From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=L8yJ=OY=redhat.com=linux-audit-bounces@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E5D0DC433EF
	for <linux-audit@archiver.kernel.org>; Mon,  4 Oct 2021 13:28:57 +0000 (UTC)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 5D2AA61153
	for <linux-audit@archiver.kernel.org>; Mon,  4 Oct 2021 13:28:57 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 5D2AA61153
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=paul-moore.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=redhat.com
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-448-XLkETp1yOWOxzLbxoETCmw-1; Mon, 04 Oct 2021 09:28:55 -0400
X-MC-Unique: XLkETp1yOWOxzLbxoETCmw-1
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 97E3619057A0;
	Mon,  4 Oct 2021 13:28:51 +0000 (UTC)
Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 4E05B5D9F4;
	Mon,  4 Oct 2021 13:28:51 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 209411800B9E;
	Mon,  4 Oct 2021 13:28:50 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com
	[10.11.54.5])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 194DSmDw009704 for <linux-audit@listman.util.phx.redhat.com>;
	Mon, 4 Oct 2021 09:28:48 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 734A817458; Mon,  4 Oct 2021 13:28:48 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
	(mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 6AF80170ED
	for <linux-audit@redhat.com>; Mon,  4 Oct 2021 13:28:15 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
	[205.139.110.120])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 894B0802C15
	for <linux-audit@redhat.com>; Mon,  4 Oct 2021 13:28:15 +0000 (UTC)
Received: from mail-ed1-f43.google.com (mail-ed1-f43.google.com
	[209.85.208.43]) (Using TLS) by relay.mimecast.com with ESMTP id
	us-mta-240-VVKEcj8WMlGkkIe1sANboQ-1; Mon, 04 Oct 2021 09:28:13 -0400
X-MC-Unique: VVKEcj8WMlGkkIe1sANboQ-1
Received: by mail-ed1-f43.google.com with SMTP id b8so30305910edk.2
	for <linux-audit@redhat.com>; Mon, 04 Oct 2021 06:28:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20210112;
	h=x-gm-message-state:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:cc;
	bh=bT4rn1MM8JtRYphc3jcYi25Z8pDosFX/L1bmP6VnVTk=;
	b=hcBhqVnE4E/1QGUMP8No27x4V11q405odF6+Vkn/pPLyNt/EcxsV7Ndle258SayhBe
	NJv5CBRx1q7eBEiVUDWwEnc5/1hZVvKWEY/MC4bEcdHRP5s+3sEKHi1DGg3h9MZkPX+i
	HPjKvkZX8dGFb+nmmLTQwiyoQQ2KQ1+ewxWlQFoak8DkAoQOW7QhPmkHPkzEXe4ngG7u
	ODNyJnjX6d4tSolQKQMvHFuM0iuHCUr0JjdaaGcR1D5jqNaZQDSeBLJUZ9SfdyJ0a9ce
	fbbWV6hUf6wk07jsjhzAMdn95JtCg7oRfMWLLEg5Cm978fZbrpLXk+RhL7MlyVf1L2rU
	mF3A==
X-Gm-Message-State: AOAM533S+JdJnLClqtvz8L+5RAL7mSuu/e0M+p7Nk5qFPcC+6B6Enkie
	OFw/haC1THkXE+QqXxjTWrxLzETecWHjxtA3AuIo
X-Google-Smtp-Source: ABdhPJzJavKpePXeYsgtGMKIprXKL3ND2Hen7JoAHGFTqHgYjS4Qamp+ZHVcesOwt4khSnlj3MKXIMaHNCDjetRubTQ=
X-Received: by 2002:a05:6402:5114:: with SMTP id
	m20mr5210324edd.256.1633354064123; 
	Mon, 04 Oct 2021 06:27:44 -0700 (PDT)
MIME-Version: 1.0
References: <20210824205724.GB490529@madcap2.tricolour.ca>
	<CAHC9VhQD8hKekqosjGgWPxZFqS=EFy-_kQL5zAo1sg0MU=6n5A@mail.gmail.com>
	<20210910005858.GL490529@madcap2.tricolour.ca> <4721749.31r3eYUQgx@x2>
	<CAHC9VhR0vKdR_N+LJf4=gDfa4yRUgz8acVaUu3DrO0ZBzPmc3w@mail.gmail.com>
	<20211004123952.GD3977594@madcap2.tricolour.ca>
In-Reply-To: <20211004123952.GD3977594@madcap2.tricolour.ca>
From: Paul Moore <paul@paul-moore.com>
Date: Mon, 4 Oct 2021 09:27:33 -0400
Message-ID: <CAHC9VhQcWFrpV6GY5kB4TP-bChwE_-KOpsoF8g4uBmZkFezY5g@mail.gmail.com>
Subject: Re: [RFC PATCH v2 0/9] Add LSM access controls and auditing to
	io_uring
To: Richard Guy Briggs <rgb@redhat.com>
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
	Definition; Similar Internal Domain=false;
	Similar Monitored External Domain=false;
	Custom External Domain=false; Mimecast External Domain=false;
	Newly Observed Domain=false; Internal User Name=false;
	Custom Display Name List=false; Reply-to Address Mismatch=false;
	Targeted Threat Dictionary=false;
	Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5
X-loop: linux-audit@redhat.com
Cc: linux-audit@redhat.com
X-BeenThere: linux-audit@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Linux Audit Discussion <linux-audit.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://listman.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Mon, Oct 4, 2021 at 8:40 AM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2021-10-03 19:21, Paul Moore wrote:
> > On Sat, Oct 2, 2021 at 9:16 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Thursday, September 9, 2021 8:58:58 PM EDT Richard Guy Briggs wrote:
> > > > > I spent some time this morning/afternoon playing with the io_uring
> > > > > audit filtering capability and with your audit userspace
> > > > > ghau-iouring-filtering.v1.0 branch it appears to work correctly.  Yes,
> > > > > the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
> > > > > map the io_uring ops correctly), but I know you mentioned you have a
> > > > > number of fixes/improvements still as a work-in-progress there so I'm
> > > > > not too concerned.  The important part is that the kernel pieces look
> > > > > to be working correctly.
> > > >
> > > > Ok, I have squashed and pushed the audit userspace support for iouring:
> > > >
> > > > https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa758024cb
> > > > 9b8fa93895ae35eea
> > > > https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:g
> > > > hak-iouring-filtering.v2.1 There are test rpms for f35 here:
> > > >         http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-fc35/
> > > >
> > > > userspace v2 changelog:
> > > > - check for watch before adding perm
> > > > - update manpage to include filesystem filter
> > > > - update support for the uring filter list: doc, -U op, op names
> > > > - add support for the AUDIT_URINGOP record type
> > > > - add uringop support to ausearch
> > > > - add uringop support to aureport
> > > > - lots of bug fixes
> > > >
> > > > "auditctl -a uring,always -S ..." will now throw an error and require
> > > > "-U" instead.
> > >
> > > OK, now that the bug fix release is out of the way, let's start merging this
> > > into user space. I think we should start with the code that let's auditd
> > > write the record correctly and then the auditctl piece that inserts the rule
> > > into the kernel. Those should be easy to merge.
> > >
> > > I see one section of code that mirrors all of the operations in ioring.h. I
> > > thought that Paul only wanted to audit some of the operations and not all of
> > > them. Did that change? Are we really going to allow auditing reads on ioring?
> >
> > Only certain io_uring operations are audited, you can see the patch
> > here in the selinux/next tree (look for the io_op_defs struct changes
> > and the "audit_skip" field):
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=5bd2182d58e9d9c6279b7a8a2f9b41add0e7f9cb
>
> I understood that was the default, but that it could be changed by
> userspace configuration?  Now that I say this, I realize there is no API
> to do so, but that could be added without breaking anything.

The approach implemented in the patch currently living in selinux/next
was a carefully arranged compromise with the io_uring devs (see all of
the on-list discussions); it is unlikely to change.

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit