On Sun, Aug 29, 2021 at 11:18 AM Paul Moore <paul(a)paul-moore.com> wrote:
On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs
<rgb(a)redhat.com> wrote:
> I did set a syscall filter for
> -a exit,always -F arch=b64 -S io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
> and that yielded some records with a couple of orphans that surprised me
> a bit.
Without looking too closely at the log you sent, you can expect URING
records without an associated SYSCALL record when the uring op is
being processed in the io-wq or sqpoll context. In the io-wq case the
processing is happening after the thread finished the syscall but
before the execution context returns to userspace and in the case of
sqpoll the processing is handled by a separate kernel thread with no
association to a process thread.

I spent some time this morning/afternoon playing with the io_uring
audit filtering capability and with your audit userspace
ghau-iouring-filtering.v1.0 branch it appears to work correctly. Yes,
the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
map the io_uring ops correctly), but I know you mentioned you have a
number of fixes/improvements still as a work-in-progress there so I'm
not too concerned. The important part is that the kernel pieces look
to be working correctly.

As usual, if you notice anything awry while playing with the userspace
changes please let me know.
--
paul moore
www.paul-moore.com
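
Added example, not part of the thread and not code from the audit project: a small Python check that groups audit records by event ID and reports URING records that have no SYSCALL record in the same event, the io-wq/sqpoll case described above. The sample log lines, the `iouringop` key and the function names are constructed for illustration, and the records are trimmed to the fields the script reads.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread), trimmed to a few fields.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1630200000.101:500): arch=c000003e syscall=426 success=yes exit=1 pid=1200 key="iouringsyscall"
type=URING msg=audit(1630200000.101:500): uring_op=18 success=yes exit=0 items=1 pid=1200 key="iouringop"
type=URING msg=audit(1630200000.250:501): uring_op=18 success=yes exit=0 items=1 pid=1200 key="iouringop"
type=PATH msg=audit(1630200000.250:501): item=0 name="/tmp/file" nametype=NORMAL
type=SYSCALL msg=audit(1630200000.300:502): arch=c000003e syscall=425 success=yes exit=3 pid=1200 key="iouringsyscall"
"""

# Every audit record starts with its type and the event ID "timestamp:serial".
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
URING_OP_RE = re.compile(r"\buring_op=(\d+)")


def group_by_event(log_text):
    """Map (timestamp, serial) -> list of (record_type, raw_line)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        match = RECORD_RE.match(line)
        if match:
            rtype, timestamp, serial = match.groups()
            events[(timestamp, serial)].append((rtype, line))
    return events


def orphan_uring_events(log_text):
    """Return (timestamp, serial, uring_op) for URING records whose event has no SYSCALL."""
    orphans = []
    for (timestamp, serial), records in group_by_event(log_text).items():
        types = {rtype for rtype, _ in records}
        if "URING" not in types or "SYSCALL" in types:
            continue
        for rtype, line in records:
            if rtype == "URING":
                op = URING_OP_RE.search(line)
                orphans.append((timestamp, serial, int(op.group(1)) if op else None))
    return sorted(orphans)


if __name__ == "__main__":
    for timestamp, serial, op in orphan_uring_events(SAMPLE_LOG):
        print(f"event {timestamp}:{serial} uring_op={op} has no SYSCALL record")
```

Orphans reported this way are expected for ops handled in io-wq or sqpoll context, so correlation for those events has to rely on the URING record's own fields rather than on a SYSCALL record.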