From: Paul Moore
Date: Thu, 31 Mar 2022 10:16:23 -0400
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid
To: CGEL
Cc: rth@twiddle.net, ink@jurassic.park.msu.ru, mattst88@gmail.com, eparis@redhat.com, linux-audit@redhat.com, kbuild-all@lists.01.org, linux-kernel@vger.kernel.org, Yang Yang, Zeal Robot, guo.xiaofeng@zte.com.cn, huang.junhua@zte.com.cn, dai.shixin@zte.com.cn

On Wed, Mar 30, 2022 at 10:29 PM CGEL wrote:
> On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> >
> > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > syscalls, I would consider that a bug which should be fixed.
>
> If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> be forcible or be a rule that can be configure? I think configure is
> better.

It isn't clear to me exactly what you are asking, but I would expect
the existing audit syscall filtering mechanism to work regardless if
the syscall is valid or not. Beware that there are some limitations
to the audit syscall filter, which are unfortunately baked into the
current design/implementation, which may affect this to some extent.

-- 
paul-moore.com