Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp4658487imm;
        Wed, 30 May 2018 09:29:03 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKLj6iRtDV4HooxNw3zrdLi7iWtLwLPHhoypNlls1s28TolC8nVPjLoYdW2z7yfXbgF9bTZg
X-Received: by 2002:a62:98c9:: with SMTP id d70-v6mr3294658pfk.195.1527697743365;
        Wed, 30 May 2018 09:29:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527697743; cv=none;
        d=google.com; s=arc-20160816;
        b=0cF44glw+BqOZyJY3buVx33XVLWpe0Qhm+TFuxMdf9aVRGShXhLI3iU3w5lD7zfZcj
         OePkEpNGJQ/2rtweFRPGUVNFaQg+w6XZAcQx1i8vOBxuC78oI44nYormU9M4BE66Kf9G
         tWm141vaqjGoUnmu2tC8vDvLK9mbS9qpLKjHtJ8mdjsZofcw2PpAnuIcYLfMJDmnf7g2
         6yAWdsKOLZC+PNGYdO3hs2MZQSoGXzce3iNrc7yZtkTSXpDRBeCT03GVnE9k+Mk5byuY
         VAKmM+Zgxa4ZSCQRs6cvjSjoh0d/p9Rbtp3RX6O8x6zlBIBH0VRh6QQtzSum7IK97Vhf
         Y4lw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:organization:message-id:date:subject:cc:to
         :from:arc-authentication-results;
        bh=XQKb4dkJt/vIPty9FnpesYwGRQ5EYEJeJX3+yv3HgII=;
        b=aAJuPDCFH2hcSpg3MBlFnzqtpLjrrzBEPx4V3IRQluoyPoam7Zth4PcXdBzKN1TjLI
         BKE10CWWg5SnBtHj9N0qvxZL8vF61C2PjoV3SXsCVZQEOr/O+HHD2BbzXJjsdW9mChpz
         NsP2PY7kAblcB0xRUHp9csENcTOuEDzVNJLT7y+0d6UVAH/DoPblTbh2brgTxOsE+/d1
         Y1PIUjRLxVDspR4teDHqIU7V5+ErRiEJqMn/fRZJiIibAGktaCMPDuju1s4gU9Pl3Qkb
         RyLgY6WlAtZM8J9EGycBHjycM5uMHdZVe+xNSc6KlIRArUz4aPTWDmQxaa71ZDuSxCNG
         BsLA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s21-v6si33663693plr.143.2018.05.30.09.28.49;
        Wed, 30 May 2018 09:29:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753912AbeE3Q1T (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Wed, 30 May 2018 12:27:19 -0400
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:57214 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1753560AbeE3Q1R (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 30 May 2018 12:27:17 -0400
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id AA7284000B6E;
        Wed, 30 May 2018 16:27:16 +0000 (UTC)
Received: from x2.localnet (ovpn-120-68.rdu2.redhat.com [10.10.120.68])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 2C4FE1002968;
        Wed, 30 May 2018 16:27:14 +0000 (UTC)
From:   Steve Grubb <sgrubb@redhat.com>
To:     Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc:     Paul Moore <paul@paul-moore.com>, zohar@linux.vnet.ibm.com,
        linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-audit@redhat.com
Subject: Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions
Date:   Wed, 30 May 2018 12:27:14 -0400
Message-ID: <3607733.4k8ofLVAdP@x2>
Organization: Red Hat
In-Reply-To: <00f66ee1-7494-8249-f148-688616deca0c@linux.vnet.ibm.com>
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com> <15281606.YptaXzsEVL@x2> <00f66ee1-7494-8249-f148-688616deca0c@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Wed, 30 May 2018 16:27:16 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Wed, 30 May 2018 16:27:16 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'sgrubb@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wednesday, May 30, 2018 11:25:05 AM EDT Stefan Berger wrote:
> On 05/30/2018 11:15 AM, Steve Grubb wrote:
> > On Wednesday, May 30, 2018 9:54:00 AM EDT Stefan Berger wrote:
> >> On 05/29/2018 05:30 PM, Steve Grubb wrote:
> >>> Hello,
> >>> 
> >>> On Thursday, May 24, 2018 4:11:05 PM EDT Stefan Berger wrote:
> >>>> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
> >>>> the IMA "audit" policy action.  This patch defines
> >>>> AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.
> >>>> 
> >>>> With this change we now call integrity_audit_msg_common() to get
> >>>> common integrity auditing fields. This now produces the following
> >>>> record when parsing an IMA policy rule:
> >>>> 
> >>>> type=UNKNOWN[1806] msg=audit(1527004216.690:311): action=dont_measure
> >>>> \
> >>>> 
> >>>> fsmagic=0x9fa0 pid=1613 uid=0 auid=0 ses=2 \
> >>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
> >>>> op=policy_update cause=parse_rule comm="echo" exe="/usr/bin/echo" \
> >>>> tty=tty2 res=1
> >>> 
> >>> Since this is a new event, do you mind moving the tty field to be
> >>> between
> >>> auid= and ses=  ?   That is the more natural place for it.
> >> 
> >> 6/8 refactors the code so that the integrity audit records produced by
> >> IMA follow one format in terms of ordering of the fields, with fields
> >> like inode optional, though, and AUDIT_INTEGRITY_RULE in the end being
> >> the only one with a different format. Do we really want to change that
> >> order just for 1806?
> >> 
> >> 5/8 now produces the following:
> >> 
> >> type=INTEGRITY_PCR msg=audit(1527685075.941:502): pid=2431 \
> >> uid=0 auid=1000 ses=5 \
> >> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
> >> op=invalid_pcr cause=open_writers comm="grep" \
> >> name="/var/log/audit/audit.log" dev="dm-0" ino=1962494 \
> >> exe="/usr/bin/grep" tty=pts0 res=1
> >> 
> >> Comparing the two:
> >> 
> >> 1806:          action, fsmagic, pid, uid, auid, ses, subj, op, cause,
> >> comm,    exe, tty, res
> >> INTEGRITY_PCR:                  pid, uid, auid, ses, subj, op, cause,
> >> comm, name, dev, ino, exe, tty, res
> > 
> > OK. I guess go with it as is. It passes testing.
> 
> What about the position of 'res' field relative to the two new fields
> 'exe' and 'tty'?

res (results) is always the last field for every event. We have no events 
where it is not the last field. I'd prefer to go with it as is. The events 
pass my testing the way they are.

> Do we want to keep them as shown or strictly append the
> two new fields 'exe' and 'tty'? 

I'd prefer the first option to keep things as expected.

> Paul seems to request that they appear after 'res'.

I'd rather see them dropped, as useful as they could be, than to malform the 
events.

-Steve