Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp4892143imm;
        Wed, 30 May 2018 14:15:49 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKLEomjob4evVjAGHv2WiCtVghqXKl6pxhtBS8mNlWOEUEdVZCndRJPsro8JlaKe5k4dt92o
X-Received: by 2002:a62:2043:: with SMTP id g64-v6mr4263454pfg.12.1527714949853;
        Wed, 30 May 2018 14:15:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527714949; cv=none;
        d=google.com; s=arc-20160816;
        b=YoCJeKjcUTdoS0O/Jkfpe20qsEiy+R732bZzXc0tffhfzupt6Daix357W4GSKnVqex
         ng570sa6rEmjz7qmzIpzt9Oh1NfSnOjJnZdaNLFtL8MhqMKl/2blPEAAx98MsmPSDpir
         wdrig1SDvMAeodPlaClUzjavHmtgO4HA+IGQqkSYTQFW5OxSDxt0+nbFql9yS5yNcM0y
         QiJhznX/07xFXWWm9C/SSzhVO9qt917YLEdAgSYufoh/qADrRW7GiibEpOSkPgLIaRhR
         ynelN3uURavnWlxgTIfnTBrf4aocgpQX/lh3xXZdsFphL6bs4I6OjmwBQlDMVntmJ24U
         q0eA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=Yw5eBbS29oGTn9IvgIUoXE6BpS1UqGGfP+o74ofOz+o=;
        b=Oey9fHcLFQWskOJwJiwVry82oCQ8YWHtyvyhdy+t4sH9qFLHJymGTxG8uXpYg03efT
         BADNqekqEYjj04yuZo/ypBKoW7kxgtiKukf4zENklVXy/k8hyKif3tqp+H2OJXSffGlr
         kh4NtHYomJccEydL7JoqSoN+xtu1BtYTcBgeMVysQpngAx40CRBRCtWFtrSQxRbsoON+
         /NufMMJ3B0LjLroKAslk+SvMYwHJq2GzvgXW+jjJHqBJoetBLXfXO7szMWrl3ohN/wLw
         JPZNdXKwnylc7IHlbzIQKLDVryNrgukosz3G6EmoKl6C17DK0ZG861lHly2ZOns5nquP
         Jb0Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=VRnjx9dC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v64-v6si8875686pfj.292.2018.05.30.14.15.35;
        Wed, 30 May 2018 14:15:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=VRnjx9dC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932376AbeE3VOg (ORCPT <rfc822;7819ynot@gmail.com> + 99 others);
        Wed, 30 May 2018 17:14:36 -0400
Received: from mail-lf0-f67.google.com ([209.85.215.67]:40622 "EHLO
        mail-lf0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932234AbeE3VOd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 30 May 2018 17:14:33 -0400
Received: by mail-lf0-f67.google.com with SMTP id q11-v6so6473918lfc.7
        for <linux-kernel@vger.kernel.org>; Wed, 30 May 2018 14:14:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=Yw5eBbS29oGTn9IvgIUoXE6BpS1UqGGfP+o74ofOz+o=;
        b=VRnjx9dCkJ3EJoEBuUFO52aLT/Vac+dXzPFIOUZW1+LC9xrMw5tUdg2tvGM4kYOXmP
         iePwfb1npIlL/OR1vYl8VmAY5KdZpIfG8LHiu1w4pdApWxD6lBksAYbkcueWLsCBPzBA
         5wooVyy0p/QFodAu+fR6ToUCmXolakFoK6h37VOG1qXF1r89JUyb3eSH5jQ9/InJF2c/
         mf3o52HAjVhsIxvyGu9tfiRDOSk2G5Km0Csaq3+BLbXOjyV874gAXAMfSHykm9jX9hUu
         2Mi74Fc7FrH/t5nm2edxQuWeCulUd0KSE9JhRoAy4eqoqI7gQ0HN3wCaU2WEN01SgadN
         m7vg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=Yw5eBbS29oGTn9IvgIUoXE6BpS1UqGGfP+o74ofOz+o=;
        b=QbmzRFcRwJOEMImYPngCEx8sAOoTTebI8lS93Q9nR3yf0RJa8vKrfzcsEH59oPX/Yo
         0dyEh5EK0i+GlKs+dO4KdZAxnO3W79XHn4+NJ+h7a2miiVzfNpZ6rTURki77cbRPRPNc
         CjAA6gYr4xtKQ55l3CZROdOttxmVv+CcK1jG/cgwxJ0f9ITeDfGlfqiCA01zU61dBMIx
         3RDC/iRFIJhivnPCa06rzPIpAsrblLnvrb+m6mTRGuYqpRjAIGgjWfTXtxir63bTzo+C
         9u8s8hNILOSAX1imRNht5NvEIMHFOb9O+vtXKODQxnMc0ECCNIJmOAg4eUIPfGgHhlXu
         BAVg==
X-Gm-Message-State: ALKqPwfvSPjaE4q7c9pFPWQwz2RFH9fEsFtZhxEifENVPGH2p7QygmCs
        aitXpONNowmRtaZIaAB2v1TaxvhSvJAkfFtBtx2A
X-Received: by 2002:a2e:29cf:: with SMTP id p76-v6mr3412771ljp.12.1527714872199;
 Wed, 30 May 2018 14:14:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a19:a911:0:0:0:0:0 with HTTP; Wed, 30 May 2018 14:14:31
 -0700 (PDT)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <0c9616fe-b404-eeed-1cba-c920c31694fd@linux.vnet.ibm.com>
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com>
 <20180524201105.3179904-6-stefanb@linux.vnet.ibm.com> <CAHC9VhQTFPwz5tpL133DQuXDbZR4P7zy4m3hb4nwm9OSf4RNgQ@mail.gmail.com>
 <0c9616fe-b404-eeed-1cba-c920c31694fd@linux.vnet.ibm.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Wed, 30 May 2018 17:14:31 -0400
Message-ID: <CAHC9VhQsRLPcXm7aesGw4XqWSQMH5znnURCrQHH1w5+tfDjYCA@mail.gmail.com>
Subject: Re: [PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits
To:     Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc:     zohar@linux.vnet.ibm.com, sgrubb@redhat.com,
        linux-integrity@vger.kernel.org, linux-audit@redhat.com,
        linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 30, 2018 at 8:17 AM, Stefan Berger
<stefanb@linux.vnet.ibm.com> wrote:
> On 05/29/2018 05:19 PM, Paul Moore wrote:
>>
>> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger
>> <stefanb@linux.vnet.ibm.com> wrote:
>>>
>>> Use the new public audit functions to add the exe= and tty=
>>> parts to the integrity audit records. We place them before
>>> res=.
>>>
>>> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
>>> Suggested-by: Steve Grubb <sgrubb@redhat.com>
>>> ---
>>>   security/integrity/integrity_audit.c | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/security/integrity/integrity_audit.c
>>> b/security/integrity/integrity_audit.c
>>> index db30763d5525..8d25d3c4dcca 100644
>>> --- a/security/integrity/integrity_audit.c
>>> +++ b/security/integrity/integrity_audit.c
>>> @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode
>>> *inode,
>>>                  audit_log_untrustedstring(ab, inode->i_sb->s_id);
>>>                  audit_log_format(ab, " ino=%lu", inode->i_ino);
>>>          }
>>> +       audit_log_d_path_exe(ab, current->mm);
>>> +       audit_log_tty(ab, current);
>>
>> NACK
>>
>> Please add the new fields to the end of the audit record, thank you.
>
> I put it there since Steve said '"res" is traditionally the last field in
> any event' (https://lkml.org/lkml/2018/5/22/539). I don't mind breaking with
> this tradition...

Unfortunately Steve and I don't see eye-to-eye on everything, and this
is perhaps one of the more prominent issues.

I'll save you several years of arguments, on and off-list, and simply
say that the "safe" option, and the only option I'm likely to ACK,
would be to add new fields at the end of existing records.  We have
made exceptions in the past, but those were pretty extreme cases.

-- 
paul moore
www.paul-moore.com