Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756819AbcDECyy (ORCPT ); Mon, 4 Apr 2016 22:54:54 -0400 Received: from mail-yw0-f181.google.com ([209.85.161.181]:34380 "EHLO mail-yw0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752204AbcDECyw (ORCPT ); Mon, 4 Apr 2016 22:54:52 -0400 From: Paul Moore To: Greg KH CC: , wmealing , , Date: Mon, 04 Apr 2016 22:54:56 -0400 Message-ID: <153e4582800.2832.85c95baa4474aabc7814e68940a78392@paul-moore.com> In-Reply-To: <20160404215041.GB26580@kroah.com> References: <1459742562-22803-1-git-send-email-wmail@redhat.com> <20160404125626.GB6197@kroah.com> <1712342.QWWAT5XPGs@sifl> <20160404215041.GB26580@kroah.com> User-Agent: AquaMail/1.6.1.5 (build: 26000005) Subject: Re: [RFC] Create an audit record of USB specific details MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2603 Lines: 58 On April 4, 2016 6:17:23 PM Greg KH wrote: > On Mon, Apr 04, 2016 at 05:37:58PM -0400, Paul Moore wrote: >> On Monday, April 04, 2016 05:56:26 AM Greg KH wrote: >> > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote: >> > > From: Wade Mealing >> > > >> > > Gday, >> > > >> > > I'm looking to create an audit trail for when devices are added or removed >> > > from the system. >> > >> > Then please do it in userspace, as I suggested before, that way you >> > catch all types of devices, not just USB ones. >> >> Audit has some odd requirements placed on it by some of its users. I think >> most notable in this particular case is the need to take specific actions, >> including panicking the system, when audit records can't be sent to userspace >> and are "lost". Granted, it's an odd requirement, definitely not the >> norm/default configuration, but supporting weird stuff like this has allowed >> Linux to be used on some pretty interesting systems that wouldn't have been >> possible otherwise. Looking quickly at some of the kobject/uvent code, it >> doesn't appear that the uevent/netlink channel has this capability. > > Are you sure you can loose netlink messages? If you do, you know you > lost them, so isn't that good enough? Last I checked netlink didn't have a provision for panicking the system, so no :) >> It also just noticed that it looks like userspace can send fake uevent >> messages; > > That's how your machine boots properly :) Yes, it looks like that is how the initial devices are handled, right? Allowing something like that is probably okay for a variety of reasons, but I expect users would want to restrict access beyond this single trusted process. The good news is that I think you should be able to do that with a combination of DAC and MAC. >> I haven't looked at it closely enough yet, but that may be a concern >> for users which restrict/subdivide root using a LSM ... although it is >> possible that the LSM policy could help here. I'm thinking aloud a bit right >> now, but for SELinux the netlink controls aren't very granular and sysfs can >> be tricky so I can't say for certain about blocking fake events from userspace >> using LSMs/SELinux. > > uevents are not tied into LSMs from what I can tell, so I don't > understand wht you are talking about here, sorry. Perhaps I'm mistaken, but uevents are sent to userspace via netlink which does have LSM controls. There also appears to be a file I/O mechanism via sysfs which also has LSM controls. -- paul moore www.paul-moore.com