From: Steve Grubb
To: Stefan Berger
Cc: Richard Guy Briggs, Mimi Zohar, containers@lists.linux-foundation.org, Linux-Audit Mailing List, linux-integrity, LKML, paul@paul-moore.com
Subject: Re: [PATCH] audit: add containerid support for IMA-audit
Date: Mon, 21 May 2018 12:58:28 -0400
Message-ID: <2397631.78oLu0QVqb@x2>
Organization: Red Hat
On Thursday, May 17, 2018 10:18:13 AM EDT Stefan Berger wrote:
> > audit_log_container_info() then releasing the local context. This
> > version of the record has additional concerns covered here:
> > https://github.com/linux-audit/audit-kernel/issues/52
>
> Following the discussion there and the concern with breaking user space,
> how can we split up the AUDIT_INTEGRITY_RULE that is used in
> ima_audit_measurement() and ima_parse_rule(), without 'breaking user
> space'?
>
> A message produced by ima_parse_rule() looks like this here:
>
> type=INTEGRITY_RULE msg=audit(1526566213.870:305): action="dont_measure"
> fsmagic="0x9fa0" res=1

Why are action and fsmagic being logged as untrusted strings? Untrusted
strings are used when an unprivileged user can affect the contents of the
field, such as creating a file with a space or special characters in the
name. Also, subject and object information is missing. Who loaded this rule?

> in contrast to that an INTEGRITY_PCR record type:
>
> type=INTEGRITY_PCR msg=audit(1526566235.193:334): pid=1615 uid=0 auid=0
> ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> op="invalid_pcr" cause="open_writers" comm="scp"
> name="/var/log/audit/audit.log" dev="dm-0" ino=1962625 res=1

Why are op and cause being logged as untrusted strings? This also has
incomplete subject information.

> Should some of the fields from INTEGRITY_PCR also appear in
> INTEGRITY_RULE? If so, which ones?

pid, uid, auid, tty, session, subj, comm, exe, res. <- these are required
to be searchable

> We could probably refactor the current integrity_audit_message() and have
> ima_parse_rule() call into it to get those fields as well. I suppose adding
> new fields to it wouldn't be considered breaking user space?

The audit user space utilities pretty much expect those fields in that
order for any IMA originating events. You can add things like op or cause
before that. The reason why you can do that is those additional fields are
not required to be searchable by Common Criteria.

-Steve
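As an added example (not part of the thread or of the kernel/audit code), a small Python checker that applies the list of searchable fields above to the two records quoted in the mail: it parses a record into its ordered key/value pairs, reports which of pid, uid, auid, tty, ses, subj, comm, exe, res are absent, and checks that the ones present keep that relative order. It assumes single-line records and that "session" is written as `ses`, as it is in the INTEGRITY_PCR record.

```python
import re
from typing import Dict, List, Tuple

# Fields the reply lists as required to be searchable, in the order the
# audit user-space tools expect them. "session" is written "ses" in the
# records themselves (see the INTEGRITY_PCR record), so we match on "ses".
REQUIRED_ORDER = ["pid", "uid", "auid", "tty", "ses", "subj", "comm", "exe", "res"]

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two records quoted in the thread, joined back onto one line each.
RULE_RECORD = ('type=INTEGRITY_RULE msg=audit(1526566213.870:305): '
               'action="dont_measure" fsmagic="0x9fa0" res=1')
PCR_RECORD = ('type=INTEGRITY_PCR msg=audit(1526566235.193:334): pid=1615 uid=0 '
              'auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
              'op="invalid_pcr" cause="open_writers" comm="scp" '
              'name="/var/log/audit/audit.log" dev="dm-0" ino=1962625 res=1')


def parse_record(line: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split one audit record into its type and an ordered key/value list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, _timestamp, _serial, body = m.groups()
    # A value is either a quoted string or a run of non-blank characters
    # (audit hex-encodes untrusted strings that contain blanks, so this holds).
    fields = [(k, v.strip('"')) for k, v in FIELD_RE.findall(body)]
    return rtype, fields


def check_searchable_fields(line: str) -> Dict[str, object]:
    """Report missing searchable fields, whether the present ones keep the
    expected relative order, and which other fields the record carries."""
    rtype, fields = parse_record(line)
    keys = [k for k, _ in fields]
    present = [k for k in REQUIRED_ORDER if k in keys]
    positions = [keys.index(k) for k in present]
    return {
        "type": rtype,
        "missing": [k for k in REQUIRED_ORDER if k not in keys],
        "in_order": positions == sorted(positions),
        "extra": [k for k in keys if k not in REQUIRED_ORDER],
    }


if __name__ == "__main__":
    for rec in (RULE_RECORD, PCR_RECORD):
        print(check_searchable_fields(rec))
```

Run against the two quoted records it reports that INTEGRITY_RULE lacks every searchable field except res, and that INTEGRITY_PCR lacks tty and exe, which is the "incomplete subject information" the reply points out.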