From: Paul Moore
Date: Wed, 9 Feb 2022 10:57:15 -0500
Subject: Re: [PATCH v4 2/3] audit: add support for the openat2 syscall
To: Jeff Mahoney, Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, linux-fsdevel@vger.kernel.org, Eric Paris, Steve Grubb, Alexander Viro, Eric Paris, Tony Jones
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney wrote:
>
> Hi Richard -
>
> On 5/19/21 16:00, Richard Guy Briggs wrote:
> > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> > ("open: introduce openat2(2) syscall")
> >
> > Add the openat2(2) syscall to the audit syscall classifier.
> >
> > Link: https://github.com/linux-audit/audit-kernel/issues/67
> > Signed-off-by: Richard Guy Briggs
> > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com
> > ---
>
> [...]
>
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index d775ea16505b..3f59ab209dfd 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -76,6 +76,7 @@
> > #include
> > #include
> > #include
> > +#include
> >
> > #include "audit.h"
> >
> > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
> > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
> > case AUDITSC_EXECVE:
> > return mask & AUDIT_PERM_EXEC;
> > + case AUDITSC_OPENAT2:
> > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
> > default:
> > return 0;
> > }
>
> ctx->argv[2] holds a userspace pointer and can't be dereferenced like this.
>
> I'm getting oopses, like so:
> BUG: unable to handle page fault for address: 00007fff961bbe70

Thanks Jeff. Yes, this is obviously the wrong thing to be doing; I remember checking to make sure we placed the audit_openat2_how() hook after the open_how was copied from userspace, but I missed the argv dereference in the syscall exit path when reviewing the code.

Richard, as we are already copying the open_how info into audit_context::openat2 safely, the obvious fix is to convert audit_match_perm() to use the previously copied value instead of argv. If you can't submit a patch for this today please let me know.

--
paul-moore.com
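Review bot: the added line `+ return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);` in the audit_match_perm() hunk casts ctx->argv[2] to a kernel pointer and dereferences it, but argv[] holds the raw syscall arguments, so argv[2] is the userspace address of the caller's struct open_how and the read at syscall exit is an unguarded access to user memory (the reported oops, "BUG: unable to handle page fault for address: 00007fff961bbe70", faults on exactly such a user-space address). The reply notes that audit_openat2_how() already stores a kernel copy of the struct in audit_context::openat2, so the AUDITSC_OPENAT2 case should take the flags from that copy, along the lines of `return mask & ACC_MODE((u32)ctx->openat2.flags);`, and never cast argv[] to a pointer here or in any other syscall-exit path.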
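The following is an added user-space model of the fix Paul describes, not code from the patch or from the kernel. It keeps the ACC_MODE() table and the AUDIT_PERM_* values as the kernel defines them, but struct audit_context is cut down to the fields this discussion needs, and the helpers audit_openat2_how(), audit_match_perm_openat2() and openat2_matches() are simplified stand-ins named after the kernel functions rather than copies of them. The point it shows is the safe data path: the flags are read from the struct open_how that was copied at syscall entry, never through the pointer stored in argv[2], and the returned MAY_* bits line up numerically with AUDIT_PERM_READ/WRITE, which is what makes `mask & ACC_MODE(flags)` a valid permission-filter test.

```c
/*
 * Added example (not kernel code): user-space model of matching an audit
 * permission filter against an openat2() call using the open_how that was
 * already copied into the audit context, instead of the raw user pointer
 * in the recorded syscall arguments.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>   /* O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, O_ACCMODE */

/* Filter permission bits, values as in include/uapi/linux/audit.h. */
#define AUDIT_PERM_EXEC  1
#define AUDIT_PERM_WRITE 2
#define AUDIT_PERM_READ  4
#define AUDIT_PERM_ATTR  8

/*
 * ACC_MODE as in include/linux/fs.h: indexes a 4-byte table by the two
 * O_ACCMODE bits.  O_RDONLY (0) -> MAY_READ (4), O_WRONLY (1) -> MAY_WRITE (2),
 * O_RDWR (2) and the invalid value 3 -> MAY_READ|MAY_WRITE (6).  MAY_READ and
 * MAY_WRITE are numerically AUDIT_PERM_READ and AUDIT_PERM_WRITE, so the
 * result can be ANDed directly with a filter mask.
 */
#define ACC_MODE(x) ("\004\002\006\006"[(x) & O_ACCMODE])

/* Layout of struct open_how from include/uapi/linux/openat2.h. */
struct open_how {
	uint64_t flags;
	uint64_t mode;
	uint64_t resolve;
};

enum { AUDITSC_OPENAT2 = 1 };

/* Simplified stand-in for the kernel's struct audit_context (assumption). */
struct audit_context {
	int type;
	unsigned long argv[4];    /* raw syscall args: argv[2] is a USER address */
	struct open_how openat2;  /* kernel-side copy made at syscall entry */
};

/*
 * Stand-in for the audit_openat2_how() hook: it runs after openat2() has
 * copied the caller's struct from user memory, so 'how' is kernel data and
 * can be stored for use at syscall exit.
 */
static void audit_openat2_how(struct audit_context *ctx, const struct open_how *how)
{
	ctx->type = AUDITSC_OPENAT2;
	ctx->openat2 = *how;
}

/*
 * Corrected AUDITSC_OPENAT2 case: consult ctx->openat2.flags.  The buggy
 * variant cast ctx->argv[2] to (struct open_how *) and dereferenced it,
 * which reads a user-space address from kernel context and faults.
 */
static int audit_match_perm_openat2(const struct audit_context *ctx, int mask)
{
	if (ctx->type != AUDITSC_OPENAT2)
		return 0;
	return mask & ACC_MODE((uint32_t)ctx->openat2.flags);
}

/* Does a filter with permission 'mask' match an openat2() with these flags? */
static int openat2_matches(uint64_t open_flags, int mask)
{
	/* Constructed "userspace" struct open_how for this call. */
	struct open_how user_how = { .flags = open_flags, .mode = 0, .resolve = 0 };
	struct audit_context ctx;

	memset(&ctx, 0, sizeof(ctx));
	/* Mirrors what the kernel records: the address, not the contents. */
	ctx.argv[2] = (unsigned long)(uintptr_t)&user_how;
	audit_openat2_how(&ctx, &user_how);
	return audit_match_perm_openat2(&ctx, mask) != 0;
}

int main(void)
{
	printf("O_RDONLY  vs -p r filter: %d\n", openat2_matches(O_RDONLY, AUDIT_PERM_READ));
	printf("O_RDONLY  vs -p w filter: %d\n", openat2_matches(O_RDONLY, AUDIT_PERM_WRITE));
	printf("O_WRONLY  vs -p w filter: %d\n", openat2_matches(O_WRONLY, AUDIT_PERM_WRITE));
	printf("O_RDWR    vs -p r filter: %d\n", openat2_matches(O_RDWR, AUDIT_PERM_READ));
	printf("O_RDWR    vs -p a filter: %d\n", openat2_matches(O_RDWR, AUDIT_PERM_ATTR));
	return 0;
}
```

Note that only the two O_ACCMODE bits feed the table, so an O_RDWR | O_CREAT open is still classified read and write, and an attribute-only filter (AUDIT_PERM_ATTR) never matches through this path; the model also illustrates why the syscall-exit code must never cast argv[] entries to pointers, since by then there is no guarantee the user mapping is even present.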