From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [62.89.141.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D68AD285C8C for ; Fri, 31 Oct 2025 08:01:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=62.89.141.173 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761897709; cv=none; b=DYkthTOmckVx5OyTNQMvyW+RBV76Wx3pjdadWuRiooQE6HxljrLXsvJ8M5rwIgQyNcQMjPxul4v+Li4CU0KTma2kgSRZG2lZY9asMPR+ZZOHJPb7StIy4LgdbtefAzibjSAecZuapbB4ADFglHibD1dhSP+fvBde+nTOhAhe/+E= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761897709; c=relaxed/simple; bh=IInPoNmws1rdwXIAe3FmjkR9o9o9vMLnVNh6++y47I0=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type: Content-Disposition; b=JBCQhrtAAir3wuPuApRvU4m5d7klQ+zS6o7WrBrpzXwv5vzhZ2GhbJvGrEHi+MmBR18hO+z4ftZ4WVMQPn0gT7/9JTD61cmG7j4ZCGuzJymy1YnCNuFp/ykoT/JbycW47LY50Ysl7wbAbBqQU4uV4fN/X3wdNqTWNXP0K1OYlF4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=zeniv.linux.org.uk; spf=none smtp.mailfrom=ftp.linux.org.uk; dkim=pass (2048-bit key) header.d=linux.org.uk header.i=@linux.org.uk header.b=Ns0KtGiD; arc=none smtp.client-ip=62.89.141.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=zeniv.linux.org.uk Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=ftp.linux.org.uk Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linux.org.uk header.i=@linux.org.uk header.b="Ns0KtGiD" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=linux.org.uk; s=zeniv-20220401; h=Sender:Content-Type:MIME-Version: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:In-Reply-To:References; bh=3DM/dnRi4Pb9aakgkXCg1k+a94BMm3RihQal5PYu6eM=; b=Ns0KtGiDeRdbgCeKoDqulTn0S5 ic+7rXLXomGIFVwL03C8eWx+JSomdWFexIjlqO0QaI3M1LG0FCQ00jMvM1PKl5WH0KA6loXbGIpfS q01WOYz1stbyVBv3SjttlUlAhw20gLND3IAHdO3aToVmfshrfc5NN+zXOvvnUTI3V5QO//LhRsFh9 4b13JbMcSRHrhh/kbh5J5r3WLjCj8O+3Kuh262mnmckWqvswTWbNC7Vfk+HVIpLtHqgx2ZFSNqa1w Ve4PWd9OKQuKEnfNlpNy/JAWtXO2QWLFCqt8PIJJRCNxTJAcnz6cEsgQ65L7Hs2o1JGKZ141oL4VY L3wT87xw==; Received: from viro by zeniv.linux.org.uk with local (Exim 4.98.2 #2 (Red Hat Linux)) id 1vEk4v-0000000Gr5p-0MBC; Fri, 31 Oct 2025 08:01:45 +0000 Date: Fri, 31 Oct 2025 08:01:45 +0000 From: Al Viro To: audit@kernel.org Cc: Linus Torvalds , linux-fsdevel@vger.kernel.org, Paul Moore Subject: [RFC] audit reporting (or not reporting) pathnames on early failures in syscalls Message-ID: <20251031080145.GA2441659@ZenIV> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: Al Viro [and now with the right list address - sorry] ----- Forwarded message from Al Viro ----- Date: Fri, 31 Oct 2025 07:58:56 +0000 From: Al Viro To: linux-audit@vger.kernel.org Cc: Linus Torvalds , linux-fsdevel@vger.kernel.org, Paul Moore Subject: [RFC] audit reporting (or not reporting) pathnames on early failures in syscalls FWIW, I've just noticed that a patch in the series I'd been reordering had the following chunk: @@ -1421,20 +1421,16 @@ static int do_sys_openat2(int dfd, const char __user *filename, struct open_how *how) { struct open_flags op; - struct filename *tmp; int err, fd; err = build_open_flags(how, &op); if (unlikely(err)) return err; - tmp = getname(filename); - if (IS_ERR(tmp)) - return PTR_ERR(tmp); - fd = get_unused_fd_flags(how->flags); if (likely(fd >= 0)) { - struct file *f = do_filp_open(dfd, tmp, &op); + struct filename *name __free(putname) = getname(filename); + struct file *f = do_filp_open(dfd, name, &op); if (IS_ERR(f)) { put_unused_fd(fd); fd = PTR_ERR(f); From the VFS or userland POV there's no problem - we would get a different error reported e.g. in case when *both* EMFILE and ENAMETOOLONG would be applicable, but that's perfectly fine. However, from the audit POV it changes behaviour. Consider behaviour of openat2(2). 1. we do sanity checks on the last ('usize') argument. If they fail, we are done. 2. we copy struct open_how from userland ('how' argument). If copyin fails, we are done. 3. we do sanity checks on how->flags, how->resolve and how->mode. If they fail, we are done. 4. we copy the pathname to be opened from userland ('filename' argument). If that fails, or if the pathname is either empty or too long, we are done. 5. we reserve an unused file descriptor. If that fails, we are done. 6. we allocate an empty struct file. If that fails, we are done. 7. we finally get around to the business - finding and opening the damn thing. Which also can fail, of course. We are expected to be able to produce a record of failing syscall. If we fail on step 4, well, the lack of pathname to come with the record is to be expected - we have failed to get it, after all. The same goes for failures on steps 1..3 - we hadn't gotten around to looking at the pathname yet, so there's no pathname to report. What (if anything) makes "insane how->flags" different from "we have too many descriptors opened already"? The contents of the pathname is equally irrelevant in both cases. Yet in the latter case (failure at step 5) the pathname would get reported. Do we need to preserve that behaviour? Because the patch quoted above would change it. It puts the failure to allocate a descriptor into the same situation as failures on steps 1..3. As far as I can see, there are three possible approaches: 1) if the current kernel imports the pathname before some check, that shall always remain that way, no matter what. Audit might be happy, but nobody else would - we'll need to document that constraint and watch out for such regressions. And I'm pretty sure that over the years there had been other such changes that went into mainline unnoticed. 2) reordering is acceptable. Of course, the pathname import must happen before we start using it, but that's the only real constraint. That would mean the least headache for everyone other than audit folks. 3) import the pathnames as early as possible. It would mean a non-trivial amount of churn, but it's at least a definite policy - validity of change depends only on the resulting code, not the comparison with the earlier state, as it would in case (1). From QoI POV it's as nice as audit folks could possibly ask, but it would cause quite a bit of churn to get there. Not impossible to do, but I would rather not go there without a need. Said that, struct filename handling is mostly a decent match to CLASS() machinery, and all required churn wouldn't be hard to fold into conversion to that. My preference would be (2), obviously. However, it really depends upon the kind of requirements audit users have. Note that currently the position of pathname import in the sequence is not documented anywhere, so there's not much audit users can rely upon other than "the current behaviour is such-and-such, let's hope it doesn't change"... ;-/ Comments? ----- End forwarded message -----