Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3654268iob;
        Mon, 2 May 2022 02:02:05 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwtKroWaMOTuy4Esjgml9wR5AQjbI1aSCT+geHu0mpfNdpyDBpuVDbzHuYl6jpd2QTk2Yhy
X-Received: by 2002:a17:903:22c7:b0:15d:1c51:5bf4 with SMTP id y7-20020a17090322c700b0015d1c515bf4mr11185175plg.54.1651482124731;
        Mon, 02 May 2022 02:02:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1651482124; cv=none;
        d=google.com; s=arc-20160816;
        b=civcorUsrvolmPti2ByLsSFLpS0wc3BS9uzZnoBCtG975qzsOY/8942IEVjY2GYZzE
         r27n4pAJ+UZpdrVprrZXgUGsoWZheJhBUflaT4cxLjIA1UwjDMrveJxzgw9rLfadnZz0
         M7nFSdvPpC+xQmwC5lTgzK36LM7IW1B8rz0ivgmqzhOf1fAdq2dcM/9KbokcE0sJs1fB
         2/+DEnTpnqiwcbBYoAToVOfemro4hv/2YKUYFHZzlIynI1FphHnTr2fbwPm0ZMdyMySQ
         uHx0cdz9JpKjQt9rAc1tLobuoXzO5602K6Dk+x5/XQ59jtnpGZRvVxBOtNjClzH+spbs
         HmLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=TbBS5zGUgS72fwCgLEHg986yKV4qQhiV58eG+bVlwi0=;
        b=sXHdbC9UVEuqXGqaWMZfWwndnDvSHCbPceFoZpPeS8zs9AVTX19yR/ttuTBi5E6qlv
         GhKKKYoq1tAvZK8NsCYwrcXZUOxs631D9reuZf5JyNk0ue8bmgvLJpPmKKIok0Vdw1k/
         1q+PhT8mkp5ts9kN/6XkFeBbS60Xh8wrd+8RJa8eBVaA4MTgHrB4ni//n41dJu4Sc+LR
         W2VE+PZv9Ywxwbq57SiAwZB+8huLB64Kth/sfFDfM+ZJoFGrzz6/MgNLrIL7vsv+nHun
         hZqWg4UuqofkPI9o59dLVWEUy87EoaHcF0REQgpDxsnKsTGAB0oGo/BxJLTZTrAB/ls1
         vCeA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=YIeTMHaC;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id 129-20020a621887000000b0050d2ac6b8b6si12652152pfy.226.2022.05.02.02.01.49;
        Mon, 02 May 2022 02:02:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=YIeTMHaC;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1353589AbiD2A7K (ORCPT <rfc822;andreykovskii@gmail.com>
        + 99 others); Thu, 28 Apr 2022 20:59:10 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38698 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1345344AbiD2A64 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Apr 2022 20:58:56 -0400
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id BC9DC4D247
        for <linux-kernel@vger.kernel.org>; Thu, 28 Apr 2022 17:55:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1651193738;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=TbBS5zGUgS72fwCgLEHg986yKV4qQhiV58eG+bVlwi0=;
        b=YIeTMHaChEiQn1LaQKKZ+yzBcRJd2jcRNF2nKEmtuSUwerzjwnR3CTFZR80VXwJdHFaD7H
        UK7VExFxAMtdsPc3JyEarnFwZuaWUjWqvFtKvCD2MbFTBCLUW+taTrJAjODrwfkt7rAa2c
        IZmSS7Pu/HHTxHCQbQPFw+cXMyrJNVs=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-470-YwUT7Fm4PhKmLw-WOikKfg-1; Thu, 28 Apr 2022 20:55:37 -0400
X-MC-Unique: YwUT7Fm4PhKmLw-WOikKfg-1
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 784D7811E75;
        Fri, 29 Apr 2022 00:55:36 +0000 (UTC)
Received: from madcap2.tricolour.ca (ovpn-0-8.rdu2.redhat.com [10.22.0.8])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 617E740E7F06;
        Fri, 29 Apr 2022 00:55:35 +0000 (UTC)
Date:   Thu, 28 Apr 2022 20:55:33 -0400
From:   Richard Guy Briggs <rgb@redhat.com>
To:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        linux-fsdevel@vger.kernel.org
Cc:     Paul Moore <paul@paul-moore.com>,
        Eric Paris <eparis@parisplace.org>,
        Steve Grubb <sgrubb@redhat.com>, Jan Kara <jack@suse.cz>
Subject: Re: [PATCH v2 0/3] fanotify: Allow user space to pass back
 additional audit info
Message-ID: <Yms3hVYSRD1zT+Rz@madcap2.tricolour.ca>
References: <cover.1651174324.git.rgb@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <cover.1651174324.git.rgb@redhat.com>
X-Scanned-By: MIMEDefang 2.84 on 10.11.54.1
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
        SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022-04-28 20:44, Richard Guy Briggs wrote:
> The Fanotify API can be used for access control by requesting permission
> event notification. The user space tooling that uses it may have a
> complicated policy that inherently contains additional context for the
> decision. If this information were available in the audit trail, policy
> writers can close the loop on debugging policy. Also, if this additional
> information were available, it would enable the creation of tools that
> can suggest changes to the policy similar to how audit2allow can help
> refine labeled security.
> 
> This patch defines 2 additional fields within the response structure
> returned from user space on a permission event. The first field is 16
> bits for the context type. The context type will describe what the
> meaning is of the second field. The audit system will separate the
> pieces and log them individually.
> 
> The audit function was updated to log the additional information in the
> AUDIT_FANOTIFY record. The following is an example of the new record
> format:
> 
> type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17

It might have been a good idea to tag this as RFC...  I have a few
questions:

1. Where did "resp=" come from?  It isn't in the field dictionary.  It
seems like a needless duplication of "res=".  If it isn't, maybe it
should have a "fan_" namespace prefix and become "fan_res="?

2. It appears I'm ok changing the "__u32 response" to "__u16" without
breaking old userspace.  Is this true on all arches?

3. What should be the action if response contains unknown flags or
types?  Is it reasonable to return -EINVAL?

4. Currently, struct fanotify_response has a fixed size, but if future
types get defined that have variable buffer sizes, how would that be
communicated or encoded?

> changelog:
> v1:
> - first version by Steve Grubb <sgrubb@redhat.com>
> Link: https://lore.kernel.org/r/2042449.irdbgypaU6@x2
> 
> v2:
> - enhancements suggested by Jan Kara <jack@suse.cz>
> - 1/3 change %d to %u in pr_debug
> - 2/3 change response from __u32 to __u16
> - mod struct fanotify_response and fanotify_perm_event add extra_info_type, extra_info_buf
> - extra_info_buf size max FANOTIFY_MAX_RESPONSE_EXTRA_LEN, add struct fanotify_response_audit_rule
> - extend debug statements
> - remove unneeded macros
> - [internal] change interface to finish_permission_event() and process_access_response()
> - 3/3 update format of extra information
> - [internal] change interface to audit_fanotify()
> - change ctx_type= to fan_type=
> Link: https://lore.kernel.org/r/cover.1651174324.git.rgb@redhat.com
> 
> Richard Guy Briggs (3):
>   fanotify: Ensure consistent variable type for response
>   fanotify: define struct members to hold response decision context
>   fanotify: Allow audit to use the full permission event response
> 
>  fs/notify/fanotify/fanotify.c      |  5 ++-
>  fs/notify/fanotify/fanotify.h      |  4 +-
>  fs/notify/fanotify/fanotify_user.c | 59 ++++++++++++++++++++----------
>  include/linux/audit.h              |  8 ++--
>  include/linux/fanotify.h           |  3 ++
>  include/uapi/linux/fanotify.h      | 27 +++++++++++++-
>  kernel/auditsc.c                   | 18 +++++++--
>  7 files changed, 94 insertions(+), 30 deletions(-)
> 
> -- 
> 2.27.0
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635