On 2021-09-01 15:21, Paul Moore wrote:
> On Sun, Aug 29, 2021 at 11:18 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> > > I did set a syscall filter for
> > > -a exit,always -F arch=b64 -S io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
> > > and that yielded some records with a couple of orphans that surprised me
> > > a bit.
> >
> > Without looking too closely at the log you sent, you can expect URING
> > records without an associated SYSCALL record when the uring op is
> > being processed in the io-wq or sqpoll context. In the io-wq case the
> > processing is happening after the thread finished the syscall but
> > before the execution context returns to userspace and in the case of
> > sqpoll the processing is handled by a separate kernel thread with no
> > association to a process thread.
>
> I spent some time this morning/afternoon playing with the io_uring
> audit filtering capability and with your audit userspace
> ghau-iouring-filtering.v1.0 branch it appears to work correctly. Yes,
> the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
> map the io_uring ops correctly), but I know you mentioned you have a
> number of fixes/improvements still as a work-in-progress there so I'm
> not too concerned. The important part is that the kernel pieces look
> to be working correctly.
Ok, I have squashed and pushed the audit userspace support for iouring:
https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa758024cb9b8fa93895ae35eea
https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghak-iouring-filtering.v2.1

There are test rpms for f35 here:
http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-fc35/

userspace v2 changelog:
- check for watch before adding perm
- update manpage to include filesystem filter
- update support for the uring filter list: doc, -U op, op names
- add support for the AUDIT_URINGOP record type
- add uringop support to ausearch
- add uringop support to aureport
- lots of bug fixes

"auditctl -a uring,always -S ..." will now throw an error and require "-U" instead.

> As usual, if you notice anything awry while playing with the userspace
> changes please let me know.

Same for userspace... I think I already see one mapping uring op names in ausearch...

> paul moore

- RGB

--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
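Added example, not code from this thread or from the audit-userspace project: a small Python pass over raw audit records (ausearch --raw style) that groups records by event serial and reports URINGOP events that carry no SYSCALL record, which is the io-wq/sqpoll case Paul describes above. The sample log lines, the simplified URINGOP field set and the pid/comm values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in ausearch --raw style; not a real capture, and the
# URINGOP field set is simplified. Event 101 has the io_uring_enter (426 on
# x86_64) SYSCALL record next to its URINGOP record; event 102 is a URINGOP
# with no SYSCALL record (io-wq or sqpoll completion); event 103 is an
# unrelated openat (257) that matches no uring rule.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1630512345.123:101): arch=c000003e syscall=426 success=yes exit=1 pid=4242 comm="uringtest" key="iouringsyscall"
type=URINGOP msg=audit(1630512345.123:101): uring_op=22 success=yes exit=0 pid=4242 comm="uringtest"
type=URINGOP msg=audit(1630512345.124:102): uring_op=22 success=yes exit=0 pid=4242 comm="uringtest"
type=SYSCALL msg=audit(1630512345.125:103): arch=c000003e syscall=257 success=yes exit=3 pid=4242 comm="uringtest"
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group raw audit records by event serial: {serial: [(type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip blank or non-audit lines
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[int(serial)].append((rtype, fields))
    return dict(events)

def find_orphan_uring_events(events):
    """Serials whose event has URINGOP records but no SYSCALL record."""
    orphans = []
    for serial in sorted(events):
        types = {rtype for rtype, _ in events[serial]}
        if 'URINGOP' in types and 'SYSCALL' not in types:
            orphans.append(serial)
    return orphans

def uring_ops_by_pid(events):
    """Count URINGOP records per pid, orphaned or not, to set beside the SYSCALL view."""
    counts = defaultdict(int)
    for records in events.values():
        for rtype, fields in records:
            if rtype == 'URINGOP':
                counts[fields.get('pid', '?')] += 1
    return dict(counts)

if __name__ == '__main__':
    evs = parse_records(SAMPLE_LOG)
    print('orphan URINGOP events:', find_orphan_uring_events(evs))
    print('URINGOP records per pid:', uring_ops_by_pid(evs))
```

Feed it `ausearch --raw -k iouringsyscall` output (plus the URINGOP records, which the thread notes will not carry the syscall key when completed off the syscall path) to see how many uring operations on a host are only visible through the URINGOP record.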