Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1225542pxb; Fri, 1 Apr 2022 07:53:04 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwYvJ4OcXra8B75rgmYAnNmtFo+S286mPlHx0syT5BqAIKVniViyiIl2ba0Cv/8nXQB41is X-Received: by 2002:a17:907:94c6:b0:6da:9561:ce0 with SMTP id dn6-20020a17090794c600b006da95610ce0mr172407ejc.342.1648824784228; Fri, 01 Apr 2022 07:53:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648824784; cv=none; d=google.com; s=arc-20160816; b=JKlIikNYXj+KZVI0KIqR6fuyYZFIQpNSjdEBGJ+lWAAlVQcAzurCqZUfMe9GhneI9g tdYD4fck8bu3gvkypUSxcmtI+40gOqmc6W+xf9KAHWgPCpyxxmshGZ2re6PZQGzDoEoB P4KuCl5UCGo/7/qqjIAGWrIn2PqHsx4qJcpbaONyE+b4xPOMi8NFQWoVHyMOIupvEv1U QQ/GjjmcIzYTwEhLo7142eDeWsI+yj0Dccr6crstcCcwYaKE8aki+yy8t+hGgiISba4K Jp5iAB+oq6vaeZr0Z1kUkPKDr1c3c7g79KcrAAUH1wP++iOVR8LWFapeFBO5gUeb8SgB OS1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from:dkim-signature; bh=h6NQyMqLB58mw6AkprjfrT2eMsB7dX14dgGFHiYBaig=; b=MyVqhpVA/w8rDuxxTiwSv36cn+inrtDYJds2hatxfc5ORvYA9WfNq8z1XTB+IgoErE Bv4RIdKGpAcm1c7gkcjhq4HcTzG1r+cEfnEgenLJNi23YADEK8WlP/Q+/ymgRASOTNwM 70gdV96bzw05kgUMhUaJl4Vyt3YNE2Qb5XsQlt3THrg7qByi552Wo3jyvvMOGPsoGQWc 6X59GDy/Fm4HmCstWIrST1hga5qvAw9WCI2lNVyvvPKrda6aadmH1YiEVrYzk0sR/Hd6 QqXqz7QoSGzcaKHtyLkg4E7xvt9JMDUQChxIUwtuHh+63S6c2XWFbwPcEMRygao1uCHc CbjA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Te19cyqT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r18-20020aa7d592000000b0041945e1fb48si1676641edq.628.2022.04.01.07.52.38; Fri, 01 Apr 2022 07:53:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Te19cyqT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233825AbiDANli (ORCPT + 99 others); Fri, 1 Apr 2022 09:41:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49670 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346450AbiDANle (ORCPT ); Fri, 1 Apr 2022 09:41:34 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id B4E53377F8 for ; Fri, 1 Apr 2022 06:39:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1648820383; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=h6NQyMqLB58mw6AkprjfrT2eMsB7dX14dgGFHiYBaig=; b=Te19cyqTItTb52oZEDD3sn2FbFExWtyZDX9jMIg6oN91xyskJ2/Gk+Wk6QBgOnzY1wV8N7 zeaanDsJx+1n+Ef/2oaD7x2dJ3IfrMOvUcsc52zxzd3CNq7Bu+3Fm6quJnBaZT6zmVGcHy jvYp1wp0R7Iht0hB82Ac2IykXvwBSmM= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-450-nL7KlP4-Pv-1HD6HzTPi4A-1; Fri, 01 Apr 2022 09:39:40 -0400 X-MC-Unique: nL7KlP4-Pv-1HD6HzTPi4A-1 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0E27B101AA64; Fri, 1 Apr 2022 13:39:40 +0000 (UTC) Received: from x2.localnet (unknown [10.22.11.39]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6157342CFE9; Fri, 1 Apr 2022 13:39:39 +0000 (UTC) From: Steve Grubb To: Paul Moore , linux-audit@redhat.com, CGEL Cc: kbuild-all@lists.01.org, Zeal Robot , linux-kernel@vger.kernel.org, eparis@redhat.com, dai.shixin@zte.com.cn, Yang Yang , linux-audit@redhat.com, ink@jurassic.park.msu.ru, huang.junhua@zte.com.cn, guo.xiaofeng@zte.com.cn, mattst88@gmail.com Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid Date: Fri, 01 Apr 2022 09:39:38 -0400 Message-ID: <2777189.mvXUDI8C0e@x2> Organization: Red Hat In-Reply-To: <62465bf3.1c69fb81.d5424.365e@mx.google.com> References: <20220326094654.2361956-1-yang.yang29@zte.com.cn> <62465bf3.1c69fb81.d5424.365e@mx.google.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Scanned-By: MIMEDefang 2.85 on 10.11.54.9 X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote: > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote: > > On Wed, Mar 30, 2022 at 10:29 PM CGEL wrote: > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote: > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS > > > > syscalls, I would consider that a bug which should be fixed. > > > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better > > > be forcible or be a rule that can be configure? I think configure is > > > better. > > > > It isn't clear to me exactly what you are asking, but I would expect > > the existing audit syscall filtering mechanism to work regardless if > > the syscall is valid or not. > > Thanks, I try to make it more clear. We found that auditctl would only > set rule with syscall number (>=0 && <2047). So if userspace using > syscall whose number is (<0 || >=2047), there seems no meaning for > kernel audit to handle it, since this kind of syscall will never hit > any audit rule(this rule could not be set by auditctl). This limit is imposed by: /usr/include/linux/audit.h struct audit_rule_data { ... __u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */ Where #define AUDIT_BITMASK_SIZE 64 So, 64 * 32 = 2048 -Steve > By the way it's a little strange for auditctl(using libaudit.c) to limit > syscall number (>=0 && <2047)(see audit_rule_syscall_data()), especially > we know NR_syscalls is the real limit in kernel, you can see how other > kernel code to the similar thing in ftrace_syscall_enter(): > > static void ftrace_syscall_enter(void *data, struct pt_regs > *regs, long id) > { > ... > syscall_nr = trace_get_syscall_nr(current, regs); > if (syscall_nr < 0 || syscall_nr >= NR_syscalls) > return; > ... > } > > Thanks. > > > Beware that there are some limitations > > to the audit syscall filter, which are unfortunately baked into the > > current design/implementation, which may affect this to some extent. > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://listman.redhat.com/mailman/listinfo/linux-audit