Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3654268iob; Mon, 2 May 2022 02:02:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwtKroWaMOTuy4Esjgml9wR5AQjbI1aSCT+geHu0mpfNdpyDBpuVDbzHuYl6jpd2QTk2Yhy X-Received: by 2002:a17:903:22c7:b0:15d:1c51:5bf4 with SMTP id y7-20020a17090322c700b0015d1c515bf4mr11185175plg.54.1651482124731; Mon, 02 May 2022 02:02:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651482124; cv=none; d=google.com; s=arc-20160816; b=civcorUsrvolmPti2ByLsSFLpS0wc3BS9uzZnoBCtG975qzsOY/8942IEVjY2GYZzE r27n4pAJ+UZpdrVprrZXgUGsoWZheJhBUflaT4cxLjIA1UwjDMrveJxzgw9rLfadnZz0 M7nFSdvPpC+xQmwC5lTgzK36LM7IW1B8rz0ivgmqzhOf1fAdq2dcM/9KbokcE0sJs1fB 2/+DEnTpnqiwcbBYoAToVOfemro4hv/2YKUYFHZzlIynI1FphHnTr2fbwPm0ZMdyMySQ uHx0cdz9JpKjQt9rAc1tLobuoXzO5602K6Dk+x5/XQ59jtnpGZRvVxBOtNjClzH+spbs HmLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=TbBS5zGUgS72fwCgLEHg986yKV4qQhiV58eG+bVlwi0=; b=sXHdbC9UVEuqXGqaWMZfWwndnDvSHCbPceFoZpPeS8zs9AVTX19yR/ttuTBi5E6qlv GhKKKYoq1tAvZK8NsCYwrcXZUOxs631D9reuZf5JyNk0ue8bmgvLJpPmKKIok0Vdw1k/ 1q+PhT8mkp5ts9kN/6XkFeBbS60Xh8wrd+8RJa8eBVaA4MTgHrB4ni//n41dJu4Sc+LR W2VE+PZv9Ywxwbq57SiAwZB+8huLB64Kth/sfFDfM+ZJoFGrzz6/MgNLrIL7vsv+nHun hZqWg4UuqofkPI9o59dLVWEUy87EoaHcF0REQgpDxsnKsTGAB0oGo/BxJLTZTrAB/ls1 vCeA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=YIeTMHaC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 129-20020a621887000000b0050d2ac6b8b6si12652152pfy.226.2022.05.02.02.01.49; Mon, 02 May 2022 02:02:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=YIeTMHaC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353589AbiD2A7K (ORCPT + 99 others); Thu, 28 Apr 2022 20:59:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38698 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345344AbiD2A64 (ORCPT ); Thu, 28 Apr 2022 20:58:56 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BC9DC4D247 for ; Thu, 28 Apr 2022 17:55:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1651193738; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=TbBS5zGUgS72fwCgLEHg986yKV4qQhiV58eG+bVlwi0=; b=YIeTMHaChEiQn1LaQKKZ+yzBcRJd2jcRNF2nKEmtuSUwerzjwnR3CTFZR80VXwJdHFaD7H UK7VExFxAMtdsPc3JyEarnFwZuaWUjWqvFtKvCD2MbFTBCLUW+taTrJAjODrwfkt7rAa2c IZmSS7Pu/HHTxHCQbQPFw+cXMyrJNVs= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-470-YwUT7Fm4PhKmLw-WOikKfg-1; Thu, 28 Apr 2022 20:55:37 -0400 X-MC-Unique: YwUT7Fm4PhKmLw-WOikKfg-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 784D7811E75; Fri, 29 Apr 2022 00:55:36 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-0-8.rdu2.redhat.com [10.22.0.8]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 617E740E7F06; Fri, 29 Apr 2022 00:55:35 +0000 (UTC) Date: Thu, 28 Apr 2022 20:55:33 -0400 From: Richard Guy Briggs To: Linux-Audit Mailing List , LKML , linux-fsdevel@vger.kernel.org Cc: Paul Moore , Eric Paris , Steve Grubb , Jan Kara Subject: Re: [PATCH v2 0/3] fanotify: Allow user space to pass back additional audit info Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Scanned-By: MIMEDefang 2.84 on 10.11.54.1 X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-04-28 20:44, Richard Guy Briggs wrote: > The Fanotify API can be used for access control by requesting permission > event notification. The user space tooling that uses it may have a > complicated policy that inherently contains additional context for the > decision. If this information were available in the audit trail, policy > writers can close the loop on debugging policy. Also, if this additional > information were available, it would enable the creation of tools that > can suggest changes to the policy similar to how audit2allow can help > refine labeled security. > > This patch defines 2 additional fields within the response structure > returned from user space on a permission event. The first field is 16 > bits for the context type. The context type will describe what the > meaning is of the second field. The audit system will separate the > pieces and log them individually. > > The audit function was updated to log the additional information in the > AUDIT_FANOTIFY record. The following is an example of the new record > format: > > type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17 It might have been a good idea to tag this as RFC... I have a few questions: 1. Where did "resp=" come from? It isn't in the field dictionary. It seems like a needless duplication of "res=". If it isn't, maybe it should have a "fan_" namespace prefix and become "fan_res="? 2. It appears I'm ok changing the "__u32 response" to "__u16" without breaking old userspace. Is this true on all arches? 3. What should be the action if response contains unknown flags or types? Is it reasonable to return -EINVAL? 4. Currently, struct fanotify_response has a fixed size, but if future types get defined that have variable buffer sizes, how would that be communicated or encoded? > changelog: > v1: > - first version by Steve Grubb > Link: https://lore.kernel.org/r/2042449.irdbgypaU6@x2 > > v2: > - enhancements suggested by Jan Kara > - 1/3 change %d to %u in pr_debug > - 2/3 change response from __u32 to __u16 > - mod struct fanotify_response and fanotify_perm_event add extra_info_type, extra_info_buf > - extra_info_buf size max FANOTIFY_MAX_RESPONSE_EXTRA_LEN, add struct fanotify_response_audit_rule > - extend debug statements > - remove unneeded macros > - [internal] change interface to finish_permission_event() and process_access_response() > - 3/3 update format of extra information > - [internal] change interface to audit_fanotify() > - change ctx_type= to fan_type= > Link: https://lore.kernel.org/r/cover.1651174324.git.rgb@redhat.com > > Richard Guy Briggs (3): > fanotify: Ensure consistent variable type for response > fanotify: define struct members to hold response decision context > fanotify: Allow audit to use the full permission event response > > fs/notify/fanotify/fanotify.c | 5 ++- > fs/notify/fanotify/fanotify.h | 4 +- > fs/notify/fanotify/fanotify_user.c | 59 ++++++++++++++++++++---------- > include/linux/audit.h | 8 ++-- > include/linux/fanotify.h | 3 ++ > include/uapi/linux/fanotify.h | 27 +++++++++++++- > kernel/auditsc.c | 18 +++++++-- > 7 files changed, 94 insertions(+), 30 deletions(-) > > -- > 2.27.0 > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635