux-s390, linux-ia64, linux-parisc, Arnd Bergmann, Richard Guy Briggs, x86, Eric Paris, Aleksa Sarai, Alexander Viro, linux-alpha, sparclinux, Eric Paris, linuxppc-dev

Replace audit syscall class magic numbers with macros.

This required putting the macros into new header file
include/linux/auditsc_classmacros.h since the syscall macros were
included for both 64 bit and 32 bit in any compat code, causing
redefinition warnings.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com
---
 MAINTAINERS                         |  1 +
 arch/alpha/kernel/audit.c           |  8 ++++----
 arch/ia64/kernel/audit.c            |  8 ++++----
 arch/parisc/kernel/audit.c          |  8 ++++----
 arch/parisc/kernel/compat_audit.c   |  9 +++++----
 arch/powerpc/kernel/audit.c         | 10 +++++-----
 arch/powerpc/kernel/compat_audit.c  | 11 ++++++-----
 arch/s390/kernel/audit.c            | 10 +++++-----
 arch/s390/kernel/compat_audit.c     | 11 ++++++-----
 arch/sparc/kernel/audit.c           | 10 +++++-----
 arch/sparc/kernel/compat_audit.c    | 11 ++++++-----
 arch/x86/ia32/audit.c               | 11 ++++++-----
 arch/x86/kernel/audit_64.c          |  8 ++++----
 include/linux/audit.h               |  1 +
 include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++
 kernel/auditsc.c                    | 12 ++++++------
 lib/audit.c                         | 10 +++++-----
 lib/compat_audit.c                  | 11 ++++++-----
 18 files changed, 102 insertions(+), 71 deletions(-)
 create mode 100644 include/linux/auditsc_classmacros.h

diff --git a/MAINTAINERS b/MAINTAINERS index bd7aff0c120f..3348d12019f9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS
@@ -3036,6 +3036,7 @@ W: https://github.com/linux-audit T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git F: include/asm-generic/audit_*.h F: include/linux/audit.h +F: include/linux/auditsc_classmacros.h F: include/uapi/linux/audit.h F: kernel/audit* F: lib/*audit.c diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c index 96a9d18ff4c4..81cbd804e375 100644 --- a/arch/alpha/kernel/audit.c +++ b/arch/alpha/kernel/audit.c @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index 5192ca899fe6..dba6a74c9ab3 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c index 9eb47b2225d2..14244e83db75 100644 --- a/arch/parisc/kernel/audit.c +++ b/arch/parisc/kernel/audit.c @@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c index 20c39c9d86a9..1d6347d37d92 100644 --- a/arch/parisc/kernel/compat_audit.c +++ b/arch/parisc/kernel/compat_audit.c 
@@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> unsigned int parisc32_dir_class[] = { @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall) { switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c index a2dddd7f3d09..6eb18ef77dff 100644 --- a/arch/powerpc/kernel/audit.c +++ b/arch/powerpc/kernel/audit.c @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c index 55c6ccda0a85..b1dc2d1c4bad 100644 --- a/arch/powerpc/kernel/compat_audit.c +++ b/arch/powerpc/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #undef __powerpc64__ +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> unsigned ppc32_dir_class[] = { @@ -31,14 +32,14 @@ int ppc32_classify_syscall(unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c index d395c6c9944c..7e331e1831d4 100644 --- a/arch/s390/kernel/audit.c +++ b/arch/s390/kernel/audit.c 
@@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c index 444fb1f66944..fc3d1c7ad21c 100644 --- a/arch/s390/kernel/compat_audit.c +++ b/arch/s390/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #undef __s390x__ +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> #include "audit.h" @@ -32,14 +33,14 @@ int s390_classify_syscall(unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c index a6e91bf34d48..50fab35bdaba 100644 --- a/arch/sparc/kernel/audit.c +++ b/arch/sparc/kernel/audit.c @@ -48,15 +48,15 @@ int audit_classify_syscall(int abi, unsigned int syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c index 10eeb4f15b20..1c1b6d075421 100644 --- a/arch/sparc/kernel/compat_audit.c +++ b/arch/sparc/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #define __32bit_syscall_numbers__ +#include <linux/auditsc_classmacros.h> #include <asm/unistd.h> #include "kernel.h" 
@@ -32,14 +33,14 @@ int sparc32_classify_syscall(unsigned int syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c index 6efe6cb3768a..eedc37a1ee13 100644 --- a/arch/x86/ia32/audit.c +++ b/arch/x86/ia32/audit.c @@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/auditsc_classmacros.h> #include <asm/unistd_32.h> #include <asm/audit.h> @@ -31,15 +32,15 @@ int ia32_classify_syscall(unsigned syscall) { switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: case __NR_execveat: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c index 83d9cad4e68b..2a6cc9c9c881 100644 --- a/arch/x86/kernel/audit_64.c +++ b/arch/x86/kernel/audit_64.c @@ -47,14 +47,14 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: case __NR_execveat: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/include/linux/audit.h b/include/linux/audit.h index 82b7c1116a85..283bc91a6932 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -11,6 +11,7 @@ #include <linux/sched.h> #include <linux/ptrace.h> +#include <linux/auditsc_classmacros.h> /* syscall class macros */ #include <uapi/linux/audit.h> #include <uapi/linux/netfilter/nf_tables.h> 
diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h new file mode 100644 index 000000000000..18757d270961 --- /dev/null +++ b/include/linux/auditsc_classmacros.h @@ -0,0 +1,23 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* auditsc_classmacros.h -- Auditing support syscall macros + * + * Copyright 2021 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * Author: Richard Guy Briggs <rgb@redhat.com> + */ +#ifndef _LINUX_AUDITSCM_H_ +#define _LINUX_AUDITSCM_H_ + +enum auditsc_class_t { + AUDITSC_NATIVE = 0, + AUDITSC_COMPAT, + AUDITSC_OPEN, + AUDITSC_OPENAT, + AUDITSC_SOCKETCALL, + AUDITSC_EXECVE, + + AUDITSC_NVALS /* count */ +}; + +#endif diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 0a9a1569f1ea..d775ea16505b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -166,7 +166,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) n = ctx->major; switch (audit_classify_syscall(ctx->arch, n)) { - case 0: /* native */ + case AUDITSC_NATIVE: if ((mask & AUDIT_PERM_WRITE) && audit_match_class(AUDIT_CLASS_WRITE, n)) return 1; @@ -177,7 +177,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) audit_match_class(AUDIT_CLASS_CHATTR, n)) return 1; return 0; - case 1: /* 32bit on biarch */ + case AUDITSC_COMPAT: /* 32bit on biarch */ if ((mask & AUDIT_PERM_WRITE) && audit_match_class(AUDIT_CLASS_WRITE_32, n)) return 1; @@ -188,13 +188,13 @@ static int audit_match_perm(struct audit_context *ctx, int mask) audit_match_class(AUDIT_CLASS_CHATTR_32, n)) return 1; return 0; - case 2: /* open */ + case AUDITSC_OPEN: return mask & ACC_MODE(ctx->argv[1]); - case 3: /* openat */ + case AUDITSC_OPENAT: return mask & ACC_MODE(ctx->argv[2]); - case 4: /* socketcall */ + case AUDITSC_SOCKETCALL: return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); - case 5: /* execve */ + case AUDITSC_EXECVE: return mask & AUDIT_PERM_EXEC; default: return 0; 
diff --git a/lib/audit.c b/lib/audit.c index 5004bff928a7..3ec1a94d8d64 100644 --- a/lib/audit.c +++ b/lib/audit.c @@ -45,23 +45,23 @@ int audit_classify_syscall(int abi, unsigned syscall) switch(syscall) { #ifdef __NR_open case __NR_open: - return 2; + return AUDITSC_OPEN; #endif #ifdef __NR_openat case __NR_openat: - return 3; + return AUDITSC_OPENAT; #endif #ifdef __NR_socketcall case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; #endif #ifdef __NR_execveat case __NR_execveat: #endif case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/lib/compat_audit.c b/lib/compat_audit.c index 77eabad69b4a..a38b282d353f 100644 --- a/lib/compat_audit.c +++ b/lib/compat_audit.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/init.h> #include <linux/types.h> +#include <linux/auditsc_classmacros.h> #include <asm/unistd32.h> unsigned compat_dir_class[] = { @@ -33,19 +34,19 @@ int audit_classify_compat_syscall(int abi, unsigned syscall) switch (syscall) { #ifdef __NR_open case __NR_open: - return 2; + return AUDITSC_OPEN; #endif #ifdef __NR_openat case __NR_openat: - return 3; + return AUDITSC_OPENAT; #endif #ifdef __NR_socketcall case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; #endif case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } -- 2.27.0 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply related [flat|nested] 60+ messages in thread
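Review bot: the classifiers touched here (audit_classify_syscall(), audit_classify_compat_syscall(), ia32_classify_syscall() and the other per-arch variants) now return `AUDITSC_*` enumerators but keep `int` as their return type, so `enum auditsc_class_t` is never used as a type anywhere in the patch. Either change the return types to the enum or drop the `_t` tag and note in the header that the values travel as int. `AUDITSC_NVALS` is defined in the new header but nothing in these hunks uses it, so it should come with its first user or be justified in the commit message. The new header is also tagged `GPL-2.0-or-later` while the compat files that include it show `GPL-2.0` in their context lines; please confirm that difference is intended.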
* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros
From: Christian Brauner @ 2021-05-20 7:50 UTC
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Paul Moore, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai, Arnd Bergmann

On Wed, May 19, 2021 at 04:00:20PM -0400, Richard Guy Briggs wrote:
> Replace audit syscall class magic numbers with macros.
>
> This required putting the macros into new header file
> include/linux/auditsc_classmacros.h since the syscall macros were
> included for both 64 bit and 32 bit in any compat code, causing
> redefinition warnings.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com

Looks good.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>

Fwiw, I would explicitly number all enum values in auditsc_class_t not
just the first one.

> ---
> MAINTAINERS | 1 +
> arch/alpha/kernel/audit.c | 8 ++++----
> arch/ia64/kernel/audit.c | 8 ++++----
> arch/parisc/kernel/audit.c | 8 ++++----
> arch/parisc/kernel/compat_audit.c | 9 +++++----
> arch/powerpc/kernel/audit.c | 10 +++++-----
> arch/powerpc/kernel/compat_audit.c | 11 ++++++-----
> arch/s390/kernel/audit.c | 10 +++++-----
> arch/s390/kernel/compat_audit.c | 11 ++++++-----
> arch/sparc/kernel/audit.c | 10 +++++-----
> arch/sparc/kernel/compat_audit.c | 11 ++++++-----
> arch/x86/ia32/audit.c | 11 ++++++-----
> arch/x86/kernel/audit_64.c | 8 ++++----
> include/linux/audit.h | 1 +
> include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++
> kernel/auditsc.c | 12 ++++++------
> lib/audit.c | 10 +++++-----
> lib/compat_audit.c | 11 ++++++-----
> 18 files changed, 102 insertions(+), 71 deletions(-)
> create mode 100644 include/linux/auditsc_classmacros.h
>
> diff --git a/MAINTAINERS b/MAINTAINERS > index bd7aff0c120f..3348d12019f9 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -3036,6 +3036,7 @@ W: https://github.com/linux-audit > T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git > F: include/asm-generic/audit_*.h > F: include/linux/audit.h > +F: include/linux/auditsc_classmacros.h > F: include/uapi/linux/audit.h > F: kernel/audit* > F: lib/*audit.c > diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c > index 96a9d18ff4c4..81cbd804e375 100644 > --- a/arch/alpha/kernel/audit.c > +++ b/arch/alpha/kernel/audit.c
> @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c > index 5192ca899fe6..dba6a74c9ab3 100644 > --- a/arch/ia64/kernel/audit.c > +++ b/arch/ia64/kernel/audit.c > @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c > index 9eb47b2225d2..14244e83db75 100644 > --- a/arch/parisc/kernel/audit.c > +++ b/arch/parisc/kernel/audit.c > @@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch (syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c > index 20c39c9d86a9..1d6347d37d92 100644 > --- a/arch/parisc/kernel/compat_audit.c > +++ b/arch/parisc/kernel/compat_audit.c > @@ -1,4 +1,5 @@ > // SPDX-License-Identifier: GPL-2.0 > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > > unsigned int parisc32_dir_class[] = { 
> @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall) > { > switch (syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c > index a2dddd7f3d09..6eb18ef77dff 100644 > --- a/arch/powerpc/kernel/audit.c > +++ b/arch/powerpc/kernel/audit.c > @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c > index 55c6ccda0a85..b1dc2d1c4bad 100644 > --- a/arch/powerpc/kernel/compat_audit.c > +++ b/arch/powerpc/kernel/compat_audit.c > @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > #undef __powerpc64__ > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > > unsigned ppc32_dir_class[] = { > @@ -31,14 +32,14 @@ int ppc32_classify_syscall(unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c > index d395c6c9944c..7e331e1831d4 100644 > --- a/arch/s390/kernel/audit.c > +++ b/arch/s390/kernel/audit.c 
> @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c > index 444fb1f66944..fc3d1c7ad21c 100644 > --- a/arch/s390/kernel/compat_audit.c > +++ b/arch/s390/kernel/compat_audit.c > @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > #undef __s390x__ > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > #include "audit.h" > > @@ -32,14 +33,14 @@ int s390_classify_syscall(unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c > index a6e91bf34d48..50fab35bdaba 100644 > --- a/arch/sparc/kernel/audit.c > +++ b/arch/sparc/kernel/audit.c > @@ -48,15 +48,15 @@ int audit_classify_syscall(int abi, unsigned int syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c > index 10eeb4f15b20..1c1b6d075421 100644 > --- a/arch/sparc/kernel/compat_audit.c > +++ b/arch/sparc/kernel/compat_audit.c 
> @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > #define __32bit_syscall_numbers__ > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > #include "kernel.h" > > @@ -32,14 +33,14 @@ int sparc32_classify_syscall(unsigned int syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c > index 6efe6cb3768a..eedc37a1ee13 100644 > --- a/arch/x86/ia32/audit.c > +++ b/arch/x86/ia32/audit.c > @@ -1,4 +1,5 @@ > // SPDX-License-Identifier: GPL-2.0 > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd_32.h> > #include <asm/audit.h> > > @@ -31,15 +32,15 @@ int ia32_classify_syscall(unsigned syscall) > { > switch (syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > case __NR_execveat: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c > index 83d9cad4e68b..2a6cc9c9c881 100644 > --- a/arch/x86/kernel/audit_64.c > +++ b/arch/x86/kernel/audit_64.c > @@ -47,14 +47,14 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > case __NR_execveat: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 82b7c1116a85..283bc91a6932 100644 
> --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -11,6 +11,7 @@ > > #include <linux/sched.h> > #include <linux/ptrace.h> > +#include <linux/auditsc_classmacros.h> /* syscall class macros */ > #include <uapi/linux/audit.h> > #include <uapi/linux/netfilter/nf_tables.h> > > diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > new file mode 100644 > index 000000000000..18757d270961 > --- /dev/null > +++ b/include/linux/auditsc_classmacros.h > @@ -0,0 +1,23 @@ > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > +/* auditsc_classmacros.h -- Auditing support syscall macros > + * > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > + * All Rights Reserved. > + * > + * Author: Richard Guy Briggs <rgb@redhat.com> > + */ > +#ifndef _LINUX_AUDITSCM_H_ > +#define _LINUX_AUDITSCM_H_ > + > +enum auditsc_class_t { > + AUDITSC_NATIVE = 0, > + AUDITSC_COMPAT, > + AUDITSC_OPEN, > + AUDITSC_OPENAT, > + AUDITSC_SOCKETCALL, > + AUDITSC_EXECVE, > + > + AUDITSC_NVALS /* count */ > +}; > + > +#endif > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 0a9a1569f1ea..d775ea16505b 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -166,7 +166,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > n = ctx->major; > > switch (audit_classify_syscall(ctx->arch, n)) { > - case 0: /* native */ > + case AUDITSC_NATIVE: > if ((mask & AUDIT_PERM_WRITE) && > audit_match_class(AUDIT_CLASS_WRITE, n)) > return 1; > @@ -177,7 +177,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > audit_match_class(AUDIT_CLASS_CHATTR, n)) > return 1; > return 0; > - case 1: /* 32bit on biarch */ > + case AUDITSC_COMPAT: /* 32bit on biarch */ > if ((mask & AUDIT_PERM_WRITE) && > audit_match_class(AUDIT_CLASS_WRITE_32, n)) > return 1; 
> @@ -188,13 +188,13 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > audit_match_class(AUDIT_CLASS_CHATTR_32, n)) > return 1; > return 0; > - case 2: /* open */ > + case AUDITSC_OPEN: > return mask & ACC_MODE(ctx->argv[1]); > - case 3: /* openat */ > + case AUDITSC_OPENAT: > return mask & ACC_MODE(ctx->argv[2]); > - case 4: /* socketcall */ > + case AUDITSC_SOCKETCALL: > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > - case 5: /* execve */ > + case AUDITSC_EXECVE: > return mask & AUDIT_PERM_EXEC; > default: > return 0; > diff --git a/lib/audit.c b/lib/audit.c > index 5004bff928a7..3ec1a94d8d64 100644 > --- a/lib/audit.c > +++ b/lib/audit.c > @@ -45,23 +45,23 @@ int audit_classify_syscall(int abi, unsigned syscall) > switch(syscall) { > #ifdef __NR_open > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > #endif > #ifdef __NR_openat > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > #endif > #ifdef __NR_socketcall > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > #endif > #ifdef __NR_execveat > case __NR_execveat: > #endif > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/lib/compat_audit.c b/lib/compat_audit.c > index 77eabad69b4a..a38b282d353f 100644 > --- a/lib/compat_audit.c > +++ b/lib/compat_audit.c > @@ -1,6 +1,7 @@ > // SPDX-License-Identifier: GPL-2.0 > #include <linux/init.h> > #include <linux/types.h> > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd32.h> > > unsigned compat_dir_class[] = { 
> @@ -33,19 +34,19 @@ int audit_classify_compat_syscall(int abi, unsigned syscall) > switch (syscall) { > #ifdef __NR_open > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > #endif > #ifdef __NR_openat > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > #endif > #ifdef __NR_socketcall > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > #endif > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > -- > 2.27.0 > ^ permalink raw reply [flat|nested] 60+ messages in thread
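Review bot: the include guard in the new include/linux/auditsc_classmacros.h is still _LINUX_AUDITSCM_H_, which no longer matches the file name; rename it to something like _LINUX_AUDITSC_CLASSMACROS_H_ and put the same name in a comment on the closing #endif. The header comment also describes the file as "syscall macros" although what it defines is enum auditsc_class_t, so "syscall class values" would describe it better.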
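Review bot: in the kernel/auditsc.c hunks, audit_match_perm() keeps "default: return 0;" after the six named cases, so a class that is later added to enum auditsc_class_t and returned by a classifier, but not given a case here, would silently match no AUDIT_PERM_* filter. Every value returned by the classifiers shown in this patch is handled, so that branch is unreachable today; a WARN_ON_ONCE(1) in it, or a comment tying the switch to the enum, would make a missed class visible instead of quietly dropping permission matches.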
* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros @ 2021-05-20 7:50 ` Christian Brauner 0 siblings, 0 replies; 60+ messages in thread From: Christian Brauner @ 2021-05-20 7:50 UTC (permalink / raw) To: Richard Guy Briggs Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Paul Moore, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai, Arnd Bergmann On Wed, May 19, 2021 at 04:00:20PM -0400, Richard Guy Briggs wrote: > Replace audit syscall class magic numbers with macros. > > This required putting the macros into new header file > include/linux/auditsc_classmacros.h since the syscall macros were > included for both 64 bit and 32 bit in any compat code, causing > redefinition warnings. 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com Looks good. Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Fwiw, I would explicitly number all enum values in auditsc_class_t not just the first one. > --- > MAINTAINERS | 1 + > arch/alpha/kernel/audit.c | 8 ++++---- > arch/ia64/kernel/audit.c | 8 ++++---- > arch/parisc/kernel/audit.c | 8 ++++---- > arch/parisc/kernel/compat_audit.c | 9 +++++---- > arch/powerpc/kernel/audit.c | 10 +++++----- > arch/powerpc/kernel/compat_audit.c | 11 ++++++----- > arch/s390/kernel/audit.c | 10 +++++----- > arch/s390/kernel/compat_audit.c | 11 ++++++----- > arch/sparc/kernel/audit.c | 10 +++++----- > arch/sparc/kernel/compat_audit.c | 11 ++++++----- > arch/x86/ia32/audit.c | 11 ++++++----- > arch/x86/kernel/audit_64.c | 8 ++++---- > include/linux/audit.h | 1 + > include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++ > kernel/auditsc.c | 12 ++++++------ > lib/audit.c | 10 +++++----- > lib/compat_audit.c | 11 ++++++----- > 18 files changed, 102 insertions(+), 71 deletions(-) > create mode 100644 include/linux/auditsc_classmacros.h > > diff --git a/MAINTAINERS b/MAINTAINERS > index bd7aff0c120f..3348d12019f9 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -3036,6 +3036,7 @@ W: https://github.com/linux-audit > T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git > F: include/asm-generic/audit_*.h > F: include/linux/audit.h > +F: include/linux/auditsc_classmacros.h > F: include/uapi/linux/audit.h > F: kernel/audit* > F: lib/*audit.c > diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c > index 96a9d18ff4c4..81cbd804e375 100644 > --- a/arch/alpha/kernel/audit.c > +++ b/arch/alpha/kernel/audit.c 
> @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c > index 5192ca899fe6..dba6a74c9ab3 100644 > --- a/arch/ia64/kernel/audit.c > +++ b/arch/ia64/kernel/audit.c > @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c > index 9eb47b2225d2..14244e83db75 100644 > --- a/arch/parisc/kernel/audit.c > +++ b/arch/parisc/kernel/audit.c > @@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch (syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c > index 20c39c9d86a9..1d6347d37d92 100644 > --- a/arch/parisc/kernel/compat_audit.c > +++ b/arch/parisc/kernel/compat_audit.c > @@ -1,4 +1,5 @@ > // SPDX-License-Identifier: GPL-2.0 > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > > unsigned int parisc32_dir_class[] = { 
> @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall) > { > switch (syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c > index a2dddd7f3d09..6eb18ef77dff 100644 > --- a/arch/powerpc/kernel/audit.c > +++ b/arch/powerpc/kernel/audit.c > @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c > index 55c6ccda0a85..b1dc2d1c4bad 100644 > --- a/arch/powerpc/kernel/compat_audit.c > +++ b/arch/powerpc/kernel/compat_audit.c > @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > #undef __powerpc64__ > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > > unsigned ppc32_dir_class[] = { > @@ -31,14 +32,14 @@ int ppc32_classify_syscall(unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c > index d395c6c9944c..7e331e1831d4 100644 > --- a/arch/s390/kernel/audit.c > +++ b/arch/s390/kernel/audit.c 
> @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c > index 444fb1f66944..fc3d1c7ad21c 100644 > --- a/arch/s390/kernel/compat_audit.c > +++ b/arch/s390/kernel/compat_audit.c > @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > #undef __s390x__ > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > #include "audit.h" > > @@ -32,14 +33,14 @@ int s390_classify_syscall(unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c > index a6e91bf34d48..50fab35bdaba 100644 > --- a/arch/sparc/kernel/audit.c > +++ b/arch/sparc/kernel/audit.c > @@ -48,15 +48,15 @@ int audit_classify_syscall(int abi, unsigned int syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c > index 10eeb4f15b20..1c1b6d075421 100644 > --- a/arch/sparc/kernel/compat_audit.c > +++ b/arch/sparc/kernel/compat_audit.c 
> @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > #define __32bit_syscall_numbers__ > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > #include "kernel.h" > > @@ -32,14 +33,14 @@ int sparc32_classify_syscall(unsigned int syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c > index 6efe6cb3768a..eedc37a1ee13 100644 > --- a/arch/x86/ia32/audit.c > +++ b/arch/x86/ia32/audit.c > @@ -1,4 +1,5 @@ > // SPDX-License-Identifier: GPL-2.0 > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd_32.h> > #include <asm/audit.h> > > @@ -31,15 +32,15 @@ int ia32_classify_syscall(unsigned syscall) > { > switch (syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > case __NR_execveat: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c > index 83d9cad4e68b..2a6cc9c9c881 100644 > --- a/arch/x86/kernel/audit_64.c > +++ b/arch/x86/kernel/audit_64.c > @@ -47,14 +47,14 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > case __NR_execveat: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 82b7c1116a85..283bc91a6932 100644 
> --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -11,6 +11,7 @@ > > #include <linux/sched.h> > #include <linux/ptrace.h> > +#include <linux/auditsc_classmacros.h> /* syscall class macros */ > #include <uapi/linux/audit.h> > #include <uapi/linux/netfilter/nf_tables.h> > > diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > new file mode 100644 > index 000000000000..18757d270961 > --- /dev/null > +++ b/include/linux/auditsc_classmacros.h > @@ -0,0 +1,23 @@ > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > +/* auditsc_classmacros.h -- Auditing support syscall macros > + * > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > + * All Rights Reserved. > + * > + * Author: Richard Guy Briggs <rgb@redhat.com> > + */ > +#ifndef _LINUX_AUDITSCM_H_ > +#define _LINUX_AUDITSCM_H_ > + > +enum auditsc_class_t { > + AUDITSC_NATIVE = 0, > + AUDITSC_COMPAT, > + AUDITSC_OPEN, > + AUDITSC_OPENAT, > + AUDITSC_SOCKETCALL, > + AUDITSC_EXECVE, > + > + AUDITSC_NVALS /* count */ > +}; > + > +#endif > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 0a9a1569f1ea..d775ea16505b 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -166,7 +166,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > n = ctx->major; > > switch (audit_classify_syscall(ctx->arch, n)) { > - case 0: /* native */ > + case AUDITSC_NATIVE: > if ((mask & AUDIT_PERM_WRITE) && > audit_match_class(AUDIT_CLASS_WRITE, n)) > return 1; > @@ -177,7 +177,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > audit_match_class(AUDIT_CLASS_CHATTR, n)) > return 1; > return 0; > - case 1: /* 32bit on biarch */ > + case AUDITSC_COMPAT: /* 32bit on biarch */ > if ((mask & AUDIT_PERM_WRITE) && > audit_match_class(AUDIT_CLASS_WRITE_32, n)) > return 1; 
> @@ -188,13 +188,13 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > audit_match_class(AUDIT_CLASS_CHATTR_32, n)) > return 1; > return 0; > - case 2: /* open */ > + case AUDITSC_OPEN: > return mask & ACC_MODE(ctx->argv[1]); > - case 3: /* openat */ > + case AUDITSC_OPENAT: > return mask & ACC_MODE(ctx->argv[2]); > - case 4: /* socketcall */ > + case AUDITSC_SOCKETCALL: > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] = SYS_BIND); > - case 5: /* execve */ > + case AUDITSC_EXECVE: > return mask & AUDIT_PERM_EXEC; > default: > return 0; > diff --git a/lib/audit.c b/lib/audit.c > index 5004bff928a7..3ec1a94d8d64 100644 > --- a/lib/audit.c > +++ b/lib/audit.c > @@ -45,23 +45,23 @@ int audit_classify_syscall(int abi, unsigned syscall) > switch(syscall) { > #ifdef __NR_open > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > #endif > #ifdef __NR_openat > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > #endif > #ifdef __NR_socketcall > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > #endif > #ifdef __NR_execveat > case __NR_execveat: > #endif > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/lib/compat_audit.c b/lib/compat_audit.c > index 77eabad69b4a..a38b282d353f 100644 > --- a/lib/compat_audit.c > +++ b/lib/compat_audit.c > @@ -1,6 +1,7 @@ > // SPDX-License-Identifier: GPL-2.0 > #include <linux/init.h> > #include <linux/types.h> > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd32.h> > > unsigned compat_dir_class[] = { 
> @@ -33,19 +34,19 @@ int audit_classify_compat_syscall(int abi, unsigned syscall) > switch (syscall) { > #ifdef __NR_open > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > #endif > #ifdef __NR_openat > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > #endif > #ifdef __NR_socketcall > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > #endif > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > -- > 2.27.0 > ^ permalink raw reply [flat|nested] 60+ messages in thread
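Review bot: in this copy of the quoted kernel/auditsc.c hunk, the context line under case AUDITSC_SOCKETCALL reads "ctx->argv[0] = SYS_BIND", where the same quoted line in the earlier copy of this reply has "ctx->argv[0] == SYS_BIND". The patch does not touch that line (it is unchanged context), and the comparison is the only form that makes sense: with "=" the expression would assign to the result of "&&" and would not compile. Read the socketcall branch against the "==" version.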
* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros @ 2021-05-20 7:50 ` Christian Brauner 0 siblings, 0 replies; 60+ messages in thread From: Christian Brauner @ 2021-05-20 7:50 UTC (permalink / raw) To: Richard Guy Briggs Cc: linux-s390, linux-ia64, Paul Moore, linux-parisc, Arnd Bergmann, x86, LKML, Eric Paris, sparclinux, Aleksa Sarai, Linux-Audit Mailing List, Alexander Viro, linux-alpha, linux-fsdevel, Eric Paris, Steve Grubb, linuxppc-dev On Wed, May 19, 2021 at 04:00:20PM -0400, Richard Guy Briggs wrote: > Replace audit syscall class magic numbers with macros. > > This required putting the macros into new header file > include/linux/auditsc_classmacros.h since the syscall macros were > included for both 64 bit and 32 bit in any compat code, causing > redefinition warnings. 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com Looks good. Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Fwiw, I would explicitly number all enum values in auditsc_class_t not just the first one. > --- > MAINTAINERS | 1 + > arch/alpha/kernel/audit.c | 8 ++++---- > arch/ia64/kernel/audit.c | 8 ++++---- > arch/parisc/kernel/audit.c | 8 ++++---- > arch/parisc/kernel/compat_audit.c | 9 +++++---- > arch/powerpc/kernel/audit.c | 10 +++++----- > arch/powerpc/kernel/compat_audit.c | 11 ++++++----- > arch/s390/kernel/audit.c | 10 +++++----- > arch/s390/kernel/compat_audit.c | 11 ++++++----- > arch/sparc/kernel/audit.c | 10 +++++----- > arch/sparc/kernel/compat_audit.c | 11 ++++++----- > arch/x86/ia32/audit.c | 11 ++++++----- > arch/x86/kernel/audit_64.c | 8 ++++---- > include/linux/audit.h | 1 + > include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++ > kernel/auditsc.c | 12 ++++++------ > lib/audit.c | 10 +++++----- > lib/compat_audit.c | 11 ++++++----- > 18 files changed, 102 insertions(+), 71 deletions(-) > create mode 100644 include/linux/auditsc_classmacros.h > > diff --git a/MAINTAINERS b/MAINTAINERS > index bd7aff0c120f..3348d12019f9 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -3036,6 +3036,7 @@ W: https://github.com/linux-audit > T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git > F: include/asm-generic/audit_*.h > F: include/linux/audit.h > +F: include/linux/auditsc_classmacros.h > F: include/uapi/linux/audit.h > F: kernel/audit* > F: lib/*audit.c > diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c > index 96a9d18ff4c4..81cbd804e375 100644 > --- a/arch/alpha/kernel/audit.c > +++ b/arch/alpha/kernel/audit.c 
> @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c > index 5192ca899fe6..dba6a74c9ab3 100644 > --- a/arch/ia64/kernel/audit.c > +++ b/arch/ia64/kernel/audit.c > @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c > index 9eb47b2225d2..14244e83db75 100644 > --- a/arch/parisc/kernel/audit.c > +++ b/arch/parisc/kernel/audit.c > @@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch (syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c > index 20c39c9d86a9..1d6347d37d92 100644 > --- a/arch/parisc/kernel/compat_audit.c > +++ b/arch/parisc/kernel/compat_audit.c > @@ -1,4 +1,5 @@ > // SPDX-License-Identifier: GPL-2.0 > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > > unsigned int parisc32_dir_class[] = { 
> @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall) > { > switch (syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c > index a2dddd7f3d09..6eb18ef77dff 100644 > --- a/arch/powerpc/kernel/audit.c > +++ b/arch/powerpc/kernel/audit.c > @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c > index 55c6ccda0a85..b1dc2d1c4bad 100644 > --- a/arch/powerpc/kernel/compat_audit.c > +++ b/arch/powerpc/kernel/compat_audit.c > @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > #undef __powerpc64__ > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > > unsigned ppc32_dir_class[] = { > @@ -31,14 +32,14 @@ int ppc32_classify_syscall(unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c > index d395c6c9944c..7e331e1831d4 100644 > --- a/arch/s390/kernel/audit.c > +++ b/arch/s390/kernel/audit.c 
> @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c > index 444fb1f66944..fc3d1c7ad21c 100644 > --- a/arch/s390/kernel/compat_audit.c > +++ b/arch/s390/kernel/compat_audit.c > @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > #undef __s390x__ > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > #include "audit.h" > > @@ -32,14 +33,14 @@ int s390_classify_syscall(unsigned syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c > index a6e91bf34d48..50fab35bdaba 100644 > --- a/arch/sparc/kernel/audit.c > +++ b/arch/sparc/kernel/audit.c > @@ -48,15 +48,15 @@ int audit_classify_syscall(int abi, unsigned int syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c > index 10eeb4f15b20..1c1b6d075421 100644 > --- a/arch/sparc/kernel/compat_audit.c > +++ b/arch/sparc/kernel/compat_audit.c 
> @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > #define __32bit_syscall_numbers__ > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd.h> > #include "kernel.h" > > @@ -32,14 +33,14 @@ int sparc32_classify_syscall(unsigned int syscall) > { > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c > index 6efe6cb3768a..eedc37a1ee13 100644 > --- a/arch/x86/ia32/audit.c > +++ b/arch/x86/ia32/audit.c > @@ -1,4 +1,5 @@ > // SPDX-License-Identifier: GPL-2.0 > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd_32.h> > #include <asm/audit.h> > > @@ -31,15 +32,15 @@ int ia32_classify_syscall(unsigned syscall) > { > switch (syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > case __NR_execve: > case __NR_execveat: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c > index 83d9cad4e68b..2a6cc9c9c881 100644 > --- a/arch/x86/kernel/audit_64.c > +++ b/arch/x86/kernel/audit_64.c > @@ -47,14 +47,14 @@ int audit_classify_syscall(int abi, unsigned syscall) > #endif > switch(syscall) { > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > case __NR_execve: > case __NR_execveat: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 82b7c1116a85..283bc91a6932 100644 
> --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -11,6 +11,7 @@ > > #include <linux/sched.h> > #include <linux/ptrace.h> > +#include <linux/auditsc_classmacros.h> /* syscall class macros */ > #include <uapi/linux/audit.h> > #include <uapi/linux/netfilter/nf_tables.h> > > diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > new file mode 100644 > index 000000000000..18757d270961 > --- /dev/null > +++ b/include/linux/auditsc_classmacros.h > @@ -0,0 +1,23 @@ > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > +/* auditsc_classmacros.h -- Auditing support syscall macros > + * > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > + * All Rights Reserved. > + * > + * Author: Richard Guy Briggs <rgb@redhat.com> > + */ > +#ifndef _LINUX_AUDITSCM_H_ > +#define _LINUX_AUDITSCM_H_ > + > +enum auditsc_class_t { > + AUDITSC_NATIVE = 0, > + AUDITSC_COMPAT, > + AUDITSC_OPEN, > + AUDITSC_OPENAT, > + AUDITSC_SOCKETCALL, > + AUDITSC_EXECVE, > + > + AUDITSC_NVALS /* count */ > +}; > + > +#endif > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 0a9a1569f1ea..d775ea16505b 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -166,7 +166,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > n = ctx->major; > > switch (audit_classify_syscall(ctx->arch, n)) { > - case 0: /* native */ > + case AUDITSC_NATIVE: > if ((mask & AUDIT_PERM_WRITE) && > audit_match_class(AUDIT_CLASS_WRITE, n)) > return 1; > @@ -177,7 +177,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > audit_match_class(AUDIT_CLASS_CHATTR, n)) > return 1; > return 0; > - case 1: /* 32bit on biarch */ > + case AUDITSC_COMPAT: /* 32bit on biarch */ > if ((mask & AUDIT_PERM_WRITE) && > audit_match_class(AUDIT_CLASS_WRITE_32, n)) > return 1; 
> @@ -188,13 +188,13 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > audit_match_class(AUDIT_CLASS_CHATTR_32, n)) > return 1; > return 0; > - case 2: /* open */ > + case AUDITSC_OPEN: > return mask & ACC_MODE(ctx->argv[1]); > - case 3: /* openat */ > + case AUDITSC_OPENAT: > return mask & ACC_MODE(ctx->argv[2]); > - case 4: /* socketcall */ > + case AUDITSC_SOCKETCALL: > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > - case 5: /* execve */ > + case AUDITSC_EXECVE: > return mask & AUDIT_PERM_EXEC; > default: > return 0; > diff --git a/lib/audit.c b/lib/audit.c > index 5004bff928a7..3ec1a94d8d64 100644 > --- a/lib/audit.c > +++ b/lib/audit.c > @@ -45,23 +45,23 @@ int audit_classify_syscall(int abi, unsigned syscall) > switch(syscall) { > #ifdef __NR_open > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > #endif > #ifdef __NR_openat > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > #endif > #ifdef __NR_socketcall > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > #endif > #ifdef __NR_execveat > case __NR_execveat: > #endif > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 0; > + return AUDITSC_NATIVE; > } > } > > diff --git a/lib/compat_audit.c b/lib/compat_audit.c > index 77eabad69b4a..a38b282d353f 100644 > --- a/lib/compat_audit.c > +++ b/lib/compat_audit.c > @@ -1,6 +1,7 @@ > // SPDX-License-Identifier: GPL-2.0 > #include <linux/init.h> > #include <linux/types.h> > +#include <linux/auditsc_classmacros.h> > #include <asm/unistd32.h> > > unsigned compat_dir_class[] = { 
> @@ -33,19 +34,19 @@ int audit_classify_compat_syscall(int abi, unsigned syscall) > switch (syscall) { > #ifdef __NR_open > case __NR_open: > - return 2; > + return AUDITSC_OPEN; > #endif > #ifdef __NR_openat > case __NR_openat: > - return 3; > + return AUDITSC_OPENAT; > #endif > #ifdef __NR_socketcall > case __NR_socketcall: > - return 4; > + return AUDITSC_SOCKETCALL; > #endif > case __NR_execve: > - return 5; > + return AUDITSC_EXECVE; > default: > - return 1; > + return AUDITSC_COMPAT; > } > } > -- > 2.27.0 > ^ permalink raw reply [flat|nested] 60+ messages in thread
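Review bot: The native classifiers (arch/alpha, ia64, parisc, powerpc, s390 and sparc kernel/audit.c, arch/x86/kernel/audit_64.c, lib/audit.c) now return AUDITSC_* values, but none of their hunks adds an include for the new header. Only the compat files and include/linux/audit.h gain `#include <linux/auditsc_classmacros.h>`. If the native files are expected to pick up the enum through linux/audit.h, either add the include explicitly in each of them or say in the commit message that they rely on it, so that a later cleanup of audit.h includes does not break these builds unnoticed.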
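Review bot: In the kernel/auditsc.c hunks, audit_match_perm() still switches on the `int` returned by audit_classify_syscall() and keeps `default: return 0;`, so a class added to enum auditsc_class_t later (the openat2 class from the next patch in this series, for instance) would fall into the default branch with no compiler diagnostic. Consider making the classifiers return `enum auditsc_class_t`, or at least note next to the enum that audit_match_perm() must be updated for every new value. Minor: the `/* 32bit on biarch */` comment is kept on AUDITSC_COMPAT while the other case comments are dropped; keep or drop them consistently.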
* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros 2021-05-19 20:00 ` Richard Guy Briggs (?) (?) @ 2021-08-05 22:01 ` Paul Moore -1 siblings, 0 replies; 60+ messages in thread From: Paul Moore @ 2021-08-05 22:01 UTC (permalink / raw) To: Richard Guy Briggs Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai, Arnd Bergmann On Wed, May 19, 2021 at 4:01 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > Replace audit syscall class magic numbers with macros. > > This required putting the macros into new header file > include/linux/auditsc_classmacros.h since the syscall macros were > included for both 64 bit and 32 bit in any compat code, causing > redefinition warnings. > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com > --- > MAINTAINERS | 1 + > arch/alpha/kernel/audit.c | 8 ++++---- > arch/ia64/kernel/audit.c | 8 ++++---- > arch/parisc/kernel/audit.c | 8 ++++---- > arch/parisc/kernel/compat_audit.c | 9 +++++---- > arch/powerpc/kernel/audit.c | 10 +++++----- > arch/powerpc/kernel/compat_audit.c | 11 ++++++----- > arch/s390/kernel/audit.c | 10 +++++----- > arch/s390/kernel/compat_audit.c | 11 ++++++----- > arch/sparc/kernel/audit.c | 10 +++++----- > arch/sparc/kernel/compat_audit.c | 11 ++++++----- > arch/x86/ia32/audit.c | 11 ++++++----- > arch/x86/kernel/audit_64.c | 8 ++++---- > include/linux/audit.h | 1 + > include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++ > kernel/auditsc.c | 12 ++++++------ > lib/audit.c | 10 +++++----- > lib/compat_audit.c | 11 ++++++----- > 18 files changed, 102 insertions(+), 71 deletions(-) > create mode 100644 include/linux/auditsc_classmacros.h ... 
> diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > new file mode 100644 > index 000000000000..18757d270961 > --- /dev/null > +++ b/include/linux/auditsc_classmacros.h > @@ -0,0 +1,23 @@ > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > +/* auditsc_classmacros.h -- Auditing support syscall macros > + * > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > + * All Rights Reserved. > + * > + * Author: Richard Guy Briggs <rgb@redhat.com> > + */ > +#ifndef _LINUX_AUDITSCM_H_ > +#define _LINUX_AUDITSCM_H_ > + > +enum auditsc_class_t { > + AUDITSC_NATIVE = 0, > + AUDITSC_COMPAT, > + AUDITSC_OPEN, > + AUDITSC_OPENAT, > + AUDITSC_SOCKETCALL, > + AUDITSC_EXECVE, > + > + AUDITSC_NVALS /* count */ > +}; > + > +#endif My apologies Richard, for some reason I had it in my mind that this series was waiting on you to answer a question and/or respin; however, now that I'm clearing my patch queues looking for any stragglers I see that isn't the case. Looking over the patchset I think it looks okay to me, my only concern is that "auditsc_classmacros.h" is an awfully specific header file name and could prove to be annoying if we want to add to it in the future. What do you think about something like "audit_arch.h" instead? If that change is okay with you I can go ahead and do the rename while I'm merging the patches, I'll consider it penance for letting this patchset sit for so long :/ -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 60+ messages in thread
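Review bot: The include guard in the new header is `_LINUX_AUDITSCM_H_`, which does not match the file name auditsc_classmacros.h; it looks like a leftover from the earlier auditscm.h name listed in the changelog. Rename the guard together with the file, and again if the header becomes audit_arch.h as proposed in this reply. The header comment also describes "syscall macros" while the file defines `enum auditsc_class_t`, so the description (and the "macros" wording in the subject line) should be brought in line with what is actually added.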
* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros @ 2021-08-05 22:01 ` Paul Moore 0 siblings, 0 replies; 60+ messages in thread From: Paul Moore @ 2021-08-05 22:01 UTC (permalink / raw) To: Richard Guy Briggs Cc: linux-s390, linux-ia64, linux-parisc, Arnd Bergmann, x86, LKML, Eric Paris, sparclinux, Aleksa Sarai, Linux-Audit Mailing List, Alexander Viro, linux-alpha, linux-fsdevel, Eric Paris, linuxppc-dev On Wed, May 19, 2021 at 4:01 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > Replace audit syscall class magic numbers with macros. > > This required putting the macros into new header file > include/linux/auditsc_classmacros.h since the syscall macros were > included for both 64 bit and 32 bit in any compat code, causing > redefinition warnings. > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com > --- > MAINTAINERS | 1 + > arch/alpha/kernel/audit.c | 8 ++++---- > arch/ia64/kernel/audit.c | 8 ++++---- > arch/parisc/kernel/audit.c | 8 ++++---- > arch/parisc/kernel/compat_audit.c | 9 +++++---- > arch/powerpc/kernel/audit.c | 10 +++++----- > arch/powerpc/kernel/compat_audit.c | 11 ++++++----- > arch/s390/kernel/audit.c | 10 +++++----- > arch/s390/kernel/compat_audit.c | 11 ++++++----- > arch/sparc/kernel/audit.c | 10 +++++----- > arch/sparc/kernel/compat_audit.c | 11 ++++++----- > arch/x86/ia32/audit.c | 11 ++++++----- > arch/x86/kernel/audit_64.c | 8 ++++---- > include/linux/audit.h | 1 + > include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++ > kernel/auditsc.c | 12 ++++++------ > lib/audit.c | 10 +++++----- > lib/compat_audit.c | 11 ++++++----- > 18 files changed, 102 insertions(+), 71 deletions(-) > create mode 100644 include/linux/auditsc_classmacros.h ... > diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > new file mode 100644 > index 000000000000..18757d270961 
> --- /dev/null > +++ b/include/linux/auditsc_classmacros.h > @@ -0,0 +1,23 @@ > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > +/* auditsc_classmacros.h -- Auditing support syscall macros > + * > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > + * All Rights Reserved. > + * > + * Author: Richard Guy Briggs <rgb@redhat.com> > + */ > +#ifndef _LINUX_AUDITSCM_H_ > +#define _LINUX_AUDITSCM_H_ > + > +enum auditsc_class_t { > + AUDITSC_NATIVE = 0, > + AUDITSC_COMPAT, > + AUDITSC_OPEN, > + AUDITSC_OPENAT, > + AUDITSC_SOCKETCALL, > + AUDITSC_EXECVE, > + > + AUDITSC_NVALS /* count */ > +}; > + > +#endif My apologies Richard, for some reason I had it in my mind that this series was waiting on you to answer a question and/or respin; however, now that I'm clearing my patch queues looking for any stragglers I see that isn't the case. Looking over the patchset I think it looks okay to me, my only concern is that "auditsc_classmacros.h" is an awfully specific header file name and could prove to be annoying if we want to add to it in the future. What do you think about something like "audit_arch.h" instead? If that change is okay with you I can go ahead and do the rename while I'm merging the patches, I'll consider it penance for letting this patchset sit for so long :/ -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros 2021-08-05 22:01 ` Paul Moore ` (2 preceding siblings ...) (?) @ 2021-09-30 20:38 ` Paul Moore 2021-10-01 19:53 ` Richard Guy Briggs -1 siblings, 1 reply; 60+ messages in thread From: Paul Moore @ 2021-09-30 20:38 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List On Thu, Aug 5, 2021 at 6:01 PM Paul Moore <paul@paul-moore.com> wrote: > > On Wed, May 19, 2021 at 4:01 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > > > Replace audit syscall class magic numbers with macros. > > > > This required putting the macros into new header file > > include/linux/auditsc_classmacros.h since the syscall macros were > > included for both 64 bit and 32 bit in any compat code, causing > > redefinition warnings. > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com > > --- > > MAINTAINERS | 1 + > > arch/alpha/kernel/audit.c | 8 ++++---- > > arch/ia64/kernel/audit.c | 8 ++++---- > > arch/parisc/kernel/audit.c | 8 ++++---- > > arch/parisc/kernel/compat_audit.c | 9 +++++---- > > arch/powerpc/kernel/audit.c | 10 +++++----- > > arch/powerpc/kernel/compat_audit.c | 11 ++++++----- > > arch/s390/kernel/audit.c | 10 +++++----- > > arch/s390/kernel/compat_audit.c | 11 ++++++----- > > arch/sparc/kernel/audit.c | 10 +++++----- > > arch/sparc/kernel/compat_audit.c | 11 ++++++----- > > arch/x86/ia32/audit.c | 11 ++++++----- > > arch/x86/kernel/audit_64.c | 8 ++++---- > > include/linux/audit.h | 1 + > > include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++ > > kernel/auditsc.c | 12 ++++++------ > > lib/audit.c | 10 +++++----- > > lib/compat_audit.c | 11 ++++++----- > > 18 files changed, 102 insertions(+), 71 deletions(-) > > create mode 100644 include/linux/auditsc_classmacros.h > > ... 
> > > diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > > new file mode 100644 > > index 000000000000..18757d270961 > > --- /dev/null > > +++ b/include/linux/auditsc_classmacros.h > > @@ -0,0 +1,23 @@ > > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > > +/* auditsc_classmacros.h -- Auditing support syscall macros > > + * > > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > > + * All Rights Reserved. > > + * > > + * Author: Richard Guy Briggs <rgb@redhat.com> > > + */ > > +#ifndef _LINUX_AUDITSCM_H_ > > +#define _LINUX_AUDITSCM_H_ > > + > > +enum auditsc_class_t { > > + AUDITSC_NATIVE = 0, > > + AUDITSC_COMPAT, > > + AUDITSC_OPEN, > > + AUDITSC_OPENAT, > > + AUDITSC_SOCKETCALL, > > + AUDITSC_EXECVE, > > + > > + AUDITSC_NVALS /* count */ > > +}; > > + > > +#endif > > My apologies Richard, for some reason I had it in my mind that this > series was waiting on you to answer a question and/or respin; however, > now that I'm clearing my patch queues looking for any stragglers I see > that isn't the case. Looking over the patchset I think it looks okay > to me, my only concern is that "auditsc_classmacros.h" is an awfully > specific header file name and could prove to be annoying if we want to > add to it in the future. What do you think about something like > "audit_arch.h" instead? > > If that change is okay with you I can go ahead and do the rename while > I'm merging the patches, I'll consider it penance for letting this > patchset sit for so long :/ [NOTE: trimmed the To/CC line as it is excessive for a ping like this] Going through the patch queue and I see this never got a response, or rather none that hit my inbox. Richard? -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros 2021-09-30 20:38 ` Paul Moore @ 2021-10-01 19:53 ` Richard Guy Briggs 2021-10-01 20:34 ` Paul Moore 0 siblings, 1 reply; 60+ messages in thread From: Richard Guy Briggs @ 2021-10-01 19:53 UTC (permalink / raw) To: Paul Moore; +Cc: Linux-Audit Mailing List On 2021-09-30 16:38, Paul Moore wrote: > On Thu, Aug 5, 2021 at 6:01 PM Paul Moore <paul@paul-moore.com> wrote: > > On Wed, May 19, 2021 at 4:01 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > > Replace audit syscall class magic numbers with macros. > > > > > > This required putting the macros into new header file > > > include/linux/auditsc_classmacros.h since the syscall macros were > > > included for both 64 bit and 32 bit in any compat code, causing > > > redefinition warnings. > > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com > > > --- > > > MAINTAINERS | 1 + > > > arch/alpha/kernel/audit.c | 8 ++++---- > > > arch/ia64/kernel/audit.c | 8 ++++---- > > > arch/parisc/kernel/audit.c | 8 ++++---- > > > arch/parisc/kernel/compat_audit.c | 9 +++++---- > > > arch/powerpc/kernel/audit.c | 10 +++++----- > > > arch/powerpc/kernel/compat_audit.c | 11 ++++++----- > > > arch/s390/kernel/audit.c | 10 +++++----- > > > arch/s390/kernel/compat_audit.c | 11 ++++++----- > > > arch/sparc/kernel/audit.c | 10 +++++----- > > > arch/sparc/kernel/compat_audit.c | 11 ++++++----- > > > arch/x86/ia32/audit.c | 11 ++++++----- > > > arch/x86/kernel/audit_64.c | 8 ++++---- > > > include/linux/audit.h | 1 + > > > include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++ > > > kernel/auditsc.c | 12 ++++++------ > > > lib/audit.c | 10 +++++----- > > > lib/compat_audit.c | 11 ++++++----- > > > 18 files changed, 102 insertions(+), 71 deletions(-) > > > create mode 100644 include/linux/auditsc_classmacros.h > > > > ... 
> > > > > diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > > > new file mode 100644 > > > index 000000000000..18757d270961 > > > --- /dev/null > > > +++ b/include/linux/auditsc_classmacros.h 
> > > @@ -0,0 +1,23 @@ > > > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > > > +/* auditsc_classmacros.h -- Auditing support syscall macros > > > + * > > > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > > > + * All Rights Reserved. > > > + * > > > + * Author: Richard Guy Briggs <rgb@redhat.com> > > > + */ > > > +#ifndef _LINUX_AUDITSCM_H_ > > > +#define _LINUX_AUDITSCM_H_ > > > + > > > +enum auditsc_class_t { > > > + AUDITSC_NATIVE = 0, > > > + AUDITSC_COMPAT, > > > + AUDITSC_OPEN, > > > + AUDITSC_OPENAT, > > > + AUDITSC_SOCKETCALL, > > > + AUDITSC_EXECVE, > > > + > > > + AUDITSC_NVALS /* count */ > > > +}; > > > + > > > +#endif > > > > My apologies Richard, for some reason I had it in my mind that this > > series was waiting on you to answer a question and/or respin; however, > > now that I'm clearing my patch queues looking for any stragglers I see > > that isn't the case. Looking over the patchset I think it looks okay > > to me, my only concern is that "auditsc_classmacros.h" is an awfully > > specific header file name and could prove to be annoying if we want to > > add to it in the future. What do you think about something like > > "audit_arch.h" instead? > > > > If that change is okay with you I can go ahead and do the rename while > > I'm merging the patches, I'll consider it penance for letting this > > patchset sit for so long :/ > > [NOTE: trimmed the To/CC line as it is excessive for a ping like this] > > Going through the patch queue and I see this never got a response, or > rather none that hit my inbox. Richard? Hmmm, sorry about that, delay my fault this time. I don't have a strong opinion about it, but prefer the original, or auditsc_arch.h at least. > paul moore - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. 
S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros
From: Paul Moore @ 2021-10-01 20:34 UTC
To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List

On Fri, Oct 1, 2021 at 3:53 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2021-09-30 16:38, Paul Moore wrote:
> > On Thu, Aug 5, 2021 at 6:01 PM Paul Moore <paul@paul-moore.com> wrote:
> > > On Wed, May 19, 2021 at 4:01 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > > > Replace audit syscall class magic numbers with macros.
> > > >
> > > > This required putting the macros into new header file
> > > > include/linux/auditsc_classmacros.h since the syscall macros were
> > > > included for both 64 bit and 32 bit in any compat code, causing
> > > > redefinition warnings.
> > > > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > > Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com > > > > --- > > > > MAINTAINERS | 1 + > > > > arch/alpha/kernel/audit.c | 8 ++++---- > > > > arch/ia64/kernel/audit.c | 8 ++++---- > > > > arch/parisc/kernel/audit.c | 8 ++++---- > > > > arch/parisc/kernel/compat_audit.c | 9 +++++---- > > > > arch/powerpc/kernel/audit.c | 10 +++++----- > > > > arch/powerpc/kernel/compat_audit.c | 11 ++++++----- > > > > arch/s390/kernel/audit.c | 10 +++++----- > > > > arch/s390/kernel/compat_audit.c | 11 ++++++----- > > > > arch/sparc/kernel/audit.c | 10 +++++----- > > > > arch/sparc/kernel/compat_audit.c | 11 ++++++----- > > > > arch/x86/ia32/audit.c | 11 ++++++----- > > > > arch/x86/kernel/audit_64.c | 8 ++++---- > > > > include/linux/audit.h | 1 + > > > > include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++ > > > > kernel/auditsc.c | 12 ++++++------ > > > > lib/audit.c | 10 +++++----- > > > > lib/compat_audit.c | 11 ++++++----- > > > > 18 files changed, 102 insertions(+), 71 deletions(-) > > > > create mode 100644 include/linux/auditsc_classmacros.h > > > > > > ... > > > > > > > diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > > > > new file mode 100644 > > > > index 000000000000..18757d270961 > > > > --- /dev/null > > > > +++ b/include/linux/auditsc_classmacros.h 
> > > > @@ -0,0 +1,23 @@ > > > > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > > > > +/* auditsc_classmacros.h -- Auditing support syscall macros > > > > + * > > > > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > > > > + * All Rights Reserved. > > > > + * > > > > + * Author: Richard Guy Briggs <rgb@redhat.com> > > > > + */ > > > > +#ifndef _LINUX_AUDITSCM_H_ > > > > +#define _LINUX_AUDITSCM_H_ > > > > + > > > > +enum auditsc_class_t { > > > > + AUDITSC_NATIVE = 0, > > > > + AUDITSC_COMPAT, > > > > + AUDITSC_OPEN, > > > > + AUDITSC_OPENAT, > > > > + AUDITSC_SOCKETCALL, > > > > + AUDITSC_EXECVE, > > > > + > > > > + AUDITSC_NVALS /* count */ > > > > +}; > > > > + > > > > +#endif > > > > > > My apologies Richard, for some reason I had it in my mind that this > > > series was waiting on you to answer a question and/or respin; however, > > > now that I'm clearing my patch queues looking for any stragglers I see > > > that isn't the case. Looking over the patchset I think it looks okay > > > to me, my only concern is that "auditsc_classmacros.h" is an awfully > > > specific header file name and could prove to be annoying if we want to > > > add to it in the future. What do you think about something like > > > "audit_arch.h" instead? > > > > > > If that change is okay with you I can go ahead and do the rename while > > > I'm merging the patches, I'll consider it penance for letting this > > > patchset sit for so long :/ > > > > [NOTE: trimmed the To/CC line as it is excessive for a ping like this] > > > > Going through the patch queue and I see this never got a response, or > > rather none that hit my inbox. Richard? > > Hmmm, sorry about that, delay my fault this time. I don't have a strong > opinion about it, but prefer the original, or auditsc_arch.h at least. 
Okay, so long as you are okay with the header rename I'll go ahead and take care of that, although probably not today as merging cross-subsystem changes late on a Friday seems like a problem waiting to happen.

I'll send another note when it is in audit/next.

--
paul moore
www.paul-moore.com
* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros
From: Paul Moore @ 2021-10-04 15:34 UTC
To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List

On Fri, Oct 1, 2021 at 4:34 PM Paul Moore <paul@paul-moore.com> wrote:
> Okay, so long as you are okay with the header rename I'll go ahead and
> take care of that, although probably not today as merging
> cross-subsystem changes late on a Friday seems like a problem waiting
> to happen.
>
> I'll send another note when it is in audit/next.

I just merged the patchset into audit/next, thanks everyone!

--
paul moore
www.paul-moore.com
* [PATCH v4 2/3] audit: add support for the openat2 syscall 2021-05-19 20:00 ` Richard Guy Briggs (?) (?) @ 2021-05-19 20:00 ` Richard Guy Briggs -1 siblings, 0 replies; 60+ messages in thread From: Richard Guy Briggs @ 2021-05-19 20:00 UTC (permalink / raw) To: Linux-Audit Mailing List, LKML, linux-fsdevel Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs, Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai, Arnd Bergmann The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 ("open: introduce openat2(2) syscall") Add the openat2(2) syscall to the audit syscall classifier. Link: https://github.com/linux-audit/audit-kernel/issues/67 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com --- arch/alpha/kernel/audit.c | 2 ++ arch/ia64/kernel/audit.c | 2 ++ arch/parisc/kernel/audit.c | 2 ++ arch/parisc/kernel/compat_audit.c | 2 ++ arch/powerpc/kernel/audit.c | 2 ++ arch/powerpc/kernel/compat_audit.c | 2 ++ arch/s390/kernel/audit.c | 2 ++ arch/s390/kernel/compat_audit.c | 2 ++ arch/sparc/kernel/audit.c | 2 ++ arch/sparc/kernel/compat_audit.c | 2 ++ arch/x86/ia32/audit.c | 2 ++ arch/x86/kernel/audit_64.c | 2 ++ include/linux/auditsc_classmacros.h | 1 + kernel/auditsc.c | 3 +++ lib/audit.c | 4 ++++ lib/compat_audit.c | 4 ++++ 16 files changed, 36 insertions(+) diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c index 81cbd804e375..3ab04709784a 100644 --- a/arch/alpha/kernel/audit.c +++ b/arch/alpha/kernel/audit.c @@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_OPENAT; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index dba6a74c9ab3..ec61f20ca61f 100644 --- a/arch/ia64/kernel/audit.c 
+++ b/arch/ia64/kernel/audit.c @@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_OPENAT; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c index 14244e83db75..f420b5552140 100644 --- a/arch/parisc/kernel/audit.c +++ b/arch/parisc/kernel/audit.c @@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_OPENAT; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c index 1d6347d37d92..3ec490c28656 100644 --- a/arch/parisc/kernel/compat_audit.c +++ b/arch/parisc/kernel/compat_audit.c @@ -36,6 +36,8 @@ int parisc32_classify_syscall(unsigned syscall) return AUDITSC_OPENAT; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c index 6eb18ef77dff..1bcfca5fdf67 100644 --- a/arch/powerpc/kernel/audit.c +++ b/arch/powerpc/kernel/audit.c @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c index b1dc2d1c4bad..251abf79d536 100644 --- a/arch/powerpc/kernel/compat_audit.c +++ b/arch/powerpc/kernel/compat_audit.c @@ -39,6 +39,8 @@ int ppc32_classify_syscall(unsigned syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c index 7e331e1831d4..02051a596b87 100644 
--- a/arch/s390/kernel/audit.c +++ b/arch/s390/kernel/audit.c @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c index fc3d1c7ad21c..4b3d463e7d97 100644 --- a/arch/s390/kernel/compat_audit.c +++ b/arch/s390/kernel/compat_audit.c @@ -40,6 +40,8 @@ int s390_classify_syscall(unsigned syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c index 50fab35bdaba..b092274eca79 100644 --- a/arch/sparc/kernel/audit.c +++ b/arch/sparc/kernel/audit.c @@ -55,6 +55,8 @@ int audit_classify_syscall(int abi, unsigned int syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c index 1c1b6d075421..2a3f71206fc5 100644 --- a/arch/sparc/kernel/compat_audit.c +++ b/arch/sparc/kernel/compat_audit.c @@ -40,6 +40,8 @@ int sparc32_classify_syscall(unsigned int syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c index eedc37a1ee13..efc7d832fefb 100644 --- a/arch/x86/ia32/audit.c +++ b/arch/x86/ia32/audit.c @@ -40,6 +40,8 @@ int ia32_classify_syscall(unsigned syscall) case __NR_execve: case __NR_execveat: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c index 2a6cc9c9c881..44c3601cfdc4 100644 
--- a/arch/x86/kernel/audit_64.c +++ b/arch/x86/kernel/audit_64.c @@ -53,6 +53,8 @@ int audit_classify_syscall(int abi, unsigned syscall) case __NR_execve: case __NR_execveat: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h index 18757d270961..dc8e72536dbd 100644 --- a/include/linux/auditsc_classmacros.h +++ b/include/linux/auditsc_classmacros.h @@ -16,6 +16,7 @@ enum auditsc_class_t { AUDITSC_OPENAT, AUDITSC_SOCKETCALL, AUDITSC_EXECVE, + AUDITSC_OPENAT2, AUDITSC_NVALS /* count */ }; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d775ea16505b..3f59ab209dfd 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -76,6 +76,7 @@ #include <linux/fsnotify_backend.h> #include <uapi/linux/limits.h> #include <uapi/linux/netfilter/nf_tables.h> +#include <uapi/linux/openat2.h> #include "audit.h" @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); case AUDITSC_EXECVE: return mask & AUDIT_PERM_EXEC; + case AUDITSC_OPENAT2: + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); default: return 0; } diff --git a/lib/audit.c b/lib/audit.c index 3ec1a94d8d64..738bda22dd39 100644 --- a/lib/audit.c +++ b/lib/audit.c @@ -60,6 +60,10 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif case __NR_execve: return AUDITSC_EXECVE; +#ifdef __NR_openat2 + case __NR_openat2: + return AUDITSC_OPENAT2; +#endif default: return AUDITSC_NATIVE; } diff --git a/lib/compat_audit.c b/lib/compat_audit.c index a38b282d353f..e2a0f914d8b6 100644 --- a/lib/compat_audit.c +++ b/lib/compat_audit.c 
@@ -46,6 +46,10 @@ int audit_classify_compat_syscall(int abi, unsigned syscall) #endif case __NR_execve: return AUDITSC_EXECVE; +#ifdef __NR_openat2 + case __NR_openat2: + return AUDITSC_OPENAT2; +#endif default: return AUDITSC_COMPAT; } -- 2.27.0 ^ permalink raw reply related [flat|nested] 60+ messages in thread
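Review bot: in the audit_match_perm() hunk of kernel/auditsc.c, the new AUDITSC_OPENAT2 case casts `ctx->argv[2]` to `struct open_how *` and dereferences it in kernel context. For openat2(2) that argument is the caller's userspace pointer, so this is a direct user-memory access with no copy_from_user()/get_user(), and it reads `flags` independently of the copy the syscall itself takes, so the value the audit filter matches on can differ from the one the open actually used. Match against a kernel-side copy of the flags held in the audit context rather than against argv[2]. The commit message also describes only the classifier change; it should say that permission matching for openat2 is added here too.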
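Review bot: the lib/audit.c and lib/compat_audit.c hunks wrap the new case in `#ifdef __NR_openat2`, while the twelve arch-specific files add `case __NR_openat2:` unconditionally. Either the guard is unnecessary or the arch copies need it as well: please confirm that every native and 32-bit compat unistd header pulled in by the arch files defines `__NR_openat2`, note that in the commit message, or apply the guard consistently so a missing definition shows up as a skipped case rather than a build failure.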
* [PATCH v4 2/3] audit: add support for the openat2 syscall
@ 2021-05-19 20:00 ` Richard Guy Briggs
  0 siblings, 0 replies; 60+ messages in thread
From: Richard Guy Briggs @ 2021-05-19 20:00 UTC (permalink / raw)
To: Linux-Audit Mailing List, LKML, linux-fsdevel
Cc: linux-s390, linux-ia64, Paul Moore, linux-parisc, Arnd Bergmann, Richard Guy Briggs, x86, Eric Paris, Aleksa Sarai, Alexander Viro, linux-alpha, sparclinux, Eric Paris, Steve Grubb, linuxppc-dev

The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
("open: introduce openat2(2) syscall")

Add the openat2(2) syscall to the audit syscall classifier.

Link: https://github.com/linux-audit/audit-kernel/issues/67
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com
---
 arch/alpha/kernel/audit.c           | 2 ++
 arch/ia64/kernel/audit.c            | 2 ++
 arch/parisc/kernel/audit.c          | 2 ++
 arch/parisc/kernel/compat_audit.c   | 2 ++
 arch/powerpc/kernel/audit.c         | 2 ++
 arch/powerpc/kernel/compat_audit.c  | 2 ++
 arch/s390/kernel/audit.c            | 2 ++
 arch/s390/kernel/compat_audit.c     | 2 ++
 arch/sparc/kernel/audit.c           | 2 ++
 arch/sparc/kernel/compat_audit.c    | 2 ++
 arch/x86/ia32/audit.c               | 2 ++
 arch/x86/kernel/audit_64.c          | 2 ++
 include/linux/auditsc_classmacros.h | 1 +
 kernel/auditsc.c                    | 3 +++
 lib/audit.c                         | 4 ++++
 lib/compat_audit.c                  | 4 ++++
 16 files changed, 36 insertions(+)

diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c index 81cbd804e375..3ab04709784a 100644 --- a/arch/alpha/kernel/audit.c +++ b/arch/alpha/kernel/audit.c @@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_OPENAT; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index dba6a74c9ab3..ec61f20ca61f 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c 
@@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_OPENAT; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c index 14244e83db75..f420b5552140 100644 --- a/arch/parisc/kernel/audit.c +++ b/arch/parisc/kernel/audit.c @@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_OPENAT; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c index 1d6347d37d92..3ec490c28656 100644 --- a/arch/parisc/kernel/compat_audit.c +++ b/arch/parisc/kernel/compat_audit.c @@ -36,6 +36,8 @@ int parisc32_classify_syscall(unsigned syscall) return AUDITSC_OPENAT; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c index 6eb18ef77dff..1bcfca5fdf67 100644 --- a/arch/powerpc/kernel/audit.c +++ b/arch/powerpc/kernel/audit.c @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c index b1dc2d1c4bad..251abf79d536 100644 --- a/arch/powerpc/kernel/compat_audit.c +++ b/arch/powerpc/kernel/compat_audit.c @@ -39,6 +39,8 @@ int ppc32_classify_syscall(unsigned syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c index 7e331e1831d4..02051a596b87 100644 --- a/arch/s390/kernel/audit.c 
+++ b/arch/s390/kernel/audit.c @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c index fc3d1c7ad21c..4b3d463e7d97 100644 --- a/arch/s390/kernel/compat_audit.c +++ b/arch/s390/kernel/compat_audit.c @@ -40,6 +40,8 @@ int s390_classify_syscall(unsigned syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c index 50fab35bdaba..b092274eca79 100644 --- a/arch/sparc/kernel/audit.c +++ b/arch/sparc/kernel/audit.c @@ -55,6 +55,8 @@ int audit_classify_syscall(int abi, unsigned int syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c index 1c1b6d075421..2a3f71206fc5 100644 --- a/arch/sparc/kernel/compat_audit.c +++ b/arch/sparc/kernel/compat_audit.c @@ -40,6 +40,8 @@ int sparc32_classify_syscall(unsigned int syscall) return AUDITSC_SOCKETCALL; case __NR_execve: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c index eedc37a1ee13..efc7d832fefb 100644 --- a/arch/x86/ia32/audit.c +++ b/arch/x86/ia32/audit.c @@ -40,6 +40,8 @@ int ia32_classify_syscall(unsigned syscall) case __NR_execve: case __NR_execveat: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_COMPAT; } diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c index 2a6cc9c9c881..44c3601cfdc4 100644 --- a/arch/x86/kernel/audit_64.c 
+++ b/arch/x86/kernel/audit_64.c @@ -53,6 +53,8 @@ int audit_classify_syscall(int abi, unsigned syscall) case __NR_execve: case __NR_execveat: return AUDITSC_EXECVE; + case __NR_openat2: + return AUDITSC_OPENAT2; default: return AUDITSC_NATIVE; } diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h index 18757d270961..dc8e72536dbd 100644 --- a/include/linux/auditsc_classmacros.h +++ b/include/linux/auditsc_classmacros.h @@ -16,6 +16,7 @@ enum auditsc_class_t { AUDITSC_OPENAT, AUDITSC_SOCKETCALL, AUDITSC_EXECVE, + AUDITSC_OPENAT2, AUDITSC_NVALS /* count */ }; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d775ea16505b..3f59ab209dfd 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -76,6 +76,7 @@ #include <linux/fsnotify_backend.h> #include <uapi/linux/limits.h> #include <uapi/linux/netfilter/nf_tables.h> +#include <uapi/linux/openat2.h> #include "audit.h" @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); case AUDITSC_EXECVE: return mask & AUDIT_PERM_EXEC; + case AUDITSC_OPENAT2: + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); default: return 0; } diff --git a/lib/audit.c b/lib/audit.c index 3ec1a94d8d64..738bda22dd39 100644 --- a/lib/audit.c +++ b/lib/audit.c @@ -60,6 +60,10 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif case __NR_execve: return AUDITSC_EXECVE; +#ifdef __NR_openat2 + case __NR_openat2: + return AUDITSC_OPENAT2; +#endif default: return AUDITSC_NATIVE; } diff --git a/lib/compat_audit.c b/lib/compat_audit.c index a38b282d353f..e2a0f914d8b6 100644 --- a/lib/compat_audit.c +++ b/lib/compat_audit.c 
@@ -46,6 +46,10 @@ int audit_classify_compat_syscall(int abi, unsigned syscall) #endif case __NR_execve: return AUDITSC_EXECVE; +#ifdef __NR_openat2 + case __NR_openat2: + return AUDITSC_OPENAT2; +#endif default: return AUDITSC_COMPAT; } -- 2.27.0 ^ permalink raw reply related [flat|nested] 60+ messages in thread
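Review bot: In the kernel/auditsc.c hunk, the new AUDITSC_OPENAT2 case in audit_match_perm() casts ctx->argv[2] to "struct open_how *" and dereferences it, but argv[] holds the raw syscall arguments, so for openat2(2) this is the caller's user-space pointer to its open_how. Reading ->flags through it skips copy_from_user(), can fault on a bad pointer, and lets the caller rewrite the flags after the open path has taken its own copy, so a perm= filter could match on a value the open never used. The match should read the flags from a kernel-side copy of the struct recorded in the audit context at the point the syscall copies it in. The (u32) narrowing of the 64-bit flags field also deserves a one-line comment saying only the access-mode bits are needed, and the commit message should mention that perm= matching changes, since it currently describes only the classifier.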
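Review bot: The arch/*/kernel/audit.c, compat_audit.c, arch/x86/ia32/audit.c and audit_64.c hunks add "case __NR_openat2:" unconditionally, while the lib/audit.c and lib/compat_audit.c hunks wrap the same case in "#ifdef __NR_openat2", and the commit message does not say why the two differ. If every configuration that builds lib/audit.c defines __NR_openat2, drop the guard there for consistency; if some configuration can lack it, name it in the commit message. For the compat classifiers it is also worth stating that __NR_openat2 resolves to the 32-bit syscall number from the unistd header those files include, given the __NR_* redefinition warnings in arch/x86/ia32/audit.c that the v2 changelog in the cover letter describes.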
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall
  2021-05-19 20:00 ` Richard Guy Briggs (?) (?)
@ 2021-05-20 7:58 ` Christian Brauner
  -1 siblings, 0 replies; 60+ messages in thread
From: Christian Brauner @ 2021-05-20 7:58 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Paul Moore, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai, Arnd Bergmann

On Wed, May 19, 2021 at 04:00:21PM -0400, Richard Guy Briggs wrote:
> The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> ("open: introduce openat2(2) syscall")
>
> Add the openat2(2) syscall to the audit syscall classifier.
>
> Link: https://github.com/linux-audit/audit-kernel/issues/67
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com
> ---
>  arch/alpha/kernel/audit.c           | 2 ++
>  arch/ia64/kernel/audit.c            | 2 ++
>  arch/parisc/kernel/audit.c          | 2 ++
>  arch/parisc/kernel/compat_audit.c   | 2 ++
>  arch/powerpc/kernel/audit.c         | 2 ++
>  arch/powerpc/kernel/compat_audit.c  | 2 ++
>  arch/s390/kernel/audit.c            | 2 ++
>  arch/s390/kernel/compat_audit.c     | 2 ++
>  arch/sparc/kernel/audit.c           | 2 ++
>  arch/sparc/kernel/compat_audit.c    | 2 ++
>  arch/x86/ia32/audit.c               | 2 ++
>  arch/x86/kernel/audit_64.c          | 2 ++
>  include/linux/auditsc_classmacros.h | 1 +
>  kernel/auditsc.c                    | 3 +++
>  lib/audit.c                         | 4 ++++
>  lib/compat_audit.c                  | 4 ++++
>  16 files changed, 36 insertions(+)
>
> diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c > index 81cbd804e375..3ab04709784a 100644 > --- a/arch/alpha/kernel/audit.c > +++ b/arch/alpha/kernel/audit.c 
> @@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_OPENAT; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c > index dba6a74c9ab3..ec61f20ca61f 100644 > --- a/arch/ia64/kernel/audit.c > +++ b/arch/ia64/kernel/audit.c > @@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_OPENAT; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c > index 14244e83db75..f420b5552140 100644 > --- a/arch/parisc/kernel/audit.c > +++ b/arch/parisc/kernel/audit.c > @@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_OPENAT; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c > index 1d6347d37d92..3ec490c28656 100644 > --- a/arch/parisc/kernel/compat_audit.c > +++ b/arch/parisc/kernel/compat_audit.c > @@ -36,6 +36,8 @@ int parisc32_classify_syscall(unsigned syscall) > return AUDITSC_OPENAT; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } > diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c > index 6eb18ef77dff..1bcfca5fdf67 100644 > --- a/arch/powerpc/kernel/audit.c > +++ b/arch/powerpc/kernel/audit.c > @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } 
> diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c > index b1dc2d1c4bad..251abf79d536 100644 > --- a/arch/powerpc/kernel/compat_audit.c > +++ b/arch/powerpc/kernel/compat_audit.c > @@ -39,6 +39,8 @@ int ppc32_classify_syscall(unsigned syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } > diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c > index 7e331e1831d4..02051a596b87 100644 > --- a/arch/s390/kernel/audit.c > +++ b/arch/s390/kernel/audit.c > @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c > index fc3d1c7ad21c..4b3d463e7d97 100644 > --- a/arch/s390/kernel/compat_audit.c > +++ b/arch/s390/kernel/compat_audit.c > @@ -40,6 +40,8 @@ int s390_classify_syscall(unsigned syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } > diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c > index 50fab35bdaba..b092274eca79 100644 > --- a/arch/sparc/kernel/audit.c > +++ b/arch/sparc/kernel/audit.c > @@ -55,6 +55,8 @@ int audit_classify_syscall(int abi, unsigned int syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c > index 1c1b6d075421..2a3f71206fc5 100644 > --- a/arch/sparc/kernel/compat_audit.c > +++ b/arch/sparc/kernel/compat_audit.c 
> @@ -40,6 +40,8 @@ int sparc32_classify_syscall(unsigned int syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } > diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c > index eedc37a1ee13..efc7d832fefb 100644 > --- a/arch/x86/ia32/audit.c > +++ b/arch/x86/ia32/audit.c > @@ -40,6 +40,8 @@ int ia32_classify_syscall(unsigned syscall) > case __NR_execve: > case __NR_execveat: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } > diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c > index 2a6cc9c9c881..44c3601cfdc4 100644 > --- a/arch/x86/kernel/audit_64.c > +++ b/arch/x86/kernel/audit_64.c > @@ -53,6 +53,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > case __NR_execve: > case __NR_execveat: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > index 18757d270961..dc8e72536dbd 100644 > --- a/include/linux/auditsc_classmacros.h > +++ b/include/linux/auditsc_classmacros.h > @@ -16,6 +16,7 @@ enum auditsc_class_t { > AUDITSC_OPENAT, > AUDITSC_SOCKETCALL, > AUDITSC_EXECVE, > + AUDITSC_OPENAT2, > > AUDITSC_NVALS /* count */ > }; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index d775ea16505b..3f59ab209dfd 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -76,6 +76,7 @@ > #include <linux/fsnotify_backend.h> > #include <uapi/linux/limits.h> > #include <uapi/linux/netfilter/nf_tables.h> > +#include <uapi/linux/openat2.h> > > #include "audit.h" 
> > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > case AUDITSC_EXECVE: > return mask & AUDIT_PERM_EXEC; > + case AUDITSC_OPENAT2: > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);

That's a lot of dereferencing, casting and masking all at once. Maybe a
small static inline helper would be good for the sake of legibility? Sm
like:

static inline u32 audit_openat2_acc(struct open_how *how, int mask)
{
	u32 flags = how->flags;

	return mask & ACC_MODE(flags);
}

but not sure. Just seems more legible to me.
Otherwise.

Acked-by: Christian Brauner <christian.brauner@ubuntu.com>

^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall @ 2021-05-20 7:58 ` Christian Brauner 0 siblings, 0 replies; 60+ messages in thread From: Christian Brauner @ 2021-05-20 7:58 UTC (permalink / raw) To: Richard Guy Briggs Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Paul Moore, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai, Arnd Bergmann On Wed, May 19, 2021 at 04:00:21PM -0400, Richard Guy Briggs wrote: > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > ("open: introduce openat2(2) syscall") > > Add the openat2(2) syscall to the audit syscall classifier. > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > --- > arch/alpha/kernel/audit.c | 2 ++ > arch/ia64/kernel/audit.c | 2 ++ > arch/parisc/kernel/audit.c | 2 ++ > arch/parisc/kernel/compat_audit.c | 2 ++ > arch/powerpc/kernel/audit.c | 2 ++ > arch/powerpc/kernel/compat_audit.c | 2 ++ > arch/s390/kernel/audit.c | 2 ++ > arch/s390/kernel/compat_audit.c | 2 ++ > arch/sparc/kernel/audit.c | 2 ++ > arch/sparc/kernel/compat_audit.c | 2 ++ > arch/x86/ia32/audit.c | 2 ++ > arch/x86/kernel/audit_64.c | 2 ++ > include/linux/auditsc_classmacros.h | 1 + > kernel/auditsc.c | 3 +++ > lib/audit.c | 4 ++++ > lib/compat_audit.c | 4 ++++ > 16 files changed, 36 insertions(+) > > diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c > index 81cbd804e375..3ab04709784a 100644 > --- a/arch/alpha/kernel/audit.c > +++ b/arch/alpha/kernel/audit.c > @@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_OPENAT; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } 
> diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c > index dba6a74c9ab3..ec61f20ca61f 100644 > --- a/arch/ia64/kernel/audit.c > +++ b/arch/ia64/kernel/audit.c > @@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_OPENAT; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c > index 14244e83db75..f420b5552140 100644 > --- a/arch/parisc/kernel/audit.c > +++ b/arch/parisc/kernel/audit.c > @@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_OPENAT; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c > index 1d6347d37d92..3ec490c28656 100644 > --- a/arch/parisc/kernel/compat_audit.c > +++ b/arch/parisc/kernel/compat_audit.c > @@ -36,6 +36,8 @@ int parisc32_classify_syscall(unsigned syscall) > return AUDITSC_OPENAT; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } > diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c > index 6eb18ef77dff..1bcfca5fdf67 100644 > --- a/arch/powerpc/kernel/audit.c > +++ b/arch/powerpc/kernel/audit.c > @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c > index b1dc2d1c4bad..251abf79d536 100644 > --- a/arch/powerpc/kernel/compat_audit.c > +++ b/arch/powerpc/kernel/compat_audit.c 
> @@ -39,6 +39,8 @@ int ppc32_classify_syscall(unsigned syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } > diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c > index 7e331e1831d4..02051a596b87 100644 > --- a/arch/s390/kernel/audit.c > +++ b/arch/s390/kernel/audit.c > @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c > index fc3d1c7ad21c..4b3d463e7d97 100644 > --- a/arch/s390/kernel/compat_audit.c > +++ b/arch/s390/kernel/compat_audit.c > @@ -40,6 +40,8 @@ int s390_classify_syscall(unsigned syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } > diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c > index 50fab35bdaba..b092274eca79 100644 > --- a/arch/sparc/kernel/audit.c > +++ b/arch/sparc/kernel/audit.c > @@ -55,6 +55,8 @@ int audit_classify_syscall(int abi, unsigned int syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c > index 1c1b6d075421..2a3f71206fc5 100644 > --- a/arch/sparc/kernel/compat_audit.c > +++ b/arch/sparc/kernel/compat_audit.c > @@ -40,6 +40,8 @@ int sparc32_classify_syscall(unsigned int syscall) > return AUDITSC_SOCKETCALL; > case __NR_execve: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } 
> diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c > index eedc37a1ee13..efc7d832fefb 100644 > --- a/arch/x86/ia32/audit.c > +++ b/arch/x86/ia32/audit.c > @@ -40,6 +40,8 @@ int ia32_classify_syscall(unsigned syscall) > case __NR_execve: > case __NR_execveat: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_COMPAT; > } > diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c > index 2a6cc9c9c881..44c3601cfdc4 100644 > --- a/arch/x86/kernel/audit_64.c > +++ b/arch/x86/kernel/audit_64.c > @@ -53,6 +53,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > case __NR_execve: > case __NR_execveat: > return AUDITSC_EXECVE; > + case __NR_openat2: > + return AUDITSC_OPENAT2; > default: > return AUDITSC_NATIVE; > } > diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h > index 18757d270961..dc8e72536dbd 100644 > --- a/include/linux/auditsc_classmacros.h > +++ b/include/linux/auditsc_classmacros.h > @@ -16,6 +16,7 @@ enum auditsc_class_t { > AUDITSC_OPENAT, > AUDITSC_SOCKETCALL, > AUDITSC_EXECVE, > + AUDITSC_OPENAT2, > > AUDITSC_NVALS /* count */ > }; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index d775ea16505b..3f59ab209dfd 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -76,6 +76,7 @@ > #include <linux/fsnotify_backend.h> > #include <uapi/linux/limits.h> > #include <uapi/linux/netfilter/nf_tables.h> > +#include <uapi/linux/openat2.h> > > #include "audit.h" 
> > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] = SYS_BIND); > case AUDITSC_EXECVE: > return mask & AUDIT_PERM_EXEC; > + case AUDITSC_OPENAT2: > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);

That's a lot of dereferencing, casting and masking all at once. Maybe a
small static inline helper would be good for the sake of legibility? Sm
like:

static inline u32 audit_openat2_acc(struct open_how *how, int mask)
{
	u32 flags = how->flags;
	return mask & ACC_MODE(flags);
}

but not sure. Just seems more legible to me.
Otherwise.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
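Review bot: in the AUDITSC_OPENAT2 case of audit_match_perm(), ctx->argv[2] is the third openat2() argument exactly as the caller passed it, that is, a user-space address, and `((struct open_how *)ctx->argv[2])->flags` reads through it directly from kernel context. A later report in this thread shows exactly this faulting (a supervisor read of the open_how address) once a watch rule is evaluated. The flags should come from a kernel-side copy of open_how, for example one saved in the audit context when the syscall copies the struct in, rather than from the raw argument. Moving the expression into a helper that is handed the same pointer would improve legibility but would not change the access.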
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall 2021-05-20 7:58 ` Christian Brauner (?) (?) @ 2021-05-24 23:04 ` Paul Moore -1 siblings, 0 replies; 60+ messages in thread From: Paul Moore @ 2021-05-24 23:04 UTC (permalink / raw) To: Christian Brauner Cc: Richard Guy Briggs, Linux-Audit Mailing List, LKML, linux-fsdevel, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai, Arnd Bergmann On Thu, May 20, 2021 at 3:58 AM Christian Brauner <christian.brauner@ubuntu.com> wrote: > On Wed, May 19, 2021 at 04:00:21PM -0400, Richard Guy Briggs wrote: > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > ("open: introduce openat2(2) syscall") > > > > Add the openat2(2) syscall to the audit syscall classifier. > > > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > > --- > > arch/alpha/kernel/audit.c | 2 ++ > > arch/ia64/kernel/audit.c | 2 ++ > > arch/parisc/kernel/audit.c | 2 ++ > > arch/parisc/kernel/compat_audit.c | 2 ++ > > arch/powerpc/kernel/audit.c | 2 ++ > > arch/powerpc/kernel/compat_audit.c | 2 ++ > > arch/s390/kernel/audit.c | 2 ++ > > arch/s390/kernel/compat_audit.c | 2 ++ > > arch/sparc/kernel/audit.c | 2 ++ > > arch/sparc/kernel/compat_audit.c | 2 ++ > > arch/x86/ia32/audit.c | 2 ++ > > arch/x86/kernel/audit_64.c | 2 ++ > > include/linux/auditsc_classmacros.h | 1 + > > kernel/auditsc.c | 3 +++ > > lib/audit.c | 4 ++++ > > lib/compat_audit.c | 4 ++++ > > 16 files changed, 36 insertions(+) ... > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index d775ea16505b..3f59ab209dfd 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c 
> > @@ -76,6 +76,7 @@ > > #include <linux/fsnotify_backend.h> > > #include <uapi/linux/limits.h> > > #include <uapi/linux/netfilter/nf_tables.h> > > +#include <uapi/linux/openat2.h> > > > > #include "audit.h" > > > > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > > case AUDITSC_EXECVE: > > return mask & AUDIT_PERM_EXEC; > > + case AUDITSC_OPENAT2: > > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
>
> That's a lot of dereferencing, casting and masking all at once. Maybe a
> small static inline helper would be good for the sake of legibility? Sm
> like:
>
> static inline u32 audit_openat2_acc(struct open_how *how, int mask)
> {
>	u32 flags = how->flags;
>	return mask & ACC_MODE(flags);
> }
>
> but not sure. Just seems more legible to me.
> Otherwise.

I'm on the fence about this. I understand Christian's concern, but I
have a bit of hatred towards single caller functions like this. Since
this function isn't really high-touch, and I don't expect that to
change in the near future, let's leave the casting mess as-is.

-- 
paul moore
www.paul-moore.com
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall 2021-05-19 20:00 ` Richard Guy Briggs @ 2022-02-09 3:44 ` Jeff Mahoney -1 siblings, 0 replies; 60+ messages in thread From: Jeff Mahoney @ 2022-02-09 3:44 UTC (permalink / raw) To: Richard Guy Briggs, Linux-Audit Mailing List, LKML, linux-fsdevel Cc: Paul Moore, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, Tony Jones Hi Richard - On 5/19/21 16:00, Richard Guy Briggs wrote: > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > ("open: introduce openat2(2) syscall") > > Add the openat2(2) syscall to the audit syscall classifier. > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > --- [...] > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index d775ea16505b..3f59ab209dfd 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -76,6 +76,7 @@ > #include <linux/fsnotify_backend.h> > #include <uapi/linux/limits.h> > #include <uapi/linux/netfilter/nf_tables.h> > +#include <uapi/linux/openat2.h> > > #include "audit.h" 
> > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > case AUDITSC_EXECVE: > return mask & AUDIT_PERM_EXEC; > + case AUDITSC_OPENAT2: > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); > default: > return 0; > } ctx->argv[2] holds a userspace pointer and can't be dereferenced like this. I'm getting oopses, like so: BUG: unable to handle page fault for address: 00007fff961bbe70 #PF: supervisor read access in kernel mode #PF: error_code(0x0001) - permissions violation PGD 8000000132291067 P4D 8000000132291067 PUD 132174067 PMD 132bb1067 PTE 800000013be02867 Oops: 0001 [#1] PREEMPT SMP PTI CPU: 1 PID: 4525 Comm: a.out Kdump: loaded Not tainted 5.16.4-1-default #1 openSUSE Tumbleweed f35df798c13cc3a259a6bf2924380af618948152 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 RIP: 0010:audit_filter_rules.constprop.0+0x97e/0x1220 Code: 41 21 c5 41 83 7f 18 01 0f 85 5f f7 ff ff e9 65 f9 ff ff 83 f8 05 0f 84 5f 06 00 00 83 f8 06 0f 85 03 02 00 00 49 8b 44 24 40 <48> 8b 00 83 e0 03 0f be 80 c5 5e 45 86 41 21 c5 eb c7 4d 85 e4 0f RSP: 0018:ffffb096403cbe08 EFLAGS: 00010246 RAX: 00007fff961bbe70 RBX: 0000000000000001 RCX: 000000000000001f RDX: 0000000000000006 RSI: 00000000000001b5 RDI: 00000000c000003e RBP: ffff9cb784a85020 R08: ffff9cb78775c380 R09: ffff9cb790ad9eb8 R10: 0000000040000020 R11: ffff9cb783f7b410 R12: ffff9cb78486dc00 R13: 000000000000000f R14: 00000000000001b5 R15: ffff9cb78775c380 FS: 00007ff21fca9740(0000) GS:ffff9cb7ffd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff961bbe70 CR3: 0000000121264002 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> audit_filter_syscall+0xb0/0x100 ? 
do_sys_openat2+0x81/0x160
 __audit_syscall_exit+0x69/0xf0
 syscall_exit_to_user_mode_prepare+0x14d/0x180
 syscall_exit_to_user_mode+0x9/0x40
 do_syscall_64+0x69/0x80
 ? syscall_exit_to_user_mode+0x18/0x40
 ? do_syscall_64+0x69/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff21fdd195d

Where the faulting address matches the open_how address printed with the
following test using a "-w /var/tmp/testfile -k openat2-oops" audit rule.

#include <fcntl.h>
#include <linux/openat2.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>

long openat2(int dirfd, const char *pathname, struct open_how *how,
             size_t size)
{
        return syscall(SYS_openat2, dirfd, pathname, how, size);
}

int main(void)
{
        struct open_how how = {
                .flags = O_RDONLY|O_DIRECTORY,
        };
        int fd;

        fprintf(stderr, "&how = %p\n", &how);
        fd = openat2(AT_FDCWD, "/var/tmp/testfile", &how,
                     sizeof(struct open_how));
        perror("openat2");
}

$ mkdir /var/tmp/testfile
$ ./a.out
&how = 0x7fff961bbe70
<crash>

-Jeff

--
Jeff Mahoney
Director, SUSE Labs Data & Performance

^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall 2022-02-09 3:44 ` Jeff Mahoney @ 2022-02-09 15:57 ` Paul Moore -1 siblings, 0 replies; 60+ messages in thread From: Paul Moore @ 2022-02-09 15:57 UTC (permalink / raw) To: Jeff Mahoney, Richard Guy Briggs Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, Tony Jones On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney <jeffm@suse.com> wrote: > > Hi Richard - > > On 5/19/21 16:00, Richard Guy Briggs wrote: > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > ("open: introduce openat2(2) syscall") > > > > Add the openat2(2) syscall to the audit syscall classifier. > > > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > > --- > > [...] > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index d775ea16505b..3f59ab209dfd 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -76,6 +76,7 @@ > > #include <linux/fsnotify_backend.h> > > #include <uapi/linux/limits.h> > > #include <uapi/linux/netfilter/nf_tables.h> > > +#include <uapi/linux/openat2.h> > > > > #include "audit.h" 
> > > > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > > case AUDITSC_EXECVE: > > return mask & AUDIT_PERM_EXEC; > > + case AUDITSC_OPENAT2: > > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); > > default: > > return 0; > > } > > ctx->argv[2] holds a userspace pointer and can't be dereferenced like this. > > I'm getting oopses, like so: > BUG: unable to handle page fault for address: 00007fff961bbe70 Thanks Jeff. Yes, this is obviously the wrong thing to be doing; I remember checking to make sure we placed the audit_openat2_how() hook after the open_how was copied from userspace, but I missed the argv dereference in the syscall exit path when reviewing the code. Richard, as we are already copying the open_how info into audit_context::openat2 safely, the obvious fix is to convert audit_match_perm() to use the previously copied value instead of argv. If you can't submit a patch for this today please let me know. -- paul-moore.com ^ permalink raw reply [flat|nested] 60+ messages in thread
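The approach Paul Moore describes above (match against the previously copied open_how rather than argv), as a userspace C model added here; it is not code from the thread or from the kernel tree. The `model_*` functions, the simulated user address space and the `M_O_*` constants are assumptions of this example; `audit_context::openat2`, `argv[2]` and the `ACC_MODE()` masking come from the messages above.

```c
/* Added illustration: a userspace model, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Numeric values follow the kernel's AUDIT_PERM_* and ACC_MODE() definitions;
 * the M_O_* names are local to this model (x86 values). */
#define AUDIT_PERM_WRITE 2
#define AUDIT_PERM_READ  4
#define M_O_RDONLY    0
#define M_O_RDWR      2
#define M_O_ACCMODE   3
#define M_O_DIRECTORY 0200000
#define ACC_MODE(x) ("\004\002\006\006"[(x) & M_O_ACCMODE])

struct open_how { uint64_t flags, mode, resolve; };

/* Simulated user address space: a single mapped region at USER_BASE. */
#define USER_BASE 0x7fff0000UL
#define USER_SIZE 256UL
static unsigned char user_mem[USER_SIZE];

/* Stand-in for copy_from_user(): validates the range and copies; the
 * "user address" is only ever treated as a number, never dereferenced. */
static int model_copy_from_user(void *dst, unsigned long uaddr, size_t len)
{
    if (uaddr < USER_BASE || len > USER_SIZE ||
        uaddr - USER_BASE > USER_SIZE - len)
        return -1;                      /* the kernel would return -EFAULT */
    memcpy(dst, user_mem + (uaddr - USER_BASE), len);
    return 0;
}

struct audit_context {
    unsigned long argv[4];      /* raw syscall arguments: numbers, not pointers */
    struct open_how openat2;    /* kernel-side copy saved during the syscall */
};

/* Models the syscall copying open_how once and the audit hook saving it. */
static int model_openat2_entry(struct audit_context *ctx, unsigned long how_uaddr)
{
    struct open_how tmp;

    ctx->argv[2] = how_uaddr;
    if (model_copy_from_user(&tmp, how_uaddr, sizeof(tmp)))
        return -1;
    ctx->openat2 = tmp;
    return 0;
}

/* Exit-time rule matching: reads only the saved copy, never argv[2]. */
static int model_match_perm(const struct audit_context *ctx, int mask)
{
    return mask & ACC_MODE((uint32_t)ctx->openat2.flags);
}

/* Test helper: place an open_how in simulated user memory, return its address. */
static unsigned long model_user_put_how(uint64_t flags)
{
    struct open_how how = { .flags = flags };

    memcpy(user_mem + 16, &how, sizeof(how));
    return USER_BASE + 16;
}

int main(void)
{
    struct audit_context ctx;
    unsigned long ua = model_user_put_how(M_O_RDONLY | M_O_DIRECTORY);

    memset(&ctx, 0, sizeof(ctx));
    if (model_openat2_entry(&ctx, ua))
        return 1;
    model_user_put_how(M_O_RDWR);   /* caller rewrites its struct after entry */
    printf("read match:  %d\n", model_match_perm(&ctx, AUDIT_PERM_READ));
    printf("write match: %d\n", model_match_perm(&ctx, AUDIT_PERM_WRITE));
    printf("bad address: %d\n", model_openat2_entry(&ctx, 0x1000UL));
    return 0;
}
```

Because matching reads the saved copy, the result is also unaffected if the caller changes or unmaps its open_how between syscall entry and the exit-time filter.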
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall 2022-02-09 15:57 ` Paul Moore @ 2022-02-09 21:18 ` Paul Moore -1 siblings, 0 replies; 60+ messages in thread From: Paul Moore @ 2022-02-09 21:18 UTC (permalink / raw) To: Jeff Mahoney, Richard Guy Briggs Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, Tony Jones On Wed, Feb 9, 2022 at 10:57 AM Paul Moore <paul@paul-moore.com> wrote: > On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney <jeffm@suse.com> wrote: > > > > Hi Richard - > > > > On 5/19/21 16:00, Richard Guy Briggs wrote: > > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > > ("open: introduce openat2(2) syscall") > > > > > > Add the openat2(2) syscall to the audit syscall classifier. > > > > > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > > > --- > > > > [...] > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > index d775ea16505b..3f59ab209dfd 100644 > > > --- a/kernel/auditsc.c > > > +++ b/kernel/auditsc.c > > > @@ -76,6 +76,7 @@ > > > #include <linux/fsnotify_backend.h> > > > #include <uapi/linux/limits.h> > > > #include <uapi/linux/netfilter/nf_tables.h> > > > +#include <uapi/linux/openat2.h> > > > > > > #include "audit.h" 
> > > > > > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > > > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > > > case AUDITSC_EXECVE: > > > return mask & AUDIT_PERM_EXEC; > > > + case AUDITSC_OPENAT2: > > > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); > > > default: > > > return 0; > > > } > > > > ctx->argv[2] holds a userspace pointer and can't be dereferenced like this. > > > > I'm getting oopses, like so: > > BUG: unable to handle page fault for address: 00007fff961bbe70 > > Thanks Jeff. > > Yes, this is obviously the wrong thing to be doing; I remember > checking to make sure we placed the audit_openat2_how() hook after the > open_how was copied from userspace, but I missed the argv dereference > in the syscall exit path when reviewing the code. > > Richard, as we are already copying the open_how info into > audit_context::openat2 safely, the obvious fix is to convert > audit_match_perm() to use the previously copied value instead of argv. > If you can't submit a patch for this today please let me know. I haven't heard anything from Richard so I put together a patch which should fix the problem (link below). It's currently untested, but I've got a kernel building now with the patch ... https://lore.kernel.org/linux-audit/164444111699.153511.15656610495968926251.stgit@olly/T/#u -- paul-moore.com ^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall 2022-02-09 21:18 ` Paul Moore @ 2022-02-09 22:13 ` Richard Guy Briggs -1 siblings, 0 replies; 60+ messages in thread From: Richard Guy Briggs @ 2022-02-09 22:13 UTC (permalink / raw) To: Paul Moore Cc: Jeff Mahoney, Linux-Audit Mailing List, LKML, linux-fsdevel, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, Tony Jones On 2022-02-09 16:18, Paul Moore wrote: > On Wed, Feb 9, 2022 at 10:57 AM Paul Moore <paul@paul-moore.com> wrote: > > On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney <jeffm@suse.com> wrote: > > > > > > Hi Richard - > > > > > > On 5/19/21 16:00, Richard Guy Briggs wrote: > > > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > > > ("open: introduce openat2(2) syscall") > > > > > > > > Add the openat2(2) syscall to the audit syscall classifier. > > > > > > > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > > > > --- > > > > > > [...] > > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > index d775ea16505b..3f59ab209dfd 100644 > > > > --- a/kernel/auditsc.c > > > > +++ b/kernel/auditsc.c > > > > @@ -76,6 +76,7 @@ > > > > #include <linux/fsnotify_backend.h> > > > > #include <uapi/linux/limits.h> > > > > #include <uapi/linux/netfilter/nf_tables.h> > > > > +#include <uapi/linux/openat2.h> > > > > > > > > #include "audit.h" 
> > > > > > > > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > > > > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > > > > case AUDITSC_EXECVE: > > > > return mask & AUDIT_PERM_EXEC; > > > > + case AUDITSC_OPENAT2: > > > > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); > > > > default: > > > > return 0; > > > > } > > > > > > ctx->argv[2] holds a userspace pointer and can't be dereferenced like this. > > > > > > I'm getting oopses, like so: > > > BUG: unable to handle page fault for address: 00007fff961bbe70 > > > > Thanks Jeff. > > > > Yes, this is obviously the wrong thing to be doing; I remember > > checking to make sure we placed the audit_openat2_how() hook after the > > open_how was copied from userspace, but I missed the argv dereference > > in the syscall exit path when reviewing the code. > > > > Richard, as we are already copying the open_how info into > > audit_context::openat2 safely, the obvious fix is to convert > > audit_match_perm() to use the previously copied value instead of argv. > > If you can't submit a patch for this today please let me know. > > I haven't heard anything from Richard so I put together a patch which > should fix the problem (link below). It's currently untested, but > I've got a kernel building now with the patch ... Well, the day wasn't over yet... I've compiled and tested it. > https://lore.kernel.org/linux-audit/164444111699.153511.15656610495968926251.stgit@olly/T/#u > > -- > paul-moore.com > - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall 2022-02-09 22:13 ` Richard Guy Briggs @ 2022-02-09 22:31 ` Paul Moore -1 siblings, 0 replies; 60+ messages in thread From: Paul Moore @ 2022-02-09 22:31 UTC (permalink / raw) To: Richard Guy Briggs Cc: Jeff Mahoney, Linux-Audit Mailing List, LKML, linux-fsdevel, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, Tony Jones On Wed, Feb 9, 2022 at 5:14 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > On 2022-02-09 16:18, Paul Moore wrote: > > On Wed, Feb 9, 2022 at 10:57 AM Paul Moore <paul@paul-moore.com> wrote: > > > On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney <jeffm@suse.com> wrote: > > > > > > > > Hi Richard - > > > > > > > > On 5/19/21 16:00, Richard Guy Briggs wrote: > > > > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > > > > ("open: introduce openat2(2) syscall") > > > > > > > > > > Add the openat2(2) syscall to the audit syscall classifier. > > > > > > > > > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > > > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > > > > > --- > > > > > > > > [...] > > > > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > > index d775ea16505b..3f59ab209dfd 100644 > > > > > --- a/kernel/auditsc.c > > > > > +++ b/kernel/auditsc.c > > > > > @@ -76,6 +76,7 @@ > > > > > #include <linux/fsnotify_backend.h> > > > > > #include <uapi/linux/limits.h> > > > > > #include <uapi/linux/netfilter/nf_tables.h> > > > > > +#include <uapi/linux/openat2.h> > > > > > > > > > > #include "audit.h" 
> > > > > > > > > > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > > > > > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > > > > > case AUDITSC_EXECVE: > > > > > return mask & AUDIT_PERM_EXEC; > > > > > + case AUDITSC_OPENAT2: > > > > > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); > > > > > default: > > > > > return 0; > > > > > } > > > > > > > > ctx->argv[2] holds a userspace pointer and can't be dereferenced like this. > > > > > > > > I'm getting oopses, like so: > > > > BUG: unable to handle page fault for address: 00007fff961bbe70 > > > > > > Thanks Jeff. > > > > > > Yes, this is obviously the wrong thing to be doing; I remember > > > checking to make sure we placed the audit_openat2_how() hook after the > > > open_how was copied from userspace, but I missed the argv dereference > > > in the syscall exit path when reviewing the code. > > > > > > Richard, as we are already copying the open_how info into > > > audit_context::openat2 safely, the obvious fix is to convert > > > audit_match_perm() to use the previously copied value instead of argv. > > > If you can't submit a patch for this today please let me know. > > > > I haven't heard anything from Richard so I put together a patch which > > should fix the problem (link below). It's currently untested, but > > I've got a kernel building now with the patch ... > > Well, the day wasn't over yet... I've compiled and tested it. Yes, I tested my patch too and everything looks good on my end. For future reference, while I didn't explicitly ask you to acknowledge this thread and that you were working on a patch (I probably should have), it would have been nice if you could have sent a quick note to the list. -- paul-moore.com ^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall 2022-02-09 15:57 ` Paul Moore @ 2022-02-09 21:40 ` Richard Guy Briggs -1 siblings, 0 replies; 60+ messages in thread From: Richard Guy Briggs @ 2022-02-09 21:40 UTC (permalink / raw) To: Paul Moore Cc: Jeff Mahoney, Linux-Audit Mailing List, LKML, linux-fsdevel, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, Tony Jones On 2022-02-09 10:57, Paul Moore wrote: > On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney <jeffm@suse.com> wrote: > > > > Hi Richard - > > > > On 5/19/21 16:00, Richard Guy Briggs wrote: > > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > > ("open: introduce openat2(2) syscall") > > > > > > Add the openat2(2) syscall to the audit syscall classifier. > > > > > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > > > --- > > > > [...] > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > index d775ea16505b..3f59ab209dfd 100644 > > > --- a/kernel/auditsc.c > > > +++ b/kernel/auditsc.c > > > @@ -76,6 +76,7 @@ > > > #include <linux/fsnotify_backend.h> > > > #include <uapi/linux/limits.h> > > > #include <uapi/linux/netfilter/nf_tables.h> > > > +#include <uapi/linux/openat2.h> > > > > > > #include "audit.h" 
> > > > > > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > > > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > > > case AUDITSC_EXECVE: > > > return mask & AUDIT_PERM_EXEC; > > > + case AUDITSC_OPENAT2: > > > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); > > > default: > > > return 0; > > > } > > > > ctx->argv[2] holds a userspace pointer and can't be dereferenced like this. > > > > I'm getting oopses, like so: > > BUG: unable to handle page fault for address: 00007fff961bbe70 > > Thanks Jeff. > > Yes, this is obviously the wrong thing to being doing; I remember > checking to make sure we placed the audit_openat2_how() hook after the > open_how was copied from userspace, but I missed the argv dereference > in the syscall exit path when reviewing the code. > > Richard, as we are already copying the open_how info into > audit_context::openat2 safely, the obvious fix is to convert > audit_match_perm() to use the previously copied value instead of argv. > If you can't submit a patch for this today please let me know. Agreed. It would have been more awkward with the original order of the patches. The syscalls_file test in the audit-testsuite should have caught this. https://github.com/rgbriggs/audit-testsuite/commit/1c99021ae27ea23eccce2bb1861df4c9c665cd5b The test provided does essentially the same thing. I should have a tested patch posted today. > paul-moore.com - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall 2022-02-09 21:40 ` Richard Guy Briggs @ 2022-02-09 22:29 ` Paul Moore -1 siblings, 0 replies; 60+ messages in thread From: Paul Moore @ 2022-02-09 22:29 UTC (permalink / raw) To: Richard Guy Briggs Cc: Tony Jones, Jeff Mahoney, LKML, Eric Paris, Linux-Audit Mailing List, Alexander Viro, linux-fsdevel, Eric Paris On Wed, Feb 9, 2022 at 4:41 PM Richard Guy Briggs <rgb@redhat.com> wrote: > On 2022-02-09 10:57, Paul Moore wrote: > > On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney <jeffm@suse.com> wrote: > > > > > > Hi Richard - > > > > > > On 5/19/21 16:00, Richard Guy Briggs wrote: > > > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > > > ("open: introduce openat2(2) syscall") > > > > > > > > Add the openat2(2) syscall to the audit syscall classifier. > > > > > > > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > > > > --- > > > > > > [...] > > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > index d775ea16505b..3f59ab209dfd 100644 > > > > --- a/kernel/auditsc.c > > > > +++ b/kernel/auditsc.c > > > > @@ -76,6 +76,7 @@ > > > > #include <linux/fsnotify_backend.h> > > > > #include <uapi/linux/limits.h> > > > > #include <uapi/linux/netfilter/nf_tables.h> > > > > +#include <uapi/linux/openat2.h> > > > > > > > > #include "audit.h" 
> > > > > > > > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > > > > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > > > > case AUDITSC_EXECVE: > > > > return mask & AUDIT_PERM_EXEC; > > > > + case AUDITSC_OPENAT2: > > > > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); > > > > default: > > > > return 0; > > > > } > > > > > > ctx->argv[2] holds a userspace pointer and can't be dereferenced like this. > > > > > > I'm getting oopses, like so: > > > BUG: unable to handle page fault for address: 00007fff961bbe70 > > > > Thanks Jeff. > > > > Yes, this is obviously the wrong thing to being doing; I remember > > checking to make sure we placed the audit_openat2_how() hook after the > > open_how was copied from userspace, but I missed the argv dereference > > in the syscall exit path when reviewing the code. > > > > Richard, as we are already copying the open_how info into > > audit_context::openat2 safely, the obvious fix is to convert > > audit_match_perm() to use the previously copied value instead of argv. > > If you can't submit a patch for this today please let me know. > > Agreed. It would have been more awkward with the original order of the > patches. > > The syscalls_file test in the audit-testsuite should have caught this. > https://github.com/rgbriggs/audit-testsuite/commit/1c99021ae27ea23eccce2bb1861df4c9c665cd5b > The test provided does essentially the same thing. I would have thought so, but I've now run this multiple times on both affected and patched kernels but I don't see the page fault on my test system. Anyway, that test has now been merged with the audit-testsuite as well as some cleanup on top to test for the new OPENAT2 record when applicable. -- paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 60+ messages in thread
* [PATCH v4 3/3] audit: add OPENAT2 record to list how
  2021-05-19 20:00 ` Richard Guy Briggs
@ 2021-05-19 20:00 ` Richard Guy Briggs
  -1 siblings, 0 replies; 60+ messages in thread
From: Richard Guy Briggs @ 2021-05-19 20:00 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML
  Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs, Alexander Viro, Eric Paris, linux-fsdevel, Aleksa Sarai

Since the openat2(2) syscall uses a struct open_how pointer to communicate
its parameters they are not usefully recorded by the audit SYSCALL record's
four existing arguments.

Add a new audit record type OPENAT2 that reports the parameters in its
third argument, struct open_how with fields oflag, mode and resolve.

The new record in the context of an event would look like:
time->Wed Mar 17 16:28:53 2021
type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432
type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests"
type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa
type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO"

Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com --- fs/open.c | 2 ++ include/linux/audit.h | 10 ++++++++++ include/uapi/linux/audit.h | 1 + kernel/audit.h | 2 ++ kernel/auditsc.c | 18 +++++++++++++++++- 5 files changed, 32 insertions(+), 1 deletion(-) diff --git a/fs/open.c b/fs/open.c index e53af13b5835..2a15bec0cf6d 100644 --- a/fs/open.c +++ b/fs/open.c @@ -1235,6 +1235,8 @@ SYSCALL_DEFINE4(openat2, int, dfd, const char __user *, filename, if (err) return err; + audit_openat2_how(&tmp); + /* O_LARGEFILE is only allowed for non-O_PATH. */ if (!(tmp.flags & O_PATH) && force_o_largefile()) tmp.flags |= O_LARGEFILE; diff --git a/include/linux/audit.h b/include/linux/audit.h index 283bc91a6932..580a52caf16f 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -399,6 +399,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, const struct cred *old); extern void __audit_log_capset(const struct cred *new, const struct cred *old); extern void __audit_mmap_fd(int fd, int flags); +extern void __audit_openat2_how(struct open_how *how); extern void __audit_log_kern_module(char *name); extern void __audit_fanotify(unsigned int response); extern void __audit_tk_injoffset(struct timespec64 offset); @@ -495,6 +496,12 @@ static inline void audit_mmap_fd(int fd, int flags) __audit_mmap_fd(fd, flags); } +static inline void audit_openat2_how(struct open_how *how) +{ + if (unlikely(!audit_dummy_context())) + __audit_openat2_how(how); +} + static inline void audit_log_kern_module(char *name) { if (!audit_dummy_context()) @@ -646,6 +653,9 @@ static inline void audit_log_capset(const struct cred *new, static inline void audit_mmap_fd(int fd, int flags) { } +static inline void audit_openat2_how(struct open_how *how) +{ } + static inline void audit_log_kern_module(char *name) { } 
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index cd2d8279a5e4..67aea2370c6d 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -118,6 +118,7 @@ #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ #define AUDIT_BPF 1334 /* BPF subsystem */ #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ +#define AUDIT_OPENAT2 1336 /* Record showing openat2 how args */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ diff --git a/kernel/audit.h b/kernel/audit.h index 1522e100fd17..c5af17905976 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -11,6 +11,7 @@ #include <linux/skbuff.h> #include <uapi/linux/mqueue.h> #include <linux/tty.h> +#include <uapi/linux/openat2.h> // struct open_how /* AUDIT_NAMES is the number of slots we reserve in the audit_context * for saving names from getname(). If we get more names we will allocate @@ -185,6 +186,7 @@ struct audit_context { int fd; int flags; } mmap; + struct open_how openat2; struct { int argc; } execve; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3f59ab209dfd..faf2485323a9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -76,7 +76,7 @@ #include <linux/fsnotify_backend.h> #include <uapi/linux/limits.h> #include <uapi/linux/netfilter/nf_tables.h> -#include <uapi/linux/openat2.h> +#include <uapi/linux/openat2.h> // struct open_how #include "audit.h" @@ -1319,6 +1319,12 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, context->mmap.flags); break; + case AUDIT_OPENAT2: + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx", + context->openat2.flags, + context->openat2.mode, + context->openat2.resolve); + break; case AUDIT_EXECVE: audit_log_execve_info(context, &ab); break; 
@@ -2549,6 +2555,16 @@ void __audit_mmap_fd(int fd, int flags) context->type = AUDIT_MMAP; } +void __audit_openat2_how(struct open_how *how) +{ + struct audit_context *context = audit_context(); + + context->openat2.flags = how->flags; + context->openat2.mode = how->mode; + context->openat2.resolve = how->resolve; + context->type = AUDIT_OPENAT2; +} + void __audit_log_kern_module(char *name) { struct audit_context *context = audit_context(); -- 2.27.0 ^ permalink raw reply related [flat|nested] 60+ messages in thread
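Review bot: in the fs/open.c hunk, audit_openat2_how(&tmp) is called before the O_LARGEFILE adjustment that follows it, so the OPENAT2 record carries the flags as copied from the caller rather than the value the open proceeds with. If that is the intent, state it in a one-line comment at the call site or in the commit message; if the record is meant to show the effective flags, move the hook below the adjustment.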
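Review bot: in the include/linux/audit.h hunk at -495, the new audit_openat2_how() wrapper tests unlikely(!audit_dummy_context()) while audit_log_kern_module(), visible in the same hunk's context, uses a plain if (!audit_dummy_context()); pick one form or justify the hint. The wrappers and __audit_openat2_how() only read *how, so the parameter can be const struct open_how *, which documents that the audit hook does not modify the caller's copy.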
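Review bot: the AUDIT_OPENAT2 case in show_special() hard-codes the octal prefix as a literal 0 before %llo, so a zero value is logged with a doubled zero (mode=00, and oflag=00 for a plain O_RDONLY open), and the key oflag does not match the struct member flags that it is filled from. Settle the field name and the zero-value form before this becomes record format that userspace parses, and describe the encoding of the three fields (octal, octal, hex) in the commit message.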
* Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how
  2021-05-19 20:00 ` Richard Guy Briggs
@ 2021-05-20 8:03 ` Christian Brauner
  -1 siblings, 0 replies; 60+ messages in thread
From: Christian Brauner @ 2021-05-20 8:03 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Linux-Audit Mailing List, LKML, Paul Moore, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, linux-fsdevel, Aleksa Sarai

On Wed, May 19, 2021 at 04:00:22PM -0400, Richard Guy Briggs wrote:
> Since the openat2(2) syscall uses a struct open_how pointer to communicate
> its parameters they are not usefully recorded by the audit SYSCALL record's
> four existing arguments.
>
> Add a new audit record type OPENAT2 that reports the parameters in its
> third argument, struct open_how with fields oflag, mode and resolve.
>
> The new record in the context of an event would look like:
> time->Wed Mar 17 16:28:53 2021
> type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432
> type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests"
> type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa
> type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO"
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com > --- > fs/open.c | 2 ++ > include/linux/audit.h | 10 ++++++++++ > include/uapi/linux/audit.h | 1 + > kernel/audit.h | 2 ++ > kernel/auditsc.c | 18 +++++++++++++++++- > 5 files changed, 32 insertions(+), 1 deletion(-) > > diff --git a/fs/open.c b/fs/open.c > index e53af13b5835..2a15bec0cf6d 100644 > --- a/fs/open.c > +++ b/fs/open.c > @@ -1235,6 +1235,8 @@ SYSCALL_DEFINE4(openat2, int, dfd, const char __user *, filename, > if (err) > return err; > > + audit_openat2_how(&tmp); > + > /* O_LARGEFILE is only allowed for non-O_PATH. */ > if (!(tmp.flags & O_PATH) && force_o_largefile()) > tmp.flags |= O_LARGEFILE; > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 283bc91a6932..580a52caf16f 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -399,6 +399,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, > const struct cred *old); > extern void __audit_log_capset(const struct cred *new, const struct cred *old); > extern void __audit_mmap_fd(int fd, int flags); > +extern void __audit_openat2_how(struct open_how *how); > extern void __audit_log_kern_module(char *name); > extern void __audit_fanotify(unsigned int response); > extern void __audit_tk_injoffset(struct timespec64 offset); > @@ -495,6 +496,12 @@ static inline void audit_mmap_fd(int fd, int flags) > __audit_mmap_fd(fd, flags); > } > > +static inline void audit_openat2_how(struct open_how *how) > +{ > + if (unlikely(!audit_dummy_context())) > + __audit_openat2_how(how); > +} > + > static inline void audit_log_kern_module(char *name) > { > if (!audit_dummy_context()) 
> @@ -646,6 +653,9 @@ static inline void audit_log_capset(const struct cred *new, > static inline void audit_mmap_fd(int fd, int flags) > { } > > +static inline void audit_openat2_how(struct open_how *how) > +{ } > + > static inline void audit_log_kern_module(char *name) > { > } > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index cd2d8279a5e4..67aea2370c6d 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -118,6 +118,7 @@ > #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ > #define AUDIT_BPF 1334 /* BPF subsystem */ > #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ > +#define AUDIT_OPENAT2 1336 /* Record showing openat2 how args */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > diff --git a/kernel/audit.h b/kernel/audit.h > index 1522e100fd17..c5af17905976 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -11,6 +11,7 @@ > #include <linux/skbuff.h> > #include <uapi/linux/mqueue.h> > #include <linux/tty.h> > +#include <uapi/linux/openat2.h> // struct open_how > > /* AUDIT_NAMES is the number of slots we reserve in the audit_context > * for saving names from getname(). If we get more names we will allocate > @@ -185,6 +186,7 @@ struct audit_context { > int fd; > int flags; > } mmap; > + struct open_how openat2; > struct { > int argc; > } execve; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 3f59ab209dfd..faf2485323a9 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -76,7 +76,7 @@ > #include <linux/fsnotify_backend.h> > #include <uapi/linux/limits.h> > #include <uapi/linux/netfilter/nf_tables.h> > -#include <uapi/linux/openat2.h> > +#include <uapi/linux/openat2.h> // struct open_how > > #include "audit.h" 
> > @@ -1319,6 +1319,12 @@ static void show_special(struct audit_context *context, int *call_panic) > audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, > context->mmap.flags); > break; > + case AUDIT_OPENAT2: > + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx", Hm, should we maybe follow the struct member names for all entries, i.e. replace s/oflag/flags? Otherwise Acked-by: Christian Brauner <christian.brauner@ubuntu.com> > + context->openat2.flags, > + context->openat2.mode, > + context->openat2.resolve); > + break; > case AUDIT_EXECVE: > audit_log_execve_info(context, &ab); > break; > @@ -2549,6 +2555,16 @@ void __audit_mmap_fd(int fd, int flags) > context->type = AUDIT_MMAP; > } > > +void __audit_openat2_how(struct open_how *how) > +{ > + struct audit_context *context = audit_context(); > + > + context->openat2.flags = how->flags; > + context->openat2.mode = how->mode; > + context->openat2.resolve = how->resolve; > + context->type = AUDIT_OPENAT2; > +} > + > void __audit_log_kern_module(char *name) > { > struct audit_context *context = audit_context(); > -- > 2.27.0 > ^ permalink raw reply [flat|nested] 60+ messages in thread
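The OPENAT2 record format from the commit message above (oflag and mode in octal, resolve in hex), decoded as an added example that is not code from this patch series or from the audit userspace tools. It pairs the record with its SYSCALL record by event id and applies the ACC_MODE() mapping that the AUDITSC_OPENAT2 case in patch 2/3 relies on; the O_* and RESOLVE_* tables and the ACC_MODE table are the x86_64 kernel header values and are not shown on the page.

```python
import re

# The OPENAT2 and SYSCALL records of the sample event in the commit message.
SAMPLE_EVENT = '''\
type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa
type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO"
'''

# Open flags as numbered on x86_64 (the sample's arch=c000003e); other
# architectures number some of these bits differently.
O_ACCMODE = 0o3
ACCESS_NAMES = ("O_RDONLY", "O_WRONLY", "O_RDWR", "O_ACCMODE")
O_FLAGS = {
    0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY", 0o1000: "O_TRUNC",
    0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o40000: "O_DIRECT",
    0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY", 0o400000: "O_NOFOLLOW",
    0o2000000: "O_CLOEXEC", 0o10000000: "O_PATH",
}
# RESOLVE_* bits from uapi/linux/openat2.h.
RESOLVE_FLAGS = {
    0x01: "RESOLVE_NO_XDEV", 0x02: "RESOLVE_NO_MAGICLINKS",
    0x04: "RESOLVE_NO_SYMLINKS", 0x08: "RESOLVE_BENEATH",
    0x10: "RESOLVE_IN_ROOT", 0x20: "RESOLVE_CACHED",
}
# Kernel ACC_MODE() table indexed by access mode; the resulting bits share
# their values with AUDIT_PERM_READ (4) and AUDIT_PERM_WRITE (2).
ACC_MODE = (4, 2, 6, 6)
AUDIT_PERM_WRITE = 2
AUDIT_PERM_READ = 4

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by event id (timestamp, serial) and split key=value fields."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events.setdefault((stamp, int(serial)), {})[rtype] = fields
    return events


def bit_names(value, table):
    """Name every known bit set in value; report leftover bits instead of hiding them."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value
    for bit in table:
        leftover &= ~bit
    if leftover:
        names.append("unknown:%#x" % leftover)
    return names


def decode_openat2(fields):
    """Decode one OPENAT2 record; return None if a field is missing or malformed."""
    try:
        oflag = int(fields["oflag"], 8)      # logged as 0%llo
        mode = int(fields["mode"], 8)        # logged as 0%llo
        resolve = int(fields["resolve"], 16) # logged as 0x%llx
    except (KeyError, ValueError):
        return None
    # Models only the AUDITSC_OPENAT2 case of audit_match_perm() in the patch.
    acc = ACC_MODE[oflag & O_ACCMODE]
    perm = ("r" if acc & AUDIT_PERM_READ else "") + \
           ("w" if acc & AUDIT_PERM_WRITE else "")
    return {
        "flags": [ACCESS_NAMES[oflag & O_ACCMODE]]
                 + bit_names(oflag & ~O_ACCMODE, O_FLAGS),
        "mode": mode,
        "resolve": bit_names(resolve, RESOLVE_FLAGS),
        "perm": perm,
    }


def summarize(text):
    """Return one decoded entry per event that carries an OPENAT2 record."""
    out = []
    for event_id, records in sorted(parse_events(text).items()):
        how = decode_openat2(records.get("OPENAT2", {}))
        if how is None:
            continue
        syscall = records.get("SYSCALL", {})
        how.update(event=event_id, syscall=syscall.get("syscall"),
                   comm=syscall.get("comm"))
        out.append(how)
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_EVENT):
        print(entry)
```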
* Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how 2021-05-20 8:03 ` Christian Brauner @ 2021-05-24 23:08 ` Paul Moore -1 siblings, 0 replies; 60+ messages in thread 
From: Paul Moore @ 2021-05-24 23:08 UTC (permalink / raw) To: Christian Brauner Cc: Richard Guy Briggs, Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, linux-fsdevel, Aleksa Sarai On Thu, May 20, 2021 at 4:03 AM Christian Brauner <christian.brauner@ubuntu.com> wrote: > On Wed, May 19, 2021 at 04:00:22PM -0400, Richard Guy Briggs wrote: > > Since the openat2(2) syscall uses a struct open_how pointer to communicate > > its parameters they are not usefully recorded by the audit SYSCALL record's > > four existing arguments. > > > > Add a new audit record type OPENAT2 that reports the parameters in its > > third argument, struct open_how with fields oflag, mode and resolve. > > > > The new record in the context of an event would look like: > > time->Wed Mar 17 16:28:53 2021 > > type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432 > > type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > > type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > > type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests" > > type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa > > type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO" > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com > > --- > > fs/open.c | 2 ++ > > include/linux/audit.h | 10 ++++++++++ > > include/uapi/linux/audit.h | 1 + > > kernel/audit.h | 2 ++ > > kernel/auditsc.c | 18 +++++++++++++++++- > > 5 files changed, 32 insertions(+), 1 deletion(-) ... > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index 3f59ab209dfd..faf2485323a9 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -76,7 +76,7 @@ > > #include <linux/fsnotify_backend.h> > > #include <uapi/linux/limits.h> > > #include <uapi/linux/netfilter/nf_tables.h> > > -#include <uapi/linux/openat2.h> > > +#include <uapi/linux/openat2.h> // struct open_how > > > > #include "audit.h" > > > > @@ -1319,6 +1319,12 @@ static void show_special(struct audit_context *context, int *call_panic) > > audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, > > context->mmap.flags); > > break; > > + case AUDIT_OPENAT2: > > + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx", > > Hm, should we maybe follow the struct member names for all entries, i.e. > replace s/oflag/flags? There is some precedence for using "oflags" to refer to "open" flags, my guess is Richard is trying to be consistent here. I agree it's a little odd, but it looks like the right thing to me from an audit perspective; the audit perspective is a little odd after all :) -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 60+ messages in thread
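Review bot: the -76,7 hunk in kernel/auditsc.c rewrites an existing #include only to append a `// struct open_how` comment, which is churn on a line the patch has no other reason to touch and uses a `//` comment where kernel style expects `/* ... */`. Drop that hunk; if the annotation is wanted on the include this series adds in kernel/audit.h, write it as `/* struct open_how */`.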
* Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how 2021-05-24 23:08 ` Paul Moore @ 2021-05-25 15:00 ` Richard Guy Briggs -1 siblings, 0 replies; 60+ messages in thread 
From: Richard Guy Briggs @ 2021-05-25 15:00 UTC (permalink / raw) To: Paul Moore Cc: Christian Brauner, Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, linux-fsdevel, Aleksa Sarai On 2021-05-24 19:08, Paul Moore wrote: > On Thu, May 20, 2021 at 4:03 AM Christian Brauner > <christian.brauner@ubuntu.com> wrote: > > On Wed, May 19, 2021 at 04:00:22PM -0400, Richard Guy Briggs wrote: > > > Since the openat2(2) syscall uses a struct open_how pointer to communicate > > > its parameters they are not usefully recorded by the audit SYSCALL record's > > > four existing arguments. > > > > > > Add a new audit record type OPENAT2 that reports the parameters in its > > > third argument, struct open_how with fields oflag, mode and resolve. > > > > > > The new record in the context of an event would look like: > > > time->Wed Mar 17 16:28:53 2021 > > > type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432 > > > type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > > > type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > > > type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests" > > > type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa > > > type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" 
exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO" > > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com > > > --- > > > fs/open.c | 2 ++ > > > include/linux/audit.h | 10 ++++++++++ > > > include/uapi/linux/audit.h | 1 + > > > kernel/audit.h | 2 ++ > > > kernel/auditsc.c | 18 +++++++++++++++++- > > > 5 files changed, 32 insertions(+), 1 deletion(-) > > ... > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > index 3f59ab209dfd..faf2485323a9 100644 > > > --- a/kernel/auditsc.c > > > +++ b/kernel/auditsc.c > > > @@ -76,7 +76,7 @@ > > > #include <linux/fsnotify_backend.h> > > > #include <uapi/linux/limits.h> > > > #include <uapi/linux/netfilter/nf_tables.h> > > > -#include <uapi/linux/openat2.h> > > > +#include <uapi/linux/openat2.h> // struct open_how > > > > > > #include "audit.h" 
> > > > > > @@ -1319,6 +1319,12 @@ static void show_special(struct audit_context *context, int *call_panic) > > > audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, > > > context->mmap.flags); > > > break; > > > + case AUDIT_OPENAT2: > > > + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx", > > > > Hm, should we maybe follow the struct member names for all entries, i.e. > > replace s/oflag/flags? > > There is some precedence for using "oflags" to refer to "open" flags, > my guess is Richard is trying to be consistent here. I agree it's a > little odd, but it looks like the right thing to me from an audit > perspective; the audit perspective is a little odd after all :) Thanks Paul. I could have sworn I had a conversation with someone about this but I can't find any of that evidence otherwise I'd paste it here. With the help of our audit field dictionary we have some guidance of what these new field names should be: https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/field-dictionary.csv The "flags" field is used for the mmap record (coincidentally in the context diff), so should not be used here because it will cause issues in the userspace parser. The open syscall flags are listed with "oflag". Other flag fields are named after their domain. The value field has a precedence of "val" that is not associated with any particular domain and is alphanumeric. Other value fields take the name of their domain, so that was a possibility. "resolve" would be a new field for which I have a note to add it to this document if the patch is accepted. > paul moore - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how 2021-05-19 20:00 ` Richard Guy Briggs @ 2021-10-04 16:08 ` Paul Moore -1 siblings, 0 replies; 60+ messages in thread 
From: Paul Moore @ 2021-10-04 16:08 UTC (permalink / raw) To: Richard Guy Briggs Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, linux-fsdevel, Aleksa Sarai On Wed, May 19, 2021 at 4:02 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > Since the openat2(2) syscall uses a struct open_how pointer to communicate > its parameters they are not usefully recorded by the audit SYSCALL record's > four existing arguments. > > Add a new audit record type OPENAT2 that reports the parameters in its > third argument, struct open_how with fields oflag, mode and resolve. > > The new record in the context of an event would look like: > time->Wed Mar 17 16:28:53 2021 > type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432 > type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests" > type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa > type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO" 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com > --- > fs/open.c | 2 ++ > include/linux/audit.h | 10 ++++++++++ > include/uapi/linux/audit.h | 1 + > kernel/audit.h | 2 ++ > kernel/auditsc.c | 18 +++++++++++++++++- > 5 files changed, 32 insertions(+), 1 deletion(-) ... > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index cd2d8279a5e4..67aea2370c6d 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -118,6 +118,7 @@ > #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ > #define AUDIT_BPF 1334 /* BPF subsystem */ > #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ > +#define AUDIT_OPENAT2 1336 /* Record showing openat2 how args */ As a heads-up, I had to change the AUDIT_OPENAT2 value to 1337 as the 1336 value is already in use by AUDIT_URINGOP. It wasn't caught during my initial build test as the LSM/audit io_uring patches are in selinux/next and not audit/next, it wasn't until the kernel-secnext build was merging everything for its test run that the collision occurred. I'll be updating the audit/next tree with the new value shortly. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 60+ messages in thread
* Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how 2021-10-04 16:08 ` Paul Moore @ 2021-10-04 18:27 ` Richard Guy Briggs -1 siblings, 0 replies; 60+ messages in thread 
From: Richard Guy Briggs @ 2021-10-04 18:27 UTC (permalink / raw) To: Paul Moore Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, linux-fsdevel, Aleksa Sarai On 2021-10-04 12:08, Paul Moore wrote: > On Wed, May 19, 2021 at 4:02 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > > > Since the openat2(2) syscall uses a struct open_how pointer to communicate > > its parameters they are not usefully recorded by the audit SYSCALL record's > > four existing arguments. > > > > Add a new audit record type OPENAT2 that reports the parameters in its > > third argument, struct open_how with fields oflag, mode and resolve. > > > > The new record in the context of an event would look like: > > time->Wed Mar 17 16:28:53 2021 > > type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432 > > type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > > type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > > type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests" > > type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa > > type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
key="testsuite-1616012933-bjAUcEPO" > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com > > --- > > fs/open.c | 2 ++ > > include/linux/audit.h | 10 ++++++++++ > > include/uapi/linux/audit.h | 1 + > > kernel/audit.h | 2 ++ > > kernel/auditsc.c | 18 +++++++++++++++++- > > 5 files changed, 32 insertions(+), 1 deletion(-) > > ... > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index cd2d8279a5e4..67aea2370c6d 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h 
> > @@ -118,6 +118,7 @@ > > #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ > > #define AUDIT_BPF 1334 /* BPF subsystem */ > > #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ > > +#define AUDIT_OPENAT2 1336 /* Record showing openat2 how args */ > > As a heads-up, I had to change the AUDIT_OPENAT2 value to 1337 as the > 1336 value is already in use by AUDIT_URINGOP. It wasn't caught > during my initial build test as the LSM/audit io_uring patches are in > selinux/next and not audit/next, it wasn't until the kernel-secnext > build was merging everything for its test run that the collision > occurred. I'll be updating the audit/next tree with the new value > shortly. I was expecting a conflict, so thanks for the heads up, Paul. Steve: This affects the audit userspace support for this patchset previously published 2021-05-19 as: https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2 The update is here: https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2.v2 And a PR has been created: https://github.com/linux-audit/audit-userspace/pull/219 > paul moore - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 60+ messages in thread
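Added example (not part of the thread, the patch, or the audit userspace code): a decoder for the OPENAT2 record described in the quoted commit message, paired with the SYSCALL and PATH records of the same event. The flag tables assume x86_64 values (arch=c000003e in the sample), the sample lines are abridged from the event quoted above, and the function names are hypothetical.

```python
import re

# Partial open(2) flag table, x86_64/asm-generic octal values (assumption:
# other architectures use different numbers). Unknown bits are shown as hex.
O_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY", 0o1000: "O_TRUNC",
           0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o10000: "O_DSYNC",
           0o40000: "O_DIRECT", 0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY",
           0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC", 0o10000000: "O_PATH"}
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
# RESOLVE_* bits from include/uapi/linux/openat2.h
RESOLVE = {0x01: "RESOLVE_NO_XDEV", 0x02: "RESOLVE_NO_MAGICLINKS",
           0x04: "RESOLVE_NO_SYMLINKS", 0x08: "RESOLVE_BENEATH",
           0x10: "RESOLVE_IN_ROOT", 0x20: "RESOLVE_CACHED"}

# Abridged from the sample event quoted in the thread (fields trimmed).
SAMPLE = '''\
type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" nametype=CREATE
type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa
type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3
'''

REC = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+:\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def bits(value, table):
    """Names of the set bits found in table, plus any leftover bits as hex."""
    names = [n for b, n in sorted(table.items()) if value & b]
    left = value & ~sum(table)
    return names + ([hex(left)] if left else [])

def decode_openat2(log_text):
    """Group records by event id and decode each event's OPENAT2 record."""
    events = {}
    for line in log_text.splitlines():
        m = REC.match(line)
        if m:
            rtype, evid, rest = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
            events.setdefault(evid, {}).setdefault(rtype, []).append(fields)
    out = []
    for evid, recs in events.items():
        for how in recs.get("OPENAT2", []):
            oflag = int(how["oflag"], 8)        # kernel prints oflag and mode in octal
            resolve = int(how["resolve"], 16)   # and resolve in hex
            out.append({
                "event": evid,
                "syscall": recs.get("SYSCALL", [{}])[0].get("syscall"),
                "paths": [p["name"] for p in recs.get("PATH", []) if "name" in p],
                "oflag": [ACCMODE.get(oflag & 3, "?")] + bits(oflag & ~3, O_FLAGS),
                "mode": int(how["mode"], 8),
                "resolve": bits(resolve, RESOLVE),
            })
    return out
```

Records are matched on the `msg=audit(timestamp:serial)` event id, so the OPENAT2 fields can be read alongside the syscall number and path names that the SYSCALL and PATH records carry.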
* Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how
From: Steve Grubb @ 2021-10-21 19:00 UTC
To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List

On Monday, October 4, 2021 2:27:18 PM EDT Richard Guy Briggs wrote:
> > As a heads-up, I had to change the AUDIT_OPENAT2 value to 1337 as the
> > 1336 value is already in use by AUDIT_URINGOP. It wasn't caught
> > during my initial build test as the LSM/audit io_uring patches are in
> > selinux/next and not audit/next, it wasn't until the kernel-secnext
> > build was merging everything for its test run that the collision
> > occurred. I'll be updating the audit/next tree with the new value
> > shortly.
>
> I was expecting a conflict, so thanks for the heads up, Paul.
>
> Steve: This affects the audit userspace support for this patchset
> previously published 2021-05-19 as:
>         https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2
>
> The update is here:
>         https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2.v2
>
> And a PR has been created:
>         https://github.com/linux-audit/audit-userspace/pull/219

The user space piece is now merged.

-Steve
* Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how
From: Richard Guy Briggs @ 2021-10-21 19:44 UTC
To: Steve Grubb; +Cc: Linux-Audit Mailing List

On 2021-10-21 15:00, Steve Grubb wrote:
> On Monday, October 4, 2021 2:27:18 PM EDT Richard Guy Briggs wrote:
> > > As a heads-up, I had to change the AUDIT_OPENAT2 value to 1337 as the
> > > 1336 value is already in use by AUDIT_URINGOP. It wasn't caught
> > > during my initial build test as the LSM/audit io_uring patches are in
> > > selinux/next and not audit/next, it wasn't until the kernel-secnext
> > > build was merging everything for its test run that the collision
> > > occurred. I'll be updating the audit/next tree with the new value
> > > shortly.
> >
> > I was expecting a conflict, so thanks for the heads up, Paul.
> >
> > Steve: This affects the audit userspace support for this patchset
> > previously published 2021-05-19 as:
> >         https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2
> >
> > The update is here:
> >         https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2.v2
> >
> > And a PR has been created:
> >         https://github.com/linux-audit/audit-userspace/pull/219
>
> The user space piece is now merged.

Thanks. Can you explain why you squashed the three into one commit?

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635