Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4610481imm; Fri, 18 May 2018 07:54:48 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpoUrvKk5v3+Ey2NYNb6FOEgaS4VXH32QW85DCfZNhz6riKApwpi7amV6I5QDqnfF8Pq//m X-Received: by 2002:a17:902:268:: with SMTP id 95-v6mr9955075plc.386.1526655288849; Fri, 18 May 2018 07:54:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526655288; cv=none; d=google.com; s=arc-20160816; b=vpYLjGMNIUuaR/VKRIOhoIrgh1LDMLLT3/G51SKhJ+YdY7X9VjEjRsWORUoLLJWOEK pwclH2nxxuN+QaftD8WZTyjLaBhakRlrTcfif7BMyc0T4SwWPoYiGU10SLEQdh0Bo9dB EfRW3k5DehW5M/kgsrvZSopvw5vWt2IO7R+y/9175x1OqY22EoJiJu5L7Us6tp46jaBs ndx6MXDbYHZ5pKzg7syeQmIkNmvaW9Xq25ZibXQKiupt0xYB+iJWMAXJveiwMZyMa/PY ZHfJjZnA7OK4zKr0/MLYZui/OPBm2W3KigastYwgvsrR9PnubU9FJJpwCXU8az0Jk3FG dXuA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :from:references:cc:to:subject:arc-authentication-results; bh=q4Pa9JZ8ZvX0rJP3uVkige/28x9aKasGVhGTtKAImmo=; b=W2BBlu4HNRGOGntbVazv9CXS/tAg2jIMaqBsaEkkCkM3iwUqZKKy9bxZZ0V+001gCg JTYMYRDpJdMNTMdx6kvnYd78u8Oc588ASHb3Qo6bleRgmKM2a4i4F0yqNO1iyu303ztK EE7zFygTPYMMD8BY3GgZdnRKvCE3A/V8TxZCtcofNCZ30IY+A2fEPLn+dxasj4lBXafO WJkf1ne7fnPQgVX55sy/XatfmDJf/tDGY4LmBE9pRY9+jsnXqDg8QNnpl+lNQYowD9nE jnqsZfAZib1iMGCZxHqDvwOAbpy4aj1w4VL94nUbYUnsomWc9QZS/hT60OhvIxuCu7zc cYCA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m8-v6si7290895plt.29.2018.05.18.07.54.34; Fri, 18 May 2018 07:54:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752128AbeEROwo (ORCPT + 99 others); Fri, 18 May 2018 10:52:44 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:41692 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752060AbeEROwl (ORCPT ); Fri, 18 May 2018 10:52:41 -0400 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4IEnPlL082475 for ; Fri, 18 May 2018 10:52:40 -0400 Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159]) by mx0a-001b2d01.pphosted.com with ESMTP id 2j1xba812f-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 18 May 2018 10:52:40 -0400 Received: from localhost by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 18 May 2018 08:52:39 -0600 Received: from b03cxnp07029.gho.boulder.ibm.com (9.17.130.16) by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Fri, 18 May 2018 08:52:36 -0600 Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w4IEqZII11403698; Fri, 18 May 2018 07:52:35 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A39B7136046; Fri, 18 May 2018 08:52:35 -0600 (MDT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id 018B013603A; Fri, 18 May 2018 08:52:34 -0600 (MDT) Subject: Re: [PATCH] audit: add containerid support for IMA-audit To: Mimi Zohar , Richard Guy Briggs Cc: containers@lists.linux-foundation.org, Linux-Audit Mailing List , linux-integrity , LKML , paul@paul-moore.com, sgrubb@redhat.com References: <1520257393.10396.291.camel@linux.vnet.ibm.com> <20180305135008.po6lheqnmkqqo6q4@madcap2.tricolour.ca> <1520259854.10396.313.camel@linux.vnet.ibm.com> <20180308112104.z67wohdvjqemy7wy@madcap2.tricolour.ca> <20180517213001.62caslkjwv575xgl@madcap2.tricolour.ca> <86df5c2c-9db3-21b9-b91b-30a4f53f9504@linux.vnet.ibm.com> <1526647996.3632.164.camel@linux.vnet.ibm.com> <1526654395.3632.196.camel@linux.vnet.ibm.com> From: Stefan Berger Date: Fri, 18 May 2018 10:52:34 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <1526654395.3632.196.camel@linux.vnet.ibm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-MW X-TM-AS-GCONF: 00 x-cbid: 18051814-0028-0000-0000-000009A48071 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00009047; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000261; SDB=6.01034130; UDB=6.00528830; IPR=6.00813258; MB=3.00021186; MTD=3.00000008; XFM=3.00000015; UTC=2018-05-18 14:52:38 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18051814-0029-0000-0000-00003AE27A65 Message-Id: <1347e0c5-40c9-34a4-9c54-60bd2917b2d7@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-18_06:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1805180163 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05/18/2018 10:39 AM, Mimi Zohar wrote: > On Fri, 2018-05-18 at 09:54 -0400, Stefan Berger wrote: >> On 05/18/2018 08:53 AM, Mimi Zohar wrote: > [..] > >>>>>> If so, which ones? We could probably refactor the current >>>>>> integrity_audit_message() and have ima_parse_rule() call into it to get >>>>>> those fields as well. I suppose adding new fields to it wouldn't be >>>>>> considered breaking user space? >>>>> Changing the order of existing fields or inserting fields could break >>>>> stuff and is strongly discouraged without a good reason, but appending >>>>> fields is usually the right way to add information. >>>>> >>>>> There are exceptions, and in this case, I'd pick the "more standard" of >>>>> the formats for AUDIT_INTEGRITY_RULE (ima_audit_measurement?) and stick >>>>> with that, abandoning the other format, renaming the less standard >>>>> version of the record (ima_parse_rule?) and perhpas adopting that >>>>> abandonned format for the new record type while using >>>>> current->audit_context. >>> This sounds right, other than "type=INTEGRITY_RULE" (1805) for >>> ima_audit_measurement().  Could we rename type=1805 to be >> So do we want to change both? I thought that what >> ima_audit_measurement() produces looks ok but may not have a good name >> for the 'type'. Now in this case I would not want to 'break user space'. >> The only change I was going to make was to what ima_parse_rule() produces. > The only change for now is separating the IMA policy rules from the > IMA-audit messages. > > Richard, when the containerid is appended to the IMA-audit messages, > would we make the audit type name change then? > >>> INTEGRITY_AUDIT or INTEGRITY_IMA_AUDIT?  The new type=1806 audit >>> message could be named INTEGRITY_RULE or, if that would be confusing, >>> INTEGRITY_POLICY_RULE. >> For 1806, as we would use it in ima_parse_rule(), we could change that >> in your patch to INTEGRITY_POLICY_RULE. IMA_POLICY_RULE may be better >> for IMA to produce but that's inconsistent then. > Ok One other question is whether IMA's audit calls should all adhere to CONFIG_INTEGRITY_AUDIT. Most do but those two that currently use AUDIT_INTEGRITY_RULE do not. Should that be changed as well?     Stefan