[RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring

Paul Moore paul at paul-moore.com
Sun Oct 3 23:21:38 UTC 2021


On Sat, Oct 2, 2021 at 9:16 AM Steve Grubb <sgrubb at redhat.com> wrote:
> Hello,
>
> Since this is a chat to discuss merging the user space piece, I trimmed the
> recipients down to the audit community.

Good idea.

> On Thursday, September 9, 2021 8:58:58 PM EDT Richard Guy Briggs wrote:
> > > I spent some time this morning/afternoon playing with the io_uring
> > > audit filtering capability and with your audit userspace
> > > ghau-iouring-filtering.v1.0 branch it appears to work correctly.  Yes,
> > > the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
> > > map the io_uring ops correctly), but I know you mentioned you have a
> > > number of fixes/improvements still as a work-in-progress there so I'm
> > > not too concerned.  The important part is that the kernel pieces look
> > > to be working correctly.
> >
> > Ok, I have squashed and pushed the audit userspace support for iouring:
> >
> > https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa758024cb
> > 9b8fa93895ae35eea
> > https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:g
> > hak-iouring-filtering.v2.1 There are test rpms for f35 here:
> >         http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-fc35/
> >
> > userspace v2 changelog:
> > - check for watch before adding perm
> > - update manpage to include filesystem filter
> > - update support for the uring filter list: doc, -U op, op names
> > - add support for the AUDIT_URINGOP record type
> > - add uringop support to ausearch
> > - add uringop support to aureport
> > - lots of bug fixes
> >
> > "auditctl -a uring,always -S ..." will now throw an error and require
> > "-U" instead.
>
> OK, now that the bug fix release is out of the way, let's start merging this
> into user space. I think we should start with the code that let's auditd
> write the record correctly and then the auditctl piece that inserts the rule
> into the kernel. Those should be easy to merge.
>
> I see one section of code that mirrors all of the operations in ioring.h. I
> thought that Paul only wanted to audit some of the operations and not all of
> them. Did that change? Are we really going to allow auditing reads on ioring?

Only certain io_uring operations are audited, you can see the patch
here in the selinux/next tree (look for the io_op_defs struct changes
and the "audit_skip" field):

https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=5bd2182d58e9d9c6279b7a8a2f9b41add0e7f9cb

-- 
paul moore
www.paul-moore.com




More information about the Linux-audit mailing list