In-Reply-To: <4331521.GQBdaJNAj6@x2>
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com> <20180524201105.3179904-6-stefanb@linux.vnet.ibm.com> <4331521.GQBdaJNAj6@x2>
From: Paul Moore
Date: Tue, 29 May 2018 17:47:55 -0400
Subject: Re: [PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits
To: Steve Grubb, Stefan Berger
Cc: zohar@linux.vnet.ibm.com, linux-integrity@vger.kernel.org, linux-audit@redhat.com, linux-kernel@vger.kernel.org

On Tue, May 29, 2018 at 5:35 PM, Steve Grubb wrote:
> On Tuesday, May 29, 2018 5:19:39 PM EDT Paul Moore wrote:
>> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger wrote:
>> > Use the new public audit functions to add the exe= and tty=
>> > parts to the integrity audit records. We place them before
>> > res=.
>> >
>> > Signed-off-by: Stefan Berger
>> > Suggested-by: Steve Grubb
>> > ---
>> >
>> >  security/integrity/integrity_audit.c | 2 ++
>> >  1 file changed, 2 insertions(+)
>> >
>> > diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
>> > index db30763d5525..8d25d3c4dcca 100644
>> > --- a/security/integrity/integrity_audit.c
>> > +++ b/security/integrity/integrity_audit.c
>> > @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
>> >  		audit_log_untrustedstring(ab, inode->i_sb->s_id);
>> >  		audit_log_format(ab, " ino=%lu", inode->i_ino);
>> >  	}
>> > +	audit_log_d_path_exe(ab, current->mm);
>> > +	audit_log_tty(ab, current);
>>
>> NACK
>>
>> Please add the new fields to the end of the audit record, thank you.
>
> Let's see what an example event looks like before NACK'ing this. Way back in
> 2013 the IMA events were good. I think this is repairing the event after some
> drift.

Can you reference a specific commit, or point in time during 2013?

Looking at the git log quickly, if I go back to commit d726d8d719b6
("integrity: move integrity_audit_msg()") from March 18, 2013 (the
commit that created integrity_audit.c) the field ordering appears to
be the same as it is today.

My NACK still stands.

-- 
paul moore
www.paul-moore.com
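Review bot: the two added calls, `audit_log_d_path_exe(ab, current->mm)` and `audit_log_tty(ab, current)`, are placed after the closing brace of the `if (inode)` block and therefore ahead of the existing `res=` field, so every consumer that parses these integrity records by field position sees `res=` shift; moving the two calls to the end of the record, after `res=` is logged, keeps existing field positions stable, which is also what the reply asks for. The commit message refers to "the new public audit functions" without naming them or the patch in this 8-patch series that exports them, so the message should state that dependency explicitly, since this hunk does not apply or build on its own. It is also worth confirming in the description that `integrity_audit_msg()` is never reached from a kernel thread, since the hunk passes `current->mm` through unconditionally.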