
RFE: support filtering by openat2(2) oflags

Open cgzones opened this issue 3 years ago • 2 comments

For open(2) and openat(2) one can filter by the flags used (e.g. O_CREAT):

-a always,exit -F -S openat,open_by_handle_at -F a2&0100 -F key=creation
-a always,exit -F -S open -F a1&0100 -F key=creation

Please support filtering on the openat2 how structure flags, e.g.:

-a always,exit -F -S openat2 -F oflags&0100 -F key=creation

(Forwarded from https://github.com/linux-audit/audit-userspace/issues/282)

cgzones avatar Sep 27 '22 15:09 cgzones

While the openat2(2) open_how:flags field is a 64-bit integer (the openat(2) flags field is 32 bits), the same flags are used across both:

This field specifies the file creation and file status flags to use when opening the file. All of the O_* flags defined for openat(2) are valid openat2() flag values.

  • https://man7.org/linux/man-pages/man2/openat2.2.html

Adding support for this is likely a matter of adding some syscall-specific code to peek into the open_how struct and inspect the flags field. Of course some care will be needed to ensure that we avoid a TOCTOU issue, and the ugliness of that may mean this isn't something we can easily address. Further investigation is needed.

pcmoore avatar Sep 27 '22 16:09 pcmoore
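The following is an added illustration, not code from the audit kernel, auditctl, or anyone in this issue. It models the `&` (bit-mask) argument test that the issue's open(2)/openat(2) rules rely on, and shows why openat2(2) cannot reuse it: the flags are not in a syscall argument but inside a user-space struct open_how reached through a pointer, so a filter has to evaluate the rule against a single copied snapshot of that struct, which is the TOCTOU point raised above. The struct layout, the function names and the sample flag values are assumptions made for the demo.

```c
/* Added example, not code from the audit kernel, auditctl or this issue.
 * Models the "-F aN&mask" argument test used by the open/openat rules and
 * shows what an openat2 "oflags" match would have to do differently.
 * struct demo_open_how and all function names are assumptions for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mask from the issue's rules: 0100 (octal) is O_CREAT on Linux. */
#define AUDIT_MASK_CREAT 0100UL

/* Mirrors the three-field layout of the kernel's struct open_how
 * (assumption for this demo; the real definition is in linux/openat2.h). */
struct demo_open_how {
    uint64_t flags;   /* same O_* bits as openat(2), but 64 bits wide */
    uint64_t mode;
    uint64_t resolve;
};

/* Semantics of the "&" operator in an audit rule field (-F aN&mask):
 * the rule matches when any bit of the mask is set in the value. */
int audit_mask_match(unsigned long value, unsigned long mask)
{
    return (value & mask) != 0;
}

/* open(2): the flags are a1, so the rule tests the raw argument. */
int open_rule_matches(unsigned long a1_flags, unsigned long mask)
{
    return audit_mask_match(a1_flags, mask);
}

/* openat(2): the flags are a2, tested the same way. */
int openat_rule_matches(unsigned long a2_flags, unsigned long mask)
{
    return audit_mask_match(a2_flags, mask);
}

/* openat2(2): a2 is only a pointer to struct open_how, so testing the
 * argument value as the open/openat rules do would compare address bits,
 * not flags. A filter has to copy the struct out of user memory once
 * (in the kernel this is the same copy-from-user fetch the syscall itself
 * performs) and decide on that snapshot only, never re-reading user memory.
 * Re-reading is exactly the TOCTOU window the issue warns about. */
int openat2_rule_matches(const void *user_how, size_t how_size,
                         unsigned long mask)
{
    struct demo_open_how snap;

    /* The syscall rejects a struct it cannot fully interpret; mirror that. */
    if (user_how == NULL || how_size < sizeof(snap))
        return 0;

    /* Single snapshot; every later decision uses snap, not user_how. */
    memcpy(&snap, user_how, sizeof(snap));

    /* Flags are 64-bit here; truncation to unsigned long is harmless on
     * 64-bit targets and is only a demo simplification elsewhere. */
    return audit_mask_match((unsigned long)snap.flags, mask);
}

/* Evaluates the requested rule "-F oflags&0100" against a constructed
 * open_how asking for O_WRONLY|O_CREAT|O_TRUNC (Linux octal values). */
int demo_creation_rule(void)
{
    struct demo_open_how how = {
        .flags = 01 | 0100 | 01000,
        .mode = 0644,
        .resolve = 0,
    };
    return openat2_rule_matches(&how, sizeof(how), AUDIT_MASK_CREAT);
}
```

The user-space copy here stands in for the kernel-side fetch; the point a reviewer of such a patch would check is that the audit match and the syscall both consume the same snapshot rather than each dereferencing the user pointer separately.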

See also https://github.com/linux-audit/audit-userspace/issues/282#issuecomment-1263892532

rgbriggs avatar Dec 09 '22 20:12 rgbriggs