[RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring
paul at paul-moore.com
Wed Sep 1 19:21:06 UTC 2021
On Sun, Aug 29, 2021 at 11:18 AM Paul Moore <paul at paul-moore.com> wrote:
> On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs <rgb at redhat.com> wrote:
> > I did set a syscall filter for
> > -a exit,always -F arch=b64 -S io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
> > and that yielded some records with a couple of orphans that surprised me
> > a bit.
> Without looking too closely at the log you sent, you can expect URING
> records without an associated SYSCALL record when the uring op is
> being processed in the io-wq or sqpoll context. In the io-wq case the
> processing is happening after the thread finished the syscall but
> before the execution context returns to userspace and in the case of
> sqpoll the processing is handled by a separate kernel thread with no
> association to a process thread.
I spent some time this morning/afternoon playing with the io_uring
audit filtering capability and with your audit userspace
ghau-iouring-filtering.v1.0 branch it appears to work correctly. Yes,
the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
map the io_uring ops correctly), but I know you mentioned you have a
number of fixes/improvements still as a work-in-progress there so I'm
not too concerned. The important part is that the kernel pieces look
to be working correctly.
As usual, if you notice anything awry while playing with the userspace
changes please let me know.
More information about the Linux-security-module-archive