Subject: Re: [RFC PATCH v4 3/5] ima: differentiate auditing policy rules from "audit" actions
From: Mimi Zohar
To: Stefan Berger, linux-integrity@vger.kernel.org, containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: serge@hallyn.com, sunyuqiong1988@gmail.com, david.safford@ge.com, mkayaalp@cs.binghamton.edu, James.Bottomley@HansenPartnership.com, ebiederm@xmission.com, john.johansen@canonical.com, Richard Guy Briggs, Steve Grubb
Date: Wed, 16 May 2018 17:40:31 -0400
In-Reply-To: <2496f165-67f7-304d-08a0-ea8eedd3c3d4@linux.vnet.ibm.com>
References: <20180511144230.75384-1-stefanb@linux.vnet.ibm.com> <20180511144230.75384-4-stefanb@linux.vnet.ibm.com> <1526391655.3937.151.camel@linux.vnet.ibm.com> <2496f165-67f7-304d-08a0-ea8eedd3c3d4@linux.vnet.ibm.com>
Message-Id: <1526506831.3254.13.camel@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-05-16 at 16:28 -0400, Stefan Berger wrote:
> On 05/15/2018 09:40 AM, Mimi Zohar wrote:
> > Hi Stefan,
> >
> > On Fri, 2018-05-11 at 10:42 -0400, Stefan Berger wrote:
> >> From: Mimi Zohar
> >>
> >> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
> >> the IMA "audit" policy action. This patch defines AUDIT_INTEGRITY_POLICY
> >> to reflect the IMA policy rules.
> >>
> >> Signed-off-by: Mimi Zohar
> > We do need to separate out auditing the IMA policy rules from the
> > "IMA-audit" messages.  Based on the IMA policy rule aspect of the
> > discussions [1], I would really appreciate if you could work with
> > Richard and Steve on the new IMA policy rule audit format.
> Is your patch below still valid for splitting it up into 'two distinct
> audit record types' ?

We need to separate the IMA policy audit rules from the IMA-audit
messages.  As we're changing the audit numbers, we need to take into
account Richard's and Steve's comments about the IMA policy record
format at the same time.  This patch is incomplete and needs to address
their comments.

Mimi

> >
> > This change can be upstreamed independently of either the IMA
> > namespacing or the audit containerid patch sets.  The sooner we make
> > this change and upstream it, the better.
> >
> > [1] https://www.redhat.com/archives/linux-audit/2018-March/msg00092.html
> >
> > thanks,
> >
> > Mimi
> >
> >> ---
> >> include/uapi/linux/audit.h | 3 ++-
> >> security/integrity/ima/ima_policy.c | 2 +-
> >> 2 files changed, 3 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> >> index 4e61a9e05132..8966e7ff1c4c 100644
> >> --- a/include/uapi/linux/audit.h
> >> +++ b/include/uapi/linux/audit.h
> >> @@ -146,7 +146,8 @@ > >> #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */ > >> #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */ > >> #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */ > >> -#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */ > >> +#define AUDIT_INTEGRITY_RULE 1805 /* IMA "audit" action policy msgs */ > >> +#define AUDIT_INTEGRITY_POLICY 1806 /* IMA policy rules */ > >> > >> #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ > >> > >> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > >> index 915f5572c6ff..3a1412db02a3 100644 > >> --- a/security/integrity/ima/ima_policy.c > >> +++ b/security/integrity/ima/ima_policy.c > >> @@ -619,7 +619,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > >> bool uid_token; > >> int result = 0; > >> > >> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE); > >> + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_POLICY); > >> > >> entry->uid = INVALID_UID; > >> entry->fowner = INVALID_UID; > >
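Review bot: in the include/uapi/linux/audit.h hunk, rewording the comment on AUDIT_INTEGRITY_RULE (1805) narrows what an existing uapi record type means without changing its number, so any consumer that today selects 1805 to find IMA policy rules will silently stop seeing them once ima_parse_rule emits 1806; the commit message should say so explicitly rather than only that the new define "reflects the IMA policy rules". The new AUDIT_INTEGRITY_POLICY type also needs a matching entry in the audit userspace record-type table, otherwise ausearch and friends can only print it by number (UNKNOWN[1806]) until that lands.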
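Review bot: in the security/integrity/ima/ima_policy.c hunk, only the type argument of audit_log_start() in ima_parse_rule changes and the record body it builds is untouched, so this moves the number but leaves the format exactly where the thread says Richard's and Steve's comments ([1]) still need addressing; since userspace parsers will key on 1806 from the first kernel that emits it, the format change belongs in this same patch rather than a follow-up. It is also worth checking the other AUDIT_INTEGRITY_RULE emitters under security/integrity for records that describe policy state rather than an IMA "audit" action hit, because the header comment in the first hunk now documents 1805 as audit-action messages only while the diffstat shows this as the sole call site converted.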
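The consumer-side problem the patch addresses, as an added example that is not part of the patch or of anyone's reply in the thread: while IMA policy-rule records and IMA "audit" action records share type 1805, a log consumer that selects by type (the way ausearch -m does) gets both kinds mixed together and has to guess from the record body which one it has; once policy rules move to 1806, dispatch on the type field alone is exact. The two sample records are constructed for this example, their bodies are assumed shapes rather than captured output, and the body heuristic in classify() is an assumption about what a pre-patch consumer would have to do, not a documented format.

```python
"""Dispatch IMA audit records by type number (added example; sample data constructed)."""
import re

# Type numbers as in the quoted include/uapi/linux/audit.h hunk.
AUDIT_INTEGRITY_RULE = 1805    # after the patch: IMA "audit" action records only
AUDIT_INTEGRITY_POLICY = 1806  # after the patch: IMA policy rules

# Kernel audit framing: "type=<num> msg=audit(<secs>.<ms>:<serial>): <body>"
_FRAME = re.compile(r'^type=(\d+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed samples (not captured from a real system).  Serial 101 is a
# policy rule being loaded; serial 102 is a file hit by an "audit" action.
# The bodies are assumed shapes; only the policy-rule type number moves.
RULE_BODY = 'measure func=BPRM_CHECK mask=MAY_EXEC res=1'
ACTION_BODY = 'file="/usr/bin/id" hash="sha256:' + 'ab' * 32 + '" pid=4242 comm="bash"'
BEFORE_PATCH = [
    f'type=1805 msg=audit(1526506939.542:101): {RULE_BODY}',
    f'type=1805 msg=audit(1526506939.600:102): {ACTION_BODY}',
]
AFTER_PATCH = [
    f'type=1806 msg=audit(1526506939.542:101): {RULE_BODY}',
    f'type=1805 msg=audit(1526506939.600:102): {ACTION_BODY}',
]


def parse_record(line):
    """Split one raw audit line into type, serial, key=value fields and bare tokens.

    Bare tokens (the policy action keyword 'measure' above) carry no '=' and
    are kept separately so a heuristic classifier can look at them.
    """
    m = _FRAME.match(line)
    if not m:
        raise ValueError(f'not an audit record: {line!r}')
    body = m.group(5)
    fields = {k: v.strip('"') for k, v in _KV.findall(body)}
    tokens = _KV.sub('', body).split()
    return {'type': int(m.group(1)), 'serial': int(m.group(4)),
            'fields': fields, 'tokens': tokens}


def select_by_type(lines, type_num):
    """Serials of all records with the given type: what a type-only filter sees."""
    return [rec['serial'] for rec in map(parse_record, lines) if rec['type'] == type_num]


def classify(rec, split_types):
    """Return 'policy_rule', 'audit_action' or 'ambiguous'.

    split_types=True models a kernel with this patch applied: the type number
    is authoritative.  split_types=False models the pre-patch kernel, where
    both kinds arrive as 1805 and the consumer must fall back on body shape
    (an assumed heuristic for this example, not a documented format).
    """
    if split_types:
        if rec['type'] == AUDIT_INTEGRITY_POLICY:
            return 'policy_rule'
        if rec['type'] == AUDIT_INTEGRITY_RULE:
            return 'audit_action'
        return 'ambiguous'
    if rec['type'] != AUDIT_INTEGRITY_RULE:
        return 'ambiguous'   # a pre-patch consumer knows nothing about 1806
    # Heuristic: a rule record reports the parse result and names no file;
    # an action record names the file it measured.
    if 'res' in rec['fields'] and 'file' not in rec['fields']:
        return 'policy_rule'
    if 'file' in rec['fields']:
        return 'audit_action'
    return 'ambiguous'


if __name__ == '__main__':
    print('before patch, type 1805 ->', select_by_type(BEFORE_PATCH, AUDIT_INTEGRITY_RULE))
    print('after patch,  type 1805 ->', select_by_type(AFTER_PATCH, AUDIT_INTEGRITY_RULE))
    print('after patch,  type 1806 ->', select_by_type(AFTER_PATCH, AUDIT_INTEGRITY_POLICY))
```

Run stand-alone, the type-only filter returns serials 101 and 102 for 1805 before the patch (mixed), and exactly one serial per type afterwards; the body heuristic in classify() is what a consumer must carry while the two record kinds share a number, and it is also the first thing that breaks when the record format changes, which is why the format discussion from the thread belongs in the same patch as the renumbering.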