From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: fsdevel <linux-fsdevel@vger.kernel.org>,
Linux Audit <linux-audit@redhat.com>, Jan Kara <jack@suse.cz>,
Paul Moore <pmoore@redhat.com>
Subject: Re: [PATCH 1/1] audit: Record fanotify access control decisions
Date: Wed, 06 Sep 2017 10:20:23 -0400 [thread overview]
Message-ID: <4026060.qc8vSC1Gny@x2> (raw)
In-Reply-To: <20170906032449.GG29957@madcap2.tricolour.ca>
On Tuesday, September 5, 2017 11:24:49 PM EDT Richard Guy Briggs wrote:
> On 2017-09-05 14:32, Steve Grubb wrote:
> > The fanotify interface allows user space daemons to make access
> >
> > control decisions. Under common criteria requirements, we need to
> > optionally record decisions based on policy. This patch adds a bit mask,
> > FAN_AUDIT, that a user space daemon can 'or' into the response decision
> > which will tell the kernel that it made a decision and record it.
> >
> > It would be used something like this in user space code:
> > response.response = FAN_DENY | FAN_AUDIT;
> > write(fd, &response, sizeof(struct fanotify_response));
> >
> > When the syscall ends, the audit system will record the decision as a
> > AUDIT_FANOTIFY auxiliary record to denote that the reason this event
> > occurred is the result of an access control decision from fanotify
> > rather than DAC or MAC policy.
> >
> > A sample event looks like this:
> >
> > type=PATH msg=audit(1504310584.332:290): item=0 name="./evil-ls"
> > inode=1319561 dev=fc:03 mode=0100755 ouid=1000 ogid=1000 rdev=00:00
> > obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL
> > type=CWD msg=audit(1504310584.332:290): cwd="/home/sgrubb"
> > type=SYSCALL msg=audit(1504310584.332:290): arch=c000003e syscall=2
> > success=no exit=-1 a0=32cb3fca90 a1=0 a2=43 a3=8 items=1 ppid=901
> > pid=959 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="bash"
> > exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:
> > s0-s0:c0.c1023 key=(null)
> > type=FANOTIFY msg=audit(1504310584.332:290): resp=2
> >
> > Signed-off-by: sgrubb <sgrubb@redhat.com>
>
> In the AUDIT_FANOTIFY record, there is a new field "resp". Should this
> not conform to the existing field types "res" or "result"?
The values used by fanotify are either 1 & 2 rather than 0 & 1. So, it would
need record specific translation. It's easier to just pick a new field name
and key off of that.
-Steve
> Other than that,
> Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
>
> > ---
> >
> > fs/notify/fanotify/fanotify.c | 8 +++++++-
> > fs/notify/fanotify/fanotify_user.c | 2 +-
> > include/linux/audit.h | 7 +++++++
> > include/uapi/linux/audit.h | 1 +
> > include/uapi/linux/fanotify.h | 2 ++
> > kernel/auditsc.c | 6 ++++++
> > 6 files changed, 24 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
> > index 2fa99ae..1968d21 100644
> > --- a/fs/notify/fanotify/fanotify.c
> > +++ b/fs/notify/fanotify/fanotify.c
> > @@ -9,6 +9,7 @@
> >
> > #include <linux/sched/user.h>
> > #include <linux/types.h>
> > #include <linux/wait.h>
> >
> > +#include <linux/audit.h>
> >
> > #include "fanotify.h"
> >
> > @@ -78,7 +79,7 @@ static int fanotify_get_response(struct fsnotify_group
> > *group,>
> > fsnotify_finish_user_wait(iter_info);
> >
> > out:
> > /* userspace responded, convert to something usable */
> >
> > - switch (event->response) {
> > + switch (event->response & ~FAN_AUDIT) {
> >
> > case FAN_ALLOW:
> > ret = 0;
> > break;
> >
> > @@ -86,6 +87,11 @@ static int fanotify_get_response(struct fsnotify_group
> > *group,>
> > default:
> > ret = -EPERM;
> >
> > }
> >
> > +
> > + /* Check if the response should be audited */
> > + if (event->response & FAN_AUDIT)
> > + audit_fanotify(event->response & ~FAN_AUDIT);
> > +
> >
> > event->response = 0;
> >
> > pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__,
> >
> > diff --git a/fs/notify/fanotify/fanotify_user.c
> > b/fs/notify/fanotify/fanotify_user.c index 907a481..b983b5c 100644
> > --- a/fs/notify/fanotify/fanotify_user.c
> > +++ b/fs/notify/fanotify/fanotify_user.c
> > @@ -179,7 +179,7 @@ static int process_access_response(struct
> > fsnotify_group *group,>
> > * userspace can send a valid response or we will clean it up after the
> > * timeout
> > */
> >
> > - switch (response) {
> > + switch (response & ~FAN_AUDIT) {
> >
> > case FAN_ALLOW:
> >
> > case FAN_DENY:
> > break;
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 2150bdc..bf55732 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm
> > *bprm,>
> > extern void __audit_log_capset(const struct cred *new, const struct cred
> > *old); extern void __audit_mmap_fd(int fd, int flags);
> > extern void __audit_log_kern_module(char *name);
> >
> > +extern void __audit_fanotify(unsigned int response);
> >
> > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> > {
> >
> > @@ -456,6 +457,12 @@ static inline void audit_log_kern_module(char *name)
> >
> > __audit_log_kern_module(name);
> >
> > }
> >
> > +static inline void audit_fanotify(unsigned int response)
> > +{
> > + if (!audit_dummy_context())
> > + __audit_fanotify(response);
> > +}
> > +
> >
> > extern int audit_n_rules;
> > extern int audit_signals;
> > #else /* CONFIG_AUDITSYSCALL */
> >
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 0714a66..221f8b7 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -112,6 +112,7 @@
> >
> > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
> > #define AUDIT_REPLACE 1329 /* Replace auditd if this packet
unanswerd */
> > #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
> >
> > +#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
> >
> > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> >
> > diff --git a/include/uapi/linux/fanotify.h b/include/uapi/linux/fanotify.h
> > index 030508d..5681e44 100644
> > --- a/include/uapi/linux/fanotify.h
> > +++ b/include/uapi/linux/fanotify.h
> > @@ -99,6 +99,8 @@ struct fanotify_response {
> >
> > /* Legit userspace responses to a _PERM event */
> > #define FAN_ALLOW 0x01
> > #define FAN_DENY 0x02
> >
> > +#define FAN_AUDIT 0x80 /* Bit mask to create audit record for result */
> > +
> >
> > /* No fd set in event */
> > #define FAN_NOFD -1
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 3260ba2..1725f73 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2390,6 +2390,12 @@ void __audit_log_kern_module(char *name)
> >
> > context->type = AUDIT_KERN_MODULE;
> >
> > }
> >
> > +void __audit_fanotify(unsigned int response)
> > +{
> > + audit_log(current->audit_context, GFP_ATOMIC,
> > + AUDIT_FANOTIFY, "resp=%u", response);
> > +}
> > +
> >
> > static void audit_log_task(struct audit_buffer *ab)
> > {
> >
> > kuid_t auid, uid;
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
next prev parent reply other threads:[~2017-09-06 14:20 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-05 18:32 [PATCH 1/1] audit: Record fanotify access control decisions Steve Grubb
2017-09-05 19:28 ` Paul Moore
2017-09-06 3:24 ` Richard Guy Briggs
2017-09-06 14:20 ` Steve Grubb [this message]
2017-09-06 15:57 ` Richard Guy Briggs
2017-09-06 9:18 ` Jan Kara
[not found] ` <20170906091822.GB27916-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2017-09-06 11:11 ` Amir Goldstein
2017-09-06 11:11 ` Amir Goldstein
2017-09-06 14:48 ` Steve Grubb
2017-09-06 14:35 ` Steve Grubb
2017-09-06 14:35 ` Steve Grubb
2017-09-06 16:48 ` Jan Kara
[not found] ` <20170906164821.GA10018-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2017-09-06 17:34 ` Steve Grubb
2017-09-06 17:34 ` Steve Grubb
2017-09-07 10:18 ` Jan Kara
2017-09-07 15:47 ` Steve Grubb
2017-09-08 10:55 ` Jan Kara
2017-09-20 22:47 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4026060.qc8vSC1Gny@x2 \
--to=sgrubb@redhat.com \
--cc=jack@suse.cz \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.