linux-parisc.vger.kernel.org archive mirror
* [PATCH v4 0/3] audit: add support for openat2
@ 2021-05-19 20:00 Richard Guy Briggs
  2021-05-19 20:00 ` [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros Richard Guy Briggs
  2021-05-19 20:00 ` [PATCH v4 2/3] audit: add support for the openat2 syscall Richard Guy Briggs
  0 siblings, 2 replies; 7+ messages in thread
From: Richard Guy Briggs @ 2021-05-19 20:00 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML, linux-fsdevel
  Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs,
	Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64,
	linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai,
	Arnd Bergmann

The openat2(2) syscall was added in v5.6.  Add support for openat2 to the
audit syscall classifier and for recording openat2 parameters that cannot
be captured in the syscall parameters of the SYSCALL record.

Supporting userspace code can be found in
https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2

Supporting test case can be found in
https://github.com/linux-audit/audit-testsuite/pull/103

Changelog:
v4:
- change filename include/linux/auditscm.h to auditsc_classmacros.h to avoid socket association

v3:
- re-add commit descriptions that somehow got dropped
- add new file to MAINTAINERS

v2:
- add include/linux/auditscm.h for audit syscall class macros due to syscall redefinition warnings:
        arch/x86/ia32/audit.c:3:
        ./include/linux/audit.h:12,
        ./include/linux/sched.h:22,
        ./include/linux/seccomp.h:21,
        ./arch/x86/include/asm/seccomp.h:5,
        ./arch/x86/include/asm/unistd.h:20,
        ./arch/x86/include/generated/uapi/asm/unistd_64.h:4: warning: "__NR_read" redefined #define __NR_read 0
	...
        ./arch/x86/include/generated/uapi/asm/unistd_64.h:338: warning: "__NR_rseq" redefined #define __NR_rseq 334
    previous:
        arch/x86/ia32/audit.c:2:
        ./arch/x86/include/generated/uapi/asm/unistd_32.h:7: note: this is the location of the previous definition #define __NR_read 3                                                                                                      
	...
        ./arch/x86/include/generated/uapi/asm/unistd_32.h:386: note: this is the location of the previous definition #define __NR_rseq 386

Richard Guy Briggs (3):
  audit: replace magic audit syscall class numbers with macros
  audit: add support for the openat2 syscall
  audit: add OPENAT2 record to list how

 MAINTAINERS                         |  1 +
 arch/alpha/kernel/audit.c           | 10 ++++++----
 arch/ia64/kernel/audit.c            | 10 ++++++----
 arch/parisc/kernel/audit.c          | 10 ++++++----
 arch/parisc/kernel/compat_audit.c   | 11 ++++++----
 arch/powerpc/kernel/audit.c         | 12 ++++++-----
 arch/powerpc/kernel/compat_audit.c  | 13 +++++++-----
 arch/s390/kernel/audit.c            | 12 ++++++-----
 arch/s390/kernel/compat_audit.c     | 13 +++++++-----
 arch/sparc/kernel/audit.c           | 12 ++++++-----
 arch/sparc/kernel/compat_audit.c    | 13 +++++++-----
 arch/x86/ia32/audit.c               | 13 +++++++-----
 arch/x86/kernel/audit_64.c          | 10 ++++++----
 fs/open.c                           |  2 ++
 include/linux/audit.h               | 11 ++++++++++
 include/linux/auditsc_classmacros.h | 24 ++++++++++++++++++++++
 include/uapi/linux/audit.h          |  1 +
 kernel/audit.h                      |  2 ++
 kernel/auditsc.c                    | 31 +++++++++++++++++++++++------
 lib/audit.c                         | 14 ++++++++-----
 lib/compat_audit.c                  | 15 +++++++++-----
 21 files changed, 169 insertions(+), 71 deletions(-)
 create mode 100644 include/linux/auditsc_classmacros.h

-- 
2.27.0



* [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros
  2021-05-19 20:00 [PATCH v4 0/3] audit: add support for openat2 Richard Guy Briggs
@ 2021-05-19 20:00 ` Richard Guy Briggs
  2021-05-20  7:50   ` Christian Brauner
  2021-08-05 22:01   ` Paul Moore
  2021-05-19 20:00 ` [PATCH v4 2/3] audit: add support for the openat2 syscall Richard Guy Briggs
  1 sibling, 2 replies; 7+ messages in thread
From: Richard Guy Briggs @ 2021-05-19 20:00 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML, linux-fsdevel
  Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs,
	Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64,
	linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai,
	Arnd Bergmann

Replace audit syscall class magic numbers with macros.

This required putting the macros into new header file
include/linux/auditsc_classmacros.h since the syscall macros were
included for both 64 bit and 32 bit in any compat code, causing
redefinition warnings.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com
---
 MAINTAINERS                         |  1 +
 arch/alpha/kernel/audit.c           |  8 ++++----
 arch/ia64/kernel/audit.c            |  8 ++++----
 arch/parisc/kernel/audit.c          |  8 ++++----
 arch/parisc/kernel/compat_audit.c   |  9 +++++----
 arch/powerpc/kernel/audit.c         | 10 +++++-----
 arch/powerpc/kernel/compat_audit.c  | 11 ++++++-----
 arch/s390/kernel/audit.c            | 10 +++++-----
 arch/s390/kernel/compat_audit.c     | 11 ++++++-----
 arch/sparc/kernel/audit.c           | 10 +++++-----
 arch/sparc/kernel/compat_audit.c    | 11 ++++++-----
 arch/x86/ia32/audit.c               | 11 ++++++-----
 arch/x86/kernel/audit_64.c          |  8 ++++----
 include/linux/audit.h               |  1 +
 include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++
 kernel/auditsc.c                    | 12 ++++++------
 lib/audit.c                         | 10 +++++-----
 lib/compat_audit.c                  | 11 ++++++-----
 18 files changed, 102 insertions(+), 71 deletions(-)
 create mode 100644 include/linux/auditsc_classmacros.h

diff --git a/MAINTAINERS b/MAINTAINERS
index bd7aff0c120f..3348d12019f9 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3036,6 +3036,7 @@ W:	https://github.com/linux-audit
 T:	git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
 F:	include/asm-generic/audit_*.h
 F:	include/linux/audit.h
+F:	include/linux/auditsc_classmacros.h
 F:	include/uapi/linux/audit.h
 F:	kernel/audit*
 F:	lib/*audit.c
diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c
index 96a9d18ff4c4..81cbd804e375 100644
--- a/arch/alpha/kernel/audit.c
+++ b/arch/alpha/kernel/audit.c
@@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall)
 {
 	switch(syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 0;
+		return AUDITSC_NATIVE;
 	}
 }
 
diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
index 5192ca899fe6..dba6a74c9ab3 100644
--- a/arch/ia64/kernel/audit.c
+++ b/arch/ia64/kernel/audit.c
@@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall)
 {
 	switch(syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 0;
+		return AUDITSC_NATIVE;
 	}
 }
 
diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c
index 9eb47b2225d2..14244e83db75 100644
--- a/arch/parisc/kernel/audit.c
+++ b/arch/parisc/kernel/audit.c
@@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall)
 #endif
 	switch (syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 0;
+		return AUDITSC_NATIVE;
 	}
 }
 
diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c
index 20c39c9d86a9..1d6347d37d92 100644
--- a/arch/parisc/kernel/compat_audit.c
+++ b/arch/parisc/kernel/compat_audit.c
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: GPL-2.0
+#include <linux/auditsc_classmacros.h>
 #include <asm/unistd.h>
 
 unsigned int parisc32_dir_class[] = {
@@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall)
 {
 	switch (syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 1;
+		return AUDITSC_COMPAT;
 	}
 }
diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
index a2dddd7f3d09..6eb18ef77dff 100644
--- a/arch/powerpc/kernel/audit.c
+++ b/arch/powerpc/kernel/audit.c
@@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall)
 #endif
 	switch(syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_socketcall:
-		return 4;
+		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 0;
+		return AUDITSC_NATIVE;
 	}
 }
 
diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
index 55c6ccda0a85..b1dc2d1c4bad 100644
--- a/arch/powerpc/kernel/compat_audit.c
+++ b/arch/powerpc/kernel/compat_audit.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 #undef __powerpc64__
+#include <linux/auditsc_classmacros.h>
 #include <asm/unistd.h>
 
 unsigned ppc32_dir_class[] = {
@@ -31,14 +32,14 @@ int ppc32_classify_syscall(unsigned syscall)
 {
 	switch(syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_socketcall:
-		return 4;
+		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 1;
+		return AUDITSC_COMPAT;
 	}
 }
diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
index d395c6c9944c..7e331e1831d4 100644
--- a/arch/s390/kernel/audit.c
+++ b/arch/s390/kernel/audit.c
@@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall)
 #endif
 	switch(syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_socketcall:
-		return 4;
+		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 0;
+		return AUDITSC_NATIVE;
 	}
 }
 
diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c
index 444fb1f66944..fc3d1c7ad21c 100644
--- a/arch/s390/kernel/compat_audit.c
+++ b/arch/s390/kernel/compat_audit.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 #undef __s390x__
+#include <linux/auditsc_classmacros.h>
 #include <asm/unistd.h>
 #include "audit.h"
 
@@ -32,14 +33,14 @@ int s390_classify_syscall(unsigned syscall)
 {
 	switch(syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_socketcall:
-		return 4;
+		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 1;
+		return AUDITSC_COMPAT;
 	}
 }
diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c
index a6e91bf34d48..50fab35bdaba 100644
--- a/arch/sparc/kernel/audit.c
+++ b/arch/sparc/kernel/audit.c
@@ -48,15 +48,15 @@ int audit_classify_syscall(int abi, unsigned int syscall)
 #endif
 	switch(syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_socketcall:
-		return 4;
+		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 0;
+		return AUDITSC_NATIVE;
 	}
 }
 
diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c
index 10eeb4f15b20..1c1b6d075421 100644
--- a/arch/sparc/kernel/compat_audit.c
+++ b/arch/sparc/kernel/compat_audit.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 #define __32bit_syscall_numbers__
+#include <linux/auditsc_classmacros.h>
 #include <asm/unistd.h>
 #include "kernel.h"
 
@@ -32,14 +33,14 @@ int sparc32_classify_syscall(unsigned int syscall)
 {
 	switch(syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_socketcall:
-		return 4;
+		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 1;
+		return AUDITSC_COMPAT;
 	}
 }
diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c
index 6efe6cb3768a..eedc37a1ee13 100644
--- a/arch/x86/ia32/audit.c
+++ b/arch/x86/ia32/audit.c
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: GPL-2.0
+#include <linux/auditsc_classmacros.h>
 #include <asm/unistd_32.h>
 #include <asm/audit.h>
 
@@ -31,15 +32,15 @@ int ia32_classify_syscall(unsigned syscall)
 {
 	switch (syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_socketcall:
-		return 4;
+		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
 	case __NR_execveat:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 1;
+		return AUDITSC_COMPAT;
 	}
 }
diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c
index 83d9cad4e68b..2a6cc9c9c881 100644
--- a/arch/x86/kernel/audit_64.c
+++ b/arch/x86/kernel/audit_64.c
@@ -47,14 +47,14 @@ int audit_classify_syscall(int abi, unsigned syscall)
 #endif
 	switch(syscall) {
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 	case __NR_execve:
 	case __NR_execveat:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 0;
+		return AUDITSC_NATIVE;
 	}
 }
 
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 82b7c1116a85..283bc91a6932 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -11,6 +11,7 @@
 
 #include <linux/sched.h>
 #include <linux/ptrace.h>
+#include <linux/auditsc_classmacros.h> /* syscall class macros */
 #include <uapi/linux/audit.h>
 #include <uapi/linux/netfilter/nf_tables.h>
 
diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h
new file mode 100644
index 000000000000..18757d270961
--- /dev/null
+++ b/include/linux/auditsc_classmacros.h
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/* auditsc_classmacros.h -- Auditing support syscall macros
+ *
+ * Copyright 2021 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * Author: Richard Guy Briggs <rgb@redhat.com>
+ */
+#ifndef _LINUX_AUDITSCM_H_
+#define _LINUX_AUDITSCM_H_
+
+enum auditsc_class_t {
+	AUDITSC_NATIVE = 0,
+	AUDITSC_COMPAT,
+	AUDITSC_OPEN,
+	AUDITSC_OPENAT,
+	AUDITSC_SOCKETCALL,
+	AUDITSC_EXECVE,
+
+	AUDITSC_NVALS /* count */
+};
+
+#endif
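Review bot: The include guard in the new header is still `_LINUX_AUDITSCM_H_`, which follows the earlier file name auditscm.h rather than auditsc_classmacros.h; rename it (for example `_LINUX_AUDITSC_CLASSMACROS_H_`) so the guard tracks the file. The header comment also says "syscall macros" although the file defines `enum auditsc_class_t`. Because these enumerators stand in for the literals 0 to 5 that the classifiers returned and `audit_match_perm()` switched on, giving every one an explicit value, as is done for `AUDITSC_NATIVE = 0`, would make an accidental reordering or mid-list insertion visible in review.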
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 0a9a1569f1ea..d775ea16505b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -166,7 +166,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
 	n = ctx->major;
 
 	switch (audit_classify_syscall(ctx->arch, n)) {
-	case 0:	/* native */
+	case AUDITSC_NATIVE:
 		if ((mask & AUDIT_PERM_WRITE) &&
 		     audit_match_class(AUDIT_CLASS_WRITE, n))
 			return 1;
@@ -177,7 +177,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
 		     audit_match_class(AUDIT_CLASS_CHATTR, n))
 			return 1;
 		return 0;
-	case 1: /* 32bit on biarch */
+	case AUDITSC_COMPAT: /* 32bit on biarch */
 		if ((mask & AUDIT_PERM_WRITE) &&
 		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
 			return 1;
@@ -188,13 +188,13 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
 		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
 			return 1;
 		return 0;
-	case 2: /* open */
+	case AUDITSC_OPEN:
 		return mask & ACC_MODE(ctx->argv[1]);
-	case 3: /* openat */
+	case AUDITSC_OPENAT:
 		return mask & ACC_MODE(ctx->argv[2]);
-	case 4: /* socketcall */
+	case AUDITSC_SOCKETCALL:
 		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
-	case 5: /* execve */
+	case AUDITSC_EXECVE:
 		return mask & AUDIT_PERM_EXEC;
 	default:
 		return 0;
diff --git a/lib/audit.c b/lib/audit.c
index 5004bff928a7..3ec1a94d8d64 100644
--- a/lib/audit.c
+++ b/lib/audit.c
@@ -45,23 +45,23 @@ int audit_classify_syscall(int abi, unsigned syscall)
 	switch(syscall) {
 #ifdef __NR_open
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 #endif
 #ifdef __NR_openat
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 #endif
 #ifdef __NR_socketcall
 	case __NR_socketcall:
-		return 4;
+		return AUDITSC_SOCKETCALL;
 #endif
 #ifdef __NR_execveat
 	case __NR_execveat:
 #endif
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 0;
+		return AUDITSC_NATIVE;
 	}
 }
 
diff --git a/lib/compat_audit.c b/lib/compat_audit.c
index 77eabad69b4a..a38b282d353f 100644
--- a/lib/compat_audit.c
+++ b/lib/compat_audit.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/init.h>
 #include <linux/types.h>
+#include <linux/auditsc_classmacros.h>
 #include <asm/unistd32.h>
 
 unsigned compat_dir_class[] = {
@@ -33,19 +34,19 @@ int audit_classify_compat_syscall(int abi, unsigned syscall)
 	switch (syscall) {
 #ifdef __NR_open
 	case __NR_open:
-		return 2;
+		return AUDITSC_OPEN;
 #endif
 #ifdef __NR_openat
 	case __NR_openat:
-		return 3;
+		return AUDITSC_OPENAT;
 #endif
 #ifdef __NR_socketcall
 	case __NR_socketcall:
-		return 4;
+		return AUDITSC_SOCKETCALL;
 #endif
 	case __NR_execve:
-		return 5;
+		return AUDITSC_EXECVE;
 	default:
-		return 1;
+		return AUDITSC_COMPAT;
 	}
 }
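Review bot: `audit_classify_compat_syscall()` maps only `__NR_execve` to `AUDITSC_EXECVE`, while the lib/audit.c hunk in this same patch also covers `__NR_execveat` under `#ifdef __NR_execveat`. The difference predates this conversion, but with the named classes it is now easy to see that a compat execveat call falls through to `default` and is classified `AUDITSC_COMPAT`. Either add the guarded `case __NR_execveat:` here in a follow-up patch or state in the commit message that the gap is intentional.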
-- 
2.27.0



* [PATCH v4 2/3] audit: add support for the openat2 syscall
  2021-05-19 20:00 [PATCH v4 0/3] audit: add support for openat2 Richard Guy Briggs
  2021-05-19 20:00 ` [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros Richard Guy Briggs
@ 2021-05-19 20:00 ` Richard Guy Briggs
  2021-05-20  7:58   ` Christian Brauner
  1 sibling, 1 reply; 7+ messages in thread
From: Richard Guy Briggs @ 2021-05-19 20:00 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML, linux-fsdevel
  Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs,
	Alexander Viro, Eric Paris, x86, linux-alpha, linux-ia64,
	linux-parisc, linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai,
	Arnd Bergmann

The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
("open: introduce openat2(2) syscall")

Add the openat2(2) syscall to the audit syscall classifier.

Link: https://github.com/linux-audit/audit-kernel/issues/67
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com
---
 arch/alpha/kernel/audit.c           | 2 ++
 arch/ia64/kernel/audit.c            | 2 ++
 arch/parisc/kernel/audit.c          | 2 ++
 arch/parisc/kernel/compat_audit.c   | 2 ++
 arch/powerpc/kernel/audit.c         | 2 ++
 arch/powerpc/kernel/compat_audit.c  | 2 ++
 arch/s390/kernel/audit.c            | 2 ++
 arch/s390/kernel/compat_audit.c     | 2 ++
 arch/sparc/kernel/audit.c           | 2 ++
 arch/sparc/kernel/compat_audit.c    | 2 ++
 arch/x86/ia32/audit.c               | 2 ++
 arch/x86/kernel/audit_64.c          | 2 ++
 include/linux/auditsc_classmacros.h | 1 +
 kernel/auditsc.c                    | 3 +++
 lib/audit.c                         | 4 ++++
 lib/compat_audit.c                  | 4 ++++
 16 files changed, 36 insertions(+)

diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c
index 81cbd804e375..3ab04709784a 100644
--- a/arch/alpha/kernel/audit.c
+++ b/arch/alpha/kernel/audit.c
@@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 		return AUDITSC_OPENAT;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_NATIVE;
 	}
diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
index dba6a74c9ab3..ec61f20ca61f 100644
--- a/arch/ia64/kernel/audit.c
+++ b/arch/ia64/kernel/audit.c
@@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 		return AUDITSC_OPENAT;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_NATIVE;
 	}
diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c
index 14244e83db75..f420b5552140 100644
--- a/arch/parisc/kernel/audit.c
+++ b/arch/parisc/kernel/audit.c
@@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 		return AUDITSC_OPENAT;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_NATIVE;
 	}
diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c
index 1d6347d37d92..3ec490c28656 100644
--- a/arch/parisc/kernel/compat_audit.c
+++ b/arch/parisc/kernel/compat_audit.c
@@ -36,6 +36,8 @@ int parisc32_classify_syscall(unsigned syscall)
 		return AUDITSC_OPENAT;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_COMPAT;
 	}
diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
index 6eb18ef77dff..1bcfca5fdf67 100644
--- a/arch/powerpc/kernel/audit.c
+++ b/arch/powerpc/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_NATIVE;
 	}
diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
index b1dc2d1c4bad..251abf79d536 100644
--- a/arch/powerpc/kernel/compat_audit.c
+++ b/arch/powerpc/kernel/compat_audit.c
@@ -39,6 +39,8 @@ int ppc32_classify_syscall(unsigned syscall)
 		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_COMPAT;
 	}
diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
index 7e331e1831d4..02051a596b87 100644
--- a/arch/s390/kernel/audit.c
+++ b/arch/s390/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_NATIVE;
 	}
diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c
index fc3d1c7ad21c..4b3d463e7d97 100644
--- a/arch/s390/kernel/compat_audit.c
+++ b/arch/s390/kernel/compat_audit.c
@@ -40,6 +40,8 @@ int s390_classify_syscall(unsigned syscall)
 		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_COMPAT;
 	}
diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c
index 50fab35bdaba..b092274eca79 100644
--- a/arch/sparc/kernel/audit.c
+++ b/arch/sparc/kernel/audit.c
@@ -55,6 +55,8 @@ int audit_classify_syscall(int abi, unsigned int syscall)
 		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_NATIVE;
 	}
diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c
index 1c1b6d075421..2a3f71206fc5 100644
--- a/arch/sparc/kernel/compat_audit.c
+++ b/arch/sparc/kernel/compat_audit.c
@@ -40,6 +40,8 @@ int sparc32_classify_syscall(unsigned int syscall)
 		return AUDITSC_SOCKETCALL;
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_COMPAT;
 	}
diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c
index eedc37a1ee13..efc7d832fefb 100644
--- a/arch/x86/ia32/audit.c
+++ b/arch/x86/ia32/audit.c
@@ -40,6 +40,8 @@ int ia32_classify_syscall(unsigned syscall)
 	case __NR_execve:
 	case __NR_execveat:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_COMPAT;
 	}
diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c
index 2a6cc9c9c881..44c3601cfdc4 100644
--- a/arch/x86/kernel/audit_64.c
+++ b/arch/x86/kernel/audit_64.c
@@ -53,6 +53,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 	case __NR_execve:
 	case __NR_execveat:
 		return AUDITSC_EXECVE;
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
 	default:
 		return AUDITSC_NATIVE;
 	}
diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h
index 18757d270961..dc8e72536dbd 100644
--- a/include/linux/auditsc_classmacros.h
+++ b/include/linux/auditsc_classmacros.h
@@ -16,6 +16,7 @@ enum auditsc_class_t {
 	AUDITSC_OPENAT,
 	AUDITSC_SOCKETCALL,
 	AUDITSC_EXECVE,
+	AUDITSC_OPENAT2,
 
 	AUDITSC_NVALS /* count */
 };
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d775ea16505b..3f59ab209dfd 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -76,6 +76,7 @@
 #include <linux/fsnotify_backend.h>
 #include <uapi/linux/limits.h>
 #include <uapi/linux/netfilter/nf_tables.h>
+#include <uapi/linux/openat2.h>
 
 #include "audit.h"
 
@@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
 		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
 	case AUDITSC_EXECVE:
 		return mask & AUDIT_PERM_EXEC;
+	case AUDITSC_OPENAT2:
+		return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
 	default:
 		return 0;
 	}
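Review bot: In the new `AUDITSC_OPENAT2` case, `ctx->argv[2]` is the raw third syscall argument, which for openat2 is the caller's user-space pointer to `struct open_how`, and the cast `(struct open_how *)ctx->argv[2]` followed by `->flags` dereferences it directly from kernel context. The neighbouring `AUDITSC_OPEN` and `AUDITSC_OPENAT` cases only read `ctx->argv[1]` and `ctx->argv[2]` as integer flag values, so this is the first case that follows a pointer. Match against a kernel-side copy of the flags instead, for example one stored in the audit context at the point where the open path has already copied `open_how` in, so that the permission filter neither touches user memory without the user-access helpers nor evaluates a value the caller can change after the syscall has read it. The `(u32)` cast also drops the upper half of the 64-bit `flags` field without comment; a short note on why that is acceptable for `ACC_MODE()` would help.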
diff --git a/lib/audit.c b/lib/audit.c
index 3ec1a94d8d64..738bda22dd39 100644
--- a/lib/audit.c
+++ b/lib/audit.c
@@ -60,6 +60,10 @@ int audit_classify_syscall(int abi, unsigned syscall)
 #endif
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+#ifdef __NR_openat2
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
+#endif
 	default:
 		return AUDITSC_NATIVE;
 	}
diff --git a/lib/compat_audit.c b/lib/compat_audit.c
index a38b282d353f..e2a0f914d8b6 100644
--- a/lib/compat_audit.c
+++ b/lib/compat_audit.c
@@ -46,6 +46,10 @@ int audit_classify_compat_syscall(int abi, unsigned syscall)
 #endif
 	case __NR_execve:
 		return AUDITSC_EXECVE;
+#ifdef __NR_openat2
+	case __NR_openat2:
+		return AUDITSC_OPENAT2;
+#endif
 	default:
 		return AUDITSC_COMPAT;
 	}
-- 
2.27.0



* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros
  2021-05-19 20:00 ` [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros Richard Guy Briggs
@ 2021-05-20  7:50   ` Christian Brauner
  2021-08-05 22:01   ` Paul Moore
  1 sibling, 0 replies; 7+ messages in thread
From: Christian Brauner @ 2021-05-20  7:50 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Paul Moore,
	Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, x86,
	linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390,
	sparclinux, Aleksa Sarai, Arnd Bergmann

On Wed, May 19, 2021 at 04:00:20PM -0400, Richard Guy Briggs wrote:
> Replace audit syscall class magic numbers with macros.
> 
> This required putting the macros into new header file
> include/linux/auditsc_classmacros.h since the syscall macros were
> included for both 64 bit and 32 bit in any compat code, causing
> redefinition warnings.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com

Looks good.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>

Fwiw, I would explicitly number all enum values in auditsc_class_t not
just the first one.

> ---
>  MAINTAINERS                         |  1 +
>  arch/alpha/kernel/audit.c           |  8 ++++----
>  arch/ia64/kernel/audit.c            |  8 ++++----
>  arch/parisc/kernel/audit.c          |  8 ++++----
>  arch/parisc/kernel/compat_audit.c   |  9 +++++----
>  arch/powerpc/kernel/audit.c         | 10 +++++-----
>  arch/powerpc/kernel/compat_audit.c  | 11 ++++++-----
>  arch/s390/kernel/audit.c            | 10 +++++-----
>  arch/s390/kernel/compat_audit.c     | 11 ++++++-----
>  arch/sparc/kernel/audit.c           | 10 +++++-----
>  arch/sparc/kernel/compat_audit.c    | 11 ++++++-----
>  arch/x86/ia32/audit.c               | 11 ++++++-----
>  arch/x86/kernel/audit_64.c          |  8 ++++----
>  include/linux/audit.h               |  1 +
>  include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++
>  kernel/auditsc.c                    | 12 ++++++------
>  lib/audit.c                         | 10 +++++-----
>  lib/compat_audit.c                  | 11 ++++++-----
>  18 files changed, 102 insertions(+), 71 deletions(-)
>  create mode 100644 include/linux/auditsc_classmacros.h
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index bd7aff0c120f..3348d12019f9 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -3036,6 +3036,7 @@ W:	https://github.com/linux-audit
>  T:	git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
>  F:	include/asm-generic/audit_*.h
>  F:	include/linux/audit.h
> +F:	include/linux/auditsc_classmacros.h
>  F:	include/uapi/linux/audit.h
>  F:	kernel/audit*
>  F:	lib/*audit.c
> diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c
> index 96a9d18ff4c4..81cbd804e375 100644
> --- a/arch/alpha/kernel/audit.c
> +++ b/arch/alpha/kernel/audit.c
> @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  {
>  	switch(syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 0;
> +		return AUDITSC_NATIVE;
>  	}
>  }
>  
> diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
> index 5192ca899fe6..dba6a74c9ab3 100644
> --- a/arch/ia64/kernel/audit.c
> +++ b/arch/ia64/kernel/audit.c
> @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  {
>  	switch(syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 0;
> +		return AUDITSC_NATIVE;
>  	}
>  }
>  
> diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c
> index 9eb47b2225d2..14244e83db75 100644
> --- a/arch/parisc/kernel/audit.c
> +++ b/arch/parisc/kernel/audit.c
> @@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  #endif
>  	switch (syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 0;
> +		return AUDITSC_NATIVE;
>  	}
>  }
>  
> diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c
> index 20c39c9d86a9..1d6347d37d92 100644
> --- a/arch/parisc/kernel/compat_audit.c
> +++ b/arch/parisc/kernel/compat_audit.c
> @@ -1,4 +1,5 @@
>  // SPDX-License-Identifier: GPL-2.0
> +#include <linux/auditsc_classmacros.h>
>  #include <asm/unistd.h>
>  
>  unsigned int parisc32_dir_class[] = {
> @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall)
>  {
>  	switch (syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 1;
> +		return AUDITSC_COMPAT;
>  	}
>  }
> diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
> index a2dddd7f3d09..6eb18ef77dff 100644
> --- a/arch/powerpc/kernel/audit.c
> +++ b/arch/powerpc/kernel/audit.c
> @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  #endif
>  	switch(syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_socketcall:
> -		return 4;
> +		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 0;
> +		return AUDITSC_NATIVE;
>  	}
>  }
>  
> diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
> index 55c6ccda0a85..b1dc2d1c4bad 100644
> --- a/arch/powerpc/kernel/compat_audit.c
> +++ b/arch/powerpc/kernel/compat_audit.c
> @@ -1,5 +1,6 @@
>  // SPDX-License-Identifier: GPL-2.0
>  #undef __powerpc64__
> +#include <linux/auditsc_classmacros.h>
>  #include <asm/unistd.h>
>  
>  unsigned ppc32_dir_class[] = {
> @@ -31,14 +32,14 @@ int ppc32_classify_syscall(unsigned syscall)
>  {
>  	switch(syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_socketcall:
> -		return 4;
> +		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 1;
> +		return AUDITSC_COMPAT;
>  	}
>  }
> diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
> index d395c6c9944c..7e331e1831d4 100644
> --- a/arch/s390/kernel/audit.c
> +++ b/arch/s390/kernel/audit.c
> @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  #endif
>  	switch(syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_socketcall:
> -		return 4;
> +		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 0;
> +		return AUDITSC_NATIVE;
>  	}
>  }
>  
> diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c
> index 444fb1f66944..fc3d1c7ad21c 100644
> --- a/arch/s390/kernel/compat_audit.c
> +++ b/arch/s390/kernel/compat_audit.c
> @@ -1,5 +1,6 @@
>  // SPDX-License-Identifier: GPL-2.0
>  #undef __s390x__
> +#include <linux/auditsc_classmacros.h>
>  #include <asm/unistd.h>
>  #include "audit.h"
>  
> @@ -32,14 +33,14 @@ int s390_classify_syscall(unsigned syscall)
>  {
>  	switch(syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_socketcall:
> -		return 4;
> +		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 1;
> +		return AUDITSC_COMPAT;
>  	}
>  }
> diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c
> index a6e91bf34d48..50fab35bdaba 100644
> --- a/arch/sparc/kernel/audit.c
> +++ b/arch/sparc/kernel/audit.c
> @@ -48,15 +48,15 @@ int audit_classify_syscall(int abi, unsigned int syscall)
>  #endif
>  	switch(syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_socketcall:
> -		return 4;
> +		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 0;
> +		return AUDITSC_NATIVE;
>  	}
>  }
>  
> diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c
> index 10eeb4f15b20..1c1b6d075421 100644
> --- a/arch/sparc/kernel/compat_audit.c
> +++ b/arch/sparc/kernel/compat_audit.c
> @@ -1,5 +1,6 @@
>  // SPDX-License-Identifier: GPL-2.0
>  #define __32bit_syscall_numbers__
> +#include <linux/auditsc_classmacros.h>
>  #include <asm/unistd.h>
>  #include "kernel.h"
>  
> @@ -32,14 +33,14 @@ int sparc32_classify_syscall(unsigned int syscall)
>  {
>  	switch(syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_socketcall:
> -		return 4;
> +		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 1;
> +		return AUDITSC_COMPAT;
>  	}
>  }
> diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c
> index 6efe6cb3768a..eedc37a1ee13 100644
> --- a/arch/x86/ia32/audit.c
> +++ b/arch/x86/ia32/audit.c
> @@ -1,4 +1,5 @@
>  // SPDX-License-Identifier: GPL-2.0
> +#include <linux/auditsc_classmacros.h>
>  #include <asm/unistd_32.h>
>  #include <asm/audit.h>
>  
> @@ -31,15 +32,15 @@ int ia32_classify_syscall(unsigned syscall)
>  {
>  	switch (syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_socketcall:
> -		return 4;
> +		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
>  	case __NR_execveat:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 1;
> +		return AUDITSC_COMPAT;
>  	}
>  }
> diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c
> index 83d9cad4e68b..2a6cc9c9c881 100644
> --- a/arch/x86/kernel/audit_64.c
> +++ b/arch/x86/kernel/audit_64.c
> @@ -47,14 +47,14 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  #endif
>  	switch(syscall) {
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  	case __NR_execve:
>  	case __NR_execveat:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 0;
> +		return AUDITSC_NATIVE;
>  	}
>  }
>  
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 82b7c1116a85..283bc91a6932 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -11,6 +11,7 @@
>  
>  #include <linux/sched.h>
>  #include <linux/ptrace.h>
> +#include <linux/auditsc_classmacros.h> /* syscall class macros */
>  #include <uapi/linux/audit.h>
>  #include <uapi/linux/netfilter/nf_tables.h>
>  
> diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h
> new file mode 100644
> index 000000000000..18757d270961
> --- /dev/null
> +++ b/include/linux/auditsc_classmacros.h
> @@ -0,0 +1,23 @@
> +/* SPDX-License-Identifier: GPL-2.0-or-later */
> +/* auditsc_classmacros.h -- Auditing support syscall macros
> + *
> + * Copyright 2021 Red Hat Inc., Durham, North Carolina.
> + * All Rights Reserved.
> + *
> + * Author: Richard Guy Briggs <rgb@redhat.com>
> + */
> +#ifndef _LINUX_AUDITSCM_H_
> +#define _LINUX_AUDITSCM_H_
> +
> +enum auditsc_class_t {
> +	AUDITSC_NATIVE = 0,
> +	AUDITSC_COMPAT,
> +	AUDITSC_OPEN,
> +	AUDITSC_OPENAT,
> +	AUDITSC_SOCKETCALL,
> +	AUDITSC_EXECVE,
> +
> +	AUDITSC_NVALS /* count */
> +};
> +
> +#endif
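
Review bot: The include guard `_LINUX_AUDITSCM_H_` still carries the old `auditscm.h` name from before the v4 rename, so it no longer matches the file it protects; rename it to follow `auditsc_classmacros.h` (for example `_LINUX_AUDITSC_CLASSMACROS_H_`). The header comment also says "syscall macros" while the file defines an enum, and the `_t` suffix on the `enum auditsc_class_t` tag reads like a typedef; consider describing the contents as syscall class values and dropping the suffix.
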
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 0a9a1569f1ea..d775ea16505b 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -166,7 +166,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
>  	n = ctx->major;
>  
>  	switch (audit_classify_syscall(ctx->arch, n)) {
> -	case 0:	/* native */
> +	case AUDITSC_NATIVE:
>  		if ((mask & AUDIT_PERM_WRITE) &&
>  		     audit_match_class(AUDIT_CLASS_WRITE, n))
>  			return 1;
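
Review bot: In `switch (audit_classify_syscall(ctx->arch, n))` the case labels are now `enum auditsc_class_t` values, but the classifiers touched by this patch are still declared to return `int`. Consider changing `audit_classify_syscall()` and the per-arch compat classifiers to return `enum auditsc_class_t`, so the prototype documents which values a caller has to handle and a new class cannot be added without the type making it visible.
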
> @@ -177,7 +177,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
>  		     audit_match_class(AUDIT_CLASS_CHATTR, n))
>  			return 1;
>  		return 0;
> -	case 1: /* 32bit on biarch */
> +	case AUDITSC_COMPAT: /* 32bit on biarch */
>  		if ((mask & AUDIT_PERM_WRITE) &&
>  		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
>  			return 1;
> @@ -188,13 +188,13 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
>  		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
>  			return 1;
>  		return 0;
> -	case 2: /* open */
> +	case AUDITSC_OPEN:
>  		return mask & ACC_MODE(ctx->argv[1]);
> -	case 3: /* openat */
> +	case AUDITSC_OPENAT:
>  		return mask & ACC_MODE(ctx->argv[2]);
> -	case 4: /* socketcall */
> +	case AUDITSC_SOCKETCALL:
>  		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
> -	case 5: /* execve */
> +	case AUDITSC_EXECVE:
>  		return mask & AUDIT_PERM_EXEC;
>  	default:
>  		return 0;
> diff --git a/lib/audit.c b/lib/audit.c
> index 5004bff928a7..3ec1a94d8d64 100644
> --- a/lib/audit.c
> +++ b/lib/audit.c
> @@ -45,23 +45,23 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  	switch(syscall) {
>  #ifdef __NR_open
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  #endif
>  #ifdef __NR_openat
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  #endif
>  #ifdef __NR_socketcall
>  	case __NR_socketcall:
> -		return 4;
> +		return AUDITSC_SOCKETCALL;
>  #endif
>  #ifdef __NR_execveat
>  	case __NR_execveat:
>  #endif
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 0;
> +		return AUDITSC_NATIVE;
>  	}
>  }
>  
> diff --git a/lib/compat_audit.c b/lib/compat_audit.c
> index 77eabad69b4a..a38b282d353f 100644
> --- a/lib/compat_audit.c
> +++ b/lib/compat_audit.c
> @@ -1,6 +1,7 @@
>  // SPDX-License-Identifier: GPL-2.0
>  #include <linux/init.h>
>  #include <linux/types.h>
> +#include <linux/auditsc_classmacros.h>
>  #include <asm/unistd32.h>
>  
>  unsigned compat_dir_class[] = {
> @@ -33,19 +34,19 @@ int audit_classify_compat_syscall(int abi, unsigned syscall)
>  	switch (syscall) {
>  #ifdef __NR_open
>  	case __NR_open:
> -		return 2;
> +		return AUDITSC_OPEN;
>  #endif
>  #ifdef __NR_openat
>  	case __NR_openat:
> -		return 3;
> +		return AUDITSC_OPENAT;
>  #endif
>  #ifdef __NR_socketcall
>  	case __NR_socketcall:
> -		return 4;
> +		return AUDITSC_SOCKETCALL;
>  #endif
>  	case __NR_execve:
> -		return 5;
> +		return AUDITSC_EXECVE;
>  	default:
> -		return 1;
> +		return AUDITSC_COMPAT;
>  	}
>  }
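
Review bot: In `audit_classify_compat_syscall()` only `__NR_execve` maps to `AUDITSC_EXECVE`, while the native classifier in lib/audit.c and `ia32_classify_syscall()` also map `__NR_execveat`. This predates the patch, but with the classes named it is easy to see that a compat `execveat` lands in `default:` and returns `AUDITSC_COMPAT`, so it never reaches the `AUDITSC_EXECVE` case in `audit_match_perm()` that checks `AUDIT_PERM_EXEC`. A follow-up adding `case __NR_execveat:` under `#ifdef __NR_execveat`, as lib/audit.c does, would close that gap.
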
> -- 
> 2.27.0
> 


* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall
  2021-05-19 20:00 ` [PATCH v4 2/3] audit: add support for the openat2 syscall Richard Guy Briggs
@ 2021-05-20  7:58   ` Christian Brauner
  2021-05-24 23:04     ` Paul Moore
  0 siblings, 1 reply; 7+ messages in thread
From: Christian Brauner @ 2021-05-20  7:58 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Paul Moore,
	Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, x86,
	linux-alpha, linux-ia64, linux-parisc, linuxppc-dev, linux-s390,
	sparclinux, Aleksa Sarai, Arnd Bergmann

On Wed, May 19, 2021 at 04:00:21PM -0400, Richard Guy Briggs wrote:
> The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> ("open: introduce openat2(2) syscall")
> 
> Add the openat2(2) syscall to the audit syscall classifier.
> 
> Link: https://github.com/linux-audit/audit-kernel/issues/67
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com
> ---
>  arch/alpha/kernel/audit.c           | 2 ++
>  arch/ia64/kernel/audit.c            | 2 ++
>  arch/parisc/kernel/audit.c          | 2 ++
>  arch/parisc/kernel/compat_audit.c   | 2 ++
>  arch/powerpc/kernel/audit.c         | 2 ++
>  arch/powerpc/kernel/compat_audit.c  | 2 ++
>  arch/s390/kernel/audit.c            | 2 ++
>  arch/s390/kernel/compat_audit.c     | 2 ++
>  arch/sparc/kernel/audit.c           | 2 ++
>  arch/sparc/kernel/compat_audit.c    | 2 ++
>  arch/x86/ia32/audit.c               | 2 ++
>  arch/x86/kernel/audit_64.c          | 2 ++
>  include/linux/auditsc_classmacros.h | 1 +
>  kernel/auditsc.c                    | 3 +++
>  lib/audit.c                         | 4 ++++
>  lib/compat_audit.c                  | 4 ++++
>  16 files changed, 36 insertions(+)
> 
> diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c
> index 81cbd804e375..3ab04709784a 100644
> --- a/arch/alpha/kernel/audit.c
> +++ b/arch/alpha/kernel/audit.c
> @@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  		return AUDITSC_OPENAT;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_NATIVE;
>  	}
> diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
> index dba6a74c9ab3..ec61f20ca61f 100644
> --- a/arch/ia64/kernel/audit.c
> +++ b/arch/ia64/kernel/audit.c
> @@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  		return AUDITSC_OPENAT;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_NATIVE;
>  	}
> diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c
> index 14244e83db75..f420b5552140 100644
> --- a/arch/parisc/kernel/audit.c
> +++ b/arch/parisc/kernel/audit.c
> @@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  		return AUDITSC_OPENAT;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_NATIVE;
>  	}
> diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c
> index 1d6347d37d92..3ec490c28656 100644
> --- a/arch/parisc/kernel/compat_audit.c
> +++ b/arch/parisc/kernel/compat_audit.c
> @@ -36,6 +36,8 @@ int parisc32_classify_syscall(unsigned syscall)
>  		return AUDITSC_OPENAT;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_COMPAT;
>  	}
> diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
> index 6eb18ef77dff..1bcfca5fdf67 100644
> --- a/arch/powerpc/kernel/audit.c
> +++ b/arch/powerpc/kernel/audit.c
> @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_NATIVE;
>  	}
> diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
> index b1dc2d1c4bad..251abf79d536 100644
> --- a/arch/powerpc/kernel/compat_audit.c
> +++ b/arch/powerpc/kernel/compat_audit.c
> @@ -39,6 +39,8 @@ int ppc32_classify_syscall(unsigned syscall)
>  		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_COMPAT;
>  	}
> diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
> index 7e331e1831d4..02051a596b87 100644
> --- a/arch/s390/kernel/audit.c
> +++ b/arch/s390/kernel/audit.c
> @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_NATIVE;
>  	}
> diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c
> index fc3d1c7ad21c..4b3d463e7d97 100644
> --- a/arch/s390/kernel/compat_audit.c
> +++ b/arch/s390/kernel/compat_audit.c
> @@ -40,6 +40,8 @@ int s390_classify_syscall(unsigned syscall)
>  		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_COMPAT;
>  	}
> diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c
> index 50fab35bdaba..b092274eca79 100644
> --- a/arch/sparc/kernel/audit.c
> +++ b/arch/sparc/kernel/audit.c
> @@ -55,6 +55,8 @@ int audit_classify_syscall(int abi, unsigned int syscall)
>  		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_NATIVE;
>  	}
> diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c
> index 1c1b6d075421..2a3f71206fc5 100644
> --- a/arch/sparc/kernel/compat_audit.c
> +++ b/arch/sparc/kernel/compat_audit.c
> @@ -40,6 +40,8 @@ int sparc32_classify_syscall(unsigned int syscall)
>  		return AUDITSC_SOCKETCALL;
>  	case __NR_execve:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_COMPAT;
>  	}
> diff --git a/arch/x86/ia32/audit.c b/arch/x86/ia32/audit.c
> index eedc37a1ee13..efc7d832fefb 100644
> --- a/arch/x86/ia32/audit.c
> +++ b/arch/x86/ia32/audit.c
> @@ -40,6 +40,8 @@ int ia32_classify_syscall(unsigned syscall)
>  	case __NR_execve:
>  	case __NR_execveat:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_COMPAT;
>  	}
> diff --git a/arch/x86/kernel/audit_64.c b/arch/x86/kernel/audit_64.c
> index 2a6cc9c9c881..44c3601cfdc4 100644
> --- a/arch/x86/kernel/audit_64.c
> +++ b/arch/x86/kernel/audit_64.c
> @@ -53,6 +53,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
>  	case __NR_execve:
>  	case __NR_execveat:
>  		return AUDITSC_EXECVE;
> +	case __NR_openat2:
> +		return AUDITSC_OPENAT2;
>  	default:
>  		return AUDITSC_NATIVE;
>  	}
> diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h
> index 18757d270961..dc8e72536dbd 100644
> --- a/include/linux/auditsc_classmacros.h
> +++ b/include/linux/auditsc_classmacros.h
> @@ -16,6 +16,7 @@ enum auditsc_class_t {
>  	AUDITSC_OPENAT,
>  	AUDITSC_SOCKETCALL,
>  	AUDITSC_EXECVE,
> +	AUDITSC_OPENAT2,
>  
>  	AUDITSC_NVALS /* count */
>  };
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index d775ea16505b..3f59ab209dfd 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -76,6 +76,7 @@
>  #include <linux/fsnotify_backend.h>
>  #include <uapi/linux/limits.h>
>  #include <uapi/linux/netfilter/nf_tables.h>
> +#include <uapi/linux/openat2.h>
>  
>  #include "audit.h"
>  
> @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
>  		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
>  	case AUDITSC_EXECVE:
>  		return mask & AUDIT_PERM_EXEC;
> +	case AUDITSC_OPENAT2:
> +		return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
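
Review bot: `ctx->argv[2]` is the raw third syscall argument, which for openat2(2) is the caller's userspace pointer to `struct open_how`, so `((struct open_how *)ctx->argv[2])->flags` dereferences a user address directly inside `audit_match_perm()`. The other cases only compare argument values (`ACC_MODE(ctx->argv[1])`, `ctx->argv[0] == SYS_BIND`) and never follow a pointer. Match against a kernel-side copy of the flags instead, for example one saved in the audit context at the point where the `open_how` is copied in, so the filter neither faults on a bad pointer nor evaluates flags the caller can change after the syscall has read them.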

That's a lot of dereferencing, casting and masking all at once. Maybe a
small static inline helper would be good for the sake of legibility? Sm
like:

static inline u32 audit_openat2_acc(struct open_how *how, int mask)
{
	u32 flags = how->flags;
	return mask & ACC_MODE(flags);
}

but not sure. Just seems more legible to me.
Otherwise.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>


* Re: [PATCH v4 2/3] audit: add support for the openat2 syscall
  2021-05-20  7:58   ` Christian Brauner
@ 2021-05-24 23:04     ` Paul Moore
  0 siblings, 0 replies; 7+ messages in thread
From: Paul Moore @ 2021-05-24 23:04 UTC (permalink / raw)
  To: Christian Brauner
  Cc: Richard Guy Briggs, Linux-Audit Mailing List, LKML,
	linux-fsdevel, Eric Paris, Steve Grubb, Alexander Viro,
	Eric Paris, x86, linux-alpha, linux-ia64, linux-parisc,
	linuxppc-dev, linux-s390, sparclinux, Aleksa Sarai,
	Arnd Bergmann

On Thu, May 20, 2021 at 3:58 AM Christian Brauner
<christian.brauner@ubuntu.com> wrote:
> On Wed, May 19, 2021 at 04:00:21PM -0400, Richard Guy Briggs wrote:
> > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> > ("open: introduce openat2(2) syscall")
> >
> > Add the openat2(2) syscall to the audit syscall classifier.
> >
> > Link: https://github.com/linux-audit/audit-kernel/issues/67
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com
> > ---
> >  arch/alpha/kernel/audit.c           | 2 ++
> >  arch/ia64/kernel/audit.c            | 2 ++
> >  arch/parisc/kernel/audit.c          | 2 ++
> >  arch/parisc/kernel/compat_audit.c   | 2 ++
> >  arch/powerpc/kernel/audit.c         | 2 ++
> >  arch/powerpc/kernel/compat_audit.c  | 2 ++
> >  arch/s390/kernel/audit.c            | 2 ++
> >  arch/s390/kernel/compat_audit.c     | 2 ++
> >  arch/sparc/kernel/audit.c           | 2 ++
> >  arch/sparc/kernel/compat_audit.c    | 2 ++
> >  arch/x86/ia32/audit.c               | 2 ++
> >  arch/x86/kernel/audit_64.c          | 2 ++
> >  include/linux/auditsc_classmacros.h | 1 +
> >  kernel/auditsc.c                    | 3 +++
> >  lib/audit.c                         | 4 ++++
> >  lib/compat_audit.c                  | 4 ++++
> >  16 files changed, 36 insertions(+)

...

> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index d775ea16505b..3f59ab209dfd 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -76,6 +76,7 @@
> >  #include <linux/fsnotify_backend.h>
> >  #include <uapi/linux/limits.h>
> >  #include <uapi/linux/netfilter/nf_tables.h>
> > +#include <uapi/linux/openat2.h>
> >
> >  #include "audit.h"
> >
> > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
> >               return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
> >       case AUDITSC_EXECVE:
> >               return mask & AUDIT_PERM_EXEC;
> > +     case AUDITSC_OPENAT2:
> > +             return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
>
> That's a lot of dereferencing, casting and masking all at once. Maybe a
> small static inline helper would be good for the sake of legibility? Sm
> like:
>
> static inline u32 audit_openat2_acc(struct open_how *how, int mask)
> {
>         u32 flags = how->flags;
>         return mask & ACC_MODE(flags);
> }
>
> but not sure. Just seems more legible to me.
> Otherwise.

I'm on the fence about this.  I understand Christian's concern, but I
have a bit of hatred towards single caller functions like this.  Since
this function isn't really high-touch, and I don't expect that to
change in the near future, let's leave the casting mess as-is.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros
  2021-05-19 20:00 ` [PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros Richard Guy Briggs
  2021-05-20  7:50   ` Christian Brauner
@ 2021-08-05 22:01   ` Paul Moore
  1 sibling, 0 replies; 7+ messages in thread
From: Paul Moore @ 2021-08-05 22:01 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Linux-Audit Mailing List, LKML, linux-fsdevel, Eric Paris,
	Steve Grubb, Alexander Viro, Eric Paris, x86, linux-alpha,
	linux-ia64, linux-parisc, linuxppc-dev, linux-s390, sparclinux,
	Aleksa Sarai, Arnd Bergmann

On Wed, May 19, 2021 at 4:01 PM Richard Guy Briggs <rgb@redhat.com> wrote:
>
> Replace audit syscall class magic numbers with macros.
>
> This required putting the macros into new header file
> include/linux/auditsc_classmacros.h since the syscall macros were
> included for both 64 bit and 32 bit in any compat code, causing
> redefinition warnings.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git.rgb@redhat.com
> ---
>  MAINTAINERS                         |  1 +
>  arch/alpha/kernel/audit.c           |  8 ++++----
>  arch/ia64/kernel/audit.c            |  8 ++++----
>  arch/parisc/kernel/audit.c          |  8 ++++----
>  arch/parisc/kernel/compat_audit.c   |  9 +++++----
>  arch/powerpc/kernel/audit.c         | 10 +++++-----
>  arch/powerpc/kernel/compat_audit.c  | 11 ++++++-----
>  arch/s390/kernel/audit.c            | 10 +++++-----
>  arch/s390/kernel/compat_audit.c     | 11 ++++++-----
>  arch/sparc/kernel/audit.c           | 10 +++++-----
>  arch/sparc/kernel/compat_audit.c    | 11 ++++++-----
>  arch/x86/ia32/audit.c               | 11 ++++++-----
>  arch/x86/kernel/audit_64.c          |  8 ++++----
>  include/linux/audit.h               |  1 +
>  include/linux/auditsc_classmacros.h | 23 +++++++++++++++++++++++
>  kernel/auditsc.c                    | 12 ++++++------
>  lib/audit.c                         | 10 +++++-----
>  lib/compat_audit.c                  | 11 ++++++-----
>  18 files changed, 102 insertions(+), 71 deletions(-)
>  create mode 100644 include/linux/auditsc_classmacros.h

...

> diff --git a/include/linux/auditsc_classmacros.h b/include/linux/auditsc_classmacros.h
> new file mode 100644
> index 000000000000..18757d270961
> --- /dev/null
> +++ b/include/linux/auditsc_classmacros.h
> @@ -0,0 +1,23 @@
> +/* SPDX-License-Identifier: GPL-2.0-or-later */
> +/* auditsc_classmacros.h -- Auditing support syscall macros
> + *
> + * Copyright 2021 Red Hat Inc., Durham, North Carolina.
> + * All Rights Reserved.
> + *
> + * Author: Richard Guy Briggs <rgb@redhat.com>
> + */
> +#ifndef _LINUX_AUDITSCM_H_
> +#define _LINUX_AUDITSCM_H_
> +
> +enum auditsc_class_t {
> +       AUDITSC_NATIVE = 0,
> +       AUDITSC_COMPAT,
> +       AUDITSC_OPEN,
> +       AUDITSC_OPENAT,
> +       AUDITSC_SOCKETCALL,
> +       AUDITSC_EXECVE,
> +
> +       AUDITSC_NVALS /* count */
> +};
> +
> +#endif

My apologies Richard, for some reason I had it in my mind that this
series was waiting on you to answer a question and/or respin; however,
now that I'm clearing my patch queues looking for any stragglers I see
that isn't the case.  Looking over the patchset I think it looks okay
to me, my only concern is that "auditsc_classmacros.h" is an awfully
specific header file name and could prove to be annoying if we want to
add to it in the future.  What do you think about something like
"audit_arch.h" instead?

If that change is okay with you I can go ahead and do the rename while
I'm merging the patches, I'll consider it penance for letting this
patchset sit for so long :/

-- 
paul moore
www.paul-moore.com

