Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp247986iob; Mon, 2 May 2022 18:28:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz8xy+dMIIqGXxLXK1JM56EUlFUG4dtf14r0ZvOLfu7rYU79bi92iE7NCkUXibdd3v4SxA+ X-Received: by 2002:a17:90a:ec16:b0:1da:3249:685b with SMTP id l22-20020a17090aec1600b001da3249685bmr2147545pjy.101.1651541291189; Mon, 02 May 2022 18:28:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651541291; cv=none; d=google.com; s=arc-20160816; b=tGHzdofQFJqUD3KP2VoxUU9qXBlpOiDGLaOrMnvqEPDb+kn2CnMuvbXnsmd/SoVbZe qtBoElQATQ49UpK6WqfLscrsNz7SklFCUl8TG/CT0PWwFBhGylL/Zfkb06HJtLjnluEv sjWjPYNZlQQ2PPdYG7YDGeo9fCsHhwjEyUBv0o3ji1rN9SzAdV7ur/iDPEDoXXr4q5sK P5rrL5DSZBGUBJomSDvxZaegVPr7kBDVywiIsahYwZsfU/+0kSRoyRk56TVqj7YIXc6A O1FefV/dydepw/bjJL1gFcG0eCVtiotUBENwigx2xjfy7ASbs5YqGOvRVC5BmQnilHat dkgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=kNk9ImiYyqs8H6PNkDNCstB2cSVahuRXdiPtWKtJN2c=; b=ZK8Ly75lU+MWqu61rHHQ7KVGGulnWTbL2GOlq7/mzE+itd1PQqLZB0COZ+sCd2kSog 6yiVxW1anRzyHCo4J1q/vuJqzDsNN+KclsFPoM9isrzC7yfJbHF9aOONmgV/aNj8+icC G6ytvVkipJvxJT2ms7dk6HTyQKVt4LTPCgznHpJyohq4uCu466AYvDLIj8z2XoTay8L1 NApoZA67d1yM3NGvNZXrO5MU2/eUEeABG8O0AIn99KodbMUIVL1N8LrLAMBvfjLSu6gi S14G5ZwwqFla6qm81UwzHRthkvh+4OYTtdEwm9tn2fnqQ2XrI7xZyGbga3uBye1vb6wa pYFA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=gF3NudlK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id u22-20020a056a00159600b0050822e94cefsi16537875pfk.369.2022.05.02.18.28.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 May 2022 18:28:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=gF3NudlK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9756F29F; Mon, 2 May 2022 18:07:57 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229973AbiECATr (ORCPT + 99 others); Mon, 2 May 2022 20:19:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57986 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229458AbiECATp (ORCPT ); Mon, 2 May 2022 20:19:45 -0400 Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 019B82F02B for ; Mon, 2 May 2022 17:16:13 -0700 (PDT) Received: by mail-wr1-x429.google.com with SMTP id c11so11564600wrn.8 for ; Mon, 02 May 2022 17:16:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kNk9ImiYyqs8H6PNkDNCstB2cSVahuRXdiPtWKtJN2c=; b=gF3NudlKE9cIBsVfyQYNBNcbiiEawjKgsk4NJn7Z3SN68TAr3NHMYtHWNUbXNG9b4M dNvPk1jdkXURu0uTDUGsRkRASLWGdXQlVnnFMstEqgCxLjN/qkjW1Ox9wos1Yf3p3WVI nqcViWTSZnYZrnrzpPwwrpEnuObEgrAUMlepzGoj0HPpGNfXXwiyB5NgLUiwDsH9R6H/ 1VpahIb0WwHGxypqkpGPN9MkjO6DpG8gy6AOfD3PvrbPjxiFaCEL5UbniSUygo42Tltp XBerRNHnAu9pOKrbBpPf27G6i9Z0SYqPBp19rfzypXuCYzsjC99T2tQTgIQToxpYvSs2 vcZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kNk9ImiYyqs8H6PNkDNCstB2cSVahuRXdiPtWKtJN2c=; b=FZIr2Cptpu+eASYaX+nLtgNmXLOLcOIvyPf+O3G2J898psJMZocjWk8wDVICn7n7+G HPnwuYJSl2b6worEAj5WL2H7dDkhegGvB0Q961fBNE2mnwbwA67hTNndrYetAy7nMXD5 pqba4yNPtmHQV8y6lgnqq+T2Ipj4BrxjxGj/sELjfAbXLCRb5RcaoN5ra+wjvH7kGFRr TPiCLbclDqpiMBI2sq5Wq8SeM9jlaXzAM6CBVLvIhGJhIrKyxeGfv2FOu+r2wQNC0jJP YDUXJftpGc5TWad5qQLM4j7PXpn7HkOKpK8T5JVuran/DdmMJyHAPqlnYQVWRROvaiFX mkkg== X-Gm-Message-State: AOAM532Q0b5JotJi6ZOe7WzOA+Bgd+KO3al/kaI2zSJuM4bp9Ppl76BO QF+4VQYPfb865scMk1MRCOGSIvUTu1m87DINN1OKRZ5dbA== X-Received: by 2002:a05:6000:80e:b0:20c:5b45:a700 with SMTP id bt14-20020a056000080e00b0020c5b45a700mr7229179wrb.662.1651536972237; Mon, 02 May 2022 17:16:12 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Paul Moore Date: Mon, 2 May 2022 20:16:01 -0400 Message-ID: Subject: Re: [PATCH v2 0/3] fanotify: Allow user space to pass back additional audit info To: Richard Guy Briggs Cc: Linux-Audit Mailing List , LKML , linux-fsdevel@vger.kernel.org, Eric Paris , Steve Grubb , Jan Kara Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 28, 2022 at 8:55 PM Richard Guy Briggs wrote: > On 2022-04-28 20:44, Richard Guy Briggs wrote: > > The Fanotify API can be used for access control by requesting permission > > event notification. The user space tooling that uses it may have a > > complicated policy that inherently contains additional context for the > > decision. If this information were available in the audit trail, policy > > writers can close the loop on debugging policy. Also, if this additional > > information were available, it would enable the creation of tools that > > can suggest changes to the policy similar to how audit2allow can help > > refine labeled security. > > > > This patch defines 2 additional fields within the response structure > > returned from user space on a permission event. The first field is 16 > > bits for the context type. The context type will describe what the > > meaning is of the second field. The audit system will separate the > > pieces and log them individually. > > > > The audit function was updated to log the additional information in the > > AUDIT_FANOTIFY record. The following is an example of the new record > > format: > > > > type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17 > > It might have been a good idea to tag this as RFC... I have a few > questions: > > 1. Where did "resp=" come from? According to the git log, it came from Steve Grubb via de8cd83e91bc ("audit: Record fanotify access control decisions"). Steve should have known what he was doing with respect to field names so I'm assuming he had a reason. > It isn't in the field dictionary. It > seems like a needless duplication of "res=". If it isn't, maybe it > should have a "fan_" namespace prefix and become "fan_res="? Regardless of what it should have been, it is "resp" now and we can't really change it. As far as the field dictionary is concerned, while we should document these fields, it is important to note that when the dictionary conflicts with the kernel, the kernel wins by definition. > 2. It appears I'm ok changing the "__u32 response" to "__u16" without > breaking old userspace. Is this true on all arches? I can't answer that for you, the fanotify folks will need to look at that, but you likely already know that. While I haven't gone through the entire patchset yet, if it was me I probably would have left response as a u32 and just added the extra fields; you are already increasing the size of fanotify_response so why bother with shrinking an existing field? > 3. What should be the action if response contains unknown flags or > types? Is it reasonable to return -EINVAL? Once again, not a fanotify expert, but EINVAL is intended for invalid input so it seems like a reasonable choice. > 4. Currently, struct fanotify_response has a fixed size, but if future > types get defined that have variable buffer sizes, how would that be > communicated or encoded? If that is a concern, you should probably include a length field in the structure before the variable length field. You can't put it before fd or response, so it's really a question of before or after your new extra_info_type; I might suggest *after* extra_info_type, but that's just me. -- paul-moore.com