Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
From:   Steve Grubb <sgrubb@redhat.com>
To:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        linux-fsdevel@vger.kernel.org, Richard Guy Briggs <rgb@redhat.com>
Cc:     Paul Moore <paul@paul-moore.com>,
        Eric Paris <eparis@parisplace.org>, Jan Kara <jack@suse.cz>
Subject: Re: [PATCH v2 0/3] fanotify: Allow user space to pass back additional audit info
Date:   Tue, 03 May 2022 16:57:57 -0400
Message-ID: <8060610.T7Z3S40VBb@x2>
Organization: Red Hat
In-Reply-To: <Yms3hVYSRD1zT+Rz@madcap2.tricolour.ca>
References: <cover.1651174324.git.rgb@redhat.com> <Yms3hVYSRD1zT+Rz@madcap2.tricolour.ca>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk

On Thursday, April 28, 2022 8:55:33 PM EDT Richard Guy Briggs wrote:
> On 2022-04-28 20:44, Richard Guy Briggs wrote:
> > The Fanotify API can be used for access control by requesting permission
> > event notification. The user space tooling that uses it may have a
> > complicated policy that inherently contains additional context for the
> > decision. If this information were available in the audit trail, policy
> > writers can close the loop on debugging policy. Also, if this additional
> > information were available, it would enable the creation of tools that
> > can suggest changes to the policy similar to how audit2allow can help
> > refine labeled security.
> > 
> > This patch defines 2 additional fields within the response structure
> > returned from user space on a permission event. The first field is 16
> > bits for the context type. The context type will describe what the
> > meaning is of the second field. The audit system will separate the
> > pieces and log them individually.
> > 
> > The audit function was updated to log the additional information in the
> > AUDIT_FANOTIFY record. The following is an example of the new record
> > format:
> > 
> > type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17
> 
> It might have been a good idea to tag this as RFC...  I have a few
> questions:
> 
> 1. Where did "resp=" come from? 

This is an abbreviation for the response field of struct fanotify_response. I 
wanted to keep it short to save bytes.

> It isn't in the field dictionary.  It seems like a needless duplication of
> "res=".  If it isn't, maybe it should have a "fan_" namespace prefix and
> become "fan_res="?

At this point it's been interpretted for years.
 
> 2. It appears I'm ok changing the "__u32 response" to "__u16" without
> breaking old userspace.  Is this true on all arches?

If done carefully. Old user space won't try to use the new capabilities. The 
only trick is new user space/old kernel.

> 3. What should be the action if response contains unknown flags or
> types?  Is it reasonable to return -EINVAL?

The original patch was designed to allow the response metadata to take on 
various different meanings based on new usage. The original patch only defined 
a rule order numbering which if something else wanted to send it's own 
metadata about a decision, a new patch could layer on top of this without 
interfering.

If this is an access decision that is rejected with EINVAL (and assuming 
future decisions will also be formed the same way), the whole system is 
getting ready to lock up - even though a real answer is in the response.

> 4. Currently, struct fanotify_response has a fixed size, but if future
> types get defined that have variable buffer sizes, how would that be
> communicated or encoded?

I hadn't considered that as it would be too much of a change that I would be 
uncomfortable doing. That could be a future evolution if it's ever needed.

-Steve