Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp629714imm; Mon, 21 May 2018 11:31:14 -0700 (PDT) X-Google-Smtp-Source: AB8JxZp/bTCvD0O+VWTmxQt04O/UhOi5gs8Mczq2msXw/rDtYzGD60xWHecFu4dnS5uZE3579WOM X-Received: by 2002:a65:48c9:: with SMTP id o9-v6mr16891501pgs.106.1526927474481; Mon, 21 May 2018 11:31:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526927474; cv=none; d=google.com; s=arc-20160816; b=OpDLPp+D/BCwYvAjK6aovfjd3EmGqLWwPVqo4PdyMXyZ3Q9uUq4852hGBfYVF/VjsO sbh5yK1vffC+niCMEzKw8WQIcxE1aMHdWPm4b0PiZO+vJGPnrlxs0kuf1xsSM1llqwE+ iRbDrRk+gofaHJFRqqALcer0xRBNrzL4JimTgC9GUpkMt5DdjNx7DmiXiCT/hCBdOxBn 5/QmiKEECqb8mUdY84ue5j3ZG4hpoWgHa4qIs3yeEB1UmCyzxMm9sH5j1FLpmt0pBF2b zhzf2tzfMW0zLeRpeFpDoA0I6q0USSsh3jQCmnb4bYJrr5+FMolRpfUjaAEEZX01oIwB Dj+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from:arc-authentication-results; bh=pgiEVsmu4rvexYfgq1PQUi6H88AVUvZHcg88PVVKPlU=; b=mDTAiLvoVuZatGxjDRciY9j1Pwb5RVT4wF0SU549C8YwPp4PqFP9q5OJQYgNBliegW jAscO6S72gmhUw36S+++dTn0rWjnpeV0L7upgpho7HNFbJuXovOZVEJyqFAAUY1ATD0s oz26+5UhILUGgP3IGZDrPipM8+dtgUgyBLjRx27UV1QPTPSDUn/vktM16VJGJiCi7i0U hX6lrQ24eNcPLfaRbm8FIvifbivl9zpoC62p4Hi+R9f9cm3rd1SHubNIrZ9NFEYNDQzo 6lich0vt7AehTop3uigX6HgPI9qCM25LeOW8LtjNrQVLDJT6CDotMH3YGfG41vca9fQi Ki4w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o16-v6si9316009pgc.603.2018.05.21.11.30.57; Mon, 21 May 2018 11:31:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751177AbeEUSaV (ORCPT + 99 others); Mon, 21 May 2018 14:30:21 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:34868 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750909AbeEUSaS (ORCPT ); Mon, 21 May 2018 14:30:18 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 45365401EF10; Mon, 21 May 2018 18:30:18 +0000 (UTC) Received: from x2.localnet (ovpn-122-110.rdu2.redhat.com [10.10.122.110]) by smtp.corp.redhat.com (Postfix) with ESMTP id BEA4E2026988; Mon, 21 May 2018 18:30:17 +0000 (UTC) From: Steve Grubb To: Stefan Berger Cc: Richard Guy Briggs , Mimi Zohar , containers@lists.linux-foundation.org, Linux-Audit Mailing List , linux-integrity , LKML , paul@paul-moore.com Subject: Re: [PATCH] audit: add containerid support for IMA-audit Date: Mon, 21 May 2018 14:30:18 -0400 Message-ID: <4015765.rtofcNpGHU@x2> Organization: Red Hat In-Reply-To: <21646a72-e782-e33a-9e75-5cc98b241f36@linux.vnet.ibm.com> References: <1520257393.10396.291.camel@linux.vnet.ibm.com> <2397631.78oLu0QVqb@x2> <21646a72-e782-e33a-9e75-5cc98b241f36@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Mon, 21 May 2018 18:30:18 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Mon, 21 May 2018 18:30:18 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'sgrubb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Stefan, On Monday, May 21, 2018 1:53:04 PM EDT Stefan Berger wrote: > On 05/21/2018 12:58 PM, Steve Grubb wrote: > > On Thursday, May 17, 2018 10:18:13 AM EDT Stefan Berger wrote: > >>> audit_log_container_info() then releasing the local context. This > >>> version of the record has additional concerns covered here: > >>> https://github.com/linux-audit/audit-kernel/issues/52 > >> > >> Following the discussion there and the concern with breaking user space, > >> how can we split up the AUDIT_INTEGRITY_RULE that is used in > >> ima_audit_measurement() and ima_parse_rule(), without 'breaking user > >> space'? > >> > >> A message produced by ima_parse_rule() looks like this here: > >> > >> type=INTEGRITY_RULE msg=audit(1526566213.870:305): action="dont_measure" > >> fsmagic="0x9fa0" res=1 > > > > Why is action and fsmagic being logged as untrusted strings? Untrusted > > strings are used when an unprivileged user can affect the contents of the > > field such as creating a file with space or special characters in the > > name. > > > > Also, subject and object information is missing. Who loaded this rule? > > > >> in contrast to that an INTEGRITY_PCR record type: > >> > >> type=INTEGRITY_PCR msg=audit(1526566235.193:334): pid=1615 uid=0 auid=0 > >> ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > >> op="invalid_pcr" cause="open_writers" comm="scp" > >> name="/var/log/audit/audit.log" dev="dm-0" ino=1962625 res=1 > > > > Why is op & cause being logged as an untrusted string? This also has > > incomplete subject information. > > It's calling audit_log_string() in both cases: > > https://elixir.bootlin.com/linux/latest/source/security/integrity/integrity > _audit.c#L48 I see. Looking things over, I see that it seems like it should do the right thing. But the original purpose for this function is here: https://elixir.bootlin.com/linux/latest/source/kernel/audit.c#L1944 This is where it is logging an untrusted string and has to decide to encode it or just place it in quotes. If it has quotes, that means it's an untrusted string but has no control characters in it. I think you want to use audit_log_format() for any string that is trustworthy. As an aside, I wonder why audit_log_string() is in the API when it is a helper to audit_log_untrustedstring() ? Without understanding the rules of untrusted strings, it can't be used correctly without re-inventing audit_log_untrustedstring() by hand. > >> Should some of the fields from INTEGRITY_PCR also appear in > >> INTEGRITY_RULE? If so, which ones? > > > > pid, uid, auid, tty, session, subj, comm, exe, res. <- these are > > required to be searchable > > > >> We could probably refactor the current integrity_audit_message() and > >> have ima_parse_rule() call into it to get those fields as well. I > >> suppose adding new fields to it wouldn't be considered breaking user > >> space? > > > > The audit user space utilities pretty much expects those fields in that > > order for any IMA originating events. You can add things like op or > > cause before > > We will call into audit_log_task, which will put the parameters into > correct order: > > auid uid gid ses subj pid comm exe I'm telling you what the correct order is. :-) A long time ago, the IMA system had audit events with the order I'm mentioning. For example, here's one from a log I collected back in 2013: type=INTEGRITY_PCR msg=audit(1327409021.813:21): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op="add_template_measure" cause="hash_added" comm="init" name="01parse-kernel.sh" dev=rootfs ino=5413 res=0 it was missing "tty" and "exe", but the order is as I mentioned. The expectation is that INTEGRITY events maintain this established order across all events. Thanks, -Steve > https://elixir.bootlin.com/linux/latest/source/kernel/auditsc.c#L2433 > > > that. The reason why you can do that is those additional fields are not > > required to be searchable by common criteria. > > > > -Steve