From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D2757C433B4 for ; Thu, 20 May 2021 12:51:48 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3B268600D1 for ; Thu, 20 May 2021 12:51:48 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3B268600D1 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=ubuntu.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=linux-audit-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-481-yFeeJyymPcW0sQ5ciDErYg-1; Thu, 20 May 2021 08:51:45 -0400 X-MC-Unique: yFeeJyymPcW0sQ5ciDErYg-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CF0CC6D581; Thu, 20 May 2021 12:51:41 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id BB35A5D769; Thu, 20 May 2021 12:51:41 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 9BCE755357; Thu, 20 May 2021 12:51:41 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 14K83XmD002811 for ; Thu, 20 May 2021 04:03:33 -0400 Received: by smtp.corp.redhat.com (Postfix) id 869DC20A8ADE; Thu, 20 May 2021 08:03:33 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast04.extmail.prod.ext.rdu2.redhat.com [10.11.55.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8278D209D019 for ; Thu, 20 May 2021 08:03:30 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 47842101A531 for ; Thu, 20 May 2021 08:03:30 +0000 (UTC) Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-158-G0QrO7YMNziJ5hjHlGRWCQ-1; Thu, 20 May 2021 04:03:25 -0400 X-MC-Unique: G0QrO7YMNziJ5hjHlGRWCQ-1 Received: by mail.kernel.org (Postfix) with ESMTPSA id 7FFEB61001; Thu, 20 May 2021 08:03:21 +0000 (UTC) Date: Thu, 20 May 2021 10:03:18 +0200 From: Christian Brauner To: Richard Guy Briggs Subject: Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how Message-ID: <20210520080318.owvsvvhh5qdhyzhk@wittgenstein> References: MIME-Version: 1.0 In-Reply-To: X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: linux-audit@redhat.com X-Mailman-Approved-At: Thu, 20 May 2021 08:45:40 -0400 Cc: LKML , Eric Paris , Aleksa Sarai , Linux-Audit Mailing List , Alexander Viro , linux-fsdevel@vger.kernel.org, Eric Paris X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Disposition: inline Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Wed, May 19, 2021 at 04:00:22PM -0400, Richard Guy Briggs wrote: > Since the openat2(2) syscall uses a struct open_how pointer to communicate > its parameters they are not usefully recorded by the audit SYSCALL record's > four existing arguments. > > Add a new audit record type OPENAT2 that reports the parameters in its > third argument, struct open_how with fields oflag, mode and resolve. > > The new record in the context of an event would look like: > time->Wed Mar 17 16:28:53 2021 > type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432 > type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests" > type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa > type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO" > > Signed-off-by: Richard Guy Briggs > Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com > --- > fs/open.c | 2 ++ > include/linux/audit.h | 10 ++++++++++ > include/uapi/linux/audit.h | 1 + > kernel/audit.h | 2 ++ > kernel/auditsc.c | 18 +++++++++++++++++- > 5 files changed, 32 insertions(+), 1 deletion(-) > > diff --git a/fs/open.c b/fs/open.c > index e53af13b5835..2a15bec0cf6d 100644 > --- a/fs/open.c > +++ b/fs/open.c > @@ -1235,6 +1235,8 @@ SYSCALL_DEFINE4(openat2, int, dfd, const char __user *, filename, > if (err) > return err; > > + audit_openat2_how(&tmp); > + > /* O_LARGEFILE is only allowed for non-O_PATH. */ > if (!(tmp.flags & O_PATH) && force_o_largefile()) > tmp.flags |= O_LARGEFILE; > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 283bc91a6932..580a52caf16f 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -399,6 +399,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, > const struct cred *old); > extern void __audit_log_capset(const struct cred *new, const struct cred *old); > extern void __audit_mmap_fd(int fd, int flags); > +extern void __audit_openat2_how(struct open_how *how); > extern void __audit_log_kern_module(char *name); > extern void __audit_fanotify(unsigned int response); > extern void __audit_tk_injoffset(struct timespec64 offset); > @@ -495,6 +496,12 @@ static inline void audit_mmap_fd(int fd, int flags) > __audit_mmap_fd(fd, flags); > } > > +static inline void audit_openat2_how(struct open_how *how) > +{ > + if (unlikely(!audit_dummy_context())) > + __audit_openat2_how(how); > +} > + > static inline void audit_log_kern_module(char *name) > { > if (!audit_dummy_context()) > @@ -646,6 +653,9 @@ static inline void audit_log_capset(const struct cred *new, > static inline void audit_mmap_fd(int fd, int flags) > { } > > +static inline void audit_openat2_how(struct open_how *how) > +{ } > + > static inline void audit_log_kern_module(char *name) > { > } > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index cd2d8279a5e4..67aea2370c6d 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -118,6 +118,7 @@ > #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ > #define AUDIT_BPF 1334 /* BPF subsystem */ > #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ > +#define AUDIT_OPENAT2 1336 /* Record showing openat2 how args */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > diff --git a/kernel/audit.h b/kernel/audit.h > index 1522e100fd17..c5af17905976 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -11,6 +11,7 @@ > #include > #include > #include > +#include // struct open_how > > /* AUDIT_NAMES is the number of slots we reserve in the audit_context > * for saving names from getname(). If we get more names we will allocate > @@ -185,6 +186,7 @@ struct audit_context { > int fd; > int flags; > } mmap; > + struct open_how openat2; > struct { > int argc; > } execve; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 3f59ab209dfd..faf2485323a9 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -76,7 +76,7 @@ > #include > #include > #include > -#include > +#include // struct open_how > > #include "audit.h" > > @@ -1319,6 +1319,12 @@ static void show_special(struct audit_context *context, int *call_panic) > audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, > context->mmap.flags); > break; > + case AUDIT_OPENAT2: > + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx", Hm, should we maybe follow the struct member names for all entries, i.e. replace s/oflag/flags? Otherwise Acked-by: Christian Brauner > + context->openat2.flags, > + context->openat2.mode, > + context->openat2.resolve); > + break; > case AUDIT_EXECVE: > audit_log_execve_info(context, &ab); > break; > @@ -2549,6 +2555,16 @@ void __audit_mmap_fd(int fd, int flags) > context->type = AUDIT_MMAP; > } > > +void __audit_openat2_how(struct open_how *how) > +{ > + struct audit_context *context = audit_context(); > + > + context->openat2.flags = how->flags; > + context->openat2.mode = how->mode; > + context->openat2.resolve = how->resolve; > + context->type = AUDIT_OPENAT2; > +} > + > void __audit_log_kern_module(char *name) > { > struct audit_context *context = audit_context(); > -- > 2.27.0 > -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit