Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp1047589rwe; Thu, 1 Sep 2022 11:35:04 -0700 (PDT) X-Google-Smtp-Source: AA6agR5GO2oeluDUa7bjm55jrC8b23NgD85KyL/pFoTMhTfA4AFG03KUzJn1yZzXPrGCRZvTocBu X-Received: by 2002:a63:fa4a:0:b0:430:74b4:902c with SMTP id g10-20020a63fa4a000000b0043074b4902cmr4243328pgk.253.1662057304390; Thu, 01 Sep 2022 11:35:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662057304; cv=none; d=google.com; s=arc-20160816; b=JEUGd/knospE5acuP6nc7dIIVLixUnO8jXzrfvgnm4hUpbgo8dgn/bhyTKN5KBNvON TH1V+uXaoSWk/0OlRG9iYvcg7gRCp+kwhr7CSdDopArBrreLjg5rJAs5nVT+xjYxg6e8 g8JiUAgEfWqUggQ8Onsq+nah1YnXKonDd60AgMwYfC0IyYxaHAfXxqpt2yT59BtOT4/Z y5lYj/bKRq7pYD+6mqS4GEBTtQJIg2YNlg3UK40a/rGML/WNeQgO2iHacT+yecVyxL7G o6AGRjp2UAnz/AXs7NXXSEah13sg08tDB2U39Bt4fpQtBEvaa4pJzn3iLIbekZsOXazn RL6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=DWclz0cI2Qzp/WFkCaK+AoAFDfwG7DzVDaialA7WOVA=; b=IZXdtgs7VYiOnqG8SXRKjlEWYtKnmeECo2RhBHy/Y7MmJrvXXuTaLfveOy9H8QYyd/ P/7uo886OrH8hxaJ+yZKbz7dGqXfkhvpXvtl1RkHGNsW11yt1DRe218UMWyrKnQF7UcV V5ADRm2pxmeaRoGrg90PlzpSvDOgZO6+4XgjKo5r9y5jGzOwrmsvWhmB2gw89smzXmJc hFQVRiNmZmAWotJAzfxVf9D6qbuA1uOUYhbxEqmcA0a3pPZba2YauM+BBzU6t56VETCZ cn90t2KZV0QPxK7rfIZRpjELMv/Bue8O0ECFTfRJuAW57zWrPTZ7mZAoKdATgH6cG5gh NPdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=VQUzR7mE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j3-20020a056a00130300b0052f9293affcsi8691158pfu.335.2022.09.01.11.34.46; Thu, 01 Sep 2022 11:35:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=VQUzR7mE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231281AbiIASbQ (ORCPT + 99 others); Thu, 1 Sep 2022 14:31:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37060 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231589AbiIASbO (ORCPT ); Thu, 1 Sep 2022 14:31:14 -0400 Received: from mail-oa1-x2c.google.com (mail-oa1-x2c.google.com [IPv6:2001:4860:4864:20::2c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3995165810 for ; Thu, 1 Sep 2022 11:31:13 -0700 (PDT) Received: by mail-oa1-x2c.google.com with SMTP id 586e51a60fabf-11eab59db71so29779501fac.11 for ; Thu, 01 Sep 2022 11:31:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=DWclz0cI2Qzp/WFkCaK+AoAFDfwG7DzVDaialA7WOVA=; b=VQUzR7mE00Iv3vCd3+i0WpUYdn9aP59Pbv4I9ZtntuyG5+07xtyFGsIU9XPMhmJPQr Ue7O44guqoWzlr4kDQi/hLdYLyqJcLni8d4CJ5cyhLLZs7PWSroE+/LZLEeSn3ntnXey Kvg0CseM0umyM7HTJ2dBL9aK5wP1d1u5vBhRJarQfoIYVPX6pSjlSg5w6Po9NrwG8UYg EXN+lx18gHnkJ3659AigDLSmbuPI7SVGfTghpLXw6CZfg9Ij1AYksDyipHc2bH/yZYtV K96X+tdewpVSHI+/WIJjuWa5PBRKhYN16yRtsEv3AihoiAGB6IqqgUUB7etOCOCv8dI/ PMlA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=DWclz0cI2Qzp/WFkCaK+AoAFDfwG7DzVDaialA7WOVA=; b=IFyS+FnNRCYsMpD7VGDyHRPMpp6nD+73vLvW8cu7HT8cSXKdndl9ZkYsy1fwgsY7c/ bZaRfkTqM2zUTZIuG/eA6A5hyhKgtvZAP2j6vh7SP3BLJnp7iMBbENdLK4iUQyJn9iq8 nzaPhnUWqkt7+APWo6BmzsFWYO/eVQ7dm1nCYhyp0mocdDxi3WrCQRI98tjgj2KcMoMC eqSrrRgNHWRB7CQ1D1yMqvzkCdlRnA47CPhqpgkMXgvlow79N5Q7rqPeFDjfgRrzDfxP qsbsD85ZeXSbe3y6zbhJx47k4zIjJ7XcLtyQJloMjV5Jhgb5WFMFYohPTRnBPFqXeV7C ujJg== X-Gm-Message-State: ACgBeo2/XfEHHr7FupSw57UNxI3u+JmrfAAuiAMo4eyLa6e5Sivp3SUH EY4VPabpreS+08UGH+BZKD4Eb82ZG4tYKtT6q94o X-Received: by 2002:a05:6871:796:b0:11e:b92e:731e with SMTP id o22-20020a056871079600b0011eb92e731emr269638oap.41.1662057072424; Thu, 01 Sep 2022 11:31:12 -0700 (PDT) MIME-Version: 1.0 References: <12063373.O9o76ZdvQC@x2> <5600292.DvuYhMxLoT@x2> <20220901075158.jqwaz3pklf3rqc6q@quack3> In-Reply-To: <20220901075158.jqwaz3pklf3rqc6q@quack3> From: Paul Moore Date: Thu, 1 Sep 2022 14:31:01 -0400 Message-ID: Subject: Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response To: Jan Kara , Steve Grubb , Richard Guy Briggs Cc: Linux-Audit Mailing List , LKML , linux-fsdevel@vger.kernel.org, Eric Paris , Amir Goldstein Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 1, 2022 at 3:52 AM Jan Kara wrote: > On Wed 31-08-22 21:47:09, Paul Moore wrote: > > On Wed, Aug 31, 2022 at 7:55 PM Steve Grubb wrote: > > > On Wednesday, August 31, 2022 6:19:40 PM EDT Richard Guy Briggs wrote: > > > > On 2022-08-31 17:25, Steve Grubb wrote: > > > > > On Wednesday, August 31, 2022 5:07:25 PM EDT Richard Guy Briggs wrote: > > > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > > > > > index 433418d73584..f000fec52360 100644 > > > > > > > > --- a/kernel/auditsc.c > > > > > > > > +++ b/kernel/auditsc.c > > > > > > > > @@ -64,6 +64,7 @@ > > > > > > > > #include > > > > > > > > #include > > > > > > > > #include // struct open_how > > > > > > > > +#include > > > > > > > > > > > > > > > > #include "audit.h" > > > > > > > > > > > > > > > > @@ -2899,10 +2900,34 @@ void __audit_log_kern_module(char *name) > > > > > > > > context->type = AUDIT_KERN_MODULE; > > > > > > > > } > > > > > > > > > > > > > > > > -void __audit_fanotify(u32 response) > > > > > > > > +void __audit_fanotify(u32 response, size_t len, char *buf) > > > > > > > > { > > > > > > > > - audit_log(audit_context(), GFP_KERNEL, > > > > > > > > - AUDIT_FANOTIFY, "resp=%u", response); > > > > > > > > + struct fanotify_response_info_audit_rule *friar; > > > > > > > > + size_t c = len; > > > > > > > > + char *ib = buf; > > > > > > > > + > > > > > > > > + if (!(len && buf)) { > > > > > > > > + audit_log(audit_context(), GFP_KERNEL, > > > > > > > > AUDIT_FANOTIFY, > > > > > > > > + "resp=%u fan_type=0 fan_info=?", > > > > > > > > response); > > > > > > > > + return; > > > > > > > > + } > > > > > > > > + while (c >= sizeof(struct fanotify_response_info_header)) { > > > > > > > > + friar = (struct fanotify_response_info_audit_rule > > > > > > > > *)buf; > > > > > > > > > > > > > > Since the only use of this at the moment is the > > > > > > > fanotify_response_info_rule, why not pass the > > > > > > > fanotify_response_info_rule struct directly into this function? We > > > > > > > can always change it if we need to in the future without affecting > > > > > > > userspace, and it would simplify the code. > > > > > > > > > > > > Steve, would it make any sense for there to be more than one > > > > > > FAN_RESPONSE_INFO_AUDIT_RULE header in a message? Could there be more > > > > > > than one rule that contributes to a notify reason? If not, would it be > > > > > > reasonable to return -EINVAL if there is more than one? > > > > > > > > > > I don't see a reason for sending more than one header. What is more > > > > > probable is the need to send additional data in that header. I was > > > > > thinking of maybe bit mapping it in the rule number. But I'd suggest > > > > > padding the struct just in case it needs expanding some day. > > > > > > > > This doesn't exactly answer my question about multiple rules > > > > contributing to one decision. > > > > > > I don't forsee that. > > > > > > > The need for more as yet undefined information sounds like a good reason > > > > to define a new header if that happens. > > > > > > It's much better to pad the struct so that the size doesn't change. > > > > > > > At this point, is it reasonable to throw an error if more than one RULE > > > > header appears in a message? > > > > > > It is a write syscall. I'd silently discard everything else and document that > > > in the man pages. But the fanotify maintainers should really weigh in on > > > this. > > > > > > > The way I had coded this last patchset was to allow for more than one RULE > > > > header and each one would get its own record in the event. > > > > > > I do not forsee a need for this. > > > > > > > How many rules total are likely to exist? > > > > > > Could be a thousand. But I already know some missing information we'd like to > > > return to user space in an audit event, so the bit mapping on the rule number > > > might happen. I'd suggest padding one u32 for future use. > > > > A better way to handle an expansion like that would be to have a > > length/version field at the top of the struct that could be used to > > determine the size and layout of the struct. > > We already do have the 'type' and 'len' fields in > struct fanotify_response_info_header. So if audit needs to pass more > information, we can define a new 'type' and either make it replace the > current struct fanotify_response_info_audit_rule or make it expand the > information in it. At least this is how we handle similar situation when > fanotify wants to report some new bits of information to userspace. Perfect, I didn't know that was an option from the fanotify side; I agree that's the right approach. > That being said if audit wants to have u32 pad in its struct > fanotify_response_info_audit_rule for future "optional" expansion I'm not > strictly opposed to that but I don't think it is a good idea. Yes, I'm not a fan of padding out this way, especially when we have better options. > Ultimately I guess I'll leave it upto audit subsystem what it wants to have > in its struct fanotify_response_info_audit_rule because for fanotify > subsystem, it is just an opaque blob it is passing. In that case, let's stick with leveraging the type/len fields in the fanotify_response_info_header struct, that should give us all the flexibility we need. Richard and Steve, it sounds like Steve is already aware of additional information that he wants to send via the fanotify_response_info_audit_rule struct, please include that in the next revision of this patchset. I don't want to get this merged and then soon after have to hack in additional info. -- paul-moore.com