Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4610481imm;
        Fri, 18 May 2018 07:54:48 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpoUrvKk5v3+Ey2NYNb6FOEgaS4VXH32QW85DCfZNhz6riKApwpi7amV6I5QDqnfF8Pq//m
X-Received: by 2002:a17:902:268:: with SMTP id 95-v6mr9955075plc.386.1526655288849;
        Fri, 18 May 2018 07:54:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526655288; cv=none;
        d=google.com; s=arc-20160816;
        b=vpYLjGMNIUuaR/VKRIOhoIrgh1LDMLLT3/G51SKhJ+YdY7X9VjEjRsWORUoLLJWOEK
         pwclH2nxxuN+QaftD8WZTyjLaBhakRlrTcfif7BMyc0T4SwWPoYiGU10SLEQdh0Bo9dB
         EfRW3k5DehW5M/kgsrvZSopvw5vWt2IO7R+y/9175x1OqY22EoJiJu5L7Us6tp46jaBs
         ndx6MXDbYHZ5pKzg7syeQmIkNmvaW9Xq25ZibXQKiupt0xYB+iJWMAXJveiwMZyMa/PY
         ZHfJjZnA7OK4zKr0/MLYZui/OPBm2W3KigastYwgvsrR9PnubU9FJJpwCXU8az0Jk3FG
         dXuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :from:references:cc:to:subject:arc-authentication-results;
        bh=q4Pa9JZ8ZvX0rJP3uVkige/28x9aKasGVhGTtKAImmo=;
        b=W2BBlu4HNRGOGntbVazv9CXS/tAg2jIMaqBsaEkkCkM3iwUqZKKy9bxZZ0V+001gCg
         JTYMYRDpJdMNTMdx6kvnYd78u8Oc588ASHb3Qo6bleRgmKM2a4i4F0yqNO1iyu303ztK
         EE7zFygTPYMMD8BY3GgZdnRKvCE3A/V8TxZCtcofNCZ30IY+A2fEPLn+dxasj4lBXafO
         WJkf1ne7fnPQgVX55sy/XatfmDJf/tDGY4LmBE9pRY9+jsnXqDg8QNnpl+lNQYowD9nE
         jnqsZfAZib1iMGCZxHqDvwOAbpy4aj1w4VL94nUbYUnsomWc9QZS/hT60OhvIxuCu7zc
         cYCA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m8-v6si7290895plt.29.2018.05.18.07.54.34;
        Fri, 18 May 2018 07:54:48 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752128AbeEROwo (ORCPT
        <rfc822;fygvjjghggcfgvhhgsgrguf@gmail.com> + 99 others);
        Fri, 18 May 2018 10:52:44 -0400
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:41692 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1752060AbeEROwl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 18 May 2018 10:52:41 -0400
Received: from pps.filterd (m0098421.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4IEnPlL082475
        for <linux-kernel@vger.kernel.org>; Fri, 18 May 2018 10:52:40 -0400
Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2j1xba812f-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Fri, 18 May 2018 10:52:40 -0400
Received: from localhost
        by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <stefanb@linux.vnet.ibm.com>;
        Fri, 18 May 2018 08:52:39 -0600
Received: from b03cxnp07029.gho.boulder.ibm.com (9.17.130.16)
        by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        Fri, 18 May 2018 08:52:36 -0600
Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233])
        by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w4IEqZII11403698;
        Fri, 18 May 2018 07:52:35 -0700
Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id A39B7136046;
        Fri, 18 May 2018 08:52:35 -0600 (MDT)
Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153])
        by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id 018B013603A;
        Fri, 18 May 2018 08:52:34 -0600 (MDT)
Subject: Re: [PATCH] audit: add containerid support for IMA-audit
To:     Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Richard Guy Briggs <rgb@redhat.com>
Cc:     containers@lists.linux-foundation.org,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        linux-integrity <linux-integrity@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>, paul@paul-moore.com,
        sgrubb@redhat.com
References: <1520257393.10396.291.camel@linux.vnet.ibm.com>
 <20180305135008.po6lheqnmkqqo6q4@madcap2.tricolour.ca>
 <1520259854.10396.313.camel@linux.vnet.ibm.com>
 <20180308112104.z67wohdvjqemy7wy@madcap2.tricolour.ca>
 <efb6c164-febe-67bb-43a9-795476c4902f@linux.vnet.ibm.com>
 <20180517213001.62caslkjwv575xgl@madcap2.tricolour.ca>
 <86df5c2c-9db3-21b9-b91b-30a4f53f9504@linux.vnet.ibm.com>
 <1526647996.3632.164.camel@linux.vnet.ibm.com>
 <ef567d60-42f7-0a87-8597-1ef381e15be0@linux.vnet.ibm.com>
 <1526654395.3632.196.camel@linux.vnet.ibm.com>
From:   Stefan Berger <stefanb@linux.vnet.ibm.com>
Date:   Fri, 18 May 2018 10:52:34 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <1526654395.3632.196.camel@linux.vnet.ibm.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-MW
X-TM-AS-GCONF: 00
x-cbid: 18051814-0028-0000-0000-000009A48071
X-IBM-SpamModules-Scores: 
X-IBM-SpamModules-Versions: BY=3.00009047; HX=3.00000241; KW=3.00000007;
 PH=3.00000004; SC=3.00000261; SDB=6.01034130; UDB=6.00528830; IPR=6.00813258;
 MB=3.00021186; MTD=3.00000008; XFM=3.00000015; UTC=2018-05-18 14:52:38
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18051814-0029-0000-0000-00003AE27A65
Message-Id: <1347e0c5-40c9-34a4-9c54-60bd2917b2d7@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-18_06:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000
 definitions=main-1805180163
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/18/2018 10:39 AM, Mimi Zohar wrote:
> On Fri, 2018-05-18 at 09:54 -0400, Stefan Berger wrote:
>> On 05/18/2018 08:53 AM, Mimi Zohar wrote:
> [..]
>
>>>>>> If so, which ones? We could probably refactor the current
>>>>>> integrity_audit_message() and have ima_parse_rule() call into it to get
>>>>>> those fields as well. I suppose adding new fields to it wouldn't be
>>>>>> considered breaking user space?
>>>>> Changing the order of existing fields or inserting fields could break
>>>>> stuff and is strongly discouraged without a good reason, but appending
>>>>> fields is usually the right way to add information.
>>>>>
>>>>> There are exceptions, and in this case, I'd pick the "more standard" of
>>>>> the formats for AUDIT_INTEGRITY_RULE (ima_audit_measurement?) and stick
>>>>> with that, abandoning the other format, renaming the less standard
>>>>> version of the record (ima_parse_rule?) and perhpas adopting that
>>>>> abandonned format for the new record type while using
>>>>> current->audit_context.
>>> This sounds right, other than "type=INTEGRITY_RULE" (1805) for
>>> ima_audit_measurement().  Could we rename type=1805 to be
>> So do we want to change both? I thought that what
>> ima_audit_measurement() produces looks ok but may not have a good name
>> for the 'type'. Now in this case I would not want to 'break user space'.
>> The only change I was going to make was to what ima_parse_rule() produces.
> The only change for now is separating the IMA policy rules from the
> IMA-audit messages.
>
> Richard, when the containerid is appended to the IMA-audit messages,
> would we make the audit type name change then?
>
>>> INTEGRITY_AUDIT or INTEGRITY_IMA_AUDIT?  The new type=1806 audit
>>> message could be named INTEGRITY_RULE or, if that would be confusing,
>>> INTEGRITY_POLICY_RULE.
>> For 1806, as we would use it in ima_parse_rule(), we could change that
>> in your patch to INTEGRITY_POLICY_RULE. IMA_POLICY_RULE may be better
>> for IMA to produce but that's inconsistent then.
> Ok

One other question is whether IMA's audit calls should all adhere to 
CONFIG_INTEGRITY_AUDIT. Most do but those two that currently use 
AUDIT_INTEGRITY_RULE do not. Should that be changed as well?

     Stefan