From: Paul Moore
Date: Mon, 13 Sep 2021 22:49:40 -0400
Subject: Re: [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring
To: Richard Guy Briggs
Cc: Jens Axboe, selinux@vger.kernel.org, Pavel Begunkov, linux-security-module@vger.kernel.org, linux-audit@redhat.com, Kumar Kartikeya Dwivedi, linux-fsdevel@vger.kernel.org, io-uring@vger.kernel.org
List-Id: Linux Audit Discussion
References: <20210824205724.GB490529@madcap2.tricolour.ca> <20210826011639.GE490529@madcap2.tricolour.ca> <20210826163230.GF490529@madcap2.tricolour.ca> <20210827133559.GG490529@madcap2.tricolour.ca> <20210828150356.GH490529@madcap2.tricolour.ca> <20210910005858.GL490529@madcap2.tricolour.ca>

On Mon, Sep 13, 2021 at 9:50 PM Paul Moore wrote:
> On Mon, Sep 13, 2021 at 3:23 PM Paul Moore wrote:
> > On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote:
> > > On 2021-09-01 15:21, Paul Moore wrote:
> > > > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote:
> > > > > On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs wrote:
> > > > > > I did set a syscall filter for
> > > > > > -a exit,always -F arch=b64 -S io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
> > > > > > and that yielded some records with a couple of orphans that surprised me
> > > > > > a bit.
> > > > >
> > > > > Without looking too closely at the log you sent, you can expect URING
> > > > > records without an associated SYSCALL record when the uring op is
> > > > > being processed in the io-wq or sqpoll context. In the io-wq case the
> > > > > processing is happening after the thread finished the syscall but
> > > > > before the execution context returns to userspace and in the case of
> > > > > sqpoll the processing is handled by a separate kernel thread with no
> > > > > association to a process thread.
> > > >
> > > > I spent some time this morning/afternoon playing with the io_uring
> > > > audit filtering capability and with your audit userspace
> > > > ghau-iouring-filtering.v1.0 branch it appears to work correctly. Yes,
> > > > the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
> > > > map the io_uring ops correctly), but I know you mentioned you have a
> > > > number of fixes/improvements still as a work-in-progress there so I'm
> > > > not too concerned. The important part is that the kernel pieces look
> > > > to be working correctly.
> > >
> > > Ok, I have squashed and pushed the audit userspace support for iouring:
> > > https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa758024cb9b8fa93895ae35eea
> > > https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghak-iouring-filtering.v2.1
> > > There are test rpms for f35 here:
> > > http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-fc35/
> > >
> > > userspace v2 changelog:
> > > - check for watch before adding perm
> > > - update manpage to include filesystem filter
> > > - update support for the uring filter list: doc, -U op, op names
> > > - add support for the AUDIT_URINGOP record type
> > > - add uringop support to ausearch
> > > - add uringop support to aureport
> > > - lots of bug fixes
> > >
> > > "auditctl -a uring,always -S ..." will now throw an error and require
> > > "-U" instead.
> >
> > Thanks Richard.
> >
> > FYI, I rebased the io_uring/LSM/audit patchset on top of v5.15-rc1
> > today and tested both with your v1.0 and with your v2.1 branch and the
> > various combinations seemed to work just fine (of course the v2.1
> > userspace branch was more polished, less warts, etc.). I'm going to
> > go over the patch set one more time to make sure everything is still
> > looking good, write up an updated cover letter, and post a v3 revision
> > later tonight with the hope of merging it into -next later this week.
>
> Best laid plans of mice and men ...
>
> It turns out the LSM hook macros are full of warnings-now-errors that
> should likely be resolved before sending anything LSM related to
> Linus. I'll post v3 once I fix this, which may not be until tomorrow.
>
> (To be clear, the warnings/errors aren't new to this patchset, I'm
> likely just the first person to notice them.)

Actually, scratch that ... I'm thinking that might just be an oddity of
the Intel 0day test robot building for the xtensa arch. I'll post the
v3 patchset tonight.
--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
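The "orphan" URING records discussed in the thread (an io_uring operation audited with no SYSCALL record in the same event, which Paul attributes to io-wq or sqpoll processing) are easy to spot once records are grouped by the audit event serial. The following is an added example written for this page; it is not code from the thread, the kernel patchset, or the audit-userspace project. It assumes only the generic record header `type=<TYPE> msg=audit(<secs>.<ms>:<serial>):` and the record type name URINGOP from the thread; the remaining fields in the sample lines, the uring_op values, and the pids are constructed placeholders, and the syscall-number-to-name map uses the x86_64 numbers for the three syscalls named in Richard's rule.

```python
"""Group audit records by event serial and flag URINGOP events that have no
SYSCALL record (expected when the op ran in io-wq or sqpoll context).

Added example; not code from the thread or the audit project.
"""
import re
from collections import defaultdict

# Generic audit record header: type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <fields>
_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value pairs; quoted values keep their spaces, bare values stop at whitespace
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 syscall numbers for the three syscalls in the thread's "-S" rule
IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register"}

# Constructed sample log (field contents beyond type/msg are placeholders):
# 1001: io_uring_setup syscall only; 1002: io_uring_enter with an attached URINGOP;
# 1003/1004: URINGOP records with no SYSCALL record in their event (orphans).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1631587791.643:1001): arch=c000003e syscall=425 success=yes exit=5 pid=4242 uid=1000 comm="uringtest" key="iouringsyscall"
type=SYSCALL msg=audit(1631587791.650:1002): arch=c000003e syscall=426 success=yes exit=1 pid=4242 uid=1000 comm="uringtest" key="iouringsyscall"
type=URINGOP msg=audit(1631587791.650:1002): uring_op=22 success=yes exit=0 pid=4242 uid=1000
type=URINGOP msg=audit(1631587791.702:1003): uring_op=22 success=yes exit=0 pid=4242 uid=1000
type=URINGOP msg=audit(1631587791.811:1004): uring_op=2 success=no exit=-13 pid=4243 uid=1000
"""


def parse_record(line):
    """Parse one audit record line into a dict, or return None for non-matching lines."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(m.group("rest"))}
    return {
        "type": m.group("type"),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def group_events(lines):
    """Map event serial -> list of records; records sharing a serial form one event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def classify_uring_events(lines):
    """Return (attached, orphans): serials of URINGOP events with and without a SYSCALL record."""
    attached, orphans = [], []
    for serial, recs in sorted(group_events(lines).items()):
        types = {r["type"] for r in recs}
        if "URINGOP" not in types:
            continue
        (attached if "SYSCALL" in types else orphans).append(serial)
    return attached, orphans


def summarize(lines):
    """One human-readable line per URINGOP event, naming the enclosing syscall when present."""
    events = group_events(lines)
    attached, orphans = classify_uring_events(lines)
    out = []
    for serial in attached:
        sc = next(r for r in events[serial] if r["type"] == "SYSCALL")
        name = IO_URING_SYSCALLS.get(int(sc["fields"].get("syscall", -1)), "?")
        out.append(f"{serial}: URINGOP inside {name} syscall event")
    for serial in orphans:
        out.append(f"{serial}: orphan URINGOP (no SYSCALL record; expected for io-wq/sqpoll processing)")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG.splitlines()):
        print(line)
```

Run it on the constructed log and event 1002 is reported as a URINGOP attached to an io_uring_enter syscall event, while 1003 and 1004 are reported as orphans. On a real system the serial grouping is the same trick ausearch uses to assemble an event, so an orphan URINGOP is not a lost record; it means the op was completed by an io-wq worker or the sqpoll thread rather than inside the submitting thread's syscall.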