From: david.abdurachmanov@gmail.com (David Abdurachmanov) To: linux-riscv@lists.infradead.org Subject: [PATCH 0/2] riscv: add audit support Date: Tue, 6 Nov 2018 22:25:20 +0100 [thread overview] Message-ID: <CAEn-LTqQgQkA1XyihEg0MpADLPQADf3Ej2noUp29UtbcEaf0RA@mail.gmail.com> (raw) In-Reply-To: <CAHC9VhSaGo0BmX5AsTcnppiVz2Lz8BFkjRA0jg_uuPix3Ziiog@mail.gmail.com> On Tue, Nov 6, 2018 at 9:06 PM Paul Moore <paul@paul-moore.com> wrote: > > On Mon, Oct 29, 2018 at 6:49 AM David Abdurachmanov > <david.abdurachmanov@gmail.com> wrote: > > This patchset adds system call audit support on riscv (riscv32 & > > riscv64). > > > > The pachset was prepared on top of v4.19 tag. > > > > audit-userspace changes were submitted. See: > > https://github.com/linux-audit/audit-userspace/pull/73 > > > > Tested the following manually: > > - auditctl (checked several different example rules from internet) > > - aulast > > - aulastlog > > - ausearch > > - ausyscall > > - aureport > > - autrace (compared some syscalls to strace: order and return > > value/input arguments seem to be correct) > > - /proc/self/loginuid (required by DNF [package manager]) > > > > I looked into audit-testsuite and with some adjustments results are: > > > > Failed 4/14 test programs. 19/88 subtests failed. > > I realize that the test suite failures are likely not due to your > code, but rather shortcomings in the test suite itself, but I think it > is important to resolve these problems before we commit the kernel > changes. > > You mention Fedora 29/RISCV below, is that the distro you are using > for testing? Also, are you using a stock kernel config from the > distro or your own? > > > The failing tests were due to missing CONFIG_IP_NF_MANGLE ... > > Assuming a general purpose like Fedora, that seems like an odd > omission. Any chance you can rebuild your kernel with the mangle > table? When we build Fedora, the kernel is not built in a standard way. It's only build statically and contains minimal setup. We also don't do loadable kernel modules, because there wasn't support for it months ago. It's not tested yet by us. I did rebuild with CONFIG_IP_NF_MANGLE, but I think, there was more stuff missing. Have to look again. I am experimenting on building kernel in normal Fedora way, but there are some issues right now. It also takes 12-24 hours for a single attempt. > > > ... 'id -Z' not printing categories (don't know why) ... > > Are you seeing the MLS/MCS sensitivity level, s0, or are you not > seeing any of the MLS/MCS fields? I boot my VM "selinux=1 enforcing=0". [root at fedora-riscv ~]# semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * [root at fedora-riscv ~]# id -Z unconfined_u:unconfined_r:unconfined_t:s0 > > > ... not having loadable kernel module support enablled ... > > Much like the netfilter config, any chance you can enable this in your kernel? Experimenting, not sure if it works yet. > > > ... and syscall_socketcall not being relevant for new arches. > > We will probably need to make that ABI dependent in the test suite. > > > audit-testsuite with adjustments: > > https://github.com/davidlt/audit-testsuite/tree/riscv64 > > > > Depends on: > > [PATCH 1/2] Move EM_RISCV into elf-em.h > > http://lists.infradead.org/pipermail/linux-riscv/2018-October/001885.html > > > > This should solve DNF issues in Fedora 29/RISCV. > > -- > paul moore > www.paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: David Abdurachmanov <david.abdurachmanov@gmail.com> To: Paul Moore <paul@paul-moore.com> Cc: linux-riscv@lists.infradead.org, Palmer Dabbelt <palmer@sifive.com>, linux-kernel@vger.kernel.org, aou@eecs.berkeley.edu, linux-audit@redhat.com Subject: Re: [PATCH 0/2] riscv: add audit support Date: Tue, 6 Nov 2018 22:25:20 +0100 [thread overview] Message-ID: <CAEn-LTqQgQkA1XyihEg0MpADLPQADf3Ej2noUp29UtbcEaf0RA@mail.gmail.com> (raw) Message-ID: <20181106212520.Aai_6lOhZ2JkfAOMc77HWzMty7N-zdylr8viIzOX1pM@z> (raw) In-Reply-To: <CAHC9VhSaGo0BmX5AsTcnppiVz2Lz8BFkjRA0jg_uuPix3Ziiog@mail.gmail.com> On Tue, Nov 6, 2018 at 9:06 PM Paul Moore <paul@paul-moore.com> wrote: > > On Mon, Oct 29, 2018 at 6:49 AM David Abdurachmanov > <david.abdurachmanov@gmail.com> wrote: > > This patchset adds system call audit support on riscv (riscv32 & > > riscv64). > > > > The pachset was prepared on top of v4.19 tag. > > > > audit-userspace changes were submitted. See: > > https://github.com/linux-audit/audit-userspace/pull/73 > > > > Tested the following manually: > > - auditctl (checked several different example rules from internet) > > - aulast > > - aulastlog > > - ausearch > > - ausyscall > > - aureport > > - autrace (compared some syscalls to strace: order and return > > value/input arguments seem to be correct) > > - /proc/self/loginuid (required by DNF [package manager]) > > > > I looked into audit-testsuite and with some adjustments results are: > > > > Failed 4/14 test programs. 19/88 subtests failed. > > I realize that the test suite failures are likely not due to your > code, but rather shortcomings in the test suite itself, but I think it > is important to resolve these problems before we commit the kernel > changes. > > You mention Fedora 29/RISCV below, is that the distro you are using > for testing? Also, are you using a stock kernel config from the > distro or your own? > > > The failing tests were due to missing CONFIG_IP_NF_MANGLE ... > > Assuming a general purpose like Fedora, that seems like an odd > omission. Any chance you can rebuild your kernel with the mangle > table? When we build Fedora, the kernel is not built in a standard way. It's only build statically and contains minimal setup. We also don't do loadable kernel modules, because there wasn't support for it months ago. It's not tested yet by us. I did rebuild with CONFIG_IP_NF_MANGLE, but I think, there was more stuff missing. Have to look again. I am experimenting on building kernel in normal Fedora way, but there are some issues right now. It also takes 12-24 hours for a single attempt. > > > ... 'id -Z' not printing categories (don't know why) ... > > Are you seeing the MLS/MCS sensitivity level, s0, or are you not > seeing any of the MLS/MCS fields? I boot my VM "selinux=1 enforcing=0". [root@fedora-riscv ~]# semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * [root@fedora-riscv ~]# id -Z unconfined_u:unconfined_r:unconfined_t:s0 > > > ... not having loadable kernel module support enablled ... > > Much like the netfilter config, any chance you can enable this in your kernel? Experimenting, not sure if it works yet. > > > ... and syscall_socketcall not being relevant for new arches. > > We will probably need to make that ABI dependent in the test suite. > > > audit-testsuite with adjustments: > > https://github.com/davidlt/audit-testsuite/tree/riscv64 > > > > Depends on: > > [PATCH 1/2] Move EM_RISCV into elf-em.h > > http://lists.infradead.org/pipermail/linux-riscv/2018-October/001885.html > > > > This should solve DNF issues in Fedora 29/RISCV. > > -- > paul moore > www.paul-moore.com _______________________________________________ linux-riscv mailing list linux-riscv@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2018-11-06 21:25 UTC|newest] Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-10-29 10:48 [PATCH 0/2] riscv: add audit support David Abdurachmanov 2018-10-29 10:48 ` David Abdurachmanov 2018-10-29 10:48 ` [PATCH 1/2] " David Abdurachmanov 2018-10-29 10:48 ` David Abdurachmanov 2018-11-13 1:52 ` Palmer Dabbelt 2018-11-13 1:52 ` Palmer Dabbelt 2018-11-13 23:34 ` Paul Moore 2018-11-13 23:34 ` Paul Moore 2018-11-14 23:40 ` Palmer Dabbelt 2018-11-14 23:40 ` Palmer Dabbelt 2018-10-29 10:48 ` [PATCH 2/2] riscv: audit: add audit hook in do_syscall_trace_enter/exit() David Abdurachmanov 2018-10-29 10:48 ` David Abdurachmanov 2018-10-29 22:57 ` [PATCH 0/2] riscv: add audit support Paul Moore 2018-10-29 22:57 ` Paul Moore 2018-11-06 20:06 ` Paul Moore 2018-11-06 20:06 ` Paul Moore 2018-11-06 21:25 ` David Abdurachmanov [this message] 2018-11-06 21:25 ` David Abdurachmanov 2018-11-07 10:45 ` David Abdurachmanov 2018-11-07 10:45 ` David Abdurachmanov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAEn-LTqQgQkA1XyihEg0MpADLPQADf3Ej2noUp29UtbcEaf0RA@mail.gmail.com \ --to=david.abdurachmanov@gmail.com \ --cc=linux-riscv@lists.infradead.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).