From: Paul Moore <paul@paul-moore.com>
To: Steve Grubb <sgrubb@redhat.com>, Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring
Date: Sun, 3 Oct 2021 19:21:38 -0400 [thread overview]
Message-ID: <CAHC9VhR0vKdR_N+LJf4=gDfa4yRUgz8acVaUu3DrO0ZBzPmc3w@mail.gmail.com> (raw)
In-Reply-To: <4721749.31r3eYUQgx@x2>
On Sat, Oct 2, 2021 at 9:16 AM Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> Since this is a chat to discuss merging the user space piece, I trimmed the
> recipients down to the audit community.
Good idea.
> On Thursday, September 9, 2021 8:58:58 PM EDT Richard Guy Briggs wrote:
> > > I spent some time this morning/afternoon playing with the io_uring
> > > audit filtering capability and with your audit userspace
> > > ghau-iouring-filtering.v1.0 branch it appears to work correctly. Yes,
> > > the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
> > > map the io_uring ops correctly), but I know you mentioned you have a
> > > number of fixes/improvements still as a work-in-progress there so I'm
> > > not too concerned. The important part is that the kernel pieces look
> > > to be working correctly.
> >
> > Ok, I have squashed and pushed the audit userspace support for iouring:
> >
> > https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa758024cb
> > 9b8fa93895ae35eea
> > https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:g
> > hak-iouring-filtering.v2.1 There are test rpms for f35 here:
> > http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-fc35/
> >
> > userspace v2 changelog:
> > - check for watch before adding perm
> > - update manpage to include filesystem filter
> > - update support for the uring filter list: doc, -U op, op names
> > - add support for the AUDIT_URINGOP record type
> > - add uringop support to ausearch
> > - add uringop support to aureport
> > - lots of bug fixes
> >
> > "auditctl -a uring,always -S ..." will now throw an error and require
> > "-U" instead.
>
> OK, now that the bug fix release is out of the way, let's start merging this
> into user space. I think we should start with the code that let's auditd
> write the record correctly and then the auditctl piece that inserts the rule
> into the kernel. Those should be easy to merge.
>
> I see one section of code that mirrors all of the operations in ioring.h. I
> thought that Paul only wanted to audit some of the operations and not all of
> them. Did that change? Are we really going to allow auditing reads on ioring?
Only certain io_uring operations are audited, you can see the patch
here in the selinux/next tree (look for the io_op_defs struct changes
and the "audit_skip" field):
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=5bd2182d58e9d9c6279b7a8a2f9b41add0e7f9cb
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2021-10-03 23:22 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-11 20:48 [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring Paul Moore
2021-08-11 20:48 ` [RFC PATCH v2 1/9] audit: prepare audit_context for use in calling contexts beyond syscalls Paul Moore
2021-08-11 20:48 ` [RFC PATCH v2 2/9] audit, io_uring, io-wq: add some basic audit support to io_uring Paul Moore
2021-08-11 20:48 ` [RFC PATCH v2 3/9] audit: dev/test patch to force io_uring auditing Paul Moore
2021-08-11 20:48 ` [RFC PATCH v2 4/9] audit: add filtering for io_uring records Paul Moore
2021-08-11 20:48 ` [RFC PATCH v2 5/9] fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure() Paul Moore
2021-08-12 9:32 ` Mickaël Salaün
2021-08-12 14:32 ` Paul Moore
2021-08-12 15:35 ` Mickaël Salaün
2021-08-11 20:48 ` [RFC PATCH v2 6/9] io_uring: convert io_uring to the secure anon inode interface Paul Moore
2021-08-11 20:48 ` [RFC PATCH v2 7/9] lsm,io_uring: add LSM hooks to io_uring Paul Moore
2021-08-11 20:49 ` [RFC PATCH v2 8/9] selinux: add support for the io_uring access controls Paul Moore
2021-08-11 20:49 ` [RFC PATCH v2 9/9] Smack: Brutalist io_uring support with debug Paul Moore
2021-08-31 14:44 ` Paul Moore
2021-08-31 15:03 ` Casey Schaufler
2021-08-31 16:43 ` Paul Moore
2021-08-24 20:57 ` [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring Richard Guy Briggs
2021-08-24 22:27 ` Paul Moore
2021-08-25 1:36 ` Richard Guy Briggs
2021-08-26 1:16 ` Richard Guy Briggs
2021-08-26 1:34 ` Paul Moore
2021-08-26 16:32 ` Richard Guy Briggs
2021-08-26 19:14 ` Paul Moore
2021-08-27 13:35 ` Richard Guy Briggs
2021-08-27 19:49 ` Paul Moore
2021-08-28 15:03 ` Richard Guy Briggs
2021-08-29 15:18 ` Paul Moore
2021-09-01 19:21 ` Paul Moore
2021-09-10 0:58 ` Richard Guy Briggs
2021-09-13 19:23 ` Paul Moore
2021-09-14 1:50 ` Paul Moore
2021-09-14 2:49 ` Paul Moore
2021-09-15 12:29 ` Richard Guy Briggs
2021-09-15 13:02 ` Steve Grubb
2021-09-15 14:12 ` Paul Moore
2021-10-02 13:16 ` Steve Grubb
2021-10-03 23:21 ` Paul Moore [this message]
2021-10-04 12:39 ` Richard Guy Briggs
2021-10-04 13:27 ` Paul Moore
2021-10-04 14:59 ` Steve Grubb
2021-10-28 20:07 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhR0vKdR_N+LJf4=gDfa4yRUgz8acVaUu3DrO0ZBzPmc3w@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).