linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: support filtering by openat2(2) oflags #141

Open cgzones opened 2 years ago

cgzones commented 2 years ago

For open(2) and openat(2) one can filter by the flags used (e.g. O_CREAT):

-a always,exit -S openat,open_by_handle_at -F a2&0100 -F key=creation
-a always,exit -S open -F a1&0100 -F key=creation

Please support filtering on the openat2 how structure flags, e.g.:

-a always,exit -S openat2 -F oflags&0100 -F key=creation

(Forwarded from https://github.com/linux-audit/audit-userspace/issues/282)

pcmoore commented 2 years ago

While the openat(2) open_how:flags field is a 64-bit integer (the openat(2) flags field is 32-bits), the same flags are used across both:

This field specifies the file creation and file status flags to use when opening the file. All of the O_* flags defined for openat(2) are valid openat2() flag values.

Adding support for this is likely a matter of adding some syscall specific code to peek into the open_how struct and inspect the flags field. Of course some care will be needed to ensure that we avoid a TOCTOU issue, and the ugliness of that may mean this isn't something we can easily address. Further investigation is needed.

rgbriggs commented 1 year ago

See also https://github.com/linux-audit/audit-userspace/issues/282#issuecomment-1263892532