Re: [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2021-09-01 15:21, Paul Moore wrote:
> On Sun, Aug 29, 2021 at 11:18 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> > > I did set a syscall filter for
> > >         -a exit,always -F arch=b64 -S io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
> > > and that yielded some records with a couple of orphans that surprised me
> > > a bit.
> >
> > Without looking too closely at the log you sent, you can expect URING
> > records without an associated SYSCALL record when the uring op is
> > being processed in the io-wq or sqpoll context.  In the io-wq case the
> > processing is happening after the thread finished the syscall but
> > before the execution context returns to userspace and in the case of
> > sqpoll the processing is handled by a separate kernel thread with no
> > association to a process thread.
> 
> I spent some time this morning/afternoon playing with the io_uring
> audit filtering capability and with your audit userspace
> ghau-iouring-filtering.v1.0 branch it appears to work correctly.  Yes,
> the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
> map the io_uring ops correctly), but I know you mentioned you have a
> number of fixes/improvements still as a work-in-progress there so I'm
> not too concerned.  The important part is that the kernel pieces look
> to be working correctly.

Ok, I have squashed and pushed the audit userspace support for iouring:
	https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa758024cb9b8fa93895ae35eea
	https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghak-iouring-filtering.v2.1
There are test rpms for f35 here:
	http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-fc35/

userspace v2 changelog:
- check for watch before adding perm
- update manpage to include filesystem filter
- update support for the uring filter list: doc, -U op, op names
- add support for the AUDIT_URINGOP record type
- add uringop support to ausearch
- add uringop support to aureport
- lots of bug fixes

"auditctl -a uring,always -S ..." will now throw an error and require
"-U" instead.

> As usual, if you notice anything awry while playing with the userspace
> changes please let me know.

Same for userspace...  I think I already see one mapping uring op names
in ausearch...

> paul moore

- RGB

--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux