From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C0CDFC47082 for ; Wed, 26 May 2021 15:49:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 98FEC613D4 for ; Wed, 26 May 2021 15:49:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232537AbhEZPvV (ORCPT ); Wed, 26 May 2021 11:51:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51908 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233352AbhEZPvM (ORCPT ); Wed, 26 May 2021 11:51:12 -0400 Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3DBF5C061574 for ; Wed, 26 May 2021 08:49:29 -0700 (PDT) Received: by mail-ed1-x536.google.com with SMTP id w12so2146207edx.1 for ; Wed, 26 May 2021 08:49:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nametag.social; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hLvM0qZWdxlY7ci8mQoY0tiiY+8Mcy4oEt5BU4lJ9+k=; b=ggzK6VZhCRLTfWGjQrehiYwZ40mLNPjUpPXzYM3fAeBQPdZa8+CYKZvUBvdcSjODtY mvIVJ1vndejpV9VgryvmHn+T0d26E2VFQyfIVL3qP7lEqiN+aDcBCzkEtaiRdFyJhrsR puSF/5bx+BmzVnFfGPeVMFPbkcyjliw90/8cJBcFUO8DKNJsNGJsPRvwkViF0KFVez78 tq0ff/Q5pX86sPp3t6Lc1vmZ2PsOjEISwanl5mLhptQAmNc5JkhosHpCQGDhvpUdLJ6i auNnJvr0TbO1RGGf/lr8KlaIAj5yG70+sSrjfpO9g1P63hWkvLYodX7pdF3ByP2OP6gi p+Fw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hLvM0qZWdxlY7ci8mQoY0tiiY+8Mcy4oEt5BU4lJ9+k=; b=aawwJM2CCmI7ksP5zZhc864J+Dzyt3UyMHs/d3w3gSW2mUkXJpDwopFZA55wNVfL31 iF9r2tjs/gOMEaDGoBE0AH3ZETGz53+034ycHnbKLmjsAiWFl+HetY04soKh4RL+cfMS udsXn0L4LsIuLlLbiSNUzKvGrfMf9YdlpXFjhO95eaWnNRmEKsPVl3Z2zZhG1tZn5Nxb /+ywCUluVo5EZTuC10CQA5zP3AIOJKsKWc+BmwMFXplTzTuJsvF9Z+uA1b4YxtYIqar/ NJkLj+Ftp2Ex5TM+dLu/lYYzyJNwzHmmFSWDZx4OzPLPOpWFPRHMKQIEGPk4zzWJj6gA 43sA== X-Gm-Message-State: AOAM530Z18ZVg1EN/s6bHW74bPb4HVwtJL4wIelJPt8oV1+/IJUSyz9I WRmBTHvWFilT9I0yH3rWHJ2ipJWtwpbep8YiAi7uSw== X-Google-Smtp-Source: ABdhPJzmgIJFBTXLdZvOp6D/+i59vYx4OZSxpIJQjeaRsrMNn5z0yDJEgqvwU+7tOeA0PSsmkvfxgCH0X7UOQIaFBqg= X-Received: by 2002:aa7:d3c8:: with SMTP id o8mr38038619edr.181.1622044167887; Wed, 26 May 2021 08:49:27 -0700 (PDT) MIME-Version: 1.0 References: <162163367115.8379.8459012634106035341.stgit@sifl> <162163379461.8379.9691291608621179559.stgit@sifl> <162219f9-7844-0c78-388f-9b5c06557d06@gmail.com> <8943629d-3c69-3529-ca79-d7f8e2c60c16@kernel.dk> <0a668302-b170-31ce-1651-ddf45f63d02a@gmail.com> <18823c99-7d65-0e6f-d508-a487f1b4b9e7@samba.org> In-Reply-To: <18823c99-7d65-0e6f-d508-a487f1b4b9e7@samba.org> From: Victor Stewart Date: Wed, 26 May 2021 11:49:16 -0400 Message-ID: Subject: Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring To: Stefan Metzmacher Cc: Paul Moore , Pavel Begunkov , Jens Axboe , linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com, io-uring , linux-fsdevel@vger.kernel.org, Kumar Kartikeya Dwivedi , Alexander Viro Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org > I'm wondering why it's not enough to have the native auditing just to happen. > > E.g. all (I have checked RECVMSG,SENDMSG,SEND and CONNECT) socket related io_uring opcodes > already go via security_socket_{recvmsg,sendmsg,connect}() > > IORING_OP_OPENAT* goes via do_filp_open() which is in common with the open[at[2]]() syscalls > and should also trigger audit_inode() and security_file_open(). > > So why is there anything special needed for io_uring (now that the native worker threads are used)? > > Is there really any io_uring opcode that bypasses the security checks the corresponding native syscall > would do? If so, I think that should just be fixed... stefan's points crossed my mind as well. but assuming iouring buy-in is required, from a design perspective, rather than inserting these audit conditionals in the hotpath, wouldn't a layering model work better? aka enabling auditing changes the function entry point into io_uring and passes operations through an auditing layer, then back to the main entry point. then there is no cost to audit disabled code, and you just force audit to pay whatever double processing cost that entails. V