From: Paul Moore
Date: Mon, 15 Aug 2022 20:22:04 -0400
Subject: Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, linux-fsdevel@vger.kernel.org, Eric Paris, Steve Grubb, Jan Kara, Amir Goldstein
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 9, 2022 at 1:23 PM Richard Guy Briggs wrote:
>
> This patch passes the full value so that the audit function can use all
> of it. The audit function was updated to log the additional information in
> the AUDIT_FANOTIFY record. The following is an example of the new record
> format:
>
> type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_info=17
>
> Suggested-by: Steve Grubb
> Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
> Signed-off-by: Richard Guy Briggs
> ---
>  fs/notify/fanotify/fanotify.c |  3 ++-
>  include/linux/audit.h         |  9 +++++----
>  kernel/auditsc.c              | 31 ++++++++++++++++++++++++++++---
>  3 files changed, 35 insertions(+), 8 deletions(-)

You've hopefully already seen the kernel test robot build warning, so I
won't bring that up again, but a few comments below ...

> diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
> index 0f36062521f4..36c3ed1af085 100644
> --- a/fs/notify/fanotify/fanotify.c
> +++ b/fs/notify/fanotify/fanotify.c
> @@ -276,7 +276,8 @@ static int fanotify_get_response(struct fsnotify_group *group, > > /* Check if the response should be audited */ > if (event->response & FAN_AUDIT) > - audit_fanotify(event->response & ~FAN_AUDIT); > + audit_fanotify(event->response & ~FAN_AUDIT, > + event->info_len, event->info_buf); > > pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__, > group, event, ret); > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 3ea198a2cd59..c69efdba12ca 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -14,6 +14,7 @@ > #include > #include > #include > +#include > > #define AUDIT_INO_UNSET ((unsigned long)-1) > #define AUDIT_DEV_UNSET ((dev_t)-1) > @@ -417,7 +418,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old); > extern void __audit_mmap_fd(int fd, int flags); > extern void __audit_openat2_how(struct open_how *how); > extern void __audit_log_kern_module(char *name); > -extern void __audit_fanotify(u32 response); > +extern void __audit_fanotify(u32 response, size_t len, char *buf); > extern void __audit_tk_injoffset(struct timespec64 offset); > extern void __audit_ntp_log(const struct audit_ntp_data *ad); > extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, > @@ -524,10 +525,10 @@ static inline void audit_log_kern_module(char *name) > __audit_log_kern_module(name); > } > > -static inline void audit_fanotify(u32 response) > +static inline void audit_fanotify(u32 response, size_t len, char *buf) > { > if (!audit_dummy_context()) > - __audit_fanotify(response); > + __audit_fanotify(response, len, buf); > } > > static inline void audit_tk_injoffset(struct timespec64 offset) 
> @@ -684,7 +685,7 @@ static inline void audit_log_kern_module(char *name) > { > } > > -static inline void audit_fanotify(u32 response) > +static inline void audit_fanotify(u32 response, size_t len, char *buf) > { } > > static inline void audit_tk_injoffset(struct timespec64 offset) > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 433418d73584..f000fec52360 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -64,6 +64,7 @@ > #include > #include > #include // struct open_how > +#include > > #include "audit.h" 
> > @@ -2899,10 +2900,34 @@ void __audit_log_kern_module(char *name) > context->type = AUDIT_KERN_MODULE; > } > > -void __audit_fanotify(u32 response) > +void __audit_fanotify(u32 response, size_t len, char *buf) > { > - audit_log(audit_context(), GFP_KERNEL, > - AUDIT_FANOTIFY, "resp=%u", response); > + struct fanotify_response_info_audit_rule *friar; > + size_t c = len; > + char *ib = buf; > + > + if (!(len && buf)) { > + audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY, > + "resp=%u fan_type=0 fan_info=?", response); > + return; > + } > + while (c >= sizeof(struct fanotify_response_info_header)) { > + friar = (struct fanotify_response_info_audit_rule *)buf; Since the only use of this at the moment is the fanotify_response_info_rule, why not pass the fanotify_response_info_rule struct directly into this function? We can always change it if we need to in the future without affecting userspace, and it would simplify the code. > + switch (friar->hdr.type) { > + case FAN_RESPONSE_INFO_AUDIT_RULE: > + if (friar->hdr.len < sizeof(*friar)) { > + audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY, > + "resp=%u fan_type=%u fan_info=(incomplete)", > + response, friar->hdr.type); > + return; > + } > + audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY, > + "resp=%u fan_type=%u fan_info=%u", > + response, friar->hdr.type, friar->audit_rule); > + } > + c -= friar->hdr.len; > + ib += friar->hdr.len; > + } > } > > void __audit_tk_injoffset(struct timespec64 offset) > -- > 2.27.0 -- paul-moore.com
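Review bot: in the include/linux/audit.h hunk, the new `buf` parameter is declared `char *` in the `extern void __audit_fanotify(...)` prototype and in both `audit_fanotify()` inline wrappers (the CONFIG_AUDITSYSCALL one and the stub), although the audit side only reads from it; declaring it `const char *buf` in all three places (and in the `__audit_fanotify()` definition in kernel/auditsc.c) documents that the record buffer is never modified and lets the caller in fanotify.c pass a const pointer without a cast.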
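Review bot: in the `while` loop of the new `__audit_fanotify()` in kernel/auditsc.c, `friar` is cast from `buf` on every iteration while the cursor that advances is `ib`, so the first header is re-parsed each time and a second record is never reached; `ib` is incremented but never read. Suggest `friar = (struct fanotify_response_info_audit_rule *)ib;`. The loop also trusts `friar->hdr.len` before checking it: a header with `hdr.len == 0` never decreases `c` and spins forever, and `c -= friar->hdr.len` wraps the `size_t` when `hdr.len > c`, after which the loop keeps reading past the supplied bytes. Rejecting `friar->hdr.len < sizeof(friar->hdr)` and `friar->hdr.len > c` before the subtraction fixes both; the latter check also covers the `FAN_RESPONSE_INFO_AUDIT_RULE` case, which compares `hdr.len` against `sizeof(*friar)` but not against `c`, so `friar->audit_rule` can currently be read beyond `len` when the header overstates its length. A `default:` arm that logs the unknown `fan_type` (or skips it explicitly) would make the silent fallthrough intentional rather than accidental.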
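The record walk that the patch adds to `__audit_fanotify()` is the part of this series most worth getting right, since the info buffer arrives with a user-supplied length. The following is an added example, not code from the patch, the kernel, or anyone in this thread: a userspace C program that walks a buffer of `fanotify_response_info_header` records with every bounds check placed before the read it guards, and formats the same `resp=... fan_type=... fan_info=...` line the commit message shows. It assumes a header layout of a one-byte type, one-byte pad and two-byte length, takes `FAN_RESPONSE_INFO_AUDIT_RULE` to be 1 (matching `fan_type=1` in the quoted record) and carries a single `audit_rule` field as the patch does; the `walk_status` codes, `walk_result` struct, and the record buffers built by `put_rule()` are all constructed for the example.

```c
/* Added example, not kernel code: a bounds-checked walk over fanotify
 * response info records, the job __audit_fanotify() does in the patch.
 * Layouts are assumed for a userspace build: 1-byte type, 1-byte pad,
 * 2-byte len, then a u32 audit_rule for the audit-rule record. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FAN_RESPONSE_INFO_AUDIT_RULE 1 /* assumed; fan_type=1 in the commit message */

struct fanotify_response_info_header {
	uint8_t type;
	uint8_t pad;
	uint16_t len;
};

struct fanotify_response_info_audit_rule {
	struct fanotify_response_info_header hdr;
	uint32_t audit_rule;
};

enum walk_status {
	WALK_OK = 0,
	WALK_BAD_LEN = -1,    /* hdr.len < header size: loop could never advance */
	WALK_TRUNCATED = -2,  /* hdr.len claims more bytes than were supplied */
	WALK_INCOMPLETE = -3, /* known type, but shorter than its struct */
	WALK_TRAILING = -4,   /* leftover bytes too short to hold a header */
};

struct walk_result {
	int records;       /* records consumed, of any type */
	int audit_rules;   /* audit-rule records formatted */
	uint32_t last_rule;
	char line[64];     /* last AUDIT_FANOTIFY-style line produced */
};

/* Walk len bytes at buf; every check precedes the read it guards. */
int fanotify_info_walk(uint32_t response, const char *buf, size_t len,
		       struct walk_result *r)
{
	const char *ib = buf;
	size_t c = len;

	memset(r, 0, sizeof(*r));
	if (!len || !buf) {
		snprintf(r->line, sizeof(r->line),
			 "resp=%u fan_type=0 fan_info=?", (unsigned)response);
		return WALK_OK;
	}
	while (c >= sizeof(struct fanotify_response_info_header)) {
		struct fanotify_response_info_header hdr;

		memcpy(&hdr, ib, sizeof(hdr)); /* copy out: no unaligned access */
		if ((size_t)hdr.len < sizeof(hdr))
			return WALK_BAD_LEN;
		if ((size_t)hdr.len > c)
			return WALK_TRUNCATED;
		if (hdr.type == FAN_RESPONSE_INFO_AUDIT_RULE) {
			struct fanotify_response_info_audit_rule friar;

			if ((size_t)hdr.len < sizeof(friar))
				return WALK_INCOMPLETE;
			memcpy(&friar, ib, sizeof(friar));
			snprintf(r->line, sizeof(r->line),
				 "resp=%u fan_type=%u fan_info=%u", (unsigned)response,
				 (unsigned)hdr.type, (unsigned)friar.audit_rule);
			r->audit_rules++;
			r->last_rule = friar.audit_rule;
		}
		/* Unknown types are skipped by declared length, never parsed. */
		r->records++;
		c -= hdr.len;  /* cannot wrap: hdr.len <= c was checked */
		ib += hdr.len; /* the cursor moves, not buf */
	}
	return c ? WALK_TRAILING : WALK_OK;
}

/* Constructed input: one audit-rule record with an arbitrary claimed length. */
size_t put_rule(char *dst, uint16_t claimed_len, uint32_t rule)
{
	struct fanotify_response_info_audit_rule rec = {
		.hdr = { .type = FAN_RESPONSE_INFO_AUDIT_RULE, .pad = 0, .len = claimed_len },
		.audit_rule = rule,
	};
	memcpy(dst, &rec, sizeof(rec));
	return sizeof(rec);
}

int main(void)
{
	char buf[32];
	struct walk_result r;
	size_t n = put_rule(buf, 8, 17); /* the record quoted in the commit message */

	printf("%d %s\n", fanotify_info_walk(2, buf, n, &r), r.line);
	n = put_rule(buf, 0, 17);        /* zero-length header: rejected, no spin */
	printf("%d\n", fanotify_info_walk(2, buf, n, &r));
	n = put_rule(buf, 12, 17);       /* claims 12 bytes, 8 supplied: rejected */
	printf("%d\n", fanotify_info_walk(2, buf, n, &r));
	return 0;
}
```

The header is copied out with `memcpy` before any field is inspected, the declared length is checked against both the header size and the bytes remaining before it is subtracted, and the type-specific struct size is checked before `audit_rule` is read; with those three checks in that order, the cursor arithmetic cannot wrap and no read goes past `len`.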