Message-ID: <624803f7.1c69fb81.972da.2dd0@mx.google.com>
Date: Sat, 2 Apr 2022 08:06:12 +0000
From: CGEL
To: Paul Moore
Cc: Steve Grubb, linux-audit@redhat.com, kbuild-all@lists.01.org, Zeal Robot, linux-kernel@vger.kernel.org, eparis@redhat.com, dai.shixin@zte.com.cn, Yang Yang, ink@jurassic.park.msu.ru, huang.junhua@zte.com.cn, guo.xiaofeng@zte.com.cn, mattst88@gmail.com
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid
References: <20220326094654.2361956-1-yang.yang29@zte.com.cn> <62465bf3.1c69fb81.d5424.365e@mx.google.com> <2777189.mvXUDI8C0e@x2>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb wrote:
> >
> > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL wrote:
> > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > > syscalls, I would consider that a bug which should be fixed.
> > > > >
> > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > > be forcible or be a rule that can be configure? I think configure is
> > > > > better.
> > > >
> > > > It isn't clear to me exactly what you are asking, but I would expect
> > > > the existing audit syscall filtering mechanism to work regardless if
> > > > the syscall is valid or not.
> > >
> > > Thanks, I try to make it more clear. We found that auditctl would only
> > > set rule with syscall number (>=0 && <2047) ...
>
> That is exactly why I wrote the warning below in my response ...
>

I think the question is more clear now.

1) libaudit.c wants to forbid setting an invalid syscall, but does so inconsistently
   The current way (>=0 && <2047) is inconsistent: the syscall with number 2000
   and the syscall with number 3000 are both invalid syscalls, but 2000 can be
   set by auditctl and 3000 cannot be set by auditctl.
   A better way to do this forbidding is to use __NR_syscalls (asm-generic/unistd.h).

2) If libaudit.c does the right forbidding, the kernel had better ignore invalid syscalls
   See this patch.

If we want to audit invalid syscalls as you said before, libaudit.c should not
do the forbidding; auditctl should allow setting a syscall rule with 'any' number.
So do you think we should fix libaudit.c?

> > > > Beware that there are some limitations
> > > > to the audit syscall filter, which are unfortunately baked into the
> > > > current design/implementation, which may affect this to some extent.
>
> --
> paul-moore.com
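
The combinations discussed in the message above can be compared in a small model, which shows which syscall numbers would still produce an audit record under each one. This is an added example, not code from libaudit, auditctl or the kernel: only the `>=0 && <2047` bound comes from the thread, `EXAMPLE_NR_SYSCALLS` is a constructed stand-in for `__NR_syscalls`, and every type and function name is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define FIXED_LIMIT 2047         /* bound quoted in the thread: >=0 && <2047 */
#define EXAMPLE_NR_SYSCALLS 451  /* constructed stand-in for __NR_syscalls */
#define MAX_RULES 8

enum rule_check { CHECK_FIXED, CHECK_TABLE, CHECK_NONE };  /* user-space policy */
enum kernel_mode { QUICK_EXIT, FILTER_ALWAYS };            /* kernel policy */
struct ruleset { long nr[MAX_RULES]; size_t count; };

/* User-space side (hypothetical): false when the tool refuses the rule. */
bool add_rule(struct ruleset *rs, long nr, enum rule_check check)
{
    long limit = (check == CHECK_FIXED) ? FIXED_LIMIT : EXAMPLE_NR_SYSCALLS;
    if (rs->count == MAX_RULES || (check != CHECK_NONE && (nr < 0 || nr >= limit)))
        return false;
    rs->nr[rs->count++] = nr;
    return true;
}

/* Kernel side (hypothetical): true when entering syscall nr yields a record. */
bool emits_record(const struct ruleset *rs, long nr, enum kernel_mode mode)
{
    if (mode == QUICK_EXIT && (nr < 0 || nr >= EXAMPLE_NR_SYSCALLS))
        return false;            /* invalid number: exit before any rule is read */
    for (size_t i = 0; i < rs->count; i++)
        if (rs->nr[i] == nr)
            return true;
    return false;
}

/* Try to add a rule for nr, then issue syscall nr under the given policies. */
bool scenario(long nr, enum rule_check check, enum kernel_mode mode)
{
    struct ruleset rs = { .count = 0 };
    add_rule(&rs, nr, check);
    return emits_record(&rs, nr, mode);
}

int main(void)
{
    const long probes[] = { 59, 2000, 3000 };  /* constructed sample numbers */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("nr=%ld fixed+filter=%d table+quick=%d any+filter=%d\n", probes[i],
               scenario(probes[i], CHECK_FIXED, FILTER_ALWAYS),
               scenario(probes[i], CHECK_TABLE, QUICK_EXIT),
               scenario(probes[i], CHECK_NONE, FILTER_ALWAYS));
    return 0;
}
```

In this model only the "any number" rule check combined with a kernel that always evaluates the filter records both 2000 and 3000; a quick exit records neither, whichever check user space applies.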