From: Steve Grubb <sgrubb@redhat.com>
To: Linux-Audit Mailing List <linux-audit@redhat.com>,
Richard Guy Briggs <rgb@redhat.com>
Cc: io-uring@vger.kernel.org
Subject: Re: [PATCH v3 2/7] add support for the uring filter list
Date: Fri, 29 Oct 2021 14:39:11 -0400 [thread overview]
Message-ID: <2523658.Lt9SDvczpP@x2> (raw)
In-Reply-To: <20211028195939.3102767-3-rgb@redhat.com>
On Thursday, October 28, 2021 3:59:34 PM EDT Richard Guy Briggs wrote:
> Kernel support to audit io_uring operations filtering was added with
> commit 67daf270cebc ("audit: add filtering for io_uring records"). Add
> support for the "uring" filter list to auditctl.
Might have been good to show what the resulting auditctl command looks like.
I think it would be:
auditctl -a always,io_ring -U open -F uid!=0 -F key=io_ring
But I wonder, why the choice of -U rather than -S? That would make
remembering the syntax easier.
auditctl -a always,io_ring -S open -F uid!=0 -F key=io_ring
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> docs/audit.rules.7 | 19 ++++--
> docs/audit_add_rule_data.3 | 4 ++
> docs/auditctl.8 | 10 ++-
> lib/flagtab.h | 11 ++--
> lib/libaudit.c | 50 ++++++++++++---
> lib/libaudit.h | 7 +++
> lib/lookup_table.c | 20 ++++++
> lib/private.h | 1 +
> src/auditctl-listing.c | 52 ++++++++++------
> src/auditctl.c | 121 ++++++++++++++++++++++++++++++++-----
> 10 files changed, 240 insertions(+), 55 deletions(-)
<snip a whole lot of documentation>
> diff --git a/lib/libaudit.c b/lib/libaudit.c
> index 54e276156ef0..3790444f4497 100644
> --- a/lib/libaudit.c
> +++ b/lib/libaudit.c
> @@ -86,6 +86,7 @@ static const struct nv_list failure_actions[] =
> int _audit_permadded = 0;
> int _audit_archadded = 0;
> int _audit_syscalladded = 0;
> +int _audit_uringopadded = 0;
> int _audit_exeadded = 0;
> int _audit_filterfsadded = 0;
> unsigned int _audit_elf = 0U;
> @@ -999,6 +1000,26 @@ int audit_rule_syscallbyname_data(struct
> audit_rule_data *rule, return -1;
> }
>
> +int audit_rule_uringopbyname_data(struct audit_rule_data *rule,
> + const char *uringop)
> +{
> + int nr, i;
> +
> + if (!strcmp(uringop, "all")) {
> + for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
> + rule->mask[i] = ~0;
> + return 0;
> + }
> + nr = audit_name_to_uringop(uringop);
> + if (nr < 0) {
> + if (isdigit(uringop[0]))
> + nr = strtol(uringop, NULL, 0);
> + }
> + if (nr >= 0)
> + return audit_rule_syscall_data(rule, nr);
> + return -1;
> +}
> +
> int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
> const char *pair,
> int flags)
> @@ -1044,7 +1065,7 @@ int audit_rule_interfield_comp_data(struct
> audit_rule_data **rulep, return -EAU_COMPVALUNKNOWN;
>
> /* Interfield comparison can only be in exit filter */
> - if (flags != AUDIT_FILTER_EXIT)
> + if (flags != AUDIT_FILTER_EXIT && flags != AUDIT_FILTER_URING_EXIT)
> return -EAU_EXITONLY;
>
> // It should always be AUDIT_FIELD_COMPARE
> @@ -1557,7 +1578,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
> break;
> case AUDIT_EXIT:
> - if (flags != AUDIT_FILTER_EXIT)
> + if (flags != AUDIT_FILTER_EXIT &&
> + flags != AUDIT_FILTER_URING_EXIT)
> return -EAU_EXITONLY;
> vlen = strlen(v);
> if (isdigit((char)*(v)))
> @@ -1599,7 +1621,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, case AUDIT_DIR:
> /* Watch & object filtering is invalid on anything
> * but exit */
> - if (flags != AUDIT_FILTER_EXIT)
> + if (flags != AUDIT_FILTER_EXIT &&
> + flags != AUDIT_FILTER_URING_EXIT)
> return -EAU_EXITONLY;
> if (field == AUDIT_WATCH || field == AUDIT_DIR)
> _audit_permadded = 1;
> @@ -1621,9 +1644,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, _audit_exeadded = 1;
> }
> if (field == AUDIT_FILTERKEY &&
> - !(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded ||
> - _audit_filterfsadded))
> + !(_audit_syscalladded ||
> + _audit_uringopadded ||
> + _audit_permadded ||
> + _audit_exeadded ||
> + _audit_filterfsadded))
> return -EAU_KEYDEP;
> vlen = strlen(v);
> if (field == AUDIT_FILTERKEY &&
> @@ -1712,7 +1737,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
> break;
> case AUDIT_FILETYPE:
> - if (!(flags == AUDIT_FILTER_EXIT))
> + if (!(flags == AUDIT_FILTER_EXIT ||
> + flags == AUDIT_FILTER_URING_EXIT))
> return -EAU_EXITONLY;
> rule->values[rule->field_count] =
> audit_name_to_ftype(v);
> @@ -1754,7 +1780,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, return -EAU_FIELDNOSUPPORT;
> if (flags != AUDIT_FILTER_EXCLUDE &&
> flags != AUDIT_FILTER_USER &&
> - flags != AUDIT_FILTER_EXIT)
> + flags != AUDIT_FILTER_EXIT &&
> + flags != AUDIT_FILTER_URING_EXIT)
This is in the session_id code. Looking at the example audit event:
https://listman.redhat.com/archives/linux-audit/2021-September/msg00058.html
session_id is not in the record.
> return -EAU_FIELDNOFILTER;
> // Do positive & negative separate for 32 bit systems
> vlen = strlen(v);
> @@ -1775,7 +1802,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, break;
> case AUDIT_DEVMAJOR...AUDIT_INODE:
^^^ Can you audit by devmajor, devminor, or inode in io_ring?
> case AUDIT_SUCCESS:
> - if (flags != AUDIT_FILTER_EXIT)
> + if (flags != AUDIT_FILTER_EXIT &&
> + flags != AUDIT_FILTER_URING_EXIT)
> return -EAU_EXITONLY;
> /* fallthrough */
> default:
> @@ -1785,7 +1813,9 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, return -EAU_OPEQNOTEQ;
> }
>
> - if (field == AUDIT_PPID && !(flags==AUDIT_FILTER_EXIT))
> + if (field == AUDIT_PPID &&
> + !(flags == AUDIT_FILTER_EXIT ||
> + flags == AUDIT_FILTER_URING_EXIT))
> return -EAU_EXITONLY;
>
> if (!isdigit((char)*(v)))
> diff --git a/lib/libaudit.h b/lib/libaudit.h
> index 08b7d22678aa..a73edc677df0 100644
> --- a/lib/libaudit.h
> +++ b/lib/libaudit.h
> @@ -341,6 +341,9 @@ extern "C" {
> #ifndef AUDIT_FILTER_EXCLUDE
> #define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
> #endif
> +#ifndef AUDIT_FILTER_URING_EXIT
> +#define AUDIT_FILTER_URING_EXIT 0x07 /* filter on exit from io_uring op
*/
> +#endif
> #define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
> #define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
>
> @@ -612,6 +615,8 @@ extern int audit_name_to_field(const char
> *field); extern const char *audit_field_to_name(int field);
> extern int audit_name_to_syscall(const char *sc, int machine);
> extern const char *audit_syscall_to_name(int sc, int machine);
> +extern int audit_name_to_uringop(const char *uringopop);
> +extern const char *audit_uringop_to_name(int uringop);
> extern int audit_name_to_flag(const char *flag);
> extern const char *audit_flag_to_name(int flag);
> extern int audit_name_to_action(const char *action);
> @@ -706,6 +711,8 @@ extern struct audit_rule_data
> *audit_rule_create_data(void); extern void audit_rule_init_data(struct
> audit_rule_data *rule);
> extern int audit_rule_syscallbyname_data(struct audit_rule_data *rule,
> const char *scall);
> +extern int audit_rule_uringopbyname_data(struct audit_rule_data *rule,
> + const char *uringop);
> /* Note that the following function takes a **, where
> audit_rule_fieldpair() * takes just a *. That structure may need to be
> reallocated as a result of * adding new fields */
> diff --git a/lib/lookup_table.c b/lib/lookup_table.c
> index 23678a4d142e..ca619fba930d 100644
> --- a/lib/lookup_table.c
> +++ b/lib/lookup_table.c
> @@ -142,6 +142,18 @@ int audit_name_to_syscall(const char *sc, int machine)
> return -1;
> }
>
> +int audit_name_to_uringop(const char *uringop)
> +{
> + int res = -1, found = 0;
> +
> +#ifndef NO_TABLES
> + //found = uringop_s2i(uringop, &res);
Why are we creating commented out function calls? It seems like this belongs
in another patch and not here. But let's save everyone some iterations and
overlook that.
Review complete...
-Steve
> +#endif
> + if (found)
> + return res;
> + return -1;
> +}
> +
> const char *audit_syscall_to_name(int sc, int machine)
> {
> #ifndef NO_TABLES
> @@ -172,6 +184,14 @@ const char *audit_syscall_to_name(int sc, int machine)
> return NULL;
> }
>
> +const char *audit_uringop_to_name(int uringop)
> +{
> +#ifndef NO_TABLES
> + //return uringop_i2s(uringop);
> +#endif
> + return NULL;
> +}
> +
> int audit_name_to_flag(const char *flag)
> {
> int res;
> diff --git a/lib/private.h b/lib/private.h
> index c3a7364fcfb8..b0d3fa4109c5 100644
> --- a/lib/private.h
> +++ b/lib/private.h
> @@ -135,6 +135,7 @@ AUDIT_HIDDEN_END
> extern int _audit_permadded;
> extern int _audit_archadded;
> extern int _audit_syscalladded;
> +extern int _audit_uringopadded;
> extern int _audit_exeadded;
> extern int _audit_filterfsadded;
> extern unsigned int _audit_elf;
> diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
> index a5d6bc2b046f..3d80906ffd24 100644
> --- a/src/auditctl-listing.c
> +++ b/src/auditctl-listing.c
> @@ -137,15 +137,22 @@ static int print_syscall(const struct audit_rule_data
> *r, unsigned int *sc) int all = 1;
> unsigned int i;
> int machine = audit_detect_machine();
> -
> - /* Rules on the following filters do not take a syscall */
> - if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
> - ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
> - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
> - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_FS))
> + int uring = 0;
> +
> + /* Rules on the following filters do not take a syscall (or uringop)
*/
> + switch (r->flags & AUDIT_FILTER_MASK) {
> + case AUDIT_FILTER_USER:
> + case AUDIT_FILTER_TASK:
> + case AUDIT_FILTER_EXCLUDE:
> + case AUDIT_FILTER_FS:
> return 0;
> + break;
> + case AUDIT_FILTER_URING_EXIT:
> + uring = 1;
> + break;
> + }
>
> - /* See if its all or specific syscalls */
> + /* See if its all or specific syscalls/uringops */
> for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
> if (r->mask[i] != (uint32_t)~0) {
> all = 0;
> @@ -154,21 +161,32 @@ static int print_syscall(const struct audit_rule_data
> *r, unsigned int *sc) }
>
> if (all) {
> - printf(" -S all");
> + if (uring)
> + printf(" -U all");
> + else
> + printf(" -S all");
> count = i;
> } else for (i = 0; i < AUDIT_BITMASK_SIZE * 32; i++) {
> int word = AUDIT_WORD(i);
> int bit = AUDIT_BIT(i);
> if (r->mask[word] & bit) {
> const char *ptr;
> - if (_audit_elf)
> - machine = audit_elf_to_machine(_audit_elf);
> - if (machine < 0)
> - ptr = NULL;
> - else
> - ptr = audit_syscall_to_name(i, machine);
> +
> + if (uring)
> + ptr = audit_uringop_to_name(i);
> + else {
> + if (_audit_elf)
> + machine =
audit_elf_to_machine(_audit_elf);
> + if (machine < 0)
> + ptr = NULL;
> + else
> + ptr = audit_syscall_to_name(i, machine);
> + }
> if (!count)
> - printf(" -S ");
> + if (uring)
> + printf(" -U ");
> + else
> + printf(" -S ");
> if (ptr)
> printf("%s%s", !count ? "" : ",", ptr);
> else
> @@ -297,7 +315,7 @@ static void print_rule(const struct audit_rule_data *r)
> int mach = -1, watch = is_watch(r);
> unsigned long long a0 = 0, a1 = 0;
>
> - if (!watch) { /* This is syscall auditing */
> + if (!watch) { /* This is syscall or uring auditing */
> printf("-a %s,%s",
> audit_action_to_name((int)r->action),
> audit_flag_to_name(r->flags));
> @@ -310,7 +328,7 @@ static void print_rule(const struct audit_rule_data *r)
> mach = print_arch(r->values[i], op);
> }
> }
> - // And last do the syscalls
> + // And last do the syscalls/uringops
> count = print_syscall(r, &sc);
> }
>
> diff --git a/src/auditctl.c b/src/auditctl.c
> index f9bfc2a247d2..74df4f17f887 100644
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -76,6 +76,7 @@ static int reset_vars(void)
> {
> list_requested = 0;
> _audit_syscalladded = 0;
> + _audit_uringopadded = 0;
> _audit_permadded = 0;
> _audit_archadded = 0;
> _audit_exeadded = 0;
> @@ -110,7 +111,7 @@ static void usage(void)
> " -C f=f Compare collected fields if
> available:\n" " Field name,
> operator(=,!=), field name\n" " -d <l,a>
> Delete rule from <l>ist with <a>ction\n" - "
> l=task,exit,user,exclude,filesystem\n" + "
> l=task,exit,user,exclude,filesystem,uring\n" "
> a=never,always\n"
> " -D Delete all rules and
> watches\n" " -e [0..2] Set enabled flag\n"
> @@ -132,6 +133,7 @@ static void usage(void)
> " -S syscall Build rule: syscall name or
> number\n" " --signal <signal> Send the specified signal
> to the daemon\n" " -t Trim directory
> watches\n" + " -U uringop Build rule: uring
> op name or number\n" " -v Version\n"
> " -w <path> Insert watch at <path>\n"
> " -W <path> Remove watch at <path>\n"
> @@ -164,6 +166,8 @@ static int lookup_filter(const char *str, int *filter)
> exclude = 1;
> } else if (strcmp(str, "filesystem") == 0)
> *filter = AUDIT_FILTER_FS;
> + else if (strcmp(str, "uring") == 0)
> + *filter = AUDIT_FILTER_URING_EXIT;
> else
> return 2;
> return 0;
> @@ -541,6 +545,36 @@ static int parse_syscall(const char *optarg)
> return audit_rule_syscallbyname_data(rule_new, optarg);
> }
>
> +static int parse_uringop(const char *optarg)
> +{
> + int retval = 0;
> + char *saved;
> +
> + if (strchr(optarg, ',')) {
> + char *ptr, *tmp = strdup(optarg);
> + if (tmp == NULL)
> + return -1;
> + ptr = strtok_r(tmp, ",", &saved);
> + while (ptr) {
> + retval = audit_rule_uringopbyname_data(rule_new, ptr);
> + if (retval != 0) {
> + if (retval == -1) {
> + audit_msg(LOG_ERR,
> + "Uring op name unknown: %s",
> + ptr);
> + retval = -3; // error reported
> + }
> + break;
> + }
> + ptr = strtok_r(NULL, ",", &saved);
> + }
> + free(tmp);
> + return retval;
> + }
> +
> + return audit_rule_uringopbyname_data(rule_new, optarg);
> +}
> +
> static struct option long_opts[] =
> {
> #if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
> @@ -576,7 +610,7 @@ static int setopt(int count, int lineno, char *vars[])
> keylen = AUDIT_MAX_KEY_LEN;
>
> while ((retval >= 0) && (c = getopt_long(count, vars,
> - "hicslDvtC:e:f:r:b:a:A:d:S:F:m:R:w:W:k:p:q:",
> + "hicslDvtC:e:f:r:b:a:A:d:S:U:F:m:R:w:W:k:p:q:",
> long_opts, &lidx)) != EOF) {
> int flags = AUDIT_FILTER_UNSET;
> rc = 10; // Init to something impossible to see if unused.
> @@ -715,9 +749,10 @@ static int setopt(int count, int lineno, char *vars[])
> retval = -1;
> break;
> case 'a':
> - if (strstr(optarg, "task") && _audit_syscalladded) {
> + if (strstr(optarg, "task") && (_audit_syscalladded ||
> + _audit_uringopadded)) {
> audit_msg(LOG_ERR,
> - "Syscall auditing requested for task list");
> + "Syscall or uring op auditing requested for task
list");
> retval = -1;
> } else {
> rc = audit_rule_setup(optarg, &add, &action);
> @@ -739,9 +774,10 @@ static int setopt(int count, int lineno, char *vars[])
> }
> break;
> case 'A':
> - if (strstr(optarg, "task") && _audit_syscalladded) {
> - audit_msg(LOG_ERR,
> - "Error: syscall auditing requested for task list");
> + if (strstr(optarg, "task") && (_audit_syscalladded ||
> + _audit_uringopadded)) {
> + audit_msg(LOG_ERR,
> + "Syscall or uring op auditing requested for task
list");
> retval = -1;
> } else {
> rc = audit_rule_setup(optarg, &add, &action);
> @@ -809,6 +845,10 @@ static int setopt(int count, int lineno, char *vars[])
> audit_msg(LOG_ERR,
> "Error: syscall auditing cannot be put on exclude list");
> return -1;
> + } else if (((add | del) & AUDIT_FILTER_MASK) ==
AUDIT_FILTER_URING_EXIT)
> { + audit_msg(LOG_ERR,
> + "Error: syscall auditing cannot be put on uringop list");
> + return -1;
> } else {
> if (unknown_arch) {
> int machine;
> @@ -853,14 +893,63 @@ static int setopt(int count, int lineno, char
> *vars[]) break;
> }}
> break;
> + case 'U':
> + /* Do some checking to make sure that we are not adding a
> + * uring op rule to a list that does not make sense. */
> + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_TASK || (del &
> + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_TASK)) {
> + audit_msg(LOG_ERR,
> + "Error: uring op auditing being added to task list");
> + return -1;
> + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_USER || (del &
> + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_USER)) {
> + audit_msg(LOG_ERR,
> + "Error: uring op auditing being added to user list");
> + return -1;
> + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_FS || (del &
> + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_FS)) {
> + audit_msg(LOG_ERR,
> + "Error: uring op auditing being added to filesystem
list");
> + return -1;
> + } else if (exclude) {
> + audit_msg(LOG_ERR,
> + "Error: uring op auditing cannot be put on exclude list");
> + return -1;
> + } else if (((add | del) & AUDIT_FILTER_MASK) ==
AUDIT_FILTER_EXIT) {
> + audit_msg(LOG_ERR,
> + "Error: uringop auditing cannot be put on syscall list");
> + return -1;
> + }
> + rc = parse_uringop(optarg);
> + switch (rc)
> + {
> + case 0:
> + _audit_uringopadded = 1;
> + break;
> + case -1:
> + audit_msg(LOG_ERR, "Uring op name unknown: %s",
> + optarg);
> + retval = -1;
> + break;
> + case -3: // Error reported - do nothing here
> + retval = -1;
> + break;
> + }
> + break;
> case 'F':
> if (add != AUDIT_FILTER_UNSET)
> flags = add & AUDIT_FILTER_MASK;
> else if (del != AUDIT_FILTER_UNSET)
> flags = del & AUDIT_FILTER_MASK;
> - // if the field is arch & there is a -t option...we
> + // if the field is arch & there is a -t option...we
> // can allow it
> - else if ((optind >= count) || (strstr(optarg, "arch=") ==
NULL)
> + else if ((optind >= count) || (strstr(optarg, "arch=") == NULL
&&
> _audit_uringopadded != 1)
> || (strcmp(vars[optind], "-t") != 0)) {
>
> audit_msg(LOG_ERR, "List must be given before field");
> retval = -1;
> @@ -989,12 +1078,12 @@ static int setopt(int count, int lineno, char
> *vars[]) }
> break;
> case 'k':
> - if (!(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded ||
> + if (!(_audit_syscalladded || _audit_uringopadded ||
> + _audit_permadded || _audit_exeadded ||
> _audit_filterfsadded) ||
> (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> audit_msg(LOG_ERR,
> - "key option needs a watch or syscall given prior to it");
> + "key option needs a watch, syscall or uring op given prior
to it");
> retval = -1;
> break;
> } else if (!optarg) {
> @@ -1031,7 +1120,7 @@ process_keys:
> retval = audit_setup_perms(rule_new, optarg);
> break;
> case 'q':
> - if (_audit_syscalladded) {
> + if (_audit_syscalladded || _audit_uringopadded) {
> audit_msg(LOG_ERR,
> "Syscall auditing requested for make equivalent");
> retval = -1;
> @@ -1466,7 +1555,7 @@ int main(int argc, char *argv[])
> static int handle_request(int status)
> {
> if (status == 0) {
> - if (_audit_syscalladded) {
> + if (_audit_syscalladded || _audit_uringopadded) {
> audit_msg(LOG_ERR, "Error - no list specified");
> return -1;
> }
> @@ -1478,7 +1567,7 @@ static int handle_request(int status)
> if (add != AUDIT_FILTER_UNSET) {
> // if !task add syscall any if not specified
> if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK &&
> - _audit_syscalladded != 1) {
> + (_audit_syscalladded != 1 &&
_audit_uringopadded != 1)) {
> audit_rule_syscallbyname_data(
> rule_new, "all");
> }
> @@ -1502,7 +1591,7 @@ static int handle_request(int status)
> }
> else if (del != AUDIT_FILTER_UNSET) {
> if ((del & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK &&
> - _audit_syscalladded != 1) {
> + (_audit_syscalladded != 1 &&
_audit_uringopadded != 1)) {
> audit_rule_syscallbyname_data(
> rule_new, "all");
> }
WARNING: multiple messages have this Message-ID (diff)
From: Steve Grubb <sgrubb@redhat.com>
To: Linux-Audit Mailing List <linux-audit@redhat.com>,
Richard Guy Briggs <rgb@redhat.com>
Cc: io-uring@vger.kernel.org
Subject: Re: [PATCH v3 2/7] add support for the uring filter list
Date: Fri, 29 Oct 2021 14:39:11 -0400 [thread overview]
Message-ID: <2523658.Lt9SDvczpP@x2> (raw)
In-Reply-To: <20211028195939.3102767-3-rgb@redhat.com>
On Thursday, October 28, 2021 3:59:34 PM EDT Richard Guy Briggs wrote:
> Kernel support to audit io_uring operations filtering was added with
> commit 67daf270cebc ("audit: add filtering for io_uring records"). Add
> support for the "uring" filter list to auditctl.
Might have been good to show what the resulting auditctl command looks like.
I think it would be:
auditctl -a always,io_ring -U open -F uid!=0 -F key=io_ring
But I wonder, why the choice of -U rather than -S? That would make
remembering the syntax easier.
auditctl -a always,io_ring -S open -F uid!=0 -F key=io_ring
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> docs/audit.rules.7 | 19 ++++--
> docs/audit_add_rule_data.3 | 4 ++
> docs/auditctl.8 | 10 ++-
> lib/flagtab.h | 11 ++--
> lib/libaudit.c | 50 ++++++++++++---
> lib/libaudit.h | 7 +++
> lib/lookup_table.c | 20 ++++++
> lib/private.h | 1 +
> src/auditctl-listing.c | 52 ++++++++++------
> src/auditctl.c | 121 ++++++++++++++++++++++++++++++++-----
> 10 files changed, 240 insertions(+), 55 deletions(-)
<snip a whole lot of documentation>
> diff --git a/lib/libaudit.c b/lib/libaudit.c
> index 54e276156ef0..3790444f4497 100644
> --- a/lib/libaudit.c
> +++ b/lib/libaudit.c
> @@ -86,6 +86,7 @@ static const struct nv_list failure_actions[] =
> int _audit_permadded = 0;
> int _audit_archadded = 0;
> int _audit_syscalladded = 0;
> +int _audit_uringopadded = 0;
> int _audit_exeadded = 0;
> int _audit_filterfsadded = 0;
> unsigned int _audit_elf = 0U;
> @@ -999,6 +1000,26 @@ int audit_rule_syscallbyname_data(struct
> audit_rule_data *rule, return -1;
> }
>
> +int audit_rule_uringopbyname_data(struct audit_rule_data *rule,
> + const char *uringop)
> +{
> + int nr, i;
> +
> + if (!strcmp(uringop, "all")) {
> + for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
> + rule->mask[i] = ~0;
> + return 0;
> + }
> + nr = audit_name_to_uringop(uringop);
> + if (nr < 0) {
> + if (isdigit(uringop[0]))
> + nr = strtol(uringop, NULL, 0);
> + }
> + if (nr >= 0)
> + return audit_rule_syscall_data(rule, nr);
> + return -1;
> +}
> +
> int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
> const char *pair,
> int flags)
> @@ -1044,7 +1065,7 @@ int audit_rule_interfield_comp_data(struct
> audit_rule_data **rulep, return -EAU_COMPVALUNKNOWN;
>
> /* Interfield comparison can only be in exit filter */
> - if (flags != AUDIT_FILTER_EXIT)
> + if (flags != AUDIT_FILTER_EXIT && flags != AUDIT_FILTER_URING_EXIT)
> return -EAU_EXITONLY;
>
> // It should always be AUDIT_FIELD_COMPARE
> @@ -1557,7 +1578,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
> break;
> case AUDIT_EXIT:
> - if (flags != AUDIT_FILTER_EXIT)
> + if (flags != AUDIT_FILTER_EXIT &&
> + flags != AUDIT_FILTER_URING_EXIT)
> return -EAU_EXITONLY;
> vlen = strlen(v);
> if (isdigit((char)*(v)))
> @@ -1599,7 +1621,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, case AUDIT_DIR:
> /* Watch & object filtering is invalid on anything
> * but exit */
> - if (flags != AUDIT_FILTER_EXIT)
> + if (flags != AUDIT_FILTER_EXIT &&
> + flags != AUDIT_FILTER_URING_EXIT)
> return -EAU_EXITONLY;
> if (field == AUDIT_WATCH || field == AUDIT_DIR)
> _audit_permadded = 1;
> @@ -1621,9 +1644,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, _audit_exeadded = 1;
> }
> if (field == AUDIT_FILTERKEY &&
> - !(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded ||
> - _audit_filterfsadded))
> + !(_audit_syscalladded ||
> + _audit_uringopadded ||
> + _audit_permadded ||
> + _audit_exeadded ||
> + _audit_filterfsadded))
> return -EAU_KEYDEP;
> vlen = strlen(v);
> if (field == AUDIT_FILTERKEY &&
> @@ -1712,7 +1737,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
> break;
> case AUDIT_FILETYPE:
> - if (!(flags == AUDIT_FILTER_EXIT))
> + if (!(flags == AUDIT_FILTER_EXIT ||
> + flags == AUDIT_FILTER_URING_EXIT))
> return -EAU_EXITONLY;
> rule->values[rule->field_count] =
> audit_name_to_ftype(v);
> @@ -1754,7 +1780,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, return -EAU_FIELDNOSUPPORT;
> if (flags != AUDIT_FILTER_EXCLUDE &&
> flags != AUDIT_FILTER_USER &&
> - flags != AUDIT_FILTER_EXIT)
> + flags != AUDIT_FILTER_EXIT &&
> + flags != AUDIT_FILTER_URING_EXIT)
This is in the session_id code. Looking at the example audit event:
https://listman.redhat.com/archives/linux-audit/2021-September/msg00058.html
session_id is not in the record.
> return -EAU_FIELDNOFILTER;
> // Do positive & negative separate for 32 bit systems
> vlen = strlen(v);
> @@ -1775,7 +1802,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, break;
> case AUDIT_DEVMAJOR...AUDIT_INODE:
^^^ Can you audit by devmajor, devminor, or inode in io_ring?
> case AUDIT_SUCCESS:
> - if (flags != AUDIT_FILTER_EXIT)
> + if (flags != AUDIT_FILTER_EXIT &&
> + flags != AUDIT_FILTER_URING_EXIT)
> return -EAU_EXITONLY;
> /* fallthrough */
> default:
> @@ -1785,7 +1813,9 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, return -EAU_OPEQNOTEQ;
> }
>
> - if (field == AUDIT_PPID && !(flags==AUDIT_FILTER_EXIT))
> + if (field == AUDIT_PPID &&
> + !(flags == AUDIT_FILTER_EXIT ||
> + flags == AUDIT_FILTER_URING_EXIT))
> return -EAU_EXITONLY;
>
> if (!isdigit((char)*(v)))
> diff --git a/lib/libaudit.h b/lib/libaudit.h
> index 08b7d22678aa..a73edc677df0 100644
> --- a/lib/libaudit.h
> +++ b/lib/libaudit.h
> @@ -341,6 +341,9 @@ extern "C" {
> #ifndef AUDIT_FILTER_EXCLUDE
> #define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
> #endif
> +#ifndef AUDIT_FILTER_URING_EXIT
> +#define AUDIT_FILTER_URING_EXIT 0x07 /* filter on exit from io_uring op
*/
> +#endif
> #define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
> #define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
>
> @@ -612,6 +615,8 @@ extern int audit_name_to_field(const char
> *field); extern const char *audit_field_to_name(int field);
> extern int audit_name_to_syscall(const char *sc, int machine);
> extern const char *audit_syscall_to_name(int sc, int machine);
> +extern int audit_name_to_uringop(const char *uringopop);
> +extern const char *audit_uringop_to_name(int uringop);
> extern int audit_name_to_flag(const char *flag);
> extern const char *audit_flag_to_name(int flag);
> extern int audit_name_to_action(const char *action);
> @@ -706,6 +711,8 @@ extern struct audit_rule_data
> *audit_rule_create_data(void); extern void audit_rule_init_data(struct
> audit_rule_data *rule);
> extern int audit_rule_syscallbyname_data(struct audit_rule_data *rule,
> const char *scall);
> +extern int audit_rule_uringopbyname_data(struct audit_rule_data *rule,
> + const char *uringop);
> /* Note that the following function takes a **, where
> audit_rule_fieldpair() * takes just a *. That structure may need to be
> reallocated as a result of * adding new fields */
> diff --git a/lib/lookup_table.c b/lib/lookup_table.c
> index 23678a4d142e..ca619fba930d 100644
> --- a/lib/lookup_table.c
> +++ b/lib/lookup_table.c
> @@ -142,6 +142,18 @@ int audit_name_to_syscall(const char *sc, int machine)
> return -1;
> }
>
> +int audit_name_to_uringop(const char *uringop)
> +{
> + int res = -1, found = 0;
> +
> +#ifndef NO_TABLES
> + //found = uringop_s2i(uringop, &res);
Why are we creating commented out function calls? It seems like this belongs
in another patch and not here. But let's save everyone some iterations and
overlook that.
Review complete...
-Steve
> +#endif
> + if (found)
> + return res;
> + return -1;
> +}
> +
> const char *audit_syscall_to_name(int sc, int machine)
> {
> #ifndef NO_TABLES
> @@ -172,6 +184,14 @@ const char *audit_syscall_to_name(int sc, int machine)
> return NULL;
> }
>
> +const char *audit_uringop_to_name(int uringop)
> +{
> +#ifndef NO_TABLES
> + //return uringop_i2s(uringop);
> +#endif
> + return NULL;
> +}
> +
> int audit_name_to_flag(const char *flag)
> {
> int res;
> diff --git a/lib/private.h b/lib/private.h
> index c3a7364fcfb8..b0d3fa4109c5 100644
> --- a/lib/private.h
> +++ b/lib/private.h
> @@ -135,6 +135,7 @@ AUDIT_HIDDEN_END
> extern int _audit_permadded;
> extern int _audit_archadded;
> extern int _audit_syscalladded;
> +extern int _audit_uringopadded;
> extern int _audit_exeadded;
> extern int _audit_filterfsadded;
> extern unsigned int _audit_elf;
> diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
> index a5d6bc2b046f..3d80906ffd24 100644
> --- a/src/auditctl-listing.c
> +++ b/src/auditctl-listing.c
> @@ -137,15 +137,22 @@ static int print_syscall(const struct audit_rule_data
> *r, unsigned int *sc) int all = 1;
> unsigned int i;
> int machine = audit_detect_machine();
> -
> - /* Rules on the following filters do not take a syscall */
> - if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
> - ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
> - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
> - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_FS))
> + int uring = 0;
> +
> + /* Rules on the following filters do not take a syscall (or uringop)
*/
> + switch (r->flags & AUDIT_FILTER_MASK) {
> + case AUDIT_FILTER_USER:
> + case AUDIT_FILTER_TASK:
> + case AUDIT_FILTER_EXCLUDE:
> + case AUDIT_FILTER_FS:
> return 0;
> + break;
> + case AUDIT_FILTER_URING_EXIT:
> + uring = 1;
> + break;
> + }
>
> - /* See if its all or specific syscalls */
> + /* See if its all or specific syscalls/uringops */
> for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
> if (r->mask[i] != (uint32_t)~0) {
> all = 0;
> @@ -154,21 +161,32 @@ static int print_syscall(const struct audit_rule_data
> *r, unsigned int *sc) }
>
> if (all) {
> - printf(" -S all");
> + if (uring)
> + printf(" -U all");
> + else
> + printf(" -S all");
> count = i;
> } else for (i = 0; i < AUDIT_BITMASK_SIZE * 32; i++) {
> int word = AUDIT_WORD(i);
> int bit = AUDIT_BIT(i);
> if (r->mask[word] & bit) {
> const char *ptr;
> - if (_audit_elf)
> - machine = audit_elf_to_machine(_audit_elf);
> - if (machine < 0)
> - ptr = NULL;
> - else
> - ptr = audit_syscall_to_name(i, machine);
> +
> + if (uring)
> + ptr = audit_uringop_to_name(i);
> + else {
> + if (_audit_elf)
> + machine =
audit_elf_to_machine(_audit_elf);
> + if (machine < 0)
> + ptr = NULL;
> + else
> + ptr = audit_syscall_to_name(i, machine);
> + }
> if (!count)
> - printf(" -S ");
> + if (uring)
> + printf(" -U ");
> + else
> + printf(" -S ");
> if (ptr)
> printf("%s%s", !count ? "" : ",", ptr);
> else
> @@ -297,7 +315,7 @@ static void print_rule(const struct audit_rule_data *r)
> int mach = -1, watch = is_watch(r);
> unsigned long long a0 = 0, a1 = 0;
>
> - if (!watch) { /* This is syscall auditing */
> + if (!watch) { /* This is syscall or uring auditing */
> printf("-a %s,%s",
> audit_action_to_name((int)r->action),
> audit_flag_to_name(r->flags));
> @@ -310,7 +328,7 @@ static void print_rule(const struct audit_rule_data *r)
> mach = print_arch(r->values[i], op);
> }
> }
> - // And last do the syscalls
> + // And last do the syscalls/uringops
> count = print_syscall(r, &sc);
> }
>
> diff --git a/src/auditctl.c b/src/auditctl.c
> index f9bfc2a247d2..74df4f17f887 100644
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -76,6 +76,7 @@ static int reset_vars(void)
> {
> list_requested = 0;
> _audit_syscalladded = 0;
> + _audit_uringopadded = 0;
> _audit_permadded = 0;
> _audit_archadded = 0;
> _audit_exeadded = 0;
> @@ -110,7 +111,7 @@ static void usage(void)
> " -C f=f Compare collected fields if
> available:\n" " Field name,
> operator(=,!=), field name\n" " -d <l,a>
> Delete rule from <l>ist with <a>ction\n" - "
> l=task,exit,user,exclude,filesystem\n" + "
> l=task,exit,user,exclude,filesystem,uring\n" "
> a=never,always\n"
> " -D Delete all rules and
> watches\n" " -e [0..2] Set enabled flag\n"
> @@ -132,6 +133,7 @@ static void usage(void)
> " -S syscall Build rule: syscall name or
> number\n" " --signal <signal> Send the specified signal
> to the daemon\n" " -t Trim directory
> watches\n" + " -U uringop Build rule: uring
> op name or number\n" " -v Version\n"
> " -w <path> Insert watch at <path>\n"
> " -W <path> Remove watch at <path>\n"
> @@ -164,6 +166,8 @@ static int lookup_filter(const char *str, int *filter)
> exclude = 1;
> } else if (strcmp(str, "filesystem") == 0)
> *filter = AUDIT_FILTER_FS;
> + else if (strcmp(str, "uring") == 0)
> + *filter = AUDIT_FILTER_URING_EXIT;
> else
> return 2;
> return 0;
> @@ -541,6 +545,36 @@ static int parse_syscall(const char *optarg)
> return audit_rule_syscallbyname_data(rule_new, optarg);
> }
>
> +static int parse_uringop(const char *optarg)
> +{
> + int retval = 0;
> + char *saved;
> +
> + if (strchr(optarg, ',')) {
> + char *ptr, *tmp = strdup(optarg);
> + if (tmp == NULL)
> + return -1;
> + ptr = strtok_r(tmp, ",", &saved);
> + while (ptr) {
> + retval = audit_rule_uringopbyname_data(rule_new, ptr);
> + if (retval != 0) {
> + if (retval == -1) {
> + audit_msg(LOG_ERR,
> + "Uring op name unknown: %s",
> + ptr);
> + retval = -3; // error reported
> + }
> + break;
> + }
> + ptr = strtok_r(NULL, ",", &saved);
> + }
> + free(tmp);
> + return retval;
> + }
> +
> + return audit_rule_uringopbyname_data(rule_new, optarg);
> +}
> +
> static struct option long_opts[] =
> {
> #if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
> @@ -576,7 +610,7 @@ static int setopt(int count, int lineno, char *vars[])
> keylen = AUDIT_MAX_KEY_LEN;
>
> while ((retval >= 0) && (c = getopt_long(count, vars,
> - "hicslDvtC:e:f:r:b:a:A:d:S:F:m:R:w:W:k:p:q:",
> + "hicslDvtC:e:f:r:b:a:A:d:S:U:F:m:R:w:W:k:p:q:",
> long_opts, &lidx)) != EOF) {
> int flags = AUDIT_FILTER_UNSET;
> rc = 10; // Init to something impossible to see if unused.
> @@ -715,9 +749,10 @@ static int setopt(int count, int lineno, char *vars[])
> retval = -1;
> break;
> case 'a':
> - if (strstr(optarg, "task") && _audit_syscalladded) {
> + if (strstr(optarg, "task") && (_audit_syscalladded ||
> + _audit_uringopadded)) {
> audit_msg(LOG_ERR,
> - "Syscall auditing requested for task list");
> + "Syscall or uring op auditing requested for task
list");
> retval = -1;
> } else {
> rc = audit_rule_setup(optarg, &add, &action);
> @@ -739,9 +774,10 @@ static int setopt(int count, int lineno, char *vars[])
> }
> break;
> case 'A':
> - if (strstr(optarg, "task") && _audit_syscalladded) {
> - audit_msg(LOG_ERR,
> - "Error: syscall auditing requested for task list");
> + if (strstr(optarg, "task") && (_audit_syscalladded ||
> + _audit_uringopadded)) {
> + audit_msg(LOG_ERR,
> + "Syscall or uring op auditing requested for task
list");
> retval = -1;
> } else {
> rc = audit_rule_setup(optarg, &add, &action);
> @@ -809,6 +845,10 @@ static int setopt(int count, int lineno, char *vars[])
> audit_msg(LOG_ERR,
> "Error: syscall auditing cannot be put on exclude list");
> return -1;
> + } else if (((add | del) & AUDIT_FILTER_MASK) ==
AUDIT_FILTER_URING_EXIT)
> { + audit_msg(LOG_ERR,
> + "Error: syscall auditing cannot be put on uringop list");
> + return -1;
> } else {
> if (unknown_arch) {
> int machine;
> @@ -853,14 +893,63 @@ static int setopt(int count, int lineno, char
> *vars[]) break;
> }}
> break;
> + case 'U':
> + /* Do some checking to make sure that we are not adding a
> + * uring op rule to a list that does not make sense. */
> + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_TASK || (del &
> + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_TASK)) {
> + audit_msg(LOG_ERR,
> + "Error: uring op auditing being added to task list");
> + return -1;
> + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_USER || (del &
> + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_USER)) {
> + audit_msg(LOG_ERR,
> + "Error: uring op auditing being added to user list");
> + return -1;
> + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_FS || (del &
> + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_FS)) {
> + audit_msg(LOG_ERR,
> + "Error: uring op auditing being added to filesystem
list");
> + return -1;
> + } else if (exclude) {
> + audit_msg(LOG_ERR,
> + "Error: uring op auditing cannot be put on exclude list");
> + return -1;
> + } else if (((add | del) & AUDIT_FILTER_MASK) ==
AUDIT_FILTER_EXIT) {
> + audit_msg(LOG_ERR,
> + "Error: uringop auditing cannot be put on syscall list");
> + return -1;
> + }
> + rc = parse_uringop(optarg);
> + switch (rc)
> + {
> + case 0:
> + _audit_uringopadded = 1;
> + break;
> + case -1:
> + audit_msg(LOG_ERR, "Uring op name unknown: %s",
> + optarg);
> + retval = -1;
> + break;
> + case -3: // Error reported - do nothing here
> + retval = -1;
> + break;
> + }
> + break;
> case 'F':
> if (add != AUDIT_FILTER_UNSET)
> flags = add & AUDIT_FILTER_MASK;
> else if (del != AUDIT_FILTER_UNSET)
> flags = del & AUDIT_FILTER_MASK;
> - // if the field is arch & there is a -t option...we
> + // if the field is arch & there is a -t option...we
> // can allow it
> - else if ((optind >= count) || (strstr(optarg, "arch=") ==
NULL)
> + else if ((optind >= count) || (strstr(optarg, "arch=") == NULL
&&
> _audit_uringopadded != 1)
> || (strcmp(vars[optind], "-t") != 0)) {
>
> audit_msg(LOG_ERR, "List must be given before field");
> retval = -1;
> @@ -989,12 +1078,12 @@ static int setopt(int count, int lineno, char
> *vars[]) }
> break;
> case 'k':
> - if (!(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded ||
> + if (!(_audit_syscalladded || _audit_uringopadded ||
> + _audit_permadded || _audit_exeadded ||
> _audit_filterfsadded) ||
> (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> audit_msg(LOG_ERR,
> - "key option needs a watch or syscall given prior to it");
> + "key option needs a watch, syscall or uring op given prior
to it");
> retval = -1;
> break;
> } else if (!optarg) {
> @@ -1031,7 +1120,7 @@ process_keys:
> retval = audit_setup_perms(rule_new, optarg);
> break;
> case 'q':
> - if (_audit_syscalladded) {
> + if (_audit_syscalladded || _audit_uringopadded) {
> audit_msg(LOG_ERR,
> "Syscall auditing requested for make equivalent");
> retval = -1;
> @@ -1466,7 +1555,7 @@ int main(int argc, char *argv[])
> static int handle_request(int status)
> {
> if (status == 0) {
> - if (_audit_syscalladded) {
> + if (_audit_syscalladded || _audit_uringopadded) {
> audit_msg(LOG_ERR, "Error - no list specified");
> return -1;
> }
> @@ -1478,7 +1567,7 @@ static int handle_request(int status)
> if (add != AUDIT_FILTER_UNSET) {
> // if !task add syscall any if not specified
> if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK &&
> - _audit_syscalladded != 1) {
> + (_audit_syscalladded != 1 &&
_audit_uringopadded != 1)) {
> audit_rule_syscallbyname_data(
> rule_new, "all");
> }
> @@ -1502,7 +1591,7 @@ static int handle_request(int status)
> }
> else if (del != AUDIT_FILTER_UNSET) {
> if ((del & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK &&
> - _audit_syscalladded != 1) {
> + (_audit_syscalladded != 1 &&
_audit_uringopadded != 1)) {
> audit_rule_syscallbyname_data(
> rule_new, "all");
> }
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2021-10-29 18:39 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-28 19:59 [PATCH v3 0/7] Add uringop support Richard Guy Briggs
2021-10-28 19:59 ` Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 1/7] add basic support for the AUDIT_URINGOP record type Richard Guy Briggs
2021-10-28 19:59 ` Richard Guy Briggs
2021-10-28 21:19 ` Steve Grubb
2021-10-28 21:19 ` Steve Grubb
2021-10-28 19:59 ` [PATCH v3 2/7] add support for the uring filter list Richard Guy Briggs
2021-10-28 19:59 ` Richard Guy Briggs
2021-10-29 18:39 ` Steve Grubb [this message]
2021-10-29 18:39 ` Steve Grubb
2021-11-01 15:05 ` Richard Guy Briggs
2021-11-01 15:05 ` Richard Guy Briggs
2021-11-01 15:58 ` Steve Grubb
2021-11-01 15:58 ` Steve Grubb
2021-11-02 16:32 ` Richard Guy Briggs
2021-11-02 16:32 ` Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 3/7] add support for uringop names Richard Guy Briggs
2021-10-28 19:59 ` Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 4/7] add field support for the AUDIT_URINGOP record type Richard Guy Briggs
2021-10-28 19:59 ` Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 5/7] add ausearch --uringop option Richard Guy Briggs
2021-10-28 19:59 ` Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 6/7] add aureport " Richard Guy Briggs
2021-10-28 19:59 ` Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 7/7] add iouring support to the normalizer Richard Guy Briggs
2021-10-28 19:59 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2523658.Lt9SDvczpP@x2 \
--to=sgrubb@redhat.com \
--cc=io-uring@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.