From: Richard Guy Briggs
To: Paul Moore
Cc: Jens Axboe, selinux@vger.kernel.org, Pavel Begunkov, linux-security-module@vger.kernel.org, linux-audit@redhat.com, Kumar Kartikeya Dwivedi, linux-fsdevel@vger.kernel.org, io-uring@vger.kernel.org
Date: Thu, 16 Sep 2021 10:19:35 -0400
Subject: Re: [PATCH v4 2/8] audit,io_uring,io-wq: add some basic audit support to io_uring
Message-ID: <20210916141935.GQ490529@madcap2.tricolour.ca>
References: <163172413301.88001.16054830862146685573.stgit@olly> <163172457152.88001.12700049763432531651.stgit@olly> <20210916133308.GP490529@madcap2.tricolour.ca>

On 2021-09-16 10:02, Paul Moore wrote:
> On Thu, Sep 16, 2021 at 9:33 AM Richard Guy Briggs wrote:
> > On 2021-09-15 12:49, Paul Moore wrote:
> > > This patch adds basic auditing to io_uring operations, regardless of
> > > their context. This is accomplished by allocating audit_context
> > > structures for the io-wq worker and io_uring SQPOLL kernel threads
> > > as well as explicitly auditing the io_uring operations in
> > > io_issue_sqe(). Individual io_uring operations can bypass auditing
> > > through the "audit_skip" field in the struct io_op_def definition for
> > > the operation; although great care must be taken so that security
> > > relevant io_uring operations do not bypass auditing; please contact
> > > the audit mailing list (see the MAINTAINERS file) with any questions.
> > >
> > > The io_uring operations are audited using a new AUDIT_URINGOP record,
> > > an example is shown below:
> > >
> > > type=UNKNOWN[1336] msg=audit(1630523381.288:260):
> > > uring_op=19 success=yes exit=0 items=0 ppid=853 pid=1204
> > > uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > key=(null)
> > > AUID="root" UID="root" GID="root" EUID="root" SUID="root"
> > > FSUID="root" EGID="root" SGID="root" FSGID="root"
> > >
> > > Thanks to Richard Guy Briggs for review and feedback.
> >
> > I share Steve's concerns about the missing auid and ses. The userspace
> > log interpreter conjured up AUID="root" from the absent auid=.
> >
> > Some of the creds are here including ppid, pid, a herd of *id and subj.
> > *Something* initiated this action and then delegated it to iouring to
> > carry out. That should be in there somewhere. You had a concern about
> > shared queues and mis-attribution. All of these creds including auid
> > and ses should be kept together to get this right.
>
> Look, there are a lot of things about io_uring that frustrate me from
> a security perspective - this is one of them - but I've run out of
> ways to say it's not possible to reliably capture the audit ID or
> session ID here. With io_uring it is possible to submit an io_uring
> operation, and capture the results, by simply reading and writing to a
> mmap'd buffer. Yes, it would be nice to have that information, but I
> don't believe there is a practical way to capture it. If you have any
> suggestions on how to do so, please share, but please make it
> concrete; hand wavy solutions aren't useful at this stage.

I was hoping to give a more concrete solution but have other distractions
at the moment. My concern is adding it later once the message format is
committed. We have too many field orderings already. Recognizing this adds
useless characters to the record type at this time, I'm even thinking
auid=? ses=? until a solution can be found.

So you are sure the rest of the creds are correct?

> As for the userspace mysteriously creating an AUID out of thin air,
> that was my mistake: I simply removed the "auid=" field from the
> example and didn't remove the additional fields, e.g. AUID, that
> auditd appends to the end of the record. I've updated the commit
> description with a freshly generated record and removed the auditd
> bonus bits as those probably shouldn't be shown in an example of a
> kernel generated audit record. I'm not going to repost the patchset
> just for this small edit to the description, but I have force-pushed
> the update to the selinux/working-io_uring branch.

Understood, no problem here.

> paul moore

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
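The record format and the mis-attribution discussed in this thread, as an added example that is not code from the thread, the kernel patch or the audit userspace: a small Python parser that splits an audit line into the kernel-emitted lowercase fields and the uppercase interpretation fields auditd appends, then reports auid/ses as missing instead of letting AUID="root" stand in for an absent auid=. The first sample record is the one quoted above; the second record, and the placement of auid=/ses= in it, are constructed assumptions, as is treating "?" (Richard's proposed placeholder) and the kernel's u32 -1 as "unset".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the AUDIT_URINGOP record quoted in the thread, i.e. the
# kernel-emitted record followed by the uppercase fields auditd appends when it
# interprets the record for display.
SAMPLE_RECORD = (
    'type=UNKNOWN[1336] msg=audit(1630523381.288:260): '
    'uring_op=19 success=yes exit=0 items=0 ppid=853 pid=1204 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) '
    'AUID="root" UID="root" GID="root" EUID="root" SUID="root" '
    'FSUID="root" EGID="root" SGID="root" FSGID="root"'
)

# Constructed, hypothetical record: what a consumer would see if the kernel did
# carry auid= and ses= (the field placement is an assumption, not a final format).
SAMPLE_WITH_LOGINUID = (
    'type=URINGOP msg=audit(1630523381.288:261): '
    'uring_op=19 success=yes exit=0 items=0 ppid=853 pid=1204 '
    'auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=3 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)'
)

AUDIT_URINGOP = 1336  # record type number shown in the thread's example

# Values treated as "not set": the "?" placeholder proposed in the thread, the
# (null) marker, and the u32 -1 the kernel emits for an unset loginuid/session.
UNSET_VALUES = {"?", "(null)", "4294967295", "-1"}

HEADER_RE = re.compile(
    r'^type=(?P<rtype>\S+)\s+msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AuditRecord:
    rtype: str                    # e.g. "URINGOP" or "UNKNOWN[1336]"
    type_num: Optional[int]       # numeric type when the name is UNKNOWN[n]
    timestamp: float
    serial: int
    fields: Dict[str, str] = field(default_factory=dict)    # kernel-emitted (lowercase)
    enriched: Dict[str, str] = field(default_factory=dict)  # auditd-appended (uppercase)


def parse_record(line: str) -> AuditRecord:
    """Split one audit line into kernel fields and auditd enrichment fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype = m.group("rtype")
    num = re.fullmatch(r'UNKNOWN\[(\d+)\]', rtype)
    rec = AuditRecord(
        rtype=rtype,
        type_num=int(num.group(1)) if num else None,
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
    )
    for key, raw in FIELD_RE.findall(m.group("body")):
        value = raw.strip('"')
        # auditd writes its interpreted copies in UPPERCASE; the kernel's own
        # fields are lowercase, so the case tells us which side produced it.
        (rec.enriched if key.isupper() else rec.fields)[key] = value
    return rec


def missing_subject_fields(rec: AuditRecord, required=("auid", "ses")) -> List[str]:
    """Return the subject-attribution fields the kernel did not supply."""
    return [f for f in required
            if f not in rec.fields or rec.fields[f] in UNSET_VALUES]


def attribution_warnings(rec: AuditRecord) -> List[str]:
    """Flag interpreted fields that have no kernel-emitted counterpart.

    This is the mis-attribution the thread describes: AUID="root" shown by the
    log interpreter although no auid= was present in the kernel record.
    """
    warnings = []
    for kernel_key, display_key in (("auid", "AUID"), ("ses", "SES")):
        if display_key in rec.enriched and missing_subject_fields(rec, (kernel_key,)):
            warnings.append(
                '%s=%r has no backing %s= field in record %d; do not treat it as the actor'
                % (display_key, rec.enriched[display_key], kernel_key, rec.serial))
    return warnings


def is_uring_op(rec: AuditRecord) -> bool:
    """True for AUDIT_URINGOP whether the record carries the name or only the number."""
    return rec.rtype == "URINGOP" or rec.type_num == AUDIT_URINGOP


if __name__ == "__main__":
    for line in (SAMPLE_RECORD, SAMPLE_WITH_LOGINUID):
        rec = parse_record(line)
        print(rec.serial, "URINGOP" if is_uring_op(rec) else rec.rtype,
              "missing:", missing_subject_fields(rec),
              "warnings:", attribution_warnings(rec))
```

The point of keeping the two dictionaries apart is that a consumer can only trust attribution fields the kernel actually emitted; the enrichment fields are a display convenience and, as the thread shows, can be present even when the field they claim to interpret is not.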