From: Richard Guy Briggs
To: Linux-Audit Mailing List, LKML
Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs, Alexander Viro, Eric Paris, linux-fsdevel@vger.kernel.org, Aleksa Sarai
Subject: [PATCH v3 3/3] audit: add OPENAT2 record to list how
Date: Fri, 30 Apr 2021 16:35:23 -0400
X-Mailing-List: linux-kernel@vger.kernel.org

Since the openat2(2) syscall uses a struct open_how pointer to communicate its parameters, they are not usefully recorded by the audit SYSCALL record's four existing arguments. Add a new audit record type OPENAT2 that reports the parameters in its third argument, struct open_how with fields oflag, mode and resolve.

The new record in the context of an event would look like:

time->Wed Mar 17 16:28:53 2021
type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432
type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests"
type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa
type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2"
exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO" Signed-off-by: Richard Guy Briggs --- fs/open.c | 2 ++ include/linux/audit.h | 10 ++++++++++ include/uapi/linux/audit.h | 1 + kernel/audit.h | 2 ++ kernel/auditsc.c | 18 +++++++++++++++++- 5 files changed, 32 insertions(+), 1 deletion(-) diff --git a/fs/open.c b/fs/open.c index e53af13b5835..2a15bec0cf6d 100644 --- a/fs/open.c +++ b/fs/open.c @@ -1235,6 +1235,8 @@ SYSCALL_DEFINE4(openat2, int, dfd, const char __user *, filename, if (err) return err; + audit_openat2_how(&tmp); + /* O_LARGEFILE is only allowed for non-O_PATH. */ if (!(tmp.flags & O_PATH) && force_o_largefile()) tmp.flags |= O_LARGEFILE; diff --git a/include/linux/audit.h b/include/linux/audit.h index 1137df4d4171..32095e1f5bac 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -399,6 +399,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, const struct cred *old); extern void __audit_log_capset(const struct cred *new, const struct cred *old); extern void __audit_mmap_fd(int fd, int flags); +extern void __audit_openat2_how(struct open_how *how); extern void __audit_log_kern_module(char *name); extern void __audit_fanotify(unsigned int response); extern void __audit_tk_injoffset(struct timespec64 offset); @@ -495,6 +496,12 @@ static inline void audit_mmap_fd(int fd, int flags) __audit_mmap_fd(fd, flags); } +static inline void audit_openat2_how(struct open_how *how) +{ + if (unlikely(!audit_dummy_context())) + __audit_openat2_how(how); +} + static inline void audit_log_kern_module(char *name) { if (!audit_dummy_context()) @@ -646,6 +653,9 @@ static inline void audit_log_capset(const struct cred *new, static inline void audit_mmap_fd(int fd, int flags) { } +static inline void audit_openat2_how(struct open_how *how) +{ } + static inline void audit_log_kern_module(char *name) { } 
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index cd2d8279a5e4..67aea2370c6d 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -118,6 +118,7 @@ #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ #define AUDIT_BPF 1334 /* BPF subsystem */ #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ +#define AUDIT_OPENAT2 1336 /* Record showing openat2 how args */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ diff --git a/kernel/audit.h b/kernel/audit.h index 1522e100fd17..c5af17905976 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -11,6 +11,7 @@ #include #include #include +#include // struct open_how /* AUDIT_NAMES is the number of slots we reserve in the audit_context * for saving names from getname(). If we get more names we will allocate @@ -185,6 +186,7 @@ struct audit_context { int fd; int flags; } mmap; + struct open_how openat2; struct { int argc; } execve; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 27c747e0d5ab..2e9a1eea8b12 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -76,7 +76,7 @@ #include #include #include -#include +#include // struct open_how #include "audit.h" @@ -1310,6 +1310,12 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, context->mmap.flags); break; + case AUDIT_OPENAT2: + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx", + context->openat2.flags, + context->openat2.mode, + context->openat2.resolve); + break; case AUDIT_EXECVE: audit_log_execve_info(context, &ab); break; 
@@ -2529,6 +2535,16 @@ void __audit_mmap_fd(int fd, int flags) context->type = AUDIT_MMAP; } +void __audit_openat2_how(struct open_how *how) +{ + struct audit_context *context = audit_context(); + + context->openat2.flags = how->flags; + context->openat2.mode = how->mode; + context->openat2.resolve = how->resolve; + context->type = AUDIT_OPENAT2; +} + void __audit_log_kern_module(char *name) { struct audit_context *context = audit_context(); -- 2.27.0
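Review bot: in the fs/open.c hunk, `audit_openat2_how(&tmp);` is placed before the `tmp.flags |= O_LARGEFILE;` adjustment that follows it, so the record logs the flags exactly as the caller supplied them rather than the flags the open actually proceeds with. Either choice is defensible, but the commit message should state which one is intended; if the effective value is wanted, the call belongs below the O_LARGEFILE block.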
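Review bot: the `extern void __audit_openat2_how(struct open_how *how);` prototype in the first include/linux/audit.h hunk names struct open_how, but no `struct open_how;` forward declaration or openat2 header include is added in that file. Unless the header already sees the type by another route, gcc will warn that the struct is declared inside a parameter list and give it prototype scope; add `struct open_how;` next to the other forward declarations at the top of the header.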
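Review bot: the include added in the kernel/audit.h hunk (and the replacement include in the first kernel/auditsc.c hunk) carries a `// struct open_how` C99 comment; Documentation/process/coding-style.rst asks for `/* ... */` comments, so write it as `/* struct open_how */` if the annotation is kept.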
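Review bot: in the show_special hunk the new `oflag=0%llo mode=0%llo resolve=0x%llx` format prints the three struct open_how fields as raw octal/hex values, consistent with the neighbouring MMAP case, but `oflag=` and `resolve=` are new field names for userspace. The audit field dictionary and ausearch interpretation (resolve= as RESOLVE_* bits, oflag= as open flags) need a matching update, so the commit message should mention that dependency or the series should carry the userspace patch.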
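As an added example that is not part of this patch or the audit project, here is a small consumer of the new record: it decodes the oflag, mode and resolve fields of the OPENAT2 record shown in the commit message and joins it with the SYSCALL record of the same event, the way a detection pipeline would. The flag tables are assumed from the uapi headers for x86_64 (arch=c000003e), and the sample lines are an abridged copy of the event above.

```python
import re
# Constructed sample: three records of the one event shown in the patch
# description (x86_64 run, SYSCALL line shortened).
SAMPLE_LOG = """\
type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests"
type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa
type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 pid=540 auid=0 uid=0 comm="openat2"
"""
# RESOLVE_* bits from uapi <linux/openat2.h>; open flag values are the x86_64 ones.
RESOLVE_BITS = {0x01: "RESOLVE_NO_XDEV", 0x02: "RESOLVE_NO_MAGICLINKS",
                0x04: "RESOLVE_NO_SYMLINKS", 0x08: "RESOLVE_BENEATH",
                0x10: "RESOLVE_IN_ROOT", 0x20: "RESOLVE_CACHED"}
OPEN_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC", 0o2000: "O_APPEND",
              0o4000: "O_NONBLOCK", 0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY",
              0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC", 0o10000000: "O_PATH"}
ACCESS_MODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one audit line into (type, event id, {field: value}) or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}

def decode_bits(value, table):
    """Name every set bit found in table; any leftover bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return names + ([hex(value & ~sum(table))] if value & ~sum(table) else [])

def decode_openat2(fields):
    """Decode the raw oflag (octal), mode (octal) and resolve (hex) record fields."""
    oflag, resolve = int(fields["oflag"], 8), int(fields["resolve"], 16)
    return {"flags": [ACCESS_MODE[oflag & 0o3]] + decode_bits(oflag & ~0o3, OPEN_FLAGS),
            "mode": fields["mode"], "resolve": decode_bits(resolve, RESOLVE_BITS)}

def openat2_events(log_text):
    """Group records by event id; join each OPENAT2 record with its SYSCALL record."""
    events = {}
    for rtype, eid, fields in filter(None, map(parse_line, log_text.splitlines())):
        events.setdefault(eid, {})[rtype] = fields
    out = []
    for eid, recs in events.items():
        if "OPENAT2" in recs:
            summary = decode_openat2(recs["OPENAT2"])
            syscall = recs.get("SYSCALL", {})
            summary.update(event=eid, comm=syscall.get("comm"), success=syscall.get("success"))
            out.append(summary)
    return out
```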