On Monday, October 4, 2021 9:27:33 AM EDT Paul Moore wrote: > On Mon, Oct 4, 2021 at 8:40 AM Richard Guy Briggs <[email protected]> wrote: > > On 2021-10-03 19:21, Paul Moore wrote: > > > On Sat, Oct 2, 2021 at 9:16 AM Steve Grubb <[email protected]> wrote: > > > > On Thursday, September 9, 2021 8:58:58 PM EDT Richard Guy Briggs wrote: > > > > > > I spent some time this morning/afternoon playing with the > > > > > > io_uring > > > > > > audit filtering capability and with your audit userspace > > > > > > ghau-iouring-filtering.v1.0 branch it appears to work correctly. > > > > > > Yes, > > > > > > the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` > > > > > > doesn't > > > > > > map the io_uring ops correctly), but I know you mentioned you > > > > > > have a > > > > > > number of fixes/improvements still as a work-in-progress there so > > > > > > I'm > > > > > > not too concerned. The important part is that the kernel pieces > > > > > > look > > > > > > to be working correctly. > > > > > > > > > > Ok, I have squashed and pushed the audit userspace support for > > > > > iouring: > > > > > > > > > > https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa7 > > > > > 58024cb > > > > > 9b8fa93895ae35eea > > > > > https://github.com/linux-audit/audit-userspace/compare/master...rgb > > > > > riggs:g > > > > > > > > > > hak-iouring-filtering.v2.1 There are test rpms for f35 here: > > > > > http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-> > > > > > > > > > fc35/ > > > > > > > > > > userspace v2 changelog: > > > > > - check for watch before adding perm > > > > > - update manpage to include filesystem filter > > > > > - update support for the uring filter list: doc, -U op, op names > > > > > - add support for the AUDIT_URINGOP record type > > > > > - add uringop support to ausearch > > > > > - add uringop support to aureport > > > > > - lots of bug fixes > > > > > > > > > > "auditctl -a uring,always -S ..." will now throw an error and > > > > > require "-U" instead. > > > > > > > > OK, now that the bug fix release is out of the way, let's start > > > > merging this into user space. I think we should start with the code > > > > that let's auditd write the record correctly and then the auditctl > > > > piece that inserts the rule into the kernel. Those should be easy to > > > > merge. > > > > > > > > I see one section of code that mirrors all of the operations in > > > > ioring.h. I thought that Paul only wanted to audit some of the > > > > operations and not all of them. Did that change? Are we really going > > > > to allow auditing reads on ioring?> > > > > Only certain io_uring operations are audited, you can see the patch > > > here in the selinux/next tree (look for the io_op_defs struct changes > > > and the "audit_skip" field): > > > > > > https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/com > > > mit/?h=next&id=5bd2182d58e9d9c6279b7a8a2f9b41add0e7f9cb> > > I understood that was the default, but that it could be changed by > > userspace configuration? Now that I say this, I realize there is no API > > to do so, but that could be added without breaking anything. > > The approach implemented in the patch currently living in selinux/next > was a carefully arranged compromise with the io_uring devs (see all of > the on-list discussions); it is unlikely to change.
Right. That's what I remember. So, I think that we should comment out the items in the ioring lookup table that are not auditable so that we can provide a meaningful warning to users of auditctl. -Steve -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
