Subject: Re: [PATCH] audit: add containerid support for IMA-audit
From: Stefan Berger
To: Steve Grubb
Cc: Richard Guy Briggs, Mimi Zohar, containers@lists.linux-foundation.org, Linux-Audit Mailing List, linux-integrity, LKML, paul@paul-moore.com
Date: Mon, 21 May 2018 13:53:04 -0400
Message-Id: <21646a72-e782-e33a-9e75-5cc98b241f36@linux.vnet.ibm.com>
In-Reply-To: <2397631.78oLu0QVqb@x2>
References: <1520257393.10396.291.camel@linux.vnet.ibm.com> <20180308112104.z67wohdvjqemy7wy@madcap2.tricolour.ca> <2397631.78oLu0QVqb@x2>
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/21/2018 12:58 PM, Steve Grubb wrote:
> On Thursday, May 17, 2018 10:18:13 AM EDT Stefan Berger wrote:
>>> audit_log_container_info() then releasing the local context. This
>>> version of the record has additional concerns covered here:
>>> https://github.com/linux-audit/audit-kernel/issues/52
>> Following the discussion there and the concern with breaking user space,
>> how can we split up the AUDIT_INTEGRITY_RULE that is used in
>> ima_audit_measurement() and ima_parse_rule(), without 'breaking user
>> space'?
>>
>> A message produced by ima_parse_rule() looks like this here:
>>
>> type=INTEGRITY_RULE msg=audit(1526566213.870:305): action="dont_measure"
>> fsmagic="0x9fa0" res=1
> Why are action and fsmagic being logged as untrusted strings? Untrusted
> strings are used when an unprivileged user can affect the contents of the
> field, such as creating a file with a space or special characters in the name.
>
> Also, subject and object information is missing. Who loaded this rule?
>
>> In contrast to that, an INTEGRITY_PCR record type:
>>
>> type=INTEGRITY_PCR msg=audit(1526566235.193:334): pid=1615 uid=0 auid=0
>> ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> op="invalid_pcr" cause="open_writers" comm="scp"
>> name="/var/log/audit/audit.log" dev="dm-0" ino=1962625 res=1
> Why are op & cause being logged as untrusted strings? This also has
> incomplete subject information.

It's calling audit_log_string() in both cases:

https://elixir.bootlin.com/linux/latest/source/security/integrity/integrity_audit.c#L48

>
>> Should some of the fields from INTEGRITY_PCR also appear in
>> INTEGRITY_RULE? If so, which ones?
> pid, uid, auid, tty, session, subj, comm, exe, res. <- these are required to
> be searchable
>
>> We could probably refactor the current integrity_audit_message() and have
>> ima_parse_rule() call into it to get those fields as well. I suppose adding
>> new fields to it wouldn't be considered breaking user space?
> The audit user space utilities pretty much expect those fields in that order
> for any IMA originating events. You can add things like op or cause before

We will call into audit_log_task, which will put the parameters into the correct order:

auid uid gid ses subj pid comm exe

https://elixir.bootlin.com/linux/latest/source/kernel/auditsc.c#L2433

> that. The reason why you can do that is those additional fields are not
> required to be searchable by common criteria.
>
> -Steve
>
>
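As an added example, not code from this thread, from the kernel or from the audit user space tools: a small parser for audit records in the format quoted above that checks each record for the fields Steve lists as required to be searchable (pid, uid, auid, tty, ses, subj, comm, exe, res) and for the field order Stefan cites from audit_log_task (auid uid gid ses subj pid comm exe). The first two sample records are the INTEGRITY_RULE and INTEGRITY_PCR lines quoted in the thread; the third is constructed here, with a hex-encoded name value, to show a record that passes both checks. The set of field names that are decoded from hex is an assumption of this example, chosen so that bare numbers such as pid=1615 are never mistaken for hex.

```python
"""Parse Linux audit records (type=T msg=audit(SECS:SERIAL): k=v ...) and check
the subject fields the thread says IMA records must carry."""
import re
from typing import Dict, List, Tuple

# Fields Steve Grubb lists in the thread as required to be searchable.
REQUIRED_SEARCHABLE = ["pid", "uid", "auid", "tty", "ses", "subj", "comm", "exe", "res"]

# Order in which, per Stefan's reply, audit_log_task() emits the subject fields.
AUDIT_LOG_TASK_ORDER = ["auid", "uid", "gid", "ses", "subj", "pid", "comm", "exe"]

# Assumption of this example: these fields may arrive hex-encoded when the
# value contains quotes, control or non-ASCII bytes. Decoding is restricted to
# this set so that plain numbers such as pid=1615 are never treated as hex.
HEX_ESCAPED_FIELDS = {"name", "comm", "exe", "cwd", "proctitle"}

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<secs>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample input: the first two records are the ones quoted in the
# thread; the third is made up here (name=2F746D702F612062 is "/tmp/a b" in hex).
SAMPLE_RECORDS = [
    'type=INTEGRITY_RULE msg=audit(1526566213.870:305): action="dont_measure" '
    'fsmagic="0x9fa0" res=1',
    "type=INTEGRITY_PCR msg=audit(1526566235.193:334): pid=1615 uid=0 auid=0 "
    "ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    'op="invalid_pcr" cause="open_writers" comm="scp" '
    'name="/var/log/audit/audit.log" dev="dm-0" ino=1962625 res=1',
    "type=INTEGRITY_PCR msg=audit(1526566300.000:400): auid=1000 uid=1000 "
    "gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=2000 "
    'comm="cp" exe="/usr/bin/cp" tty=pts0 op="invalid_pcr" '
    'cause="open_writers" name=2F746D702F612062 dev="dm-0" ino=42 res=1',
]


def decode_value(key: str, raw: str) -> Tuple[str, str]:
    """Return (value, encoding); encoding is 'quoted', 'hex' or 'bare'."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1], "quoted"
    if (key in HEX_ESCAPED_FIELDS and len(raw) >= 2 and len(raw) % 2 == 0
            and re.fullmatch(r"[0-9A-F]+", raw)):
        return bytes.fromhex(raw).decode("utf-8", errors="replace"), "hex"
    return raw, "bare"


def parse_record(line: str) -> Dict:
    """Split one record into its header and an ordered list of (key, value, encoding)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields: List[Tuple[str, str, str]] = []
    for fm in FIELD_RE.finditer(m.group("body")):
        value, enc = decode_value(fm.group("key"), fm.group("val"))
        fields.append((fm.group("key"), value, enc))
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("secs")),
        "serial": int(m.group("serial")),
        "fields": fields,  # kept in emission order for the ordering check
        "values": {k: v for k, v, _ in fields},
    }


def missing_searchable(record: Dict) -> List[str]:
    """Required searchable fields the record does not carry."""
    return [f for f in REQUIRED_SEARCHABLE if f not in record["values"]]


def follows_order(record: Dict, order: List[str] = AUDIT_LOG_TASK_ORDER) -> bool:
    """True if the fields of `order` that are present appear in that relative order."""
    keys = [k for k, _, _ in record["fields"]]
    positions = [keys.index(f) for f in order if f in keys]
    return positions == sorted(positions)


def quoted_fields(record: Dict) -> List[str]:
    """Fields emitted as quoted strings, i.e. the way audit_log_string() writes them."""
    return [k for k, _, enc in record["fields"] if enc == "quoted"]


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(f"{rec['type']} serial={rec['serial']}: missing={missing_searchable(rec)} "
              f"ordered={follows_order(rec)} quoted={quoted_fields(rec)}")
```

Run against the quoted records, the INTEGRITY_RULE line reports every subject field missing and only res present, and the INTEGRITY_PCR line reports tty and exe missing and its pid placed ahead of auid, which is the "incomplete subject information" Steve points at; the constructed third record is the shape the refactored path would produce.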