lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Yw/efLafvmimtCDq@madcap2.tricolour.ca>
Date:   Wed, 31 Aug 2022 18:19:40 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Steve Grubb <sgrubb@...hat.com>
Cc:     Paul Moore <paul@...l-moore.com>,
        Linux-Audit Mailing List <linux-audit@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-fsdevel@...r.kernel.org, Eric Paris <eparis@...isplace.org>,
        Jan Kara <jack@...e.cz>, Amir Goldstein <amir73il@...il.com>
Subject: Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full
 permission event response

On 2022-08-31 17:25, Steve Grubb wrote:
> On Wednesday, August 31, 2022 5:07:25 PM EDT Richard Guy Briggs wrote:
> > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > > index 433418d73584..f000fec52360 100644
> > > > --- a/kernel/auditsc.c
> > > > +++ b/kernel/auditsc.c
> > > > @@ -64,6 +64,7 @@
> > > > #include <uapi/linux/limits.h>
> > > > #include <uapi/linux/netfilter/nf_tables.h>
> > > > #include <uapi/linux/openat2.h> // struct open_how
> > > > +#include <uapi/linux/fanotify.h>
> > > > 
> > > > #include "audit.h"
> > > > 
> > > > @@ -2899,10 +2900,34 @@ void __audit_log_kern_module(char *name)
> > > > context->type = AUDIT_KERN_MODULE;
> > > > }
> > > > 
> > > > -void __audit_fanotify(u32 response)
> > > > +void __audit_fanotify(u32 response, size_t len, char *buf)
> > > > {
> > > > -       audit_log(audit_context(), GFP_KERNEL,
> > > > -               AUDIT_FANOTIFY, "resp=%u", response);
> > > > +       struct fanotify_response_info_audit_rule *friar;
> > > > +       size_t c = len;
> > > > +       char *ib = buf;
> > > > +
> > > > +       if (!(len && buf)) {
> > > > +               audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
> > > > +                         "resp=%u fan_type=0 fan_info=?", response);
> > > > +               return;
> > > > +       }
> > > > +       while (c >= sizeof(struct fanotify_response_info_header)) {
> > > > +               friar = (struct fanotify_response_info_audit_rule
> > > > *)buf;
> > > 
> > > Since the only use of this at the moment is the
> > > fanotify_response_info_rule, why not pass the
> > > fanotify_response_info_rule struct directly into this function?  We
> > > can always change it if we need to in the future without affecting
> > > userspace, and it would simplify the code.
> > 
> > Steve, would it make any sense for there to be more than one
> > FAN_RESPONSE_INFO_AUDIT_RULE header in a message?  Could there be more
> > than one rule that contributes to a notify reason?  If not, would it be
> > reasonable to return -EINVAL if there is more than one?
> 
> I don't see a reason for sending more than one header. What is more probable 
> is the need to send additional data in that header. I was thinking of maybe 
> bit mapping it in the rule number. But I'd suggest padding the struct just in 
> case it needs expanding some day.

This doesn't exactly answer my question about multiple rules
contributing to one decision.

The need for more as yet undefined information sounds like a good reason
to define a new header if that happens.

At this point, is it reasonable to throw an error if more than one RULE
header appears in a message?  The way I had coded this last patchset was
to allow for more than one RULE header and each one would get its own
record in the event.

How many rules total are likely to exist?

> -Steev

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ