From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>,
linux-audit@redhat.com, CGEL <cgel.zte@gmail.com>
Cc: kbuild-all@lists.01.org, Zeal Robot <zealci@zte.com.cn>,
linux-kernel@vger.kernel.org, eparis@redhat.com,
dai.shixin@zte.com.cn, Yang Yang <yang.yang29@zte.com.cn>,
linux-audit@redhat.com, ink@jurassic.park.msu.ru,
huang.junhua@zte.com.cn, guo.xiaofeng@zte.com.cn,
mattst88@gmail.com
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid
Date: Fri, 01 Apr 2022 09:39:38 -0400 [thread overview]
Message-ID: <2777189.mvXUDI8C0e@x2> (raw)
In-Reply-To: <62465bf3.1c69fb81.d5424.365e@mx.google.com>
On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > syscalls, I would consider that a bug which should be fixed.
> > >
> > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > be forcible or be a rule that can be configure? I think configure is
> > > better.
> >
> > It isn't clear to me exactly what you are asking, but I would expect
> > the existing audit syscall filtering mechanism to work regardless if
> > the syscall is valid or not.
>
> Thanks, I try to make it more clear. We found that auditctl would only
> set rule with syscall number (>=0 && <2047). So if userspace using
> syscall whose number is (<0 || >=2047), there seems no meaning for
> kernel audit to handle it, since this kind of syscall will never hit
> any audit rule(this rule could not be set by auditctl).
This limit is imposed by:
/usr/include/linux/audit.h
struct audit_rule_data {
...
__u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
Where #define AUDIT_BITMASK_SIZE 64
So, 64 * 32 = 2048
-Steve
> By the way it's a little strange for auditctl(using libaudit.c) to limit
> syscall number (>=0 && <2047)(see audit_rule_syscall_data()), especially
> we know NR_syscalls is the real limit in kernel, you can see how other
> kernel code to the similar thing in ftrace_syscall_enter():
>
> static void ftrace_syscall_enter(void *data, struct pt_regs
> *regs, long id)
> {
> ...
> syscall_nr = trace_get_syscall_nr(current, regs);
> if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
> return;
> ...
> }
>
> Thanks.
>
> > Beware that there are some limitations
> > to the audit syscall filter, which are unfortunately baked into the
> > current design/implementation, which may affect this to some extent.
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
WARNING: multiple messages have this Message-ID (diff)
From: Steve Grubb <sgrubb@redhat.com>
To: kbuild-all@lists.01.org
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid
Date: Fri, 01 Apr 2022 09:39:38 -0400 [thread overview]
Message-ID: <2777189.mvXUDI8C0e@x2> (raw)
In-Reply-To: <62465bf3.1c69fb81.d5424.365e@mx.google.com>
[-- Attachment #1: Type: text/plain, Size: 2232 bytes --]
On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > syscalls, I would consider that a bug which should be fixed.
> > >
> > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > be forcible or be a rule that can be configure? I think configure is
> > > better.
> >
> > It isn't clear to me exactly what you are asking, but I would expect
> > the existing audit syscall filtering mechanism to work regardless if
> > the syscall is valid or not.
>
> Thanks, I try to make it more clear. We found that auditctl would only
> set rule with syscall number (>=0 && <2047). So if userspace using
> syscall whose number is (<0 || >=2047), there seems no meaning for
> kernel audit to handle it, since this kind of syscall will never hit
> any audit rule(this rule could not be set by auditctl).
This limit is imposed by:
/usr/include/linux/audit.h
struct audit_rule_data {
...
__u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
Where #define AUDIT_BITMASK_SIZE 64
So, 64 * 32 = 2048
-Steve
> By the way it's a little strange for auditctl(using libaudit.c) to limit
> syscall number (>=0 && <2047)(see audit_rule_syscall_data()), especially
> we know NR_syscalls is the real limit in kernel, you can see how other
> kernel code to the similar thing in ftrace_syscall_enter():
>
> static void ftrace_syscall_enter(void *data, struct pt_regs
> *regs, long id)
> {
> ...
> syscall_nr = trace_get_syscall_nr(current, regs);
> if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
> return;
> ...
> }
>
> Thanks.
>
> > Beware that there are some limitations
> > to the audit syscall filter, which are unfortunately baked into the
> > current design/implementation, which may affect this to some extent.
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
WARNING: multiple messages have this Message-ID (diff)
From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>,
linux-audit@redhat.com, CGEL <cgel.zte@gmail.com>
Cc: kbuild-all@lists.01.org, Zeal Robot <zealci@zte.com.cn>,
linux-kernel@vger.kernel.org, eparis@redhat.com,
dai.shixin@zte.com.cn, Yang Yang <yang.yang29@zte.com.cn>,
linux-audit@redhat.com, ink@jurassic.park.msu.ru,
huang.junhua@zte.com.cn, guo.xiaofeng@zte.com.cn,
mattst88@gmail.com
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid
Date: Fri, 01 Apr 2022 09:39:38 -0400 [thread overview]
Message-ID: <2777189.mvXUDI8C0e@x2> (raw)
In-Reply-To: <62465bf3.1c69fb81.d5424.365e@mx.google.com>
On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > syscalls, I would consider that a bug which should be fixed.
> > >
> > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > be forcible or be a rule that can be configure? I think configure is
> > > better.
> >
> > It isn't clear to me exactly what you are asking, but I would expect
> > the existing audit syscall filtering mechanism to work regardless if
> > the syscall is valid or not.
>
> Thanks, I try to make it more clear. We found that auditctl would only
> set rule with syscall number (>=0 && <2047). So if userspace using
> syscall whose number is (<0 || >=2047), there seems no meaning for
> kernel audit to handle it, since this kind of syscall will never hit
> any audit rule(this rule could not be set by auditctl).
This limit is imposed by:
/usr/include/linux/audit.h
struct audit_rule_data {
...
__u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
Where #define AUDIT_BITMASK_SIZE 64
So, 64 * 32 = 2048
-Steve
> By the way it's a little strange for auditctl(using libaudit.c) to limit
> syscall number (>=0 && <2047)(see audit_rule_syscall_data()), especially
> we know NR_syscalls is the real limit in kernel, you can see how other
> kernel code to the similar thing in ftrace_syscall_enter():
>
> static void ftrace_syscall_enter(void *data, struct pt_regs
> *regs, long id)
> {
> ...
> syscall_nr = trace_get_syscall_nr(current, regs);
> if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
> return;
> ...
> }
>
> Thanks.
>
> > Beware that there are some limitations
> > to the audit syscall filter, which are unfortunately baked into the
> > current design/implementation, which may affect this to some extent.
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2022-04-01 13:39 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-26 9:46 [PATCH] audit: do a quick exit when syscall number is invalid cgel.zte
2022-03-26 9:46 ` cgel.zte
2022-03-26 20:55 ` kernel test robot
2022-03-26 20:55 ` kernel test robot
2022-03-29 1:48 ` CGEL
2022-03-29 1:48 ` CGEL
2022-03-29 1:48 ` CGEL
2022-03-29 2:19 ` Enzo Matsumiya
2022-03-29 2:19 ` Enzo Matsumiya
2022-03-29 2:19 ` Enzo Matsumiya
2022-03-29 3:06 ` Paul Moore
2022-03-29 3:06 ` Paul Moore
2022-03-29 3:06 ` Paul Moore
2022-03-29 3:22 ` CGEL
2022-03-29 3:22 ` CGEL
2022-03-29 3:22 ` CGEL
2022-03-29 13:11 ` Paul Moore
2022-03-29 13:11 ` Paul Moore
2022-03-29 13:11 ` Paul Moore
2022-03-30 5:59 ` CGEL
2022-03-30 5:59 ` CGEL
2022-03-30 5:59 ` CGEL
2022-03-30 14:48 ` Paul Moore
2022-03-30 14:48 ` Paul Moore
2022-03-30 14:48 ` Paul Moore
2022-03-31 2:29 ` CGEL
2022-03-31 2:29 ` CGEL
2022-03-31 2:29 ` CGEL
2022-03-31 14:16 ` Paul Moore
2022-03-31 14:16 ` Paul Moore
2022-03-31 14:16 ` Paul Moore
2022-04-01 1:57 ` CGEL
2022-04-01 1:57 ` CGEL
2022-04-01 1:57 ` CGEL
2022-04-01 13:39 ` Steve Grubb [this message]
2022-04-01 13:39 ` Steve Grubb
2022-04-01 13:39 ` Steve Grubb
2022-04-01 14:16 ` Paul Moore
2022-04-01 14:16 ` Paul Moore
2022-04-01 14:16 ` Paul Moore
2022-04-02 8:06 ` CGEL
2022-04-02 8:06 ` CGEL
2022-04-02 8:06 ` CGEL
2022-04-02 15:07 ` Paul Moore
2022-04-02 15:07 ` Paul Moore
2022-04-02 15:07 ` Paul Moore
2022-04-04 15:58 ` Richard Guy Briggs
2022-04-04 15:58 ` Richard Guy Briggs
2022-04-04 15:58 ` Richard Guy Briggs
2022-04-06 1:19 ` CGEL
2022-04-06 1:19 ` CGEL
2022-04-06 1:19 ` CGEL
2022-04-06 16:49 ` Richard Guy Briggs
2022-04-06 16:49 ` Richard Guy Briggs
2022-04-06 16:49 ` Richard Guy Briggs
2022-04-07 2:36 ` CGEL
2022-04-07 2:36 ` CGEL
2022-04-07 2:36 ` CGEL
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2777189.mvXUDI8C0e@x2 \
--to=sgrubb@redhat.com \
--cc=cgel.zte@gmail.com \
--cc=dai.shixin@zte.com.cn \
--cc=eparis@redhat.com \
--cc=guo.xiaofeng@zte.com.cn \
--cc=huang.junhua@zte.com.cn \
--cc=ink@jurassic.park.msu.ru \
--cc=kbuild-all@lists.01.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mattst88@gmail.com \
--cc=paul@paul-moore.com \
--cc=yang.yang29@zte.com.cn \
--cc=zealci@zte.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.