In-Reply-To: <35894dae-c9c6-aa65-da99-c0283d459878@linux.vnet.ibm.com>
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com>
 <20180524201105.3179904-9-stefanb@linux.vnet.ibm.com>
 <20180530124920.g5agxm75x4i6pw6n@madcap2.tricolour.ca>
 <35894dae-c9c6-aa65-da99-c0283d459878@linux.vnet.ibm.com>
From: Paul Moore
Date: Wed, 30 May 2018 17:22:43 -0400
Subject: Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions
To: Stefan Berger
Cc: Richard Guy Briggs, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 30, 2018 at 9:08 AM, Stefan Berger wrote:
> On 05/30/2018 08:49 AM, Richard Guy Briggs wrote:
>>
>> On 2018-05-24 16:11, Stefan Berger wrote:
>>>
>>> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
>>> the IMA "audit" policy action. This patch defines
>>> AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.
>>>
>>> With this change we now call integrity_audit_msg_common() to get
>>> common integrity auditing fields. This now produces the following
>>> record when parsing an IMA policy rule:
>>>
>>> type=UNKNOWN[1806] msg=audit(1527004216.690:311): action=dont_measure \
>>> fsmagic=0x9fa0 pid=1613 uid=0 auid=0 ses=2 \
>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
>>> op=policy_update cause=parse_rule comm="echo" exe="/usr/bin/echo" \
>>> tty=tty2 res=1
>>>
>>> Signed-off-by: Stefan Berger
>>> ---
>>> include/uapi/linux/audit.h | 3 ++-
>>> security/integrity/ima/ima_policy.c | 5 +++--
>>> 2 files changed, 5 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h >>> index 4e61a9e05132..776e0abd35cf 100644 >>> --- a/include/uapi/linux/audit.h >>> +++ b/include/uapi/linux/audit.h
>>> @@ -146,7 +146,8 @@ >>> #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable >>> status */ >>> #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */ >>> #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */ >>> -#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */ >>> +#define AUDIT_INTEGRITY_RULE 1805 /* IMA "audit" action policy >>> msgs */ >>> +#define AUDIT_INTEGRITY_POLICY_RULE 1806 /* IMA policy rules */ >>> #define AUDIT_KERNEL 2000 /* Asynchronous audit >>> record. NOT A REQUEST. */ >>> diff --git a/security/integrity/ima/ima_policy.c >>> b/security/integrity/ima/ima_policy.c >>> index 3aed25a7178a..a8ae47a386b4 100644 >>> --- a/security/integrity/ima/ima_policy.c >>> +++ b/security/integrity/ima/ima_policy.c >>> @@ -634,7 +634,7 @@ static int ima_parse_rule(char *rule, struct >>> ima_rule_entry *entry) >>> int result = 0; >>> ab = integrity_audit_log_start(NULL, GFP_KERNEL, >>> - AUDIT_INTEGRITY_RULE); >>> + AUDIT_INTEGRITY_POLICY_RULE);
>>
>> Is it possible to connect this record to a syscall by replacing the
>> first parameter (NULL) by current->context?

We're likely going to need to "associate" this record (audit speak for
making the first parameter non-NULL) with others for the audit container
ID work. If you do it now, Richard's patches will likely get a few lines
smaller and that will surely make him a bit happier :)

> We would have to fix current->context in this case since it is NULL. We get
> to this location by root cat'ing a policy or writing a policy filename into
> /sys/kernel/security/ima/policy.

Perhaps I'm missing something, but current in this case should point to
the process which is writing to the policy file, yes?

--
paul moore
www.paul-moore.com
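Review bot: the audit.h hunk changes the meaning of an existing UAPI record number, not just its comment: policy rule parsing records that userspace has so far received as type 1805 (`AUDIT_INTEGRITY_RULE`) will now arrive as 1806, and the commit message's own sample shows the immediate effect, `type=UNKNOWN[1806]`, i.e. the audit userspace tooling has no name for the new value yet. The commit message should state this userspace-visible change explicitly and note that a matching name for 1806 has to be added to the userspace record-type table; the sample record would also be more convincing captured after that name resolves rather than as `UNKNOWN[1806]`.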
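Review bot: in the ima_policy.c hunk the first argument to `integrity_audit_log_start()` remains `NULL`, so the new `AUDIT_INTEGRITY_POLICY_RULE` record is emitted without being associated with the syscall record of the write that delivered the policy; as raised in the discussion, passing the current task's audit context instead would let consumers tie the `op=policy_update cause=parse_rule` record to the writing process. Since `ima_parse_rule()` is only reached through a write to /sys/kernel/security/ima/policy, the writing task is `current` at this point and its context should be usable here.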
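An added consumer-side example, not code from the patch or the kernel: a parser for the audit record format quoted in the commit message that resolves the record type (including the `type=UNKNOWN[n]` form a userspace tool prints when it lacks a name for n) using the integrity type numbers from the audit.h hunk, and classifies 1806 records as IMA policy updates as opposed to 1805 "audit" action hits. The type table and the sample record are taken from the thread; the function names and the classification helper are my own.

```python
import re

# Audit record type numbers from include/uapi/linux/audit.h as quoted in the
# patch; 1806 is the value the patch introduces for IMA policy rule records.
INTEGRITY_TYPES = {
    1802: "INTEGRITY_STATUS",
    1803: "INTEGRITY_HASH",
    1804: "INTEGRITY_PCR",
    1805: "INTEGRITY_RULE",          # IMA "audit" action records
    1806: "INTEGRITY_POLICY_RULE",   # IMA policy rule parsing records
}
_NAME_TO_NUM = {v: k for k, v in INTEGRITY_TYPES.items()}

_HEAD_RE = re.compile(
    r"^type=(?:UNKNOWN\[(\d+)\]|([A-Z_0-9]+))\s+msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(text):
    """Parse one audit record into a dict. Wrapped lines ending in a backslash
    (as in the commit message) are re-joined; a type printed as UNKNOWN[n],
    meaning the userspace tool has no name for n, is resolved via INTEGRITY_TYPES."""
    line = re.sub(r"\\\s*\n\s*", " ", text.strip())
    m = _HEAD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    unknown_num, name, secs, _frac, serial, rest = m.groups()
    num = int(unknown_num) if unknown_num else _NAME_TO_NUM.get(name)
    fields = {}
    for key, value in _FIELD_RE.findall(rest):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # exe="/usr/bin/echo" -> /usr/bin/echo
        fields[key] = value
    tname = INTEGRITY_TYPES.get(num, name or "UNKNOWN[%s]" % unknown_num)
    return {"type_num": num, "type_name": tname, "timestamp": int(secs),
            "serial": int(serial), "fields": fields}

def is_policy_update(rec):
    """True for IMA policy rule records (1806), not IMA "audit" action hits (1805)."""
    return rec["type_num"] == 1806

# Constructed sample: the record quoted in the commit message, kept wrapped
# with the same trailing backslashes that a mail client would show.
SAMPLE = """type=UNKNOWN[1806] msg=audit(1527004216.690:311): action=dont_measure \\
fsmagic=0x9fa0 pid=1613 uid=0 auid=0 ses=2 \\
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \\
op=policy_update cause=parse_rule comm="echo" exe="/usr/bin/echo" \\
tty=tty2 res=1"""
```

A consumer keyed on record type 1805 for policy changes would silently stop seeing them after this patch; matching on the resolved number rather than the tool's printed name keeps the detection working across the userspace table update.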