From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 03335ECAAD4
	for <linux-kernel@archiver.kernel.org>; Wed, 31 Aug 2022 21:07:38 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230266AbiHaVHh (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Wed, 31 Aug 2022 17:07:37 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56454 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229481AbiHaVHe (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 31 Aug 2022 17:07:34 -0400
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 22AEAF3252
        for <linux-kernel@vger.kernel.org>; Wed, 31 Aug 2022 14:07:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1661980052;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=N5G7tx6XzS2Mm25xM7iRQx+nrJ0/jmqysbh8SULQiRc=;
        b=IZ6KdLm5jl3W/qXZnkD/F68ixRF3KW0tz4AoTV1Itw0ZGIyEozt0XvfoW8jlt8J90E9/xS
        GGTsCC25FNndlUz7F6nYg4sShsccTBK/YFZwmG2FvrGhn6EpMLqsf/hLXqBwLc2Lo1Cr1l
        ypTSnCoiXVVJcGxVZz1uT+g94bJr1sI=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-208-3iRI4zIvNiSrYMFsG6jm1w-1; Wed, 31 Aug 2022 17:07:30 -0400
X-MC-Unique: 3iRI4zIvNiSrYMFsG6jm1w-1
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A813B8039BC;
        Wed, 31 Aug 2022 21:07:28 +0000 (UTC)
Received: from madcap2.tricolour.ca (unknown [10.22.48.5])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 383E31415138;
        Wed, 31 Aug 2022 21:07:27 +0000 (UTC)
Date:   Wed, 31 Aug 2022 17:07:25 -0400
From:   Richard Guy Briggs <rgb@redhat.com>
To:     Steve Grubb <sgrubb@redhat.com>, Paul Moore <paul@paul-moore.com>
Cc:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        linux-fsdevel@vger.kernel.org, Eric Paris <eparis@parisplace.org>,
        Jan Kara <jack@suse.cz>, Amir Goldstein <amir73il@gmail.com>
Subject: Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full
 permission event response
Message-ID: <Yw/NjYytoMUdbxuR@madcap2.tricolour.ca>
References: <cover.1659996830.git.rgb@redhat.com>
 <c4ae9b882c07ea9cac64094294da5edc0756bb50.1659996830.git.rgb@redhat.com>
 <CAHC9VhT0D=qtaYR-Ve1hRTtQXspuC09qQZyFdESj-tQstyvMFg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHC9VhT0D=qtaYR-Ve1hRTtQXspuC09qQZyFdESj-tQstyvMFg@mail.gmail.com>
X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022-08-15 20:22, Paul Moore wrote:
> On Tue, Aug 9, 2022 at 1:23 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> >
> > This patch passes the full value so that the audit function can use all
> > of it. The audit function was updated to log the additional information in
> > the AUDIT_FANOTIFY record. The following is an example of the new record
> > format:
> >
> > type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_info=17
> >
> > Suggested-by: Steve Grubb <sgrubb@redhat.com>
> > Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  fs/notify/fanotify/fanotify.c |  3 ++-
> >  include/linux/audit.h         |  9 +++++----
> >  kernel/auditsc.c              | 31 ++++++++++++++++++++++++++++---
> >  3 files changed, 35 insertions(+), 8 deletions(-)
> 
> You've hopefully already seen the kernel test robot build warning, so
> I won't bring that up again, but a few comments below ...

Yes, dealt with...

...

> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 433418d73584..f000fec52360 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -64,6 +64,7 @@
> >  #include <uapi/linux/limits.h>
> >  #include <uapi/linux/netfilter/nf_tables.h>
> >  #include <uapi/linux/openat2.h> // struct open_how
> > +#include <uapi/linux/fanotify.h>
> >
> >  #include "audit.h"
> >
> > @@ -2899,10 +2900,34 @@ void __audit_log_kern_module(char *name)
> >         context->type = AUDIT_KERN_MODULE;
> >  }
> >
> > -void __audit_fanotify(u32 response)
> > +void __audit_fanotify(u32 response, size_t len, char *buf)
> >  {
> > -       audit_log(audit_context(), GFP_KERNEL,
> > -               AUDIT_FANOTIFY, "resp=%u", response);
> > +       struct fanotify_response_info_audit_rule *friar;
> > +       size_t c = len;
> > +       char *ib = buf;
> > +
> > +       if (!(len && buf)) {
> > +               audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
> > +                         "resp=%u fan_type=0 fan_info=?", response);
> > +               return;
> > +       }
> > +       while (c >= sizeof(struct fanotify_response_info_header)) {
> > +               friar = (struct fanotify_response_info_audit_rule *)buf;
> 
> Since the only use of this at the moment is the
> fanotify_response_info_rule, why not pass the
> fanotify_response_info_rule struct directly into this function?  We
> can always change it if we need to in the future without affecting
> userspace, and it would simplify the code.

Steve, would it make any sense for there to be more than one
FAN_RESPONSE_INFO_AUDIT_RULE header in a message?  Could there be more
than one rule that contributes to a notify reason?  If not, would it be
reasonable to return -EINVAL if there is more than one?

> > +               switch (friar->hdr.type) {
> > +               case FAN_RESPONSE_INFO_AUDIT_RULE:
> > +                       if (friar->hdr.len < sizeof(*friar)) {
> > +                               audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
> > +                                         "resp=%u fan_type=%u fan_info=(incomplete)",
> > +                                         response, friar->hdr.type);
> > +                               return;
> > +                       }
> > +                       audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
> > +                                 "resp=%u fan_type=%u fan_info=%u",
> > +                                 response, friar->hdr.type, friar->audit_rule);
> > +               }
> > +               c -= friar->hdr.len;
> > +               ib += friar->hdr.len;
> > +       }
> >  }
> >
> >  void __audit_tk_injoffset(struct timespec64 offset)
> 
> paul-moore.com

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-audit-bounces@redhat.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 12D25ECAAD4
	for <linux-audit@archiver.kernel.org>; Wed, 31 Aug 2022 22:22:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1661984574;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=oeTsjmDS/p7IjJf/si0WkB+IATNN/bHhFRP8xuTREd8=;
	b=cS/I+jI6gOSCVEr7jDhc3aHF4QOLSmhAJ68+RMp0Gh9pgkYMRrquGHRUKk1Uus0WvuzLzp
	Mjfv4cTEsMZHSMYs3JTas6nEAcPipmYbv+YNsB15jbhUX2ZH7szOTWOerwBKZU9u6q7FLY
	jYZHMegykKCHl8pxhxRB93Gc1bIFuq0=
Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com
 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-48-YC4NUnOQOhGobs3NtcXH2w-1; Wed, 31 Aug 2022 18:22:51 -0400
X-MC-Unique: YC4NUnOQOhGobs3NtcXH2w-1
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A26423C0D1A4;
	Wed, 31 Aug 2022 22:22:50 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (unknown [10.30.29.100])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 66E3F1121314;
	Wed, 31 Aug 2022 22:22:50 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1])
	by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 068E11946A4A;
	Wed, 31 Aug 2022 22:22:50 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com
 [10.11.54.7])
 by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id B654B1946A40 for <linux-audit@listman.corp.redhat.com>;
 Wed, 31 Aug 2022 21:07:28 +0000 (UTC)
Received: by smtp.corp.redhat.com (Postfix)
 id A53411410F3C; Wed, 31 Aug 2022 21:07:28 +0000 (UTC)
Received: from madcap2.tricolour.ca (unknown [10.22.48.5])
 by smtp.corp.redhat.com (Postfix) with ESMTPS id 383E31415138;
 Wed, 31 Aug 2022 21:07:27 +0000 (UTC)
Date: Wed, 31 Aug 2022 17:07:25 -0400
From: Richard Guy Briggs <rgb@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>, Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full
 permission event response
Message-ID: <Yw/NjYytoMUdbxuR@madcap2.tricolour.ca>
References: <cover.1659996830.git.rgb@redhat.com>
 <c4ae9b882c07ea9cac64094294da5edc0756bb50.1659996830.git.rgb@redhat.com>
 <CAHC9VhT0D=qtaYR-Ve1hRTtQXspuC09qQZyFdESj-tQstyvMFg@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAHC9VhT0D=qtaYR-Ve1hRTtQXspuC09qQZyFdESj-tQstyvMFg@mail.gmail.com>
X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7
X-BeenThere: linux-audit@redhat.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Linux Audit Discussion <linux-audit.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/linux-audit>,
 <mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <http://listman.redhat.com/archives/linux-audit/>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/linux-audit>,
 <mailto:linux-audit-request@redhat.com?subject=subscribe>
Cc: Jan Kara <jack@suse.cz>, Amir Goldstein <amir73il@gmail.com>,
 LKML <linux-kernel@vger.kernel.org>,
 Linux-Audit Mailing List <linux-audit@redhat.com>,
 linux-fsdevel@vger.kernel.org, Eric Paris <eparis@parisplace.org>
Errors-To: linux-audit-bounces@redhat.com
Sender: "Linux-audit" <linux-audit-bounces@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On 2022-08-15 20:22, Paul Moore wrote:
> On Tue, Aug 9, 2022 at 1:23 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> >
> > This patch passes the full value so that the audit function can use all
> > of it. The audit function was updated to log the additional information in
> > the AUDIT_FANOTIFY record. The following is an example of the new record
> > format:
> >
> > type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_info=17
> >
> > Suggested-by: Steve Grubb <sgrubb@redhat.com>
> > Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  fs/notify/fanotify/fanotify.c |  3 ++-
> >  include/linux/audit.h         |  9 +++++----
> >  kernel/auditsc.c              | 31 ++++++++++++++++++++++++++++---
> >  3 files changed, 35 insertions(+), 8 deletions(-)
> 
> You've hopefully already seen the kernel test robot build warning, so
> I won't bring that up again, but a few comments below ...

Yes, dealt with...

...

> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 433418d73584..f000fec52360 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -64,6 +64,7 @@
> >  #include <uapi/linux/limits.h>
> >  #include <uapi/linux/netfilter/nf_tables.h>
> >  #include <uapi/linux/openat2.h> // struct open_how
> > +#include <uapi/linux/fanotify.h>
> >
> >  #include "audit.h"
> >
> > @@ -2899,10 +2900,34 @@ void __audit_log_kern_module(char *name)
> >         context->type = AUDIT_KERN_MODULE;
> >  }
> >
> > -void __audit_fanotify(u32 response)
> > +void __audit_fanotify(u32 response, size_t len, char *buf)
> >  {
> > -       audit_log(audit_context(), GFP_KERNEL,
> > -               AUDIT_FANOTIFY, "resp=%u", response);
> > +       struct fanotify_response_info_audit_rule *friar;
> > +       size_t c = len;
> > +       char *ib = buf;
> > +
> > +       if (!(len && buf)) {
> > +               audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
> > +                         "resp=%u fan_type=0 fan_info=?", response);
> > +               return;
> > +       }
> > +       while (c >= sizeof(struct fanotify_response_info_header)) {
> > +               friar = (struct fanotify_response_info_audit_rule *)buf;
> 
> Since the only use of this at the moment is the
> fanotify_response_info_rule, why not pass the
> fanotify_response_info_rule struct directly into this function?  We
> can always change it if we need to in the future without affecting
> userspace, and it would simplify the code.

Steve, would it make any sense for there to be more than one
FAN_RESPONSE_INFO_AUDIT_RULE header in a message?  Could there be more
than one rule that contributes to a notify reason?  If not, would it be
reasonable to return -EINVAL if there is more than one?

> > +               switch (friar->hdr.type) {
> > +               case FAN_RESPONSE_INFO_AUDIT_RULE:
> > +                       if (friar->hdr.len < sizeof(*friar)) {
> > +                               audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
> > +                                         "resp=%u fan_type=%u fan_info=(incomplete)",
> > +                                         response, friar->hdr.type);
> > +                               return;
> > +                       }
> > +                       audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
> > +                                 "resp=%u fan_type=%u fan_info=%u",
> > +                                 response, friar->hdr.type, friar->audit_rule);
> > +               }
> > +               c -= friar->hdr.len;
> > +               ib += friar->hdr.len;
> > +       }
> >  }
> >
> >  void __audit_tk_injoffset(struct timespec64 offset)
> 
> paul-moore.com

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit