On Sun, Aug 29, 2021 at 11:18 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> > I did set a syscall filter for
> >     -a exit,always -F arch=b64 -S io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
> > and that yielded some records with a couple of orphans that surprised me
> > a bit.
>
> Without looking too closely at the log you sent, you can expect URING
> records without an associated SYSCALL record when the uring op is
> being processed in the io-wq or sqpoll context. In the io-wq case the
> processing is happening after the thread finished the syscall but
> before the execution context returns to userspace and in the case of
> sqpoll the processing is handled by a separate kernel thread with no
> association to a process thread.

I spent some time this morning/afternoon playing with the io_uring
audit filtering capability and with your audit userspace
ghau-iouring-filtering.v1.0 branch it appears to work correctly. Yes,
the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
map the io_uring ops correctly), but I know you mentioned you have a
number of fixes/improvements still as a work-in-progress there so I'm
not too concerned. The important part is that the kernel pieces look
to be working correctly.

As usual, if you notice anything awry while playing with the userspace
changes please let me know.

--
paul moore
www.paul-moore.com