From: Jeff Mahoney <jeffm@suse.com>
To: Richard Guy Briggs <rgb@redhat.com>,
Linux-Audit Mailing List <linux-audit@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>,
Eric Paris <eparis@parisplace.org>,
Steve Grubb <sgrubb@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Eric Paris <eparis@redhat.com>, Tony Jones <tonyj@suse.de>
Subject: Re: [PATCH v4 2/3] audit: add support for the openat2 syscall
Date: Tue, 8 Feb 2022 22:44:12 -0500 [thread overview]
Message-ID: <c96031b4-b76d-d82c-e232-1cccbbf71946@suse.com> (raw)
In-Reply-To: <f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com>
Hi Richard -
On 5/19/21 16:00, Richard Guy Briggs wrote:
> The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> ("open: introduce openat2(2) syscall")
>
> Add the openat2(2) syscall to the audit syscall classifier.
>
> Link: https://github.com/linux-audit/audit-kernel/issues/67
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com
> ---
[...]
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index d775ea16505b..3f59ab209dfd 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -76,6 +76,7 @@
> #include <linux/fsnotify_backend.h>
> #include <uapi/linux/limits.h>
> #include <uapi/linux/netfilter/nf_tables.h>
> +#include <uapi/linux/openat2.h>
>
> #include "audit.h"
>
> @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
> return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
> case AUDITSC_EXECVE:
> return mask & AUDIT_PERM_EXEC;
> + case AUDITSC_OPENAT2:
> + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
> default:
> return 0;
> }
ctx->argv[2] holds a userspace pointer and can't be dereferenced like this.
I'm getting oopses, like so:
BUG: unable to handle page fault for address: 00007fff961bbe70
#PF: supervisor read access in kernel mode
#PF: error_code(0x0001) - permissions violation
PGD 8000000132291067 P4D 8000000132291067 PUD 132174067 PMD 132bb1067
PTE 800000013be02867
Oops: 0001 [#1] PREEMPT SMP PTI
CPU: 1 PID: 4525 Comm: a.out Kdump: loaded Not tainted 5.16.4-1-default
#1 openSUSE Tumbleweed f35df798c13cc3a259a6bf2924380af618948152
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
RIP: 0010:audit_filter_rules.constprop.0+0x97e/0x1220
Code: 41 21 c5 41 83 7f 18 01 0f 85 5f f7 ff ff e9 65 f9 ff ff 83 f8 05
0f 84 5f 06 00 00 83 f8 06 0f 85 03 02 00 00 49 8b 44 24 40 <48> 8b 00
83 e0 03 0f be 80 c5 5e 45 86 41 21 c5 eb c7 4d 85 e4 0f
RSP: 0018:ffffb096403cbe08 EFLAGS: 00010246
RAX: 00007fff961bbe70 RBX: 0000000000000001 RCX: 000000000000001f
RDX: 0000000000000006 RSI: 00000000000001b5 RDI: 00000000c000003e
RBP: ffff9cb784a85020 R08: ffff9cb78775c380 R09: ffff9cb790ad9eb8
R10: 0000000040000020 R11: ffff9cb783f7b410 R12: ffff9cb78486dc00
R13: 000000000000000f R14: 00000000000001b5 R15: ffff9cb78775c380
FS: 00007ff21fca9740(0000) GS:ffff9cb7ffd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff961bbe70 CR3: 0000000121264002 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
audit_filter_syscall+0xb0/0x100
? do_sys_openat2+0x81/0x160
__audit_syscall_exit+0x69/0xf0
syscall_exit_to_user_mode_prepare+0x14d/0x180
syscall_exit_to_user_mode+0x9/0x40
do_syscall_64+0x69/0x80
? syscall_exit_to_user_mode+0x18/0x40
? do_syscall_64+0x69/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff21fdd195d
Where the faulting address matches the open_how address printed with the
following test using a "-w /var/tmp/testfile -k openat2-oops" audit rule.
#include <fcntl.h>
#include <linux/openat2.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>
long openat2(int dirfd, const char *pathname, struct open_how *how,
size_t size)
{
return syscall(SYS_openat2, dirfd, pathname, how, size);
}
int
main(void)
{
struct open_how how = {
.flags = O_RDONLY|O_DIRECTORY,
};
int fd;
fprintf(stderr, "&how = %p\n", &how);
fd = openat2(AT_FDCWD, "/var/tmp/testfile", &how, sizeof(struct
open_how));
perror("openat2");
}
$ mkdir /var/tmp/testfile
$ ./a.out
&how = 0x7fff961bbe70
<crash>
-Jeff
--
Jeff Mahoney
Director, SUSE Labs Data & Performance
WARNING: multiple messages have this Message-ID (diff)
From: Jeff Mahoney <jeffm@suse.com>
To: Richard Guy Briggs <rgb@redhat.com>,
Linux-Audit Mailing List <linux-audit@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Cc: Tony Jones <tonyj@suse.de>, Eric Paris <eparis@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Eric Paris <eparis@parisplace.org>
Subject: Re: [PATCH v4 2/3] audit: add support for the openat2 syscall
Date: Tue, 8 Feb 2022 22:44:12 -0500 [thread overview]
Message-ID: <c96031b4-b76d-d82c-e232-1cccbbf71946@suse.com> (raw)
In-Reply-To: <f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com>
Hi Richard -
On 5/19/21 16:00, Richard Guy Briggs wrote:
> The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> ("open: introduce openat2(2) syscall")
>
> Add the openat2(2) syscall to the audit syscall classifier.
>
> Link: https://github.com/linux-audit/audit-kernel/issues/67
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com
> ---
[...]
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index d775ea16505b..3f59ab209dfd 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -76,6 +76,7 @@
> #include <linux/fsnotify_backend.h>
> #include <uapi/linux/limits.h>
> #include <uapi/linux/netfilter/nf_tables.h>
> +#include <uapi/linux/openat2.h>
>
> #include "audit.h"
>
> @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
> return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
> case AUDITSC_EXECVE:
> return mask & AUDIT_PERM_EXEC;
> + case AUDITSC_OPENAT2:
> + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
> default:
> return 0;
> }
ctx->argv[2] holds a userspace pointer and can't be dereferenced like this.
I'm getting oopses, like so:
BUG: unable to handle page fault for address: 00007fff961bbe70
#PF: supervisor read access in kernel mode
#PF: error_code(0x0001) - permissions violation
PGD 8000000132291067 P4D 8000000132291067 PUD 132174067 PMD 132bb1067
PTE 800000013be02867
Oops: 0001 [#1] PREEMPT SMP PTI
CPU: 1 PID: 4525 Comm: a.out Kdump: loaded Not tainted 5.16.4-1-default
#1 openSUSE Tumbleweed f35df798c13cc3a259a6bf2924380af618948152
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
RIP: 0010:audit_filter_rules.constprop.0+0x97e/0x1220
Code: 41 21 c5 41 83 7f 18 01 0f 85 5f f7 ff ff e9 65 f9 ff ff 83 f8 05
0f 84 5f 06 00 00 83 f8 06 0f 85 03 02 00 00 49 8b 44 24 40 <48> 8b 00
83 e0 03 0f be 80 c5 5e 45 86 41 21 c5 eb c7 4d 85 e4 0f
RSP: 0018:ffffb096403cbe08 EFLAGS: 00010246
RAX: 00007fff961bbe70 RBX: 0000000000000001 RCX: 000000000000001f
RDX: 0000000000000006 RSI: 00000000000001b5 RDI: 00000000c000003e
RBP: ffff9cb784a85020 R08: ffff9cb78775c380 R09: ffff9cb790ad9eb8
R10: 0000000040000020 R11: ffff9cb783f7b410 R12: ffff9cb78486dc00
R13: 000000000000000f R14: 00000000000001b5 R15: ffff9cb78775c380
FS: 00007ff21fca9740(0000) GS:ffff9cb7ffd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff961bbe70 CR3: 0000000121264002 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
audit_filter_syscall+0xb0/0x100
? do_sys_openat2+0x81/0x160
__audit_syscall_exit+0x69/0xf0
syscall_exit_to_user_mode_prepare+0x14d/0x180
syscall_exit_to_user_mode+0x9/0x40
do_syscall_64+0x69/0x80
? syscall_exit_to_user_mode+0x18/0x40
? do_syscall_64+0x69/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff21fdd195d
Where the faulting address matches the open_how address printed with the
following test using a "-w /var/tmp/testfile -k openat2-oops" audit rule.
#include <fcntl.h>
#include <linux/openat2.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>
long openat2(int dirfd, const char *pathname, struct open_how *how,
size_t size)
{
return syscall(SYS_openat2, dirfd, pathname, how, size);
}
int
main(void)
{
struct open_how how = {
.flags = O_RDONLY|O_DIRECTORY,
};
int fd;
fprintf(stderr, "&how = %p\n", &how);
fd = openat2(AT_FDCWD, "/var/tmp/testfile", &how, sizeof(struct
open_how));
perror("openat2");
}
$ mkdir /var/tmp/testfile
$ ./a.out
&how = 0x7fff961bbe70
<crash>
-Jeff
--
Jeff Mahoney
Director, SUSE Labs Data & Performance
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2022-02-09 4:09 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-19 20:00 [PATCH v4 0/3] audit: add support for openat2 Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-19 20:00 ` [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-20 7:50 ` Christian Brauner
2021-05-20 7:50 ` Christian Brauner
2021-05-20 7:50 ` Christian Brauner
2021-05-20 7:50 ` Christian Brauner
2021-08-05 22:01 ` Paul Moore
2021-08-05 22:01 ` Paul Moore
2021-08-05 22:01 ` Paul Moore
2021-08-05 22:01 ` Paul Moore
2021-09-30 20:38 ` Paul Moore
2021-10-01 19:53 ` Richard Guy Briggs
2021-10-01 20:34 ` Paul Moore
2021-10-04 15:34 ` Paul Moore
2021-05-19 20:00 ` [PATCH v4 2/3] audit: add support for the openat2 syscall Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-20 7:58 ` Christian Brauner
2021-05-20 7:58 ` Christian Brauner
2021-05-20 7:58 ` Christian Brauner
2021-05-20 7:58 ` Christian Brauner
2021-05-24 23:04 ` Paul Moore
2021-05-24 23:04 ` Paul Moore
2021-05-24 23:04 ` Paul Moore
2021-05-24 23:04 ` Paul Moore
2022-02-09 3:44 ` Jeff Mahoney [this message]
2022-02-09 3:44 ` Jeff Mahoney
2022-02-09 15:57 ` Paul Moore
2022-02-09 15:57 ` Paul Moore
2022-02-09 21:18 ` Paul Moore
2022-02-09 21:18 ` Paul Moore
2022-02-09 22:13 ` Richard Guy Briggs
2022-02-09 22:13 ` Richard Guy Briggs
2022-02-09 22:31 ` Paul Moore
2022-02-09 22:31 ` Paul Moore
2022-02-09 21:40 ` Richard Guy Briggs
2022-02-09 21:40 ` Richard Guy Briggs
2022-02-09 22:29 ` Paul Moore
2022-02-09 22:29 ` Paul Moore
2021-05-19 20:00 ` [PATCH v4 3/3] audit: add OPENAT2 record to list how Richard Guy Briggs
2021-05-19 20:00 ` Richard Guy Briggs
2021-05-20 8:03 ` Christian Brauner
2021-05-20 8:03 ` Christian Brauner
2021-05-24 23:08 ` Paul Moore
2021-05-24 23:08 ` Paul Moore
2021-05-25 15:00 ` Richard Guy Briggs
2021-05-25 15:00 ` Richard Guy Briggs
2021-10-04 16:08 ` Paul Moore
2021-10-04 16:08 ` Paul Moore
2021-10-04 18:27 ` Richard Guy Briggs
2021-10-04 18:27 ` Richard Guy Briggs
2021-10-21 19:00 ` Steve Grubb
2021-10-21 19:44 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c96031b4-b76d-d82c-e232-1cccbbf71946@suse.com \
--to=jeffm@suse.com \
--cc=eparis@parisplace.org \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
--cc=sgrubb@redhat.com \
--cc=tonyj@suse.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.