From: Richard Guy Briggs <[email protected]>
To: Linux-Audit Mailing List <[email protected]>
Cc: [email protected], Steve Grubb <[email protected]>,
Richard Guy Briggs <[email protected]>
Subject: [PATCH v3 5/7] add ausearch --uringop option
Date: Thu, 28 Oct 2021 15:59:37 -0400 [thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
Signed-off-by: Richard Guy Briggs <[email protected]>
---
docs/ausearch.8 | 3 +
src/ausearch-common.h | 1 +
src/ausearch-llist.c | 2 +
src/ausearch-llist.h | 1 +
src/ausearch-lookup.c | 25 +++++++++
src/ausearch-lookup.h | 1 +
src/ausearch-match.c | 6 +-
src/ausearch-options.c | 36 +++++++++++-
src/ausearch-parse.c | 123 +++++++++++++++++++++++++++++++++++++++--
src/ausearch-report.c | 21 ++++++-
10 files changed, 211 insertions(+), 8 deletions(-)
diff --git a/docs/ausearch.8 b/docs/ausearch.8
index dbd6beadeda4..e99911009053 100644
--- a/docs/ausearch.8
+++ b/docs/ausearch.8
@@ -130,6 +130,9 @@ Output is completely unformatted. This is useful for extracting records to a fil
.BR \-sc ,\ \-\-syscall \ \fIsyscall-name-or-value\fP
Search for an event matching the given \fIsyscall\fP. You may either give the numeric syscall value or the syscall name. If you give the syscall name, it will use the syscall table for the machine that you are using.
.TP
+.BR \-uo ,\ \-\-uringop \ \fIuringop-name-or-value\fP
+Search for an event matching the given \fIuring operation\fP. You may either give the numeric uring operation value or the uring operation name.
+.TP
.BR \-se ,\ \-\-context \ \fISE-Linux-context-string\fP
Search for event with either \fIscontext\fP/subject or \fItcontext\fP/object matching the string.
.TP
diff --git a/src/ausearch-common.h b/src/ausearch-common.h
index 3040547afe95..f20e8570ce9b 100644
--- a/src/ausearch-common.h
+++ b/src/ausearch-common.h
@@ -56,6 +56,7 @@ extern const char *event_filename;
extern const char *event_hostname;
extern const char *event_terminal;
extern int event_syscall;
+extern int event_uringop;
extern int event_machine;
extern const char *event_exe;
extern int event_ua, event_ga;
diff --git a/src/ausearch-llist.c b/src/ausearch-llist.c
index ef5503c34fd9..98d446009865 100644
--- a/src/ausearch-llist.c
+++ b/src/ausearch-llist.c
@@ -59,6 +59,7 @@ void list_create(llist *l)
l->s.acct = NULL;
l->s.arch = 0;
l->s.syscall = 0;
+ l->s.uringop = 0;
l->s.session_id = -2;
l->s.uuid = NULL;
l->s.vmname = NULL;
@@ -210,6 +211,7 @@ void list_clear(llist* l)
l->s.acct = NULL;
l->s.arch = 0;
l->s.syscall = 0;
+ l->s.uringop = 0;
l->s.session_id = -2;
free(l->s.uuid);
l->s.uuid = NULL;
diff --git a/src/ausearch-llist.h b/src/ausearch-llist.h
index 56a2e7da4934..4ef60a0c93e5 100644
--- a/src/ausearch-llist.h
+++ b/src/ausearch-llist.h
@@ -55,6 +55,7 @@ typedef struct
success_t success; // success flag, 1 = yes, 0 = no, -1 = unset
int arch; // arch
int syscall; // syscall
+ int uringop; // io_uring operation code
uint32_t session_id; // Login session id
long long exit; // Syscall exit code
int exit_is_set; // Syscall exit code is valid
diff --git a/src/ausearch-lookup.c b/src/ausearch-lookup.c
index dd58c36ad8bd..fdf036eccf37 100644
--- a/src/ausearch-lookup.c
+++ b/src/ausearch-lookup.c
@@ -109,6 +109,31 @@ const char *aulookup_syscall(llist *l, char *buf, size_t size)
return buf;
}
+const char *aulookup_uringop(llist *l, char *buf, size_t size)
+{
+ const char *uringop;
+
+ if (report_format <= RPT_DEFAULT) {
+ snprintf(buf, size, "%d", l->s.uringop);
+ return buf;
+ }
+
+ uringop = _auparse_lookup_interpretation("uringop");
+ if (uringop) {
+ snprintf(buf, size, "%s", uringop);
+ free((void *)uringop);
+ return buf;
+ }
+
+ uringop = audit_uringop_to_name(l->s.uringop);
+ if (uringop) {
+ snprintf(buf, size, "%s", uringop);
+ return buf;
+ }
+ snprintf(buf, size, "%d", l->s.uringop);
+ return buf;
+}
+
// See include/linux/net.h
static struct nv_pair socktab[] = {
{SYS_SOCKET, "socket"},
diff --git a/src/ausearch-lookup.h b/src/ausearch-lookup.h
index d1c670147ecd..7f6a793738eb 100644
--- a/src/ausearch-lookup.h
+++ b/src/ausearch-lookup.h
@@ -35,6 +35,7 @@
const char *aulookup_result(avc_t result);
const char *aulookup_success(int s);
const char *aulookup_syscall(llist *l, char *buf, size_t size);
+const char *aulookup_uringop(llist *l, char *buf, size_t size);
const char *aulookup_uid(uid_t uid, char *buf, size_t size);
void aulookup_destroy_uid_list(void);
char *unescape(const char *buf);
diff --git a/src/ausearch-match.c b/src/ausearch-match.c
index 61a11d30a09b..ca3e56e2f4b5 100644
--- a/src/ausearch-match.c
+++ b/src/ausearch-match.c
@@ -45,7 +45,8 @@ static void load_interpretations(const llist *l)
return;
// If there is only 1 record load it, or load just the syscall one
- if ((l->cnt == 1) || (l->head && l->head->type == AUDIT_SYSCALL))
+ if ((l->cnt == 1) || (l->head && l->head->type == AUDIT_SYSCALL) ||
+ (l->head && l->head->type == AUDIT_URINGOP))
ausearch_load_interpretations(l->head);
}
@@ -110,6 +111,9 @@ int match(llist *l)
if ((event_syscall != -1) &&
(event_syscall != l->s.syscall))
return 0;
+ if ((event_uringop != -1) &&
+ (event_uringop != l->s.uringop))
+ return 0;
if ((event_session_id != -2) &&
(event_session_id != l->s.session_id))
return 0;
diff --git a/src/ausearch-options.c b/src/ausearch-options.c
index a57de79b183b..ab9748f9f95e 100644
--- a/src/ausearch-options.c
+++ b/src/ausearch-options.c
@@ -56,7 +56,7 @@ auparse_esc_t escape_mode = AUPARSE_ESC_TTY;
int event_exact_match = 0;
uid_t event_uid = -1, event_euid = -1, event_loginuid = -2;
const char *event_tuid = NULL, *event_teuid = NULL, *event_tauid = NULL;
-int event_syscall = -1, event_machine = -1;
+int event_syscall = -1, event_machine = -1, event_uringop = -1;
int event_ua = 0, event_ga = 0, event_se = 0;
int just_one = 0;
uint32_t event_session_id = -2;
@@ -93,7 +93,8 @@ S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH, S_FORMAT,
-S_EXTRA_TIME, S_EXTRA_LABELS, S_EXTRA_KEYS, S_EXTRA_OBJ2, S_ESCAPE, S_EOE_TMO };
+S_EXTRA_TIME, S_EXTRA_LABELS, S_EXTRA_KEYS, S_EXTRA_OBJ2, S_ESCAPE, S_EOE_TMO,
+S_URINGOP };
static struct nv_pair optiontab[] = {
{ S_EVENT, "-a" },
@@ -148,6 +149,8 @@ static struct nv_pair optiontab[] = {
{ S_RAW, "--raw" },
{ S_SYSCALL, "-sc" },
{ S_SYSCALL, "--syscall" },
+ { S_URINGOP, "-uo" },
+ { S_URINGOP, "--uringop" },
{ S_CONTEXT, "-se" },
{ S_CONTEXT, "--context" },
{ S_SESSION, "--session" },
@@ -239,6 +242,7 @@ static void usage(void)
"\t-ue,--uid-effective <effective User id> search based on Effective\n\t\t\t\t\tuser id\n"
"\t-ui,--uid <User Id>\t\tsearch based on user id\n"
"\t-ul,--loginuid <login id>\tsearch based on the User's Login id\n"
+ "\t-uo,--uringop <SysCall name>\tsearch based on syscall name or number\n"
"\t-uu,--uuid <guest UUID>\t\tsearch for events related to the virtual\n"
"\t\t\t\t\tmachine with the given UUID.\n"
"\t-v,--version\t\t\tversion\n"
@@ -826,6 +830,34 @@ int check_params(int count, char *vars[])
}
c++;
break;
+ case S_URINGOP:
+ if (!optarg) {
+ fprintf(stderr,
+ "Argument is required for %s\n",
+ vars[c]);
+ retval = -1;
+ break;
+ }
+ if (isdigit(optarg[0])) {
+ errno = 0;
+ event_uringop = (int)strtoul(optarg, NULL, 10);
+ if (errno) {
+ fprintf(stderr,
+ "Uring operation numeric conversion error (%s) for %s\n",
+ strerror(errno), optarg);
+ retval = -1;
+ }
+ } else {
+ event_uringop = audit_name_to_uringop(optarg);
+ if (event_uringop == -1) {
+ fprintf(stderr,
+ "Uring operation %s not found\n",
+ optarg);
+ retval = -1;
+ }
+ }
+ c++;
+ break;
case S_CONTEXT:
if (!optarg) {
fprintf(stderr,
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 39fb7cf51be0..4c6b3c954178 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -46,6 +46,7 @@ static const char key_sep[2] = { AUDIT_KEY_SEPARATOR, 0 };
static int parse_task_info(lnode *n, search_items *s);
static int parse_syscall(lnode *n, search_items *s);
+static int parse_uringop(lnode *n, search_items *s);
static int parse_dir(const lnode *n, search_items *s);
static int common_path_parser(search_items *s, char *path);
static int avc_parse_path(const lnode *n, search_items *s);
@@ -94,6 +95,9 @@ int extract_search_items(llist *l)
case AUDIT_SYSCALL:
ret = parse_syscall(n, s);
break;
+ case AUDIT_URINGOP:
+ ret = parse_uringop(n, s);
+ break;
case AUDIT_CWD:
ret = parse_dir(n, s);
break;
@@ -384,7 +388,7 @@ try_again:
*term = ' ';
}
- if (event_terminal) {
+ if (event_terminal && !s->uringop) {
// dont do this search unless needed
str = strstr(term, "tty=");
if (str) {
@@ -416,7 +420,7 @@ try_again:
}
}
- if (event_comm) {
+ if (event_comm && !s->uringop) {
// dont do this search unless needed
str = strstr(term, "comm=");
if (str) {
@@ -439,7 +443,7 @@ try_again:
} else
return 38;
}
- if (event_exe) {
+ if (event_exe && !s->uringop) {
// dont do this search unless needed
str = strstr(n->message, "exe=");
if (str) {
@@ -480,7 +484,7 @@ try_again:
}
}
// success
- if (event_success != S_UNSET) {
+ if (event_success != S_UNSET && !s->uringop) {
if (term == NULL)
term = n->message;
str = strstr(term, "res=");
@@ -602,6 +606,117 @@ static int parse_syscall(lnode *n, search_items *s)
return 13;
*term = ' ';
+ ret = parse_task_info(n, s);
+ if (ret)
+ return ret;
+
+ if (event_key) {
+ str = strstr(term, "key=");
+ if (str) {
+ if (!s->key) {
+ //create
+ s->key = malloc(sizeof(slist));
+ if (s->key == NULL)
+ return 43;
+ slist_create(s->key);
+ }
+ str += 4;
+ if (*str == '"') {
+ str++;
+ term = strchr(str, '"');
+ if (term == NULL)
+ return 44;
+ *term = 0;
+ if (s->key) {
+ // append
+ snode sn;
+ sn.str = strdup(str);
+ sn.key = NULL;
+ sn.hits = 1;
+ slist_append(s->key, &sn);
+ }
+ *term = '"';
+ } else {
+ if (s->key) {
+ char *saved;
+ char *keyptr = unescape(str);
+ if (keyptr == NULL)
+ return 45;
+ char *kptr = strtok_r(keyptr,
+ key_sep, &saved);
+ while (kptr) {
+ snode sn;
+ // append
+ sn.str = strdup(kptr);
+ sn.key = NULL;
+ sn.hits = 1;
+ slist_append(s->key, &sn);
+ kptr = strtok_r(NULL,
+ key_sep, &saved);
+ }
+ free(keyptr);
+
+ }
+ }
+ }
+ }
+ return 0;
+}
+
+static int parse_uringop(lnode *n, search_items *s)
+{
+ char *ptr, *str, *term;
+ extern int event_machine;
+ int ret;
+
+ term = n->message;
+ // get uring_op
+ str = strstr(term, "uring_op=");
+ if (str == NULL)
+ return 4;
+ ptr = str + 9;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 5;
+ *term = 0;
+ errno = 0;
+ s->uringop = (int)strtoul(ptr, NULL, 10);
+ if (errno)
+ return 6;
+ *term = ' ';
+ // get success
+ if (event_success != S_UNSET) {
+ str = strstr(term, "success=");
+ if (str) { // exit_group does not set success !?!
+ ptr = str + 8;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 7;
+ *term = 0;
+ if (strcmp(ptr, "yes") == 0)
+ s->success = S_SUCCESS;
+ else
+ s->success = S_FAILED;
+ *term = ' ';
+ }
+ }
+ // get exit
+ if (event_exit_is_set) {
+ str = strstr(term, "exit=");
+ if (str == NULL)
+ return 8;
+ ptr = str + 5;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 9;
+ *term = 0;
+ errno = 0;
+ s->exit = strtoll(ptr, NULL, 0);
+ if (errno)
+ return 10;
+ s->exit_is_set = 1;
+ *term = ' ';
+ }
ret = parse_task_info(n, s);
if (ret)
return ret;
diff --git a/src/ausearch-report.c b/src/ausearch-report.c
index 9f91f9c864e0..733852e5c9e3 100644
--- a/src/ausearch-report.c
+++ b/src/ausearch-report.c
@@ -52,6 +52,7 @@ extern time_t lol_get_eoe_timeout(void);
/* The machine based on elf type */
static unsigned long machine = -1;
static int cur_syscall = -1;
+static int cur_uringop = -1;
/* The first syscall argument */
static unsigned long long a0, a1;
@@ -185,6 +186,7 @@ static void output_interpreted_record(const lnode *n, const event *e)
// Reset these because each record could be different
machine = -1;
cur_syscall = -1;
+ cur_uringop = -1;
/* Check and see if we start with a node
* If we do, and there is a space in the line
@@ -368,8 +370,25 @@ static void report_interpret(char *name, char *val, int comma, int rtype)
cur_syscall = ival;
}
id.syscall = cur_syscall;
- } else
+ id.uringop = 0;
+ } else if (rtype == AUDIT_URINGOP) {
+ if (cur_uringop < 0 && *name == 'u' &&
+ strcmp(name, "uringop") == 0) {
+ unsigned long ival;
+ errno = 0;
+ ival = strtoul(val, NULL, 10);
+ if (errno) {
+ printf("uring op conversion error(%s) ", val);
+ return;
+ }
+ cur_uringop = ival;
+ }
+ id.uringop = cur_uringop;
id.syscall = 0;
+ } else {
+ id.syscall = 0;
+ id.uringop = 0;
+ }
id.machine = machine;
id.a0 = a0;
id.a1 = a1;
--
2.27.0
next prev parent reply other threads:[~2021-10-28 20:01 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-28 19:59 [PATCH v3 0/7] Add uringop support Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 1/7] add basic support for the AUDIT_URINGOP record type Richard Guy Briggs
2021-10-28 21:19 ` Steve Grubb
2021-10-28 19:59 ` [PATCH v3 2/7] add support for the uring filter list Richard Guy Briggs
2021-10-29 18:39 ` Steve Grubb
2021-11-01 15:05 ` Richard Guy Briggs
2021-11-01 15:58 ` Steve Grubb
2021-11-02 16:32 ` Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 3/7] add support for uringop names Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 4/7] add field support for the AUDIT_URINGOP record type Richard Guy Briggs
2021-10-28 19:59 ` Richard Guy Briggs [this message]
2021-10-28 19:59 ` [PATCH v3 6/7] add aureport --uringop option Richard Guy Briggs
2021-10-28 19:59 ` [PATCH v3 7/7] add iouring support to the normalizer Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox