Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp2059170rwn; Fri, 9 Sep 2022 08:00:52 -0700 (PDT) X-Google-Smtp-Source: AA6agR6ayLbAK7TqJqLRe6hmsmwHXP/HzGZouCRGK/hyLAwwRic9scbAp8ywEsOQNLcRyxqw4+0B X-Received: by 2002:a65:558f:0:b0:434:4ef3:77a7 with SMTP id j15-20020a65558f000000b004344ef377a7mr12564910pgs.27.1662735652572; Fri, 09 Sep 2022 08:00:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662735652; cv=none; d=google.com; s=arc-20160816; b=YszJhkrl73H8zySDOOXZe+/krikv2VAknNhw65sXg1Vq6lG8MmQUUo3MkPBzMwWIE5 sJM3rjdDJIhgaDZ62c7WrO9w/JwCTnwi5Rro51jBJIHP5w9hJsAe8g8IK7paVwzv4EP9 RhsmM/gt3Q45I6v/OEbWNz1UxEywaip8c+expS+O0uM5P+MAaIFq03o+o+BYZDVygOuJ b8fTzRWZIQWv6WjyNTaDc9HknL0+OPFn9PTs7HcPR02UyoxP5w9/WaY86EKSmKenr5X9 SgTjfhX4/3Pk7zdldqgAG87limZtphrQTkIE6WY4zo+8oC7y7mJ8qzFM+MPshIxZeWSj W8zQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=mEJa3J3UUdr9GRdpFl4qp3eJcR5AB7YwgYozMAVokFs=; b=gEFl1vwUWL6ISqAFaYtg182qfyWzsDTW9TU+ftcgvID0cu6CS0BnHmbW3bB4pjAis0 elrOOcxWz6rtjuO6Fgz8Js72ZIlPK6hLndH8M43lp8aoiY5Ajyzl9Y1HD4Q/8T0Bo9f4 F7UKZDn77QCOTOnJQgrEWCSqampLEo0ofGadzuhcvPUV3lqnQWfJIK1cNdzTtRAb2d+A 33lJEmzOeh+auiK6TgzcqsBZKTdaUCWvHMLY9XwrH23todcvAdS/GmBFCFpraHKV0iLx oPLm2R1/zMVnnqAFFPO5F00rNttkyeIUZi6g3OwZh5xXcsjM59FajXVrv0DItJ6De7Bw sF2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UtdJVwIf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l21-20020a170902d35500b0016da773130asi714574plk.221.2022.09.09.08.00.40; Fri, 09 Sep 2022 08:00:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UtdJVwIf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231896AbiIIOi5 (ORCPT + 99 others); Fri, 9 Sep 2022 10:38:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58704 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231759AbiIIOiy (ORCPT ); Fri, 9 Sep 2022 10:38:54 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 07BCA12FB86 for ; Fri, 9 Sep 2022 07:38:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1662734331; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=mEJa3J3UUdr9GRdpFl4qp3eJcR5AB7YwgYozMAVokFs=; b=UtdJVwIfZy4dgpbr66aWh9hEqVGChU5MWltnkeFcytse+A/k2S0PB+a8wOOFCCaF7acbLq xH7TUWdXASEawdrAmzspj/rLRkG5SCUmm2sr3JD1pyQvEmrDqqvqpmEoMC5Y08b6ZQlaV6 qh0BHZNToLEIimRDCpnEtCr9Hl5C23U= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-307-41-L-xL8OTiqnTy3ibOo-A-1; Fri, 09 Sep 2022 10:38:50 -0400 X-MC-Unique: 41-L-xL8OTiqnTy3ibOo-A-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0C46F1C05EAA; Fri, 9 Sep 2022 14:38:50 +0000 (UTC) Received: from madcap2.tricolour.ca (unknown [10.22.48.5]) by smtp.corp.redhat.com (Postfix) with ESMTPS id AA42C4C819; Fri, 9 Sep 2022 14:38:48 +0000 (UTC) Date: Fri, 9 Sep 2022 10:38:46 -0400 From: Richard Guy Briggs To: Steve Grubb Cc: Jan Kara , Paul Moore , Linux-Audit Mailing List , LKML , linux-fsdevel@vger.kernel.org, Eric Paris , Amir Goldstein Subject: Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response Message-ID: References: <2254543.ElGaqSPkdT@x2> <20220909110944.yfnuqhsiyw3ekkcn@quack3> <4748798.GXAFRqVoOG@x2> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4748798.GXAFRqVoOG@x2> X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-09-09 10:22, Steve Grubb wrote: > On Friday, September 9, 2022 7:09:44 AM EDT Jan Kara wrote: > > Hello Steve! > > > > On Fri 09-09-22 00:03:53, Steve Grubb wrote: > > > On Thursday, September 8, 2022 10:41:44 PM EDT Richard Guy Briggs wrote: > > > > > I'm trying to abide by what was suggested by the fs-devel folks. I > > > > > can > > > > > live with it. But if you want to make something non-generic for all > > > > > users of fanotify, call the new field "trusted". This would decern > > > > > when > > > > > a decision was made because the file was untrusted or access denied > > > > > for > > > > > another reason. > > > > > > > > So, "u32 trusted;" ? How would you like that formatted? > > > > "fan_trust={0|1}" > > > > > > So how does this play out if there is another user? Do they want a num= > > > and trust= if not, then the AUDIT_FANOTIFY record will have multiple > > > formats which is not good. I'd rather suggest something generic that can > > > be interpreted based on who's attached to fanotify. IOW we have a > > > fan_type=0 and then followed by info0= info1= the interpretation of > > > those solely depend on fan_type. If the fan_type does not need both, > > > then any interpretation skips what it doesn't need. If fan_type=1, then > > > it follows what arg0= and arg1= is for that format. But make this pivot > > > on fan_type and not actual names. > > So I think there is some misunderstanding so let me maybe spell out in > > detail how I see things so that we can get on the same page: > > > > It was a requirement from me (and probably Amir) that there is a generic > > way to attach additional info to a response to fanotify permission event. > > This is achieved by defining: > > > > struct fanotify_response_info_header { > > __u8 type; > > __u8 pad; > > __u16 len; > > }; > > > > which is a generic header and kernel can based on 'len' field decide how > > large the response structure is (to safely copy it from userspace) and > > based on 'type' field it can decide who should be the recipient of this > > extra information (or generally what to do with it). So any additional > > info needs to start with this header. > > > > Then there is: > > > > struct fanotify_response_info_audit_rule { > > struct fanotify_response_info_header hdr; > > __u32 audit_rule; > > }; > > > > which properly starts with the header and hdr.type is expected to be > > FAN_RESPONSE_INFO_AUDIT_RULE. What happens after the header with type > > FAN_RESPONSE_INFO_AUDIT_RULE until length hdr.len is fully within *audit* > > subsystem's responsibility. Fanotify code will just pass this as an opaque > > blob to the audit subsystem. > > > > So if you know audit subsystem will also need some other field together > > with 'audit_rule' now is a good time to add it and it doesn't have to be > > useful for anybody else besides audit. If someone else will need other > > information passed along with the response, he will append structure with > > another header with different 'type' field. In principle, there can be > > multiple structures appended to fanotify response like > > > > ... > > > > and fanotify subsystem will just pass them to different receivers based > > on the type in 'hdr' field. > > > > Also if audit needs to pass even more information along with the respose, > > we can define a new 'type' for it. But the 'type' space is not infinite so > > I'd prefer this does not happen too often... > > > > I hope this clears out things a bit. > > Yes. Thank you. > > Richard, add subj_trust and obj_trust. These can be 0|1|2 for no, yes, > unknown. type? bitfield? My gut would say that "0" should be "unset"/"unknown", but that is counterintuitive to the values represented. Or "trust" with sub-fields "subj" and "obj"? > -Steve - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635