From: Paul Moore
Date: Thu, 22 Dec 2022 16:16:58 -0500
Subject: Re: [PATCH v5 3/3] fanotify,audit: Allow audit to use the full permission event response
To: Richard Guy Briggs
Cc: Jan Kara, linux-api@vger.kernel.org, Amir Goldstein, LKML, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, Eric Paris

On Thu, Dec 22, 2022 at 3:42 PM Richard Guy Briggs wrote:
> On 2022-12-20 18:31, Paul Moore wrote:
> > On Mon, Dec 12, 2022 at 9:06 AM Richard Guy Briggs wrote:
> > >
> > > This patch passes the full response so that the audit function can use all
> > > of it. The audit function was updated to log the additional information in
> > > the AUDIT_FANOTIFY record.
> > >
> > > Currently the only type of fanotify info that is defined is an audit
> > > rule number, but convert it to hex encoding to future-proof the field.
> > > Hex encoding suggested by Paul Moore .
> > >
> > > Sample records:
> > > type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_info=3137 subj_trust=3 obj_trust=5
> > > type=FANOTIFY msg=audit(1659730979.839:284): resp=1 fan_type=0 fan_info=3F subj_trust=2 obj_trust=2
> > >
> > > Suggested-by: Steve Grubb
> > > Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
> > > Signed-off-by: Richard Guy Briggs
> > > ---
> > > fs/notify/fanotify/fanotify.c | 3 ++-
> > > include/linux/audit.h | 9 +++++----
> > > kernel/auditsc.c | 25 ++++++++++++++++++++++---
> > > 3 files changed, 29 insertions(+), 8 deletions(-)
> >
> > ...
> >
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > index d1fb821de104..8d523066d81f 100644 > > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c > > > @@ -64,6 +64,7 @@ > > > #include > > > #include > > > #include // struct open_how > > > +#include > > > > > > #include "audit.h" > > > > > > @@ -2877,10 +2878,28 @@ void __audit_log_kern_module(char *name) > > > context->type = AUDIT_KERN_MODULE; > > > } > > > > > > -void __audit_fanotify(u32 response) > > > +void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar) > > > { > > > - audit_log(audit_context(), GFP_KERNEL, > > > - AUDIT_FANOTIFY, "resp=%u", response); > > > + struct audit_context *ctx = audit_context(); > > > + struct audit_buffer *ab; > > > + char numbuf[12]; > > > + > > > + if (friar->hdr.type == FAN_RESPONSE_INFO_NONE) { > > > + audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY, > > > + "resp=%u fan_type=%u fan_info=3F subj_trust=2 obj_trust=2", > > > + response, FAN_RESPONSE_INFO_NONE);
> >
> > The fan_info, subj_trust, and obj_trust constant values used here are
> > awfully magic-numbery and not the usual sentinel values one might
> > expect for a "none" operation, e.g. zeros/INT_MAX/etc. I believe a
> > comment here explaining the values would be a good idea.
>
> Ack. I'll add a comment. I would have preferred zero for default of
> unset, but Steve requested 0/1/2 no/yes/unknown.

Yeah, if they were zeros I don't think we would need to comment on
them as zeros for unset/unknown/invalid is rather common, 2 ... not so
much.

--
paul-moore.com
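
Review bot: __audit_fanotify() dereferences friar (friar->hdr.type) in its first statement with no NULL check, so every caller has to pass a valid pointer even when no response info was supplied; either check for NULL here and treat it as FAN_RESPONSE_INFO_NONE, or state the non-NULL requirement in a comment. In the same branch, the audit_log() call invokes audit_context() again although ctx was just initialised from it; pass ctx instead. The quoted hunk stops after this branch, so the uses of ab and numbuf are not visible here.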
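
The record format from the quoted commit message, decoded on the log-consumer side in an added Python example (not part of the patch or of anyone's reply). It assumes fan_info is hex-encoded printable ASCII, as the two sample records suggest, and the 0/1/2 no/yes/unknown trust meaning stated in the thread; the function names are hypothetical.

```python
import re

# Constructed input: the two sample records quoted in the commit message.
SAMPLE_RECORDS = [
    "type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 "
    "fan_info=3137 subj_trust=3 obj_trust=5",
    "type=FANOTIFY msg=audit(1659730979.839:284): resp=1 fan_type=0 "
    "fan_info=3F subj_trust=2 obj_trust=2",
]

# Assumption taken from the thread: 0/1/2 mean no/yes/unknown.
TRUST = {0: "no", 1: "yes", 2: "unknown"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def decode_fan_info(hex_text):
    """Decode the hex-encoded fan_info field to printable ASCII text."""
    try:
        raw = bytes.fromhex(hex_text)
    except ValueError:
        raise ValueError(f"fan_info is not valid hex: {hex_text!r}") from None
    # Reject empty or non-printable payloads instead of passing them on.
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        raise ValueError(f"fan_info has non-printable bytes: {hex_text!r}")
    return raw.decode("ascii")


def parse_fanotify_record(line):
    """Parse one record; trust values outside 0..2 become 'undefined(N)'."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("type") != "FANOTIFY":
        raise ValueError("not an AUDIT_FANOTIFY record")
    out = {
        "resp": int(fields["resp"]),
        "fan_type": int(fields["fan_type"]),
        "fan_info": decode_fan_info(fields["fan_info"]),
    }
    for key in ("subj_trust", "obj_trust"):
        value = int(fields[key])
        out[key] = TRUST.get(value, f"undefined({value})")
    return out


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(parse_fanotify_record(rec))
```

The first sample decodes to rule text "17" with trust values outside the 0/1/2 range, and the second to the "?" placeholder that the FAN_RESPONSE_INFO_NONE branch logs as fan_info=3F.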