Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2473863imm;
        Wed, 16 May 2018 13:29:47 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZp/tORM9yCzTL+QmKhz72Zt3Z4HvCTVbtKYYMATxlg2oy0eDDzYFd1u0tiPODItOwNEvd5U
X-Received: by 2002:a17:902:8c95:: with SMTP id t21-v6mr2329442plo.306.1526502587490;
        Wed, 16 May 2018 13:29:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526502587; cv=none;
        d=google.com; s=arc-20160816;
        b=oVJUwd8b+x5Ed1eKQX7ff4q4YhnVRGqI7OgtlxLJ1R0jjoKhQr16kYBWYj8tOsut02
         j8ArR0LEVXPcH93RddYaPqeLsHGZrL6cBikIw0zdMfGVpL1FuCIPQiWs5chdJn+adxIL
         MkSkswlimiYkQ+lt7wlBkL2BLbGAtVAJKSoS1a8fQgAbghqD0ssWSWfaPYsY6eVn3lQr
         L2Em8Q1eQxNJLaEymVhZeR1uWbcIOsW3Nir83eK+FCuhydU3SI4UzDDgqSO2nCpE/NgK
         DyN6+rTrSektlJJLPOLwMROV+yTeToDgBZTHNl7Erg2pamn59iJYZWL3KVOv/Kz+VXAq
         hROw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :from:references:cc:to:subject:arc-authentication-results;
        bh=s6t/SngpW7NNAhoTLDVpbkUP78S3Ll8L7B9AkAEhCFc=;
        b=cS79ZCnk2g5Fa8mqeVgAPaCwlgvIPB6h2mboMuqn0cTYu6UzQMJ36VXVANzozjneRB
         qgS9ubUry82UlB0wHh4XOd6IgCvqNK497IgfAUGTAhE21EwyRv7diOjwGSBN4mxDkm/5
         knvhKK8h27VOVF8UYQlQdX42sEL8Yg8jjfxXbXfHrY6qbFPsImx+jtjDd+V69GfhMKEL
         GpTnOMrZyTp2kVJQZv2ir7i6N/VES8d4lPt1kCSHmH9f6g4SuU20qsFZHCrV4Qi9JuvL
         g+PgEt4IWCO7RJn4cJu6YqsVM+5urNR1ECYf8aD0M3vfQO2n9sX3gJ16WCUhRsBYXHVx
         y1Bg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k14-v6si2715246pgs.418.2018.05.16.13.29.32;
        Wed, 16 May 2018 13:29:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751695AbeEPU3C (ORCPT <rfc822;justmaker@gmail.com> + 99 others);
        Wed, 16 May 2018 16:29:02 -0400
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:54236 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1751478AbeEPU3A (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 16 May 2018 16:29:00 -0400
Received: from pps.filterd (m0098420.ppops.net [127.0.0.1])
        by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4GKOElH132185
        for <linux-kernel@vger.kernel.org>; Wed, 16 May 2018 16:29:00 -0400
Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153])
        by mx0b-001b2d01.pphosted.com with ESMTP id 2j0t93m4a8-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Wed, 16 May 2018 16:28:59 -0400
Received: from localhost
        by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <stefanb@linux.vnet.ibm.com>;
        Wed, 16 May 2018 14:28:59 -0600
Received: from b03cxnp08026.gho.boulder.ibm.com (9.17.130.18)
        by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        Wed, 16 May 2018 14:28:54 -0600
Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
        by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w4GKSsno12255610;
        Wed, 16 May 2018 13:28:54 -0700
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 435DE7803F;
        Wed, 16 May 2018 14:28:54 -0600 (MDT)
Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153])
        by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP id 5B28D78037;
        Wed, 16 May 2018 14:28:45 -0600 (MDT)
Subject: Re: [RFC PATCH v4 3/5] ima: differentiate auditing policy rules from
 "audit" actions
To:     Mimi Zohar <zohar@linux.vnet.ibm.com>,
        linux-integrity@vger.kernel.org,
        containers@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Cc:     serge@hallyn.com, sunyuqiong1988@gmail.com, david.safford@ge.com,
        mkayaalp@cs.binghamton.edu, James.Bottomley@HansenPartnership.com,
        ebiederm@xmission.com, john.johansen@canonical.com
References: <20180511144230.75384-1-stefanb@linux.vnet.ibm.com>
 <20180511144230.75384-4-stefanb@linux.vnet.ibm.com>
 <1526391655.3937.151.camel@linux.vnet.ibm.com>
From:   Stefan Berger <stefanb@linux.vnet.ibm.com>
Date:   Wed, 16 May 2018 16:28:43 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <1526391655.3937.151.camel@linux.vnet.ibm.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-MW
X-TM-AS-GCONF: 00
x-cbid: 18051620-0012-0000-0000-00001640194C
X-IBM-SpamModules-Scores: 
X-IBM-SpamModules-Versions: BY=3.00009036; HX=3.00000241; KW=3.00000007;
 PH=3.00000004; SC=3.00000260; SDB=6.01033282; UDB=6.00528322; IPR=6.00812413;
 MB=3.00021149; MTD=3.00000008; XFM=3.00000015; UTC=2018-05-16 20:28:57
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18051620-0013-0000-0000-000052CC0363
Message-Id: <2496f165-67f7-304d-08a0-ea8eedd3c3d4@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-16_10:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000
 definitions=main-1805160201
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/15/2018 09:40 AM, Mimi Zohar wrote:
> Hi Stefan,
>
> On Fri, 2018-05-11 at 10:42 -0400, Stefan Berger wrote:
>> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
>>
>> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
>> the IMA "audit" policy action.  This patch defines AUDIT_INTEGRITY_POLICY
>> to reflect the IMA policy rules.
>>
>> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> We do need to separate out auditing the IMA policy rules from the
> "IMA-audit" messages.  Based on the IMA policy rule aspect of the
> discussions [1],  I would really appreciate if you could work with
> Richard and Steve on the new IMA policy rule audit format.
Is your patch below still valid for splitting it up into 'two distinct 
audit record types' ?

>
> This change can be upstreamed independently of either the IMA
> namespacing or the audit containerid patch sets.  The sooner we make
> this change and upstream it, the better.
>
> [1] https://www.redhat.com/archives/linux-audit/2018-March/msg00092.html
>
> thanks,
>
> Mimi
>
>> ---
>>   include/uapi/linux/audit.h          | 3 ++-
>>   security/integrity/ima/ima_policy.c | 2 +-
>>   2 files changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 4e61a9e05132..8966e7ff1c4c 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -146,7 +146,8 @@
>>   #define AUDIT_INTEGRITY_STATUS	    1802 /* Integrity enable status */
>>   #define AUDIT_INTEGRITY_HASH	    1803 /* Integrity HASH type */
>>   #define AUDIT_INTEGRITY_PCR	    1804 /* PCR invalidation msgs */
>> -#define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */
>> +#define AUDIT_INTEGRITY_RULE	    1805 /* IMA "audit" action policy msgs  */
>> +#define AUDIT_INTEGRITY_POLICY	    1806 /* IMA policy rules */
>>
>>   #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 915f5572c6ff..3a1412db02a3 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -619,7 +619,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>>   	bool uid_token;
>>   	int result = 0;
>>
>> -	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
>> +	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_POLICY);
>>
>>   	entry->uid = INVALID_UID;
>>   	entry->fowner = INVALID_UID;