In-Reply-To: <0c9616fe-b404-eeed-1cba-c920c31694fd@linux.vnet.ibm.com>
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com> <20180524201105.3179904-6-stefanb@linux.vnet.ibm.com> <0c9616fe-b404-eeed-1cba-c920c31694fd@linux.vnet.ibm.com>
From: Paul Moore
Date: Wed, 30 May 2018 17:14:31 -0400
Subject: Re: [PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits
To: Stefan Berger
Cc: zohar@linux.vnet.ibm.com, sgrubb@redhat.com, linux-integrity@vger.kernel.org, linux-audit@redhat.com, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 30, 2018 at 8:17 AM, Stefan Berger wrote:
> On 05/29/2018 05:19 PM, Paul Moore wrote:
>>
>> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger
>> wrote:
>>>
>>> Use the new public audit functions to add the exe= and tty=
>>> parts to the integrity audit records. We place them before
>>> res=.
>>>
>>> Signed-off-by: Stefan Berger
>>> Suggested-by: Steve Grubb
>>> --- >>> security/integrity/integrity_audit.c | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff --git a/security/integrity/integrity_audit.c >>> b/security/integrity/integrity_audit.c >>> index db30763d5525..8d25d3c4dcca 100644
>>> --- a/security/integrity/integrity_audit.c >>> +++ b/security/integrity/integrity_audit.c >>> @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode >>> *inode, >>> audit_log_untrustedstring(ab, inode->i_sb->s_id); >>> audit_log_format(ab, " ino=%lu", inode->i_ino); >>> } >>> + audit_log_d_path_exe(ab, current->mm); >>> + audit_log_tty(ab, current);
>>
>> NACK
>>
>> Please add the new fields to the end of the audit record, thank you.
>
> I put it there since Steve said '"res" is traditionally the last field in
> any event' (https://lkml.org/lkml/2018/5/22/539). I don't mind breaking with
> this tradition...

Unfortunately Steve and I don't see eye-to-eye on everything, and this is perhaps one of the more prominent issues. I'll save you several years of arguments, on and off-list, and simply say that the "safe" option, and the only option I'm likely to ACK, would be to add new fields at the end of existing records. We have made exceptions in the past, but those were pretty extreme cases.

--
paul moore
www.paul-moore.com
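
Review bot: The two added calls in integrity_audit_msg(), placed right after the closing brace of the inode block, put exe= and tty= in the middle of an existing record, so anything that reads integrity audit records by field position sees a changed layout; emitting them after res= instead keeps the existing prefix of the record stable, which is the placement the reply above asks for. Separately, current->mm is passed to audit_log_d_path_exe() without a check in this hunk: if integrity_audit_msg() can be reached from a task that has no mm, the helper has to tolerate NULL, and the commit message should state which of the two holds. The commit message also gives no reason for the chosen position beyond "We place them before res=", so the ordering rationale and its effect on existing record consumers should be documented there.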