Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp176737rwe; Wed, 31 Aug 2022 19:09:47 -0700 (PDT) X-Google-Smtp-Source: AA6agR4zP/jeMXVmjeBQR02a2tajImUccQpHbPhDsrisHNSX3RK5cIdGz1y6NolE2JNQAkkGWyGy X-Received: by 2002:a63:fa4a:0:b0:430:74b4:902c with SMTP id g10-20020a63fa4a000000b0043074b4902cmr1194809pgk.253.1661998186791; Wed, 31 Aug 2022 19:09:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661998186; cv=none; d=google.com; s=arc-20160816; b=PcdOQEg6ug0LYAbKHbOjgqWXyDRRvlT9rkHPXc3qzESU4PM8499+1FJGrgTyMsEbnF OG1UiGQ9sw5DHPMx1MdqCSzk8bGu9lGwB4jM8Mi3xw0YeUDcK/WnkZnRnuwMt2ou3hKc c38POZoBaNTXppKhTbgys2kOOFiKXnuNYOM69SChx59YV7qcdSwduxkrxSJ3nhclmkRj 9w2/XO5+vLYc/seshHSKBzad35SMxMFlfPXtIGNYlQNyiX3pln26xOrW0EEXfQ9P4B7d dAx6uLHqUZM15aPW8reIp6s5kkmgEKtFkZCHf7Pppre0gwA3vuxFg+0QnFRaEBOh3qCi HyBw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=TlN3L7u+wXIinFsuYqdK27x2WtBpHcllYjmImCLuHAQ=; b=heswONyBB9066tIGfL6SxA5//CREIL/4Ru+ABNFQE6WTf1piV7gBP9gi7fFlNcFm7+ rFj/Dh788GWcd4v5vmD2/+fMZUEldQwpCDqg1Em9Iow5YZ258UghGTx8nMoGKYyR+Iqr 7oAxGNgfDRmWrVmnxrma9VJjwBkUHTGRVLawDtD6lkrgDtLJLeBd/hDdX3lTUAZDSgXK wa+ULuAVijc1OXeG/CXyJUPMokLBqc4qogHuSKZquxhe0o9XHM+tAaklN1cKKg4iGTg5 +jBI5PHYohjQC3gAqF6zQESK0f3swOOIeqxhMKNH/TjsnvrfoFstPACV0McgvNSZQULR lNKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=K1OeB1Ys; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v27-20020a63151b000000b0042a39b56e98si6682346pgl.389.2022.08.31.19.09.35; Wed, 31 Aug 2022 19:09:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=K1OeB1Ys; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232842AbiIABr0 (ORCPT + 99 others); Wed, 31 Aug 2022 21:47:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52716 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232771AbiIABrW (ORCPT ); Wed, 31 Aug 2022 21:47:22 -0400 Received: from mail-oa1-x2f.google.com (mail-oa1-x2f.google.com [IPv6:2001:4860:4864:20::2f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A585AA4C0 for ; Wed, 31 Aug 2022 18:47:21 -0700 (PDT) Received: by mail-oa1-x2f.google.com with SMTP id 586e51a60fabf-11f34610d4aso17562116fac.9 for ; Wed, 31 Aug 2022 18:47:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=TlN3L7u+wXIinFsuYqdK27x2WtBpHcllYjmImCLuHAQ=; b=K1OeB1YszbZTqWguTLKSaKYwSr3mt4ww03N3PZsfia1GxvfsN1Vr3pwWf8GoktXXX9 ozwgxAa2ZfMOrzcUVIVZhdGYMC5BPpCdf0WfGLz/ywPkLp7kp6goP7wt0TDbmv6L/Kka L3+hS3CC6sEp3kgIonBvcts8dAPIWeJbM7fmr7qoxpUNeXcs03/ewiiWBknnzftkoHNZ lAvbk/LdDbeP8Mm7B+F0SKaaYRE9cKWDdoXHcKhfvM7mmPF/BPyGa+o8SYQgqjf/hRpn O2zu+/QyMKgNre9l59JqIxrboEDqP/k9kWl26cd4a8eTjU1tbRf953RGX9S9YViz+mmy sN2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=TlN3L7u+wXIinFsuYqdK27x2WtBpHcllYjmImCLuHAQ=; b=FWebCtZCjq/hiIwecK6wXAb3AJam0/RCY/lgw1+ngGB3y4mKhfHTtbJHxEwEfXfLBN gS8N4oMbOFjX8r+dXNDcAjHIPkqTNxfmUQQa7PfHpDaXMtFxo/hhNnkSvycAZQSqPyCy +4hrw/i8otOFvJgNR5wo5mlGNRY88qNo5WKlKgG2IeL2rCiz5Rgs4AHxdXmTgAD8W+nY 3hJ2Zck/Va0hY/WmvAqN/Ky2YdYpurahCK95N0euy+GKLyrs0yfu1o6Rqupcr6nxA3Mr oEM53cgi1xStyEoI7rpkTh766HVJ++5zgrDoaxYUvTpw8x+/yjRCGNZ61oJulL9XduLi jHLw== X-Gm-Message-State: ACgBeo1TQKDTzbZAmIJh6DEhZBK4vl0oo9vOqw9tBxxG01GAL8KfUvM8 51oIJT4ipU/Mh8AYlpTa/3x5KhhSCVpJOU386tXU X-Received: by 2002:a05:6871:796:b0:11e:b92e:731e with SMTP id o22-20020a056871079600b0011eb92e731emr2981881oap.41.1661996840312; Wed, 31 Aug 2022 18:47:20 -0700 (PDT) MIME-Version: 1.0 References: <12063373.O9o76ZdvQC@x2> <5600292.DvuYhMxLoT@x2> In-Reply-To: <5600292.DvuYhMxLoT@x2> From: Paul Moore Date: Wed, 31 Aug 2022 21:47:09 -0400 Message-ID: Subject: Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response To: Steve Grubb Cc: Richard Guy Briggs , Linux-Audit Mailing List , LKML , linux-fsdevel@vger.kernel.org, Eric Paris , Jan Kara , Amir Goldstein Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Aug 31, 2022 at 7:55 PM Steve Grubb wrote: > On Wednesday, August 31, 2022 6:19:40 PM EDT Richard Guy Briggs wrote: > > On 2022-08-31 17:25, Steve Grubb wrote: > > > On Wednesday, August 31, 2022 5:07:25 PM EDT Richard Guy Briggs wrote: > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > > > index 433418d73584..f000fec52360 100644 > > > > > > --- a/kernel/auditsc.c > > > > > > +++ b/kernel/auditsc.c > > > > > > @@ -64,6 +64,7 @@ > > > > > > #include > > > > > > #include > > > > > > #include // struct open_how > > > > > > +#include > > > > > > > > > > > > #include "audit.h" > > > > > > > > > > > > @@ -2899,10 +2900,34 @@ void __audit_log_kern_module(char *name) > > > > > > context->type = AUDIT_KERN_MODULE; > > > > > > } > > > > > > > > > > > > -void __audit_fanotify(u32 response) > > > > > > +void __audit_fanotify(u32 response, size_t len, char *buf) > > > > > > { > > > > > > - audit_log(audit_context(), GFP_KERNEL, > > > > > > - AUDIT_FANOTIFY, "resp=%u", response); > > > > > > + struct fanotify_response_info_audit_rule *friar; > > > > > > + size_t c = len; > > > > > > + char *ib = buf; > > > > > > + > > > > > > + if (!(len && buf)) { > > > > > > + audit_log(audit_context(), GFP_KERNEL, > > > > > > AUDIT_FANOTIFY, > > > > > > + "resp=%u fan_type=0 fan_info=?", > > > > > > response); > > > > > > + return; > > > > > > + } > > > > > > + while (c >= sizeof(struct fanotify_response_info_header)) { > > > > > > + friar = (struct fanotify_response_info_audit_rule > > > > > > *)buf; > > > > > > > > > > Since the only use of this at the moment is the > > > > > fanotify_response_info_rule, why not pass the > > > > > fanotify_response_info_rule struct directly into this function? We > > > > > can always change it if we need to in the future without affecting > > > > > userspace, and it would simplify the code. > > > > > > > > Steve, would it make any sense for there to be more than one > > > > FAN_RESPONSE_INFO_AUDIT_RULE header in a message? Could there be more > > > > than one rule that contributes to a notify reason? If not, would it be > > > > reasonable to return -EINVAL if there is more than one? > > > > > > I don't see a reason for sending more than one header. What is more > > > probable is the need to send additional data in that header. I was > > > thinking of maybe bit mapping it in the rule number. But I'd suggest > > > padding the struct just in case it needs expanding some day. > > > > This doesn't exactly answer my question about multiple rules > > contributing to one decision. > > I don't forsee that. > > > The need for more as yet undefined information sounds like a good reason > > to define a new header if that happens. > > It's much better to pad the struct so that the size doesn't change. > > > At this point, is it reasonable to throw an error if more than one RULE > > header appears in a message? > > It is a write syscall. I'd silently discard everything else and document that > in the man pages. But the fanotify maintainers should really weigh in on > this. > > > The way I had coded this last patchset was to allow for more than one RULE > > header and each one would get its own record in the event. > > I do not forsee a need for this. > > > How many rules total are likely to exist? > > Could be a thousand. But I already know some missing information we'd like to > return to user space in an audit event, so the bit mapping on the rule number > might happen. I'd suggest padding one u32 for future use. A better way to handle an expansion like that would be to have a length/version field at the top of the struct that could be used to determine the size and layout of the struct. However, to be clear, my original suggestion of passing the fanotify_response_info_rule struct internally didn't require any additional future proofing as it is an internal implementation detail and not something that is exposed to userspace; the function arguments could be changed in the future and not break userspace. I'm not quite sure how we ended up on this topic ... -- paul-moore.com