Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp247986iob;
        Mon, 2 May 2022 18:28:11 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz8xy+dMIIqGXxLXK1JM56EUlFUG4dtf14r0ZvOLfu7rYU79bi92iE7NCkUXibdd3v4SxA+
X-Received: by 2002:a17:90a:ec16:b0:1da:3249:685b with SMTP id l22-20020a17090aec1600b001da3249685bmr2147545pjy.101.1651541291189;
        Mon, 02 May 2022 18:28:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1651541291; cv=none;
        d=google.com; s=arc-20160816;
        b=tGHzdofQFJqUD3KP2VoxUU9qXBlpOiDGLaOrMnvqEPDb+kn2CnMuvbXnsmd/SoVbZe
         qtBoElQATQ49UpK6WqfLscrsNz7SklFCUl8TG/CT0PWwFBhGylL/Zfkb06HJtLjnluEv
         sjWjPYNZlQQ2PPdYG7YDGeo9fCsHhwjEyUBv0o3ji1rN9SzAdV7ur/iDPEDoXXr4q5sK
         P5rrL5DSZBGUBJomSDvxZaegVPr7kBDVywiIsahYwZsfU/+0kSRoyRk56TVqj7YIXc6A
         O1FefV/dydepw/bjJL1gFcG0eCVtiotUBENwigx2xjfy7ASbs5YqGOvRVC5BmQnilHat
         dkgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=kNk9ImiYyqs8H6PNkDNCstB2cSVahuRXdiPtWKtJN2c=;
        b=ZK8Ly75lU+MWqu61rHHQ7KVGGulnWTbL2GOlq7/mzE+itd1PQqLZB0COZ+sCd2kSog
         6yiVxW1anRzyHCo4J1q/vuJqzDsNN+KclsFPoM9isrzC7yfJbHF9aOONmgV/aNj8+icC
         G6ytvVkipJvxJT2ms7dk6HTyQKVt4LTPCgznHpJyohq4uCu466AYvDLIj8z2XoTay8L1
         NApoZA67d1yM3NGvNZXrO5MU2/eUEeABG8O0AIn99KodbMUIVL1N8LrLAMBvfjLSu6gi
         S14G5ZwwqFla6qm81UwzHRthkvh+4OYTtdEwm9tn2fnqQ2XrI7xZyGbga3uBye1vb6wa
         pYFA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=gF3NudlK;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id u22-20020a056a00159600b0050822e94cefsi16537875pfk.369.2022.05.02.18.28.10
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 02 May 2022 18:28:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=gF3NudlK;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9756F29F;
	Mon,  2 May 2022 18:07:57 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229973AbiECATr (ORCPT <rfc822;ankuragr.engg@gmail.com>
        + 99 others); Mon, 2 May 2022 20:19:47 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57986 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229458AbiECATp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 2 May 2022 20:19:45 -0400
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 019B82F02B
        for <linux-kernel@vger.kernel.org>; Mon,  2 May 2022 17:16:13 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id c11so11564600wrn.8
        for <linux-kernel@vger.kernel.org>; Mon, 02 May 2022 17:16:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20210112.gappssmtp.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=kNk9ImiYyqs8H6PNkDNCstB2cSVahuRXdiPtWKtJN2c=;
        b=gF3NudlKE9cIBsVfyQYNBNcbiiEawjKgsk4NJn7Z3SN68TAr3NHMYtHWNUbXNG9b4M
         dNvPk1jdkXURu0uTDUGsRkRASLWGdXQlVnnFMstEqgCxLjN/qkjW1Ox9wos1Yf3p3WVI
         nqcViWTSZnYZrnrzpPwwrpEnuObEgrAUMlepzGoj0HPpGNfXXwiyB5NgLUiwDsH9R6H/
         1VpahIb0WwHGxypqkpGPN9MkjO6DpG8gy6AOfD3PvrbPjxiFaCEL5UbniSUygo42Tltp
         XBerRNHnAu9pOKrbBpPf27G6i9Z0SYqPBp19rfzypXuCYzsjC99T2tQTgIQToxpYvSs2
         vcZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=kNk9ImiYyqs8H6PNkDNCstB2cSVahuRXdiPtWKtJN2c=;
        b=FZIr2Cptpu+eASYaX+nLtgNmXLOLcOIvyPf+O3G2J898psJMZocjWk8wDVICn7n7+G
         HPnwuYJSl2b6worEAj5WL2H7dDkhegGvB0Q961fBNE2mnwbwA67hTNndrYetAy7nMXD5
         pqba4yNPtmHQV8y6lgnqq+T2Ipj4BrxjxGj/sELjfAbXLCRb5RcaoN5ra+wjvH7kGFRr
         TPiCLbclDqpiMBI2sq5Wq8SeM9jlaXzAM6CBVLvIhGJhIrKyxeGfv2FOu+r2wQNC0jJP
         YDUXJftpGc5TWad5qQLM4j7PXpn7HkOKpK8T5JVuran/DdmMJyHAPqlnYQVWRROvaiFX
         mkkg==
X-Gm-Message-State: AOAM532Q0b5JotJi6ZOe7WzOA+Bgd+KO3al/kaI2zSJuM4bp9Ppl76BO
        QF+4VQYPfb865scMk1MRCOGSIvUTu1m87DINN1OKRZ5dbA==
X-Received: by 2002:a05:6000:80e:b0:20c:5b45:a700 with SMTP id
 bt14-20020a056000080e00b0020c5b45a700mr7229179wrb.662.1651536972237; Mon, 02
 May 2022 17:16:12 -0700 (PDT)
MIME-Version: 1.0
References: <cover.1651174324.git.rgb@redhat.com> <Yms3hVYSRD1zT+Rz@madcap2.tricolour.ca>
In-Reply-To: <Yms3hVYSRD1zT+Rz@madcap2.tricolour.ca>
From:   Paul Moore <paul@paul-moore.com>
Date:   Mon, 2 May 2022 20:16:01 -0400
Message-ID: <CAHC9VhSGda5NofudLtsKspPjGc9bnZd=DZL9Mo-PJtJbb9RO4w@mail.gmail.com>
Subject: Re: [PATCH v2 0/3] fanotify: Allow user space to pass back additional
 audit info
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        linux-fsdevel@vger.kernel.org, Eric Paris <eparis@parisplace.org>,
        Steve Grubb <sgrubb@redhat.com>, Jan Kara <jack@suse.cz>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 28, 2022 at 8:55 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2022-04-28 20:44, Richard Guy Briggs wrote:
> > The Fanotify API can be used for access control by requesting permission
> > event notification. The user space tooling that uses it may have a
> > complicated policy that inherently contains additional context for the
> > decision. If this information were available in the audit trail, policy
> > writers can close the loop on debugging policy. Also, if this additional
> > information were available, it would enable the creation of tools that
> > can suggest changes to the policy similar to how audit2allow can help
> > refine labeled security.
> >
> > This patch defines 2 additional fields within the response structure
> > returned from user space on a permission event. The first field is 16
> > bits for the context type. The context type will describe what the
> > meaning is of the second field. The audit system will separate the
> > pieces and log them individually.
> >
> > The audit function was updated to log the additional information in the
> > AUDIT_FANOTIFY record. The following is an example of the new record
> > format:
> >
> > type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17
>
> It might have been a good idea to tag this as RFC...  I have a few
> questions:
>
> 1. Where did "resp=" come from?

According to the git log, it came from Steve Grubb via de8cd83e91bc
("audit: Record fanotify access control decisions").  Steve should
have known what he was doing with respect to field names so I'm
assuming he had a reason.

> It isn't in the field dictionary.  It
> seems like a needless duplication of "res=".  If it isn't, maybe it
> should have a "fan_" namespace prefix and become "fan_res="?

Regardless of what it should have been, it is "resp" now and we can't
really change it.  As far as the field dictionary is concerned, while
we should document these fields, it is important to note that when the
dictionary conflicts with the kernel, the kernel wins by definition.

> 2. It appears I'm ok changing the "__u32 response" to "__u16" without
> breaking old userspace.  Is this true on all arches?

I can't answer that for you, the fanotify folks will need to look at
that, but you likely already know that.  While I haven't gone through
the entire patchset yet, if it was me I probably would have left
response as a u32 and just added the extra fields; you are already
increasing the size of fanotify_response so why bother with shrinking
an existing field?

> 3. What should be the action if response contains unknown flags or
> types?  Is it reasonable to return -EINVAL?

Once again, not a fanotify expert, but EINVAL is intended for invalid
input so it seems like a reasonable choice.

> 4. Currently, struct fanotify_response has a fixed size, but if future
> types get defined that have variable buffer sizes, how would that be
> communicated or encoded?

If that is a concern, you should probably include a length field in
the structure before the variable length field.  You can't put it
before fd or response, so it's really a question of before or after
your new extra_info_type; I might suggest *after* extra_info_type, but
that's just me.


--
paul-moore.com