Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2152992pxj; Thu, 20 May 2021 01:04:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyG/dkDrhqLFLTd2Uz9IPuY6AvncxV4Sj8UmBb3RI9nJ6mY19J0C7714f+I/ZH6cRB9W2XI X-Received: by 2002:a6b:5a16:: with SMTP id o22mr4406932iob.63.1621497859667; Thu, 20 May 2021 01:04:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621497859; cv=none; d=google.com; s=arc-20160816; b=BlBe0hQyjz49w7cJg5sqobNv+KYDyI2KQ4JyTiS/McR9N9mN1c2hrUbwgaBU2PzVBC HJowFJ0SagOO4DhdnkLP1xsMm4eNFAw0fX2HWElDtf0GEj0R47aWVPPMie+k40mA1n57 btxPS1i8TMBflMgtUXK6eIlFQ6OW5gnNMS9p3xfBGAWoOwrXOgLOVoOs4otavrKUlalF ELuPJlSdxjAe+mkZKo+y0mOgPflxe3PuO5i8GgFf0xs9OzntZIxWQeJpojIyiYspFWFK PFhrnrv+3KuaqhqF4TK+a8GzDHlJPrx8Hyse193orK4sOLL8Mb8EvazCc4VICztqdGUZ ysrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Eqq27mVd5Zr7viQWh51qHLpqLfgwYrInNcv6P6ZTfvQ=; b=bLRKh42MPCPkgTwwo2iEXPTg+UvL6ZCTTeNQhqaNGTG4d+VoHUWdoXC51KQA1Nhxlr TDn2xx7cx4ZKGz8OcHM4b/dX/M218H/r008tbzObvbzymwMiT/Q9GE+MF58kpYUN/Z1n 3IiAPSdU8agdV8nqkENhwstp3ByxNK7XcGt200M05KcUeJGaN1SkDEb9Um8wHPEfJqQD yq+S2gR9LjZ3/JpGusdeJCvnjtDJn2fjekKgiqeYJPM2R+eWBn2mRbJ6JAAQSqMQyKTE klr3Z7CGM9Eyo4+bYFG29MZtx340d94PJrbxRsYng+y+gliKi+dz2s2n3PaW6skqLFrM 5z9Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o2si323954iov.96.2021.05.20.01.04.06; Thu, 20 May 2021 01:04:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230426AbhETIEt (ORCPT + 99 others); Thu, 20 May 2021 04:04:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:34018 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229953AbhETIEp (ORCPT ); Thu, 20 May 2021 04:04:45 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 7FFEB61001; Thu, 20 May 2021 08:03:21 +0000 (UTC) Date: Thu, 20 May 2021 10:03:18 +0200 From: Christian Brauner To: Richard Guy Briggs Cc: Linux-Audit Mailing List , LKML , Paul Moore , Eric Paris , Steve Grubb , Alexander Viro , Eric Paris , linux-fsdevel@vger.kernel.org, Aleksa Sarai Subject: Re: [PATCH v4 3/3] audit: add OPENAT2 record to list how Message-ID: <20210520080318.owvsvvhh5qdhyzhk@wittgenstein> References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 19, 2021 at 04:00:22PM -0400, Richard Guy Briggs wrote: > Since the openat2(2) syscall uses a struct open_how pointer to communicate > its parameters they are not usefully recorded by the audit SYSCALL record's > four existing arguments. > > Add a new audit record type OPENAT2 that reports the parameters in its > third argument, struct open_how with fields oflag, mode and resolve. > > The new record in the context of an event would look like: > time->Wed Mar 17 16:28:53 2021 > type=PROCTITLE msg=audit(1616012933.531:184): proctitle=73797363616C6C735F66696C652F6F70656E617432002F746D702F61756469742D7465737473756974652D737641440066696C652D6F70656E617432 > type=PATH msg=audit(1616012933.531:184): item=1 name="file-openat2" inode=29 dev=00:1f mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > type=PATH msg=audit(1616012933.531:184): item=0 name="/root/rgb/git/audit-testsuite/tests" inode=25 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 > type=CWD msg=audit(1616012933.531:184): cwd="/root/rgb/git/audit-testsuite/tests" > type=OPENAT2 msg=audit(1616012933.531:184): oflag=0100302 mode=0600 resolve=0xa > type=SYSCALL msg=audit(1616012933.531:184): arch=c000003e syscall=437 success=yes exit=4 a0=3 a1=7ffe315f1c53 a2=7ffe315f1550 a3=18 items=2 ppid=528 pid=540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="openat2" exe="/root/rgb/git/audit-testsuite/tests/syscalls_file/openat2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1616012933-bjAUcEPO" > > Signed-off-by: Richard Guy Briggs > Link: https://lore.kernel.org/r/d23fbb89186754487850367224b060e26f9b7181.1621363275.git.rgb@redhat.com > --- > fs/open.c | 2 ++ > include/linux/audit.h | 10 ++++++++++ > include/uapi/linux/audit.h | 1 + > kernel/audit.h | 2 ++ > kernel/auditsc.c | 18 +++++++++++++++++- > 5 files changed, 32 insertions(+), 1 deletion(-) > > diff --git a/fs/open.c b/fs/open.c > index e53af13b5835..2a15bec0cf6d 100644 > --- a/fs/open.c > +++ b/fs/open.c > @@ -1235,6 +1235,8 @@ SYSCALL_DEFINE4(openat2, int, dfd, const char __user *, filename, > if (err) > return err; > > + audit_openat2_how(&tmp); > + > /* O_LARGEFILE is only allowed for non-O_PATH. */ > if (!(tmp.flags & O_PATH) && force_o_largefile()) > tmp.flags |= O_LARGEFILE; > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 283bc91a6932..580a52caf16f 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -399,6 +399,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, > const struct cred *old); > extern void __audit_log_capset(const struct cred *new, const struct cred *old); > extern void __audit_mmap_fd(int fd, int flags); > +extern void __audit_openat2_how(struct open_how *how); > extern void __audit_log_kern_module(char *name); > extern void __audit_fanotify(unsigned int response); > extern void __audit_tk_injoffset(struct timespec64 offset); > @@ -495,6 +496,12 @@ static inline void audit_mmap_fd(int fd, int flags) > __audit_mmap_fd(fd, flags); > } > > +static inline void audit_openat2_how(struct open_how *how) > +{ > + if (unlikely(!audit_dummy_context())) > + __audit_openat2_how(how); > +} > + > static inline void audit_log_kern_module(char *name) > { > if (!audit_dummy_context()) > @@ -646,6 +653,9 @@ static inline void audit_log_capset(const struct cred *new, > static inline void audit_mmap_fd(int fd, int flags) > { } > > +static inline void audit_openat2_how(struct open_how *how) > +{ } > + > static inline void audit_log_kern_module(char *name) > { > } > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index cd2d8279a5e4..67aea2370c6d 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -118,6 +118,7 @@ > #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ > #define AUDIT_BPF 1334 /* BPF subsystem */ > #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ > +#define AUDIT_OPENAT2 1336 /* Record showing openat2 how args */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > diff --git a/kernel/audit.h b/kernel/audit.h > index 1522e100fd17..c5af17905976 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -11,6 +11,7 @@ > #include > #include > #include > +#include // struct open_how > > /* AUDIT_NAMES is the number of slots we reserve in the audit_context > * for saving names from getname(). If we get more names we will allocate > @@ -185,6 +186,7 @@ struct audit_context { > int fd; > int flags; > } mmap; > + struct open_how openat2; > struct { > int argc; > } execve; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 3f59ab209dfd..faf2485323a9 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -76,7 +76,7 @@ > #include > #include > #include > -#include > +#include // struct open_how > > #include "audit.h" > > @@ -1319,6 +1319,12 @@ static void show_special(struct audit_context *context, int *call_panic) > audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, > context->mmap.flags); > break; > + case AUDIT_OPENAT2: > + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx", Hm, should we maybe follow the struct member names for all entries, i.e. replace s/oflag/flags? Otherwise Acked-by: Christian Brauner > + context->openat2.flags, > + context->openat2.mode, > + context->openat2.resolve); > + break; > case AUDIT_EXECVE: > audit_log_execve_info(context, &ab); > break; > @@ -2549,6 +2555,16 @@ void __audit_mmap_fd(int fd, int flags) > context->type = AUDIT_MMAP; > } > > +void __audit_openat2_how(struct open_how *how) > +{ > + struct audit_context *context = audit_context(); > + > + context->openat2.flags = how->flags; > + context->openat2.mode = how->mode; > + context->openat2.resolve = how->resolve; > + context->type = AUDIT_OPENAT2; > +} > + > void __audit_log_kern_module(char *name) > { > struct audit_context *context = audit_context(); > -- > 2.27.0 >