From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E19CC433F5 for ; Wed, 9 Feb 2022 04:09:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347305AbiBIEJg (ORCPT ); Tue, 8 Feb 2022 23:09:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47750 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347390AbiBIDoU (ORCPT ); Tue, 8 Feb 2022 22:44:20 -0500 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D0EFBC06174F; Tue, 8 Feb 2022 19:44:16 -0800 (PST) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 5A33A210E8; Wed, 9 Feb 2022 03:44:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1644378255; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=/cdzcXATInTTzE2SJ6+3y5cgkVoGHTC4gzNOh7oP0Z4=; b=j/X2z605NxlDQ4m7NJyLOw51/VyZ1uhBeSl6SZrjgMQYC1XlYkfo1kPu8mEknx5H86En32 au45VCmpCxHR6P847+3cx8YRtojXLGxXAi69zpQx45/IZWQHsMHragZE10XXg644TbfFhV t6KUbSBBye/EPgahtqzlw+1FFR07ETo= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 171DD1332F; Wed, 9 Feb 2022 03:44:13 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id 7USBOY04A2LfPQAAMHmgww (envelope-from ); Wed, 09 Feb 2022 03:44:13 +0000 Message-ID: Date: Tue, 8 Feb 2022 22:44:12 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.1 Content-Language: en-US To: Richard Guy Briggs , Linux-Audit Mailing List , LKML , linux-fsdevel@vger.kernel.org Cc: Paul Moore , Eric Paris , Steve Grubb , Alexander Viro , Eric Paris , Tony Jones References: From: Jeff Mahoney Subject: Re: [PATCH v4 2/3] audit: add support for the openat2 syscall In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Richard - On 5/19/21 16:00, Richard Guy Briggs wrote: > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > ("open: introduce openat2(2) syscall") > > Add the openat2(2) syscall to the audit syscall classifier. > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > Signed-off-by: Richard Guy Briggs > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > --- [...] > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index d775ea16505b..3f59ab209dfd 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -76,6 +76,7 @@ > #include > #include > #include > +#include > > #include "audit.h" > > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > case AUDITSC_EXECVE: > return mask & AUDIT_PERM_EXEC; > + case AUDITSC_OPENAT2: > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); > default: > return 0; > } ctx->argv[2] holds a userspace pointer and can't be dereferenced like this. I'm getting oopses, like so: BUG: unable to handle page fault for address: 00007fff961bbe70 #PF: supervisor read access in kernel mode #PF: error_code(0x0001) - permissions violation PGD 8000000132291067 P4D 8000000132291067 PUD 132174067 PMD 132bb1067 PTE 800000013be02867 Oops: 0001 [#1] PREEMPT SMP PTI CPU: 1 PID: 4525 Comm: a.out Kdump: loaded Not tainted 5.16.4-1-default #1 openSUSE Tumbleweed f35df798c13cc3a259a6bf2924380af618948152 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 RIP: 0010:audit_filter_rules.constprop.0+0x97e/0x1220 Code: 41 21 c5 41 83 7f 18 01 0f 85 5f f7 ff ff e9 65 f9 ff ff 83 f8 05 0f 84 5f 06 00 00 83 f8 06 0f 85 03 02 00 00 49 8b 44 24 40 <48> 8b 00 83 e0 03 0f be 80 c5 5e 45 86 41 21 c5 eb c7 4d 85 e4 0f RSP: 0018:ffffb096403cbe08 EFLAGS: 00010246 RAX: 00007fff961bbe70 RBX: 0000000000000001 RCX: 000000000000001f RDX: 0000000000000006 RSI: 00000000000001b5 RDI: 00000000c000003e RBP: ffff9cb784a85020 R08: ffff9cb78775c380 R09: ffff9cb790ad9eb8 R10: 0000000040000020 R11: ffff9cb783f7b410 R12: ffff9cb78486dc00 R13: 000000000000000f R14: 00000000000001b5 R15: ffff9cb78775c380 FS: 00007ff21fca9740(0000) GS:ffff9cb7ffd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff961bbe70 CR3: 0000000121264002 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: audit_filter_syscall+0xb0/0x100 ? do_sys_openat2+0x81/0x160 __audit_syscall_exit+0x69/0xf0 syscall_exit_to_user_mode_prepare+0x14d/0x180 syscall_exit_to_user_mode+0x9/0x40 do_syscall_64+0x69/0x80 ? syscall_exit_to_user_mode+0x18/0x40 ? do_syscall_64+0x69/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7ff21fdd195d Where the faulting address matches the open_how address printed with the following test using a "-w /var/tmp/testfile -k openat2-oops" audit rule. #include #include #include #include #include long openat2(int dirfd, const char *pathname, struct open_how *how, size_t size) { return syscall(SYS_openat2, dirfd, pathname, how, size); } int main(void) { struct open_how how = { .flags = O_RDONLY|O_DIRECTORY, }; int fd; fprintf(stderr, "&how = %p\n", &how); fd = openat2(AT_FDCWD, "/var/tmp/testfile", &how, sizeof(struct open_how)); perror("openat2"); } $ mkdir /var/tmp/testfile $ ./a.out &how = 0x7fff961bbe70 -Jeff -- Jeff Mahoney Director, SUSE Labs Data & Performance From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 92139C433EF for ; Wed, 9 Feb 2022 13:28:35 +0000 (UTC) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-118-6C8xOl6xOdiiYsnA66cxoA-1; Wed, 09 Feb 2022 08:28:32 -0500 X-MC-Unique: 6C8xOl6xOdiiYsnA66cxoA-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 758D184B9A8; Wed, 9 Feb 2022 13:28:29 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 698CC6F94C; Wed, 9 Feb 2022 13:28:28 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 2B04C4BB7C; Wed, 9 Feb 2022 13:28:25 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 2193iLpH024326 for ; Tue, 8 Feb 2022 22:44:21 -0500 Received: by smtp.corp.redhat.com (Postfix) id 36FF5492D1A; Wed, 9 Feb 2022 03:44:21 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast01.extmail.prod.ext.rdu2.redhat.com [10.11.55.17]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 32C37492D18 for ; Wed, 9 Feb 2022 03:44:21 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 18C1C85A5BC for ; Wed, 9 Feb 2022 03:44:21 +0000 (UTC) Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-349-4-BzkxjgO_2brCXiDTxCpQ-1; Tue, 08 Feb 2022 22:44:17 -0500 X-MC-Unique: 4-BzkxjgO_2brCXiDTxCpQ-1 Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 5A33A210E8; Wed, 9 Feb 2022 03:44:15 +0000 (UTC) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 171DD1332F; Wed, 9 Feb 2022 03:44:13 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id 7USBOY04A2LfPQAAMHmgww (envelope-from ); Wed, 09 Feb 2022 03:44:13 +0000 Message-ID: Date: Tue, 8 Feb 2022 22:44:12 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.1 To: Richard Guy Briggs , Linux-Audit Mailing List , LKML , linux-fsdevel@vger.kernel.org References: From: Jeff Mahoney Subject: Re: [PATCH v4 2/3] audit: add support for the openat2 syscall In-Reply-To: X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.85 on 10.11.54.9 X-loop: linux-audit@redhat.com X-Mailman-Approved-At: Wed, 09 Feb 2022 08:28:24 -0500 Cc: Tony Jones , Eric Paris , Alexander Viro , Eric Paris X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi Richard - On 5/19/21 16:00, Richard Guy Briggs wrote: > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > ("open: introduce openat2(2) syscall") > > Add the openat2(2) syscall to the audit syscall classifier. > > Link: https://github.com/linux-audit/audit-kernel/issues/67 > Signed-off-by: Richard Guy Briggs > Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git.rgb@redhat.com > --- [...] > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index d775ea16505b..3f59ab209dfd 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -76,6 +76,7 @@ > #include > #include > #include > +#include > > #include "audit.h" > > @@ -196,6 +197,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > case AUDITSC_EXECVE: > return mask & AUDIT_PERM_EXEC; > + case AUDITSC_OPENAT2: > + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); > default: > return 0; > } ctx->argv[2] holds a userspace pointer and can't be dereferenced like this. I'm getting oopses, like so: BUG: unable to handle page fault for address: 00007fff961bbe70 #PF: supervisor read access in kernel mode #PF: error_code(0x0001) - permissions violation PGD 8000000132291067 P4D 8000000132291067 PUD 132174067 PMD 132bb1067 PTE 800000013be02867 Oops: 0001 [#1] PREEMPT SMP PTI CPU: 1 PID: 4525 Comm: a.out Kdump: loaded Not tainted 5.16.4-1-default #1 openSUSE Tumbleweed f35df798c13cc3a259a6bf2924380af618948152 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 RIP: 0010:audit_filter_rules.constprop.0+0x97e/0x1220 Code: 41 21 c5 41 83 7f 18 01 0f 85 5f f7 ff ff e9 65 f9 ff ff 83 f8 05 0f 84 5f 06 00 00 83 f8 06 0f 85 03 02 00 00 49 8b 44 24 40 <48> 8b 00 83 e0 03 0f be 80 c5 5e 45 86 41 21 c5 eb c7 4d 85 e4 0f RSP: 0018:ffffb096403cbe08 EFLAGS: 00010246 RAX: 00007fff961bbe70 RBX: 0000000000000001 RCX: 000000000000001f RDX: 0000000000000006 RSI: 00000000000001b5 RDI: 00000000c000003e RBP: ffff9cb784a85020 R08: ffff9cb78775c380 R09: ffff9cb790ad9eb8 R10: 0000000040000020 R11: ffff9cb783f7b410 R12: ffff9cb78486dc00 R13: 000000000000000f R14: 00000000000001b5 R15: ffff9cb78775c380 FS: 00007ff21fca9740(0000) GS:ffff9cb7ffd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff961bbe70 CR3: 0000000121264002 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: audit_filter_syscall+0xb0/0x100 ? do_sys_openat2+0x81/0x160 __audit_syscall_exit+0x69/0xf0 syscall_exit_to_user_mode_prepare+0x14d/0x180 syscall_exit_to_user_mode+0x9/0x40 do_syscall_64+0x69/0x80 ? syscall_exit_to_user_mode+0x18/0x40 ? do_syscall_64+0x69/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7ff21fdd195d Where the faulting address matches the open_how address printed with the following test using a "-w /var/tmp/testfile -k openat2-oops" audit rule. #include #include #include #include #include long openat2(int dirfd, const char *pathname, struct open_how *how, size_t size) { return syscall(SYS_openat2, dirfd, pathname, how, size); } int main(void) { struct open_how how = { .flags = O_RDONLY|O_DIRECTORY, }; int fd; fprintf(stderr, "&how = %p\n", &how); fd = openat2(AT_FDCWD, "/var/tmp/testfile", &how, sizeof(struct open_how)); perror("openat2"); } $ mkdir /var/tmp/testfile $ ./a.out &how = 0x7fff961bbe70 -Jeff -- Jeff Mahoney Director, SUSE Labs Data & Performance -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit