Date: Tue, 25 May 2021 11:00:38 -0400
From: Richard Guy Briggs
To: Paul Moore
Cc: LKML, Eric Paris, Aleksa Sarai, Linux-Audit Mailing List, Alexander Viro, linux-fsdevel@vger.kernel.org, Christian Brauner
Subject: Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how
Message-ID: <20210525150038.GF2268484@madcap2.tricolour.ca>
References: <20210520080318.owvsvvhh5qdhyzhk@wittgenstein>
List-Id: Linux Audit Discussion

On 2021-05-24 19:08, Paul Moore wrote:
> On Thu, May 20, 2021 at 4:03 AM Christian Brauner wrote:
> > On Wed, May 19, 2021 at 04:00:22PM -0400, Richard Guy Briggs wrote:
> > > Since the openat2(2) syscall uses a struct open_how pointer to communicate
> > > its parameters, they are not usefully recorded by the audit SYSCALL record's
> > > four existing arguments.
> > >
> > > Add a new audit record type OPENAT2 that reports the parameters in its
> > > third argument, struct open_how with fields oflag, mode and resolve.
> > >
> > > The new record in the context of an event would look like:
> > > time->Wed Mar 17 16:28:53 2021
> > > type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432
> > > type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> > > type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> > > type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests"
> > > type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa
> > > type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO"
> > >
> > > Signed-off-by: Richard Guy Briggs
> > > Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com
> > > ---
> > >  fs/open.c                  |  2 ++
> > >  include/linux/audit.h      | 10 ++++++++++
> > >  include/uapi/linux/audit.h |  1 +
> > >  kernel/audit.h             |  2 ++
> > >  kernel/auditsc.c           | 18 +++++++++++++++++-
> > >  5 files changed, 32 insertions(+), 1 deletion(-)
> >
> > ...
> >
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 3f59ab209dfd..faf2485323a9 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -76,7 +76,7 @@
> > > #include
> > > #include
> > > #include
> > > -#include
> > > +#include // struct open_how
> > >
> > > #include "audit.h"
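Review bot: the `+#include // struct open_how` line uses a C99 `//` comment; Linux coding style (Documentation/process/coding-style.rst) asks for the C89 form, so this should read `/* struct open_how */`. The header name itself did not survive in this copy of the hunk, so the include target cannot be checked here.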
> > >
> > > @@ -1319,6 +1319,12 @@ static void show_special(struct audit_context *context, int *call_panic)
> > > audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
> > > context->mmap.flags);
> > > break;
> > > + case AUDIT_OPENAT2:
> > > + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx",
> >
> > Hm, should we maybe follow the struct member names for all entries, i.e.
> > replace s/oflag/flags?
>
> There is some precedent for using "oflags" to refer to "open" flags,
> my guess is Richard is trying to be consistent here. I agree it's a
> little odd, but it looks like the right thing to me from an audit
> perspective; the audit perspective is a little odd after all :)

Thanks Paul. I could have sworn I had a conversation with someone about
this but I can't find any of that evidence, otherwise I'd paste it here.

With the help of our audit field dictionary we have some guidance of what
these new field names should be:
https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/field-dictionary.csv

The "flags" field is used for the mmap record (coincidentally in the
context diff), so it should not be used here because it will cause issues
in the userspace parser. The open syscall flags are listed with "oflag".
Other flag fields are named after their domain.

The value field has a precedent of "val" that is not associated with any
particular domain and is alphanumeric. Other value fields take the name of
their domain, so that was a possibility.

"resolve" would be a new field for which I have a note to add it to this
document if the patch is accepted.

> paul moore

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
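Review bot: the `case AUDIT_OPENAT2:` format string prints `oflag` and `mode` in octal (`0%llo`) but `resolve` in hex (`0x%llx`), while the adjacent mmap case in the same switch prints `flags=0x%x`; since userspace parsers key on the field dictionary, the new `oflag` and `resolve` entries should record the radix next to the name so that `oflag=0100302` is not mis-read as decimal or hex. The hunk is quoted only up to the format string, so the argument list and the `break;` for the new case are not visible here.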
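To make the naming discussion concrete, here is an added Python example (not code from the patch or from the audit userspace) that parses the OPENAT2 record from the event above and expands oflag, mode and resolve using the radix each field is printed with; the flag bit values are assumed to be the x86-64 ones from fcntl.h and include/uapi/linux/openat2.h.

```python
import re

# Added example, not code from the patch or from audit userspace. Bit values are the
# x86-64 ones from <fcntl.h> (octal) and include/uapi/linux/openat2.h (hex).
OPEN_FLAGS = {
    "O_CREAT": 0o100, "O_EXCL": 0o200, "O_NOCTTY": 0o400, "O_TRUNC": 0o1000,
    "O_APPEND": 0o2000, "O_NONBLOCK": 0o4000, "O_DSYNC": 0o10000,
    "O_LARGEFILE": 0o100000, "O_DIRECTORY": 0o200000, "O_NOFOLLOW": 0o400000,
    "O_CLOEXEC": 0o2000000,
}
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}   # low two bits of oflag
RESOLVE_FLAGS = {
    "RESOLVE_NO_XDEV": 0x01, "RESOLVE_NO_MAGICLINKS": 0x02, "RESOLVE_NO_SYMLINKS": 0x04,
    "RESOLVE_BENEATH": 0x08, "RESOLVE_IN_ROOT": 0x10, "RESOLVE_CACHED": 0x20,
}
# A dictionary-driven parser keys on the field *name*, which is why "flags" (hex in
# the mmap record) cannot be reused for the octal open flags: the radix travels
# with the name. The OPENAT2 hunk prints oflag/mode with 0%llo and resolve with 0x%llx.
FIELD_RADIX = {"oflag": 8, "mode": 8, "resolve": 16}

def names_for(value, table):
    """Expand a bitmask into the flag names set in it; unknown bits are kept as hex."""
    names = sorted(n for n, bit in table.items() if value & bit)
    rest = value & ~sum(table.values())
    return names + ([f"0x{rest:x}"] if rest else [])

def open_flag_names(oflag):
    """Access mode first (O_RDONLY is 0, so it is never a set bit), then the rest."""
    return [ACCMODE.get(oflag & 3, "O_ACCMODE")] + names_for(oflag & ~3, OPEN_FLAGS)

def parse_openat2(line):
    """Parse one 'type=OPENAT2' audit record line; returns None for other record types."""
    m = re.match(r"type=OPENAT2 msg=audit\(([\d.]+):(\d+)\): (.*)$", line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    out = {"timestamp": m.group(1), "serial": int(m.group(2))}
    for key, radix in FIELD_RADIX.items():
        out[key] = int(fields[key], radix)       # int() accepts the 0 / 0x prefixes
    out["oflag_names"] = open_flag_names(out["oflag"])
    out["mode_octal"] = f"0{out['mode']:o}"
    out["resolve_names"] = names_for(out["resolve"], RESOLVE_FLAGS)
    return out

# Constructed input: the OPENAT2 line from the event example in the commit message.
SAMPLE = "type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa"

if __name__ == "__main__":
    print(parse_openat2(SAMPLE))
```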