From: Richard Guy Briggs <rgb@redhat.com>
To: CGEL <cgel.zte@gmail.com>
Cc: kbuild-all@lists.01.org, Zeal Robot <zealci@zte.com.cn>,
linux-kernel@vger.kernel.org, eparis@redhat.com,
dai.shixin@zte.com.cn, Yang Yang <yang.yang29@zte.com.cn>,
linux-audit@redhat.com, ink@jurassic.park.msu.ru,
huang.junhua@zte.com.cn, guo.xiaofeng@zte.com.cn,
mattst88@gmail.com
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid
Date: Wed, 6 Apr 2022 12:49:54 -0400 [thread overview]
Message-ID: <Yk3Esn2Fu0lVX2SZ@madcap2.tricolour.ca> (raw)
In-Reply-To: <624cea8e.1c69fb81.422be.e03b@mx.google.com>
On 2022-04-06 01:19, CGEL wrote:
> On Mon, Apr 04, 2022 at 11:58:50AM -0400, Richard Guy Briggs wrote:
> > On 2022-04-02 08:06, CGEL wrote:
> > > On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> > > > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > > > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > > > > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > > > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > > > > > syscalls, I would consider that a bug which should be fixed.
> > > > > > > >
> > > > > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > > > > > be forcible or be a rule that can be configure? I think configure is
> > > > > > > > better.
> > > > > > >
> > > > > > > It isn't clear to me exactly what you are asking, but I would expect
> > > > > > > the existing audit syscall filtering mechanism to work regardless if
> > > > > > > the syscall is valid or not.
> > > > > >
> > > > > > Thanks, I try to make it more clear. We found that auditctl would only
> > > > > > set rule with syscall number (>=0 && <2047) ...
> > > >
> > > > That is exactly why I wrote the warning below in my response ...
> > > >
> > > I think the question is more clear now.
> > >
> > > 1) libaudit.c wants to forbid setting invalid syscall, but inconsistent
> > > Currently way(>=0 && <2047) is inconsistent, syscall with number 2000 and
> > > syscall with number 3000 are both invalid syscall. But 2000 can be set by
> > > auditctl, and 3000 cannot be set by auditctl.
> > > A better way to do this forbidden is to use __NR_syscalls(asm-generic/unistd.h).
> > >
> > > 2) if libaudit.c do the right forbidden, kernel better ignore invalid syscall
> > > See this patch.
> > >
> > > If we want audit invalid syscall as you said before. libaudit.c should not
> > > do the forbidden, auditctl should allow setting syscall rule with 'any' number.
> > > So do you think we should fix libaudit.c?
> >
> > I'm having a bit of trouble understanding what you've said above.
> >
> > The kernel ultimately must protect itself from malice and mistakes, so
> > it must verify all data sent to it.
> >
> > Userspace can help by knowing what that kernel policy is so it can avoid
> > violating that policy or provide useful feedback if it can't. Userspace
> > can be used to make things more efficient, but the kernel is the last
> > step for security.
> >
> > If userspace and the kernel are mismatched or out of sync, then the
> > kernel enforces policy to protect itself.
>
> Much appreciate for your interpretation. Have you get any idea of how
> to solve the mismatched? From your viewpoint, I think it's better for
> kernel to not handle syscall of syscall number<0, because it's invaild
> of all arch, and has no value for attacker to probing for specific
> syscall numbers.
Going back to the very first quoted line above, if you can generate a
test case that shows that audit is missing an auditable event, that is a
bug that should be fixed.
> > > > > > > to the audit syscall filter, which are unfortunately baked into the
> > > > > > > current design/implementation, which may affect this to some extent.
> > > >
> > > > --
> > > > paul-moore.com
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
WARNING: multiple messages have this Message-ID (diff)
From: Richard Guy Briggs <rgb@redhat.com>
To: CGEL <cgel.zte@gmail.com>
Cc: Paul Moore <paul@paul-moore.com>,
kbuild-all@lists.01.org, Zeal Robot <zealci@zte.com.cn>,
linux-kernel@vger.kernel.org, eparis@redhat.com,
dai.shixin@zte.com.cn, Yang Yang <yang.yang29@zte.com.cn>,
linux-audit@redhat.com, ink@jurassic.park.msu.ru,
huang.junhua@zte.com.cn, guo.xiaofeng@zte.com.cn,
mattst88@gmail.com
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid
Date: Wed, 6 Apr 2022 12:49:54 -0400 [thread overview]
Message-ID: <Yk3Esn2Fu0lVX2SZ@madcap2.tricolour.ca> (raw)
In-Reply-To: <624cea8e.1c69fb81.422be.e03b@mx.google.com>
On 2022-04-06 01:19, CGEL wrote:
> On Mon, Apr 04, 2022 at 11:58:50AM -0400, Richard Guy Briggs wrote:
> > On 2022-04-02 08:06, CGEL wrote:
> > > On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> > > > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > > > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > > > > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > > > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > > > > > syscalls, I would consider that a bug which should be fixed.
> > > > > > > >
> > > > > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > > > > > be forcible or be a rule that can be configure? I think configure is
> > > > > > > > better.
> > > > > > >
> > > > > > > It isn't clear to me exactly what you are asking, but I would expect
> > > > > > > the existing audit syscall filtering mechanism to work regardless if
> > > > > > > the syscall is valid or not.
> > > > > >
> > > > > > Thanks, I try to make it more clear. We found that auditctl would only
> > > > > > set rule with syscall number (>=0 && <2047) ...
> > > >
> > > > That is exactly why I wrote the warning below in my response ...
> > > >
> > > I think the question is more clear now.
> > >
> > > 1) libaudit.c wants to forbid setting invalid syscall, but inconsistent
> > > Currently way(>=0 && <2047) is inconsistent, syscall with number 2000 and
> > > syscall with number 3000 are both invalid syscall. But 2000 can be set by
> > > auditctl, and 3000 cannot be set by auditctl.
> > > A better way to do this forbidden is to use __NR_syscalls(asm-generic/unistd.h).
> > >
> > > 2) if libaudit.c do the right forbidden, kernel better ignore invalid syscall
> > > See this patch.
> > >
> > > If we want audit invalid syscall as you said before. libaudit.c should not
> > > do the forbidden, auditctl should allow setting syscall rule with 'any' number.
> > > So do you think we should fix libaudit.c?
> >
> > I'm having a bit of trouble understanding what you've said above.
> >
> > The kernel ultimately must protect itself from malice and mistakes, so
> > it must verify all data sent to it.
> >
> > Userspace can help by knowing what that kernel policy is so it can avoid
> > violating that policy or provide useful feedback if it can't. Userspace
> > can be used to make things more efficient, but the kernel is the last
> > step for security.
> >
> > If userspace and the kernel are mismatched or out of sync, then the
> > kernel enforces policy to protect itself.
>
> Much appreciate for your interpretation. Have you get any idea of how
> to solve the mismatched? From your viewpoint, I think it's better for
> kernel to not handle syscall of syscall number<0, because it's invaild
> of all arch, and has no value for attacker to probing for specific
> syscall numbers.
Going back to the very first quoted line above, if you can generate a
test case that shows that audit is missing an auditable event, that is a
bug that should be fixed.
> > > > > > > to the audit syscall filter, which are unfortunately baked into the
> > > > > > > current design/implementation, which may affect this to some extent.
> > > >
> > > > --
> > > > paul-moore.com
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
WARNING: multiple messages have this Message-ID (diff)
From: Richard Guy Briggs <rgb@redhat.com>
To: kbuild-all@lists.01.org
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid
Date: Wed, 06 Apr 2022 12:49:54 -0400 [thread overview]
Message-ID: <Yk3Esn2Fu0lVX2SZ@madcap2.tricolour.ca> (raw)
In-Reply-To: <624cea8e.1c69fb81.422be.e03b@mx.google.com>
[-- Attachment #1: Type: text/plain, Size: 3742 bytes --]
On 2022-04-06 01:19, CGEL wrote:
> On Mon, Apr 04, 2022 at 11:58:50AM -0400, Richard Guy Briggs wrote:
> > On 2022-04-02 08:06, CGEL wrote:
> > > On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> > > > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > > > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > > > > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > > > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > > > > > syscalls, I would consider that a bug which should be fixed.
> > > > > > > >
> > > > > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > > > > > be forcible or be a rule that can be configure? I think configure is
> > > > > > > > better.
> > > > > > >
> > > > > > > It isn't clear to me exactly what you are asking, but I would expect
> > > > > > > the existing audit syscall filtering mechanism to work regardless if
> > > > > > > the syscall is valid or not.
> > > > > >
> > > > > > Thanks, I try to make it more clear. We found that auditctl would only
> > > > > > set rule with syscall number (>=0 && <2047) ...
> > > >
> > > > That is exactly why I wrote the warning below in my response ...
> > > >
> > > I think the question is more clear now.
> > >
> > > 1) libaudit.c wants to forbid setting invalid syscall, but inconsistent
> > > Currently way(>=0 && <2047) is inconsistent, syscall with number 2000 and
> > > syscall with number 3000 are both invalid syscall. But 2000 can be set by
> > > auditctl, and 3000 cannot be set by auditctl.
> > > A better way to do this forbidden is to use __NR_syscalls(asm-generic/unistd.h).
> > >
> > > 2) if libaudit.c do the right forbidden, kernel better ignore invalid syscall
> > > See this patch.
> > >
> > > If we want audit invalid syscall as you said before. libaudit.c should not
> > > do the forbidden, auditctl should allow setting syscall rule with 'any' number.
> > > So do you think we should fix libaudit.c?
> >
> > I'm having a bit of trouble understanding what you've said above.
> >
> > The kernel ultimately must protect itself from malice and mistakes, so
> > it must verify all data sent to it.
> >
> > Userspace can help by knowing what that kernel policy is so it can avoid
> > violating that policy or provide useful feedback if it can't. Userspace
> > can be used to make things more efficient, but the kernel is the last
> > step for security.
> >
> > If userspace and the kernel are mismatched or out of sync, then the
> > kernel enforces policy to protect itself.
>
> Much appreciate for your interpretation. Have you get any idea of how
> to solve the mismatched? From your viewpoint, I think it's better for
> kernel to not handle syscall of syscall number<0, because it's invaild
> of all arch, and has no value for attacker to probing for specific
> syscall numbers.
Going back to the very first quoted line above, if you can generate a
test case that shows that audit is missing an auditable event, that is a
bug that should be fixed.
> > > > > > > to the audit syscall filter, which are unfortunately baked into the
> > > > > > > current design/implementation, which may affect this to some extent.
> > > >
> > > > --
> > > > paul-moore.com
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
next prev parent reply other threads:[~2022-04-06 16:50 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-26 9:46 [PATCH] audit: do a quick exit when syscall number is invalid cgel.zte
2022-03-26 9:46 ` cgel.zte
2022-03-26 20:55 ` kernel test robot
2022-03-26 20:55 ` kernel test robot
2022-03-29 1:48 ` CGEL
2022-03-29 1:48 ` CGEL
2022-03-29 1:48 ` CGEL
2022-03-29 2:19 ` Enzo Matsumiya
2022-03-29 2:19 ` Enzo Matsumiya
2022-03-29 2:19 ` Enzo Matsumiya
2022-03-29 3:06 ` Paul Moore
2022-03-29 3:06 ` Paul Moore
2022-03-29 3:06 ` Paul Moore
2022-03-29 3:22 ` CGEL
2022-03-29 3:22 ` CGEL
2022-03-29 3:22 ` CGEL
2022-03-29 13:11 ` Paul Moore
2022-03-29 13:11 ` Paul Moore
2022-03-29 13:11 ` Paul Moore
2022-03-30 5:59 ` CGEL
2022-03-30 5:59 ` CGEL
2022-03-30 5:59 ` CGEL
2022-03-30 14:48 ` Paul Moore
2022-03-30 14:48 ` Paul Moore
2022-03-30 14:48 ` Paul Moore
2022-03-31 2:29 ` CGEL
2022-03-31 2:29 ` CGEL
2022-03-31 2:29 ` CGEL
2022-03-31 14:16 ` Paul Moore
2022-03-31 14:16 ` Paul Moore
2022-03-31 14:16 ` Paul Moore
2022-04-01 1:57 ` CGEL
2022-04-01 1:57 ` CGEL
2022-04-01 1:57 ` CGEL
2022-04-01 13:39 ` Steve Grubb
2022-04-01 13:39 ` Steve Grubb
2022-04-01 13:39 ` Steve Grubb
2022-04-01 14:16 ` Paul Moore
2022-04-01 14:16 ` Paul Moore
2022-04-01 14:16 ` Paul Moore
2022-04-02 8:06 ` CGEL
2022-04-02 8:06 ` CGEL
2022-04-02 8:06 ` CGEL
2022-04-02 15:07 ` Paul Moore
2022-04-02 15:07 ` Paul Moore
2022-04-02 15:07 ` Paul Moore
2022-04-04 15:58 ` Richard Guy Briggs
2022-04-04 15:58 ` Richard Guy Briggs
2022-04-04 15:58 ` Richard Guy Briggs
2022-04-06 1:19 ` CGEL
2022-04-06 1:19 ` CGEL
2022-04-06 1:19 ` CGEL
2022-04-06 16:49 ` Richard Guy Briggs [this message]
2022-04-06 16:49 ` Richard Guy Briggs
2022-04-06 16:49 ` Richard Guy Briggs
2022-04-07 2:36 ` CGEL
2022-04-07 2:36 ` CGEL
2022-04-07 2:36 ` CGEL
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yk3Esn2Fu0lVX2SZ@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=cgel.zte@gmail.com \
--cc=dai.shixin@zte.com.cn \
--cc=eparis@redhat.com \
--cc=guo.xiaofeng@zte.com.cn \
--cc=huang.junhua@zte.com.cn \
--cc=ink@jurassic.park.msu.ru \
--cc=kbuild-all@lists.01.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mattst88@gmail.com \
--cc=yang.yang29@zte.com.cn \
--cc=zealci@zte.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.