Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp1794156rwn; Fri, 9 Sep 2022 04:18:06 -0700 (PDT) X-Google-Smtp-Source: AA6agR41LIpIe5iHdWHRCrUky2nDhCquk+pIE41wCMabX64K2ASinkW8NkLJItPi4pDUfM39MW/x X-Received: by 2002:a63:1e11:0:b0:41c:d233:31f8 with SMTP id e17-20020a631e11000000b0041cd23331f8mr11755704pge.228.1662722286159; Fri, 09 Sep 2022 04:18:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662722286; cv=none; d=google.com; s=arc-20160816; b=dlSBQKEBeYtLP7fPU1++OsLu1MBEXiHcenV9fkMxIFYKQc6DLqiJDHUTdMxZ5ROIk7 rxHZZj1X67+QBIERiYn6SBrU1Dfcu7Y0O9jwtTki4XT0IjnbYFwqYoJFSx8fA3smW+Ep cz6Y0ohJeHff89SRCHbxjdV7HkclWGndk1Xvk4P/nvC4QlyJblO+NrzC8FEa+Phbqj2m zk4ooOUHeQgDWrC/Y7LPLFptqXuyhUhDZBqEj9LDN7zm+vRS6xbbSosCsyT4JKok4sg5 t1HZEOi7CansP7Rd/1KlnHiRh9Ac0QSHOm51dWSsyXaH6LFy96D+B+iHA4ojSKGZrQL6 fg5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=jc0d4GvYAZFGV+o/z8IImilKpYEBIOuhp0/HsQ8mNfY=; b=jtysBvFDU/1MRabrMCuiqtArZr6kpqaYy6Hp5EJtWGQUY9YecShRSlv8bUI6fkNB8d Vp6544TQJo0C4D7dufeWAQriS9hXgv6bYygiznMl9zNXoeiSEGe/U5BXNjH/UfgDMefG lQPWLX45cxqwws0fpxL3Ux3f58ynuBb9286a1uVuPvKecPCsiUW/zARRRmB5WH/r4+pj E/bW+gaVUZrM5PHpCKGByxHZjzuDzJlnj5MHfbj25IdHh1vA+JohtJIPyiijgfBj0MMv IGOSds0yIV2YdQYx3NtCe5Dhi74zKd2lt6CSWsdJoHcb1EtEVevg/dm7jxBJlsQT+Q7A tLjQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=OtZDXLRA; dkim=neutral (no key) header.i=@suse.cz header.b=qLZIFqvo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g8-20020a170902740800b001768876fc87si250533pll.362.2022.09.09.04.17.53; Fri, 09 Sep 2022 04:18:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=OtZDXLRA; dkim=neutral (no key) header.i=@suse.cz header.b=qLZIFqvo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229902AbiIILJv (ORCPT + 99 others); Fri, 9 Sep 2022 07:09:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40008 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229970AbiIILJs (ORCPT ); Fri, 9 Sep 2022 07:09:48 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0C26A4E84A; Fri, 9 Sep 2022 04:09:46 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 8F1292288F; Fri, 9 Sep 2022 11:09:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1662721785; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=jc0d4GvYAZFGV+o/z8IImilKpYEBIOuhp0/HsQ8mNfY=; b=OtZDXLRAx8/3DXs7hJJ/D+PJQ5qqbdbUBgJFXYVCoDY6wzHrg9HPmkWGDZ3u8QSE4ssn1t aQJ3dwkChQWmRaVP3iVCjGMSQ+Qjuh2kZmPvpXTL+w6TkKocroeX9T2c8mw7XgsgXXWPuF SsizCCQDo5hZu0ObFUvkdyU0v2XG2Tw= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1662721785; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=jc0d4GvYAZFGV+o/z8IImilKpYEBIOuhp0/HsQ8mNfY=; b=qLZIFqvob0RnArjNrWkgvQBYJkD6KS6Ck8NjN9xQqOOYzPiVWqkAL7HDJdoARbJoBJgYMB OqAeq1tj2qeUT8Cg== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 80D84139D5; Fri, 9 Sep 2022 11:09:45 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id BdpvH/keG2MCCwAAMHmgww (envelope-from ); Fri, 09 Sep 2022 11:09:45 +0000 Received: by quack3.suse.cz (Postfix, from userid 1000) id DDADFA0684; Fri, 9 Sep 2022 13:09:44 +0200 (CEST) Date: Fri, 9 Sep 2022 13:09:44 +0200 From: Jan Kara To: Steve Grubb Cc: Richard Guy Briggs , Paul Moore , Jan Kara , Linux-Audit Mailing List , LKML , linux-fsdevel@vger.kernel.org, Eric Paris , Amir Goldstein Subject: Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response Message-ID: <20220909110944.yfnuqhsiyw3ekkcn@quack3> References: <2254258.ElGaqSPkdT@x2> <2254543.ElGaqSPkdT@x2> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2254543.ElGaqSPkdT@x2> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Steve! On Fri 09-09-22 00:03:53, Steve Grubb wrote: > On Thursday, September 8, 2022 10:41:44 PM EDT Richard Guy Briggs wrote: > > > I'm trying to abide by what was suggested by the fs-devel folks. I can > > > live with it. But if you want to make something non-generic for all > > > users of fanotify, call the new field "trusted". This would decern when > > > a decision was made because the file was untrusted or access denied for > > > another reason. > > > > So, "u32 trusted;" ? How would you like that formatted? > > "fan_trust={0|1}" > > So how does this play out if there is another user? Do they want a num= and > trust= if not, then the AUDIT_FANOTIFY record will have multiple formats > which is not good. I'd rather suggest something generic that can be > interpreted based on who's attached to fanotify. IOW we have a fan_type=0 and > then followed by info0= info1= the interpretation of those solely depend on > fan_type. If the fan_type does not need both, then any interpretation skips > what it doesn't need. If fan_type=1, then it follows what arg0= and arg1= is > for that format. But make this pivot on fan_type and not actual names. So I think there is some misunderstanding so let me maybe spell out in detail how I see things so that we can get on the same page: It was a requirement from me (and probably Amir) that there is a generic way to attach additional info to a response to fanotify permission event. This is achieved by defining: struct fanotify_response_info_header { __u8 type; __u8 pad; __u16 len; }; which is a generic header and kernel can based on 'len' field decide how large the response structure is (to safely copy it from userspace) and based on 'type' field it can decide who should be the recipient of this extra information (or generally what to do with it). So any additional info needs to start with this header. Then there is: struct fanotify_response_info_audit_rule { struct fanotify_response_info_header hdr; __u32 audit_rule; }; which properly starts with the header and hdr.type is expected to be FAN_RESPONSE_INFO_AUDIT_RULE. What happens after the header with type FAN_RESPONSE_INFO_AUDIT_RULE until length hdr.len is fully within *audit* subsystem's responsibility. Fanotify code will just pass this as an opaque blob to the audit subsystem. So if you know audit subsystem will also need some other field together with 'audit_rule' now is a good time to add it and it doesn't have to be useful for anybody else besides audit. If someone else will need other information passed along with the response, he will append structure with another header with different 'type' field. In principle, there can be multiple structures appended to fanotify response like ... and fanotify subsystem will just pass them to different receivers based on the type in 'hdr' field. Also if audit needs to pass even more information along with the respose, we can define a new 'type' for it. But the 'type' space is not infinite so I'd prefer this does not happen too often... I hope this clears out things a bit. Honza -- Jan Kara SUSE Labs, CR