Received: by 2002:a05:6a10:83d0:0:0:0:0 with SMTP id o16csp24698pxh; Thu, 7 Apr 2022 12:52:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyse5m3HXZWHGsTb/vav/VWl37zsgueIsThsVGR+nB4tmf9pglTa4iMs7KelwkihnSOIjG/ X-Received: by 2002:a05:6a00:849:b0:4fb:1112:c19f with SMTP id q9-20020a056a00084900b004fb1112c19fmr15752512pfk.74.1649361145121; Thu, 07 Apr 2022 12:52:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649361145; cv=none; d=google.com; s=arc-20160816; b=DTl0cswZzz1gv2389nH3iGZcyfntNsnjftNeqvSfR9bdwgy/26AeJ5666kClIeH5vo 2ko7bj2RX1tAM9rGNNV4egJ++53KUt9z1xG/0tIDIUQmTw3oS/aHNbIzveu93+rY8Q3e TwLUJOlmWIhwdyttmDTvXK7WcdRNWh0VNuZMAr/yXzl5dwxx7bekQTtSsypQGu0vI/Lv oVwhJu5Z21Aw9CsWaz274LoT/YJZfL4ZsBPwKCkO8v4BL5/5xQlTQDP08JOgfLljmDka Ep1VE+vo0cYXcaMFPOElFdbj324DnfopA88iNDjQUM79+AS0ubPxf6YGG5sSk9Yt3tI+ OrVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:subject:cc:to:from:date:message-id:dkim-signature; bh=+wiEiEBvfqMK7vD0yutIlibA0Tc+znw73+00dq2SFVo=; b=qY6MDOH0oMHmOcMSnlCPDKzbCS8RU9AD3qP6FG0PnvUcjj1BYAxJd5P5MnZTedUjv0 cHqBvHNLFyqV27+SOGjBwOZmw4lzxEN5UuOhZtKhVIHYXREnE4TS1LnqkxsHbrIhxPce 9vZpIhObfSqggamvTIFXC5/oj8Wv0TO5fk8mevSbWu9uYvXW5TEepWMechC/jC8IgMrD U6NuN4DkjwWh8xDA7mU1GbvqPgtGc+yNc/iPtWvr8iiEcqx3OrcvzyAhmaidnKoYmgwc PAjFiTtlNnm8zT8c5Ngd5kxx0WvXgnK0W3SQBpInkQZdx4Ylik4BfZMe9Bs8VJmSmGdB YZ9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=OG+xhOfQ; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id z6-20020a170902834600b00153b2d16576si461416pln.382.2022.04.07.12.52.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Apr 2022 12:52:25 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=OG+xhOfQ; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 35A48272ACE; Thu, 7 Apr 2022 12:23:21 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239197AbiDGCiT (ORCPT + 99 others); Wed, 6 Apr 2022 22:38:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39160 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231450AbiDGCiR (ORCPT ); Wed, 6 Apr 2022 22:38:17 -0400 Received: from mail-qv1-xf29.google.com (mail-qv1-xf29.google.com [IPv6:2607:f8b0:4864:20::f29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6DF2029829 for ; Wed, 6 Apr 2022 19:36:17 -0700 (PDT) Received: by mail-qv1-xf29.google.com with SMTP id i15so4045128qvh.0 for ; Wed, 06 Apr 2022 19:36:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:from:to:cc:subject:references:mime-version :content-disposition:in-reply-to; bh=+wiEiEBvfqMK7vD0yutIlibA0Tc+znw73+00dq2SFVo=; b=OG+xhOfQK5Xuxz2rciHCm6J8j5xZrHaAmhfjLTh7X3aAb+0SEsUOeeVAky5AqMNjx7 mli22qVHf1BqUPj52/PXEtOHyjGM/Qv2sQgJb0G4qFIbHuBRfX8TG99kagvH4B7QL4LT PxGqqKLvC28yxfgAqIeMkdIDrKMjMm/2aFAfvgSPpPCb5mSnz4VY4/WOl+G4svNzdcio VgeJVZE2YhwAHATo17Ij5GAHFwzUZznPWF8AU90u79mUXdSxCqqlllOjFOJ7L1C5HexA 0iCtG2VidJVwJE+6ChMjNEAGnSitTOv1VWY9owMLN6AuEvI5EOm67q7zkTe1KCa7xKaZ nqow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:from:to:cc:subject:references :mime-version:content-disposition:in-reply-to; bh=+wiEiEBvfqMK7vD0yutIlibA0Tc+znw73+00dq2SFVo=; b=eMO4bPRyqc1IHRzbIfF9rCMVdlTlPmTxvEq1+reHdr0JPE5QiXuGFCGu3/wJccutB3 bodxIAlVET7aMkBZ0eVEAsBjX5bvd/GbEI7CTNhqybIlAHG6OqV6PKlghqWHdqEcyGkO iCx+zX4atvoKthPEFrfyqDUaQ/Y4cc+NIwQ9cvCQTvcTjnVjMk5TZNuulit2gs0MmBJt X2pzHbN1Ov+HQcrrUJ+0XdSKeWK6XxamoIhz9IxFNigNp+Zkj8x60jeRzFpIwExoVVHT wyP+a6rDt8+0+sUcNhpPYsYGkYADcfnGALL2Mx8OEotVH2onEKyV0JXmI4N5vH0jKAGW 6DXA== X-Gm-Message-State: AOAM530RrOliz5Sk29wPU6xZgOOrFkr5Ur50sRynnUPqUSDdfR9edXTZ eBBlGWXGqegrnPTv1TJt8UM= X-Received: by 2002:a05:6214:411e:b0:443:d734:df45 with SMTP id kc30-20020a056214411e00b00443d734df45mr9934133qvb.46.1649298976620; Wed, 06 Apr 2022 19:36:16 -0700 (PDT) Received: from localhost ([193.203.214.57]) by smtp.gmail.com with ESMTPSA id a9-20020ac85b89000000b002e2072c9dedsm15758392qta.67.2022.04.06.19.36.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 19:36:15 -0700 (PDT) Message-ID: <624e4e1f.1c69fb81.7e74e.f971@mx.google.com> X-Google-Original-Message-ID: <20220407023612.GA2490044@cgel.zte@gmail.com> Date: Thu, 7 Apr 2022 02:36:12 +0000 From: CGEL To: Richard Guy Briggs Cc: Paul Moore , kbuild-all@lists.01.org, Zeal Robot , linux-kernel@vger.kernel.org, eparis@redhat.com, dai.shixin@zte.com.cn, Yang Yang , linux-audit@redhat.com, ink@jurassic.park.msu.ru, huang.junhua@zte.com.cn, guo.xiaofeng@zte.com.cn, mattst88@gmail.com Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid References: <20220326094654.2361956-1-yang.yang29@zte.com.cn> <62465bf3.1c69fb81.d5424.365e@mx.google.com> <2777189.mvXUDI8C0e@x2> <624803f7.1c69fb81.972da.2dd0@mx.google.com> <624cea8e.1c69fb81.422be.e03b@mx.google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 06, 2022 at 12:49:54PM -0400, Richard Guy Briggs wrote: > On 2022-04-06 01:19, CGEL wrote: > > On Mon, Apr 04, 2022 at 11:58:50AM -0400, Richard Guy Briggs wrote: > > > On 2022-04-02 08:06, CGEL wrote: > > > > On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote: > > > > > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb wrote: > > > > > > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote: > > > > > > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote: > > > > > > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL wrote: > > > > > > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote: > > > > > > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS > > > > > > > > > > syscalls, I would consider that a bug which should be fixed. > > > > > > > > > > > > > > > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better > > > > > > > > > be forcible or be a rule that can be configure? I think configure is > > > > > > > > > better. > > > > > > > > > > > > > > > > It isn't clear to me exactly what you are asking, but I would expect > > > > > > > > the existing audit syscall filtering mechanism to work regardless if > > > > > > > > the syscall is valid or not. > > > > > > > > > > > > > > Thanks, I try to make it more clear. We found that auditctl would only > > > > > > > set rule with syscall number (>=0 && <2047) ... > > > > > > > > > > That is exactly why I wrote the warning below in my response ... > > > > > > > > > I think the question is more clear now. > > > > > > > > 1) libaudit.c wants to forbid setting invalid syscall, but inconsistent > > > > Currently way(>=0 && <2047) is inconsistent, syscall with number 2000 and > > > > syscall with number 3000 are both invalid syscall. But 2000 can be set by > > > > auditctl, and 3000 cannot be set by auditctl. > > > > A better way to do this forbidden is to use __NR_syscalls(asm-generic/unistd.h). > > > > > > > > 2) if libaudit.c do the right forbidden, kernel better ignore invalid syscall > > > > See this patch. > > > > > > > > If we want audit invalid syscall as you said before. libaudit.c should not > > > > do the forbidden, auditctl should allow setting syscall rule with 'any' number. > > > > So do you think we should fix libaudit.c? > > > > > > I'm having a bit of trouble understanding what you've said above. > > > > > > The kernel ultimately must protect itself from malice and mistakes, so > > > it must verify all data sent to it. > > > > > > Userspace can help by knowing what that kernel policy is so it can avoid > > > violating that policy or provide useful feedback if it can't. Userspace > > > can be used to make things more efficient, but the kernel is the last > > > step for security. > > > > > > If userspace and the kernel are mismatched or out of sync, then the > > > kernel enforces policy to protect itself. > > > > Much appreciate for your interpretation. Have you get any idea of how > > to solve the mismatched? From your viewpoint, I think it's better for > > kernel to not handle syscall of syscall number<0, because it's invaild > > of all arch, and has no value for attacker to probing for specific > > syscall numbers. > > Going back to the very first quoted line above, if you can generate a > test case that shows that audit is missing an auditable event, that is a > bug that should be fixed. > To reproduce "missing auditing invalid syscall": 1.add audit rule auditctl -a always,exit -F arch=b64 -S all 2.run program with invalid syscalls Code as below. Both syscall can not be audited. #include #include #include #include #include #include #include #include #include #include int main(int argc, char * argv[]) { int syscall_num = -1; syscall(syscall_num, 0, NULL); printf("syscall num is %d errno is %d, %s, %d\n",syscall_num, errno, __FILE__, __LINE__); syscall_num = 3000; syscall(syscall_num, 0, NULL); printf("syscall num is %d errno is %d, %s, %d\n",syscall_num, errno, __FILE__, __LINE__); return 1; } > > > > > > > > to the audit syscall filter, which are unfortunately baked into the > > > > > > > > current design/implementation, which may affect this to some extent. > > > > > > > > > > -- > > > > > paul-moore.com > > > > > > - RGB > > - RGB > > -- > Richard Guy Briggs > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635