On Thursday, April 28, 2022 8:55:33 PM EDT Richard Guy Briggs wrote:
On 2022-04-28 20:44, Richard Guy Briggs wrote:
> The Fanotify API can be used for access control by requesting permission
> event notification. The user space tooling that uses it may have a
> complicated policy that inherently contains additional context for the
> decision. If this information were available in the audit trail, policy
> writers can close the loop on debugging policy. Also, if this additional
> information were available, it would enable the creation of tools that
> can suggest changes to the policy similar to how audit2allow can help
> refine labeled security.
>
> This patch defines 2 additional fields within the response structure
> returned from user space on a permission event. The first field is 16
> bits for the context type. The context type will describe what the
> meaning is of the second field. The audit system will separate the
> pieces and log them individually.
>
> The audit function was updated to log the additional information in the
> AUDIT_FANOTIFY record. The following is an example of the new record
> format:
>
> type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17
> It might have been a good idea to tag this as RFC... I have a few
> questions:
>
> 1. Where did "resp=" come from?

This is an abbreviation for the response field of struct fanotify_response. I
wanted to keep it short to save bytes.

> It isn't in the field dictionary. It seems like a needless duplication of
> "res=". If it isn't, maybe it should have a "fan_" namespace prefix and
> become "fan_res="?

At this point it's been interpreted for years.

> 2. It appears I'm ok changing the "__u32 response" to "__u16" without
> breaking old userspace. Is this true on all arches?

If done carefully. Old user space won't try to use the new capabilities. The
only trick is new user space/old kernel.

> 3. What should be the action if response contains unknown flags or
> types? Is it reasonable to return -EINVAL?

The original patch was designed to allow the response metadata to take on
various different meanings based on new usage. The original patch only defined
a rule order numbering which, if something else wanted to send its own
metadata about a decision, a new patch could layer on top of this without
interfering.

If this is an access decision that is rejected with EINVAL (and assuming
future decisions will also be formed the same way), the whole system is
getting ready to lock up - even though a real answer is in the response.

> 4. Currently, struct fanotify_response has a fixed size, but if future
> types get defined that have variable buffer sizes, how would that be
> communicated or encoded?

I hadn't considered that as it would be too much of a change that I would be
uncomfortable doing. That could be a future evolution if it's ever needed.
-Steve
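Question 2 in the exchange above (splitting the __u32 response without breaking old userspace on every arch) comes down to byte layout. The C program below is an added illustration, not code from the patch or from either poster: it models old userspace storing FAN_DENY in the old 32-bit field and shows what a kernel reading a hypothetical split layout (16-bit response followed by a 16-bit context type, an assumption made for the example; the helper names are invented) would see on little-endian versus big-endian hosts.

```c
#include <stdint.h>
#include <stdio.h>

/* Response values as used by the fanotify API (FAN_ALLOW/FAN_DENY). */
#define FAN_ALLOW 0x01u
#define FAN_DENY  0x02u

/* Serialize a 32-bit value the way a host of the given byte order stores it
 * (this models what old userspace writes into the __u32 response field). */
static void put_u32(uint32_t v, int little_endian, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (little_endian ? 8 * i : 8 * (3 - i)));
}

/* Read a 16-bit value stored in the given byte order. */
static uint16_t get_u16(const unsigned char in[2], int little_endian)
{
    return little_endian ? (uint16_t)(in[0] | (in[1] << 8))
                         : (uint16_t)((in[0] << 8) | in[1]);
}

/* Hypothetical new layout (assumption, not the patch's own definition): the old
 * 32-bit response becomes a 16-bit response followed by a 16-bit context type.
 * Returns what such a kernel sees when old userspace wrote `response`. */
void old_response_seen_by_new_layout(uint32_t response, int little_endian,
                                     uint16_t *resp, uint16_t *type)
{
    unsigned char buf[4];
    put_u32(response, little_endian, buf);
    *resp = get_u16(buf, little_endian);     /* first two bytes of the field */
    *type = get_u16(buf + 2, little_endian); /* last two bytes of the field */
}

/* The kernel must still see exactly one of FAN_ALLOW/FAN_DENY here. */
int response_is_valid(uint16_t resp)
{
    return resp == FAN_ALLOW || resp == FAN_DENY;
}

int main(void)
{
    uint16_t resp, type;
    for (int le = 1; le >= 0; le--) {
        old_response_seen_by_new_layout(FAN_DENY, le, &resp, &type);
        printf("%s-endian: response=%u type=%u valid=%d\n",
               le ? "little" : "big", resp, type, response_is_valid(resp));
    }
    return 0;
}
```

On a little-endian host the old value lands in the response half and the type reads as zero; on a big-endian host the response half reads as zero and the value lands in the type half, which is why a naive split is not compatible on all arches without explicit handling.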