From: Richard Guy Briggs <rgb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org, Eric Paris <eparis@parisplace.org>,
Steve Grubb <sgrubb@redhat.com>, Jan Kara <jack@suse.cz>,
Amir Goldstein <amir73il@gmail.com>
Subject: Re: [PATCH v3 3/3] fanotify: Allow audit to use the full permission event response
Date: Mon, 16 May 2022 21:57:05 -0400 [thread overview]
Message-ID: <YoMA8YtkNrx1YNlw@madcap2.tricolour.ca> (raw)
In-Reply-To: <CAHC9VhSZNbQoFfStWp96G18_pdEtV1orKRvQ0reXfD7L4TiUHA@mail.gmail.com>
On 2022-05-16 21:42, Paul Moore wrote:
> On Mon, May 16, 2022 at 4:22 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> >
> > This patch passes the full value so that the audit function can use all
> > of it. The audit function was updated to log the additional information in
> > the AUDIT_FANOTIFY record. The following is an example of the new record
> > format:
> >
> > type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17
> >
> > Suggested-by: Steve Grubb <sgrubb@redhat.com>
> > Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > fs/notify/fanotify/fanotify.c | 4 +++-
> > include/linux/audit.h | 9 +++++----
> > kernel/auditsc.c | 18 +++++++++++++++---
> > 3 files changed, 23 insertions(+), 8 deletions(-)
>
> ...
>
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 6973be0bf6c9..cb93c6ed07cd 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2893,10 +2894,21 @@ void __audit_log_kern_module(char *name)
> > context->type = AUDIT_KERN_MODULE;
> > }
> >
> > -void __audit_fanotify(u32 response)
> > +void __audit_fanotify(u32 response, u32 type, union fanotify_response_extra *info)
> > {
> > - audit_log(audit_context(), GFP_KERNEL,
> > - AUDIT_FANOTIFY, "resp=%u", response);
> > + switch (type) {
> > + case FAN_RESPONSE_INFO_AUDIT_RULE:
> > + audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
> > + "resp=%u fan_type=%u fan_ctx=%u",
> > + response, type, info->audit_rule);
> > + break;
> > + case FAN_RESPONSE_INFO_NONE:
> > + default:
> > + audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
> > + "resp=%u fan_type=%u fan_ctx=?",
> > + response, type);
> > + break;
> > + }
> > }
>
> Two things:
>
> * Instead of "fan_ctx=", would it make sense to call it "fan_extra="
> to better match the UAPI struct? I don't feel strongly either way,
> but it did occur to me just now while looking at the code so I thought
> I would mention it.
Yes, this is a good point. This is the reason I changed from
FAN_RESPONSE_INFO_AUDIT_NONE to FAN_RESPONSE_INFO_NONE, anticipating
that the extra information could have nothing to do with audit.
> * I'm also wondering if there is a way to be a bit proactive about
> future proofing this field. Since we already hex encode some fields
> with "bad" characters, would it make sense to hex encode this field
> too? Not for the "bad" character reason, but more as a way of
> marshalling the fanotify_response_extra union into an audit record. I
> can't see far enough into the future to know if this would be a good
> idea or not, but like the other point above, it popped into my head
> while looking at the code so I thought I would put it in the email :)
I resisted that idea because it adds overhead and makes it more complex
than currently necessary. I'm open to it, but would like to hear
Steve's input on this.
Thanks for the quick response.
> paul-moore.com
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
prev parent reply other threads:[~2022-05-17 1:57 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-16 20:22 [PATCH v3 0/3] fanotify: Allow user space to pass back additional audit info Richard Guy Briggs
2022-05-16 20:22 ` [PATCH v3 1/3] fanotify: Ensure consistent variable type for response Richard Guy Briggs
2022-05-16 23:06 ` Paul Moore
2022-05-16 20:22 ` [PATCH v3 2/3] fanotify: define struct members to hold response decision context Richard Guy Briggs
2022-05-17 5:37 ` Amir Goldstein
2022-05-17 10:32 ` Jan Kara
2022-05-17 11:31 ` Amir Goldstein
2022-05-17 12:06 ` Amir Goldstein
2022-05-19 0:07 ` Richard Guy Briggs
2022-05-19 6:03 ` Amir Goldstein
2022-05-19 9:55 ` Jan Kara
2022-05-17 7:16 ` kernel test robot
2022-05-17 7:26 ` kernel test robot
2022-05-16 20:22 ` [PATCH v3 3/3] fanotify: Allow audit to use the full permission event response Richard Guy Briggs
2022-05-17 1:42 ` Paul Moore
2022-05-17 1:57 ` Richard Guy Briggs [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YoMA8YtkNrx1YNlw@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=amir73il@gmail.com \
--cc=eparis@parisplace.org \
--cc=jack@suse.cz \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).