Subject: Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions
To: Paul Moore
Cc: Richard Guy Briggs, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com> <20180524201105.3179904-9-stefanb@linux.vnet.ibm.com> <20180530124920.g5agxm75x4i6pw6n@madcap2.tricolour.ca> <35894dae-c9c6-aa65-da99-c0283d459878@linux.vnet.ibm.com>
From: Stefan Berger
Date: Wed, 30 May 2018 17:38:18 -0400
Message-Id: <85a2ad4d-6406-ad64-f440-7ab8289ceb2e@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/30/2018 05:22 PM, Paul Moore wrote:
> On Wed, May 30, 2018 at 9:08 AM, Stefan Berger wrote:
>> On 05/30/2018 08:49 AM, Richard Guy Briggs wrote:
>>> On 2018-05-24 16:11, Stefan Berger wrote:
>>>> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
>>>> the IMA "audit" policy action. This patch defines
>>>> AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.
>>>>
>>>> With this change we now call integrity_audit_msg_common() to get
>>>> common integrity auditing fields.
>>>> This now produces the following
>>>> record when parsing an IMA policy rule:
>>>>
>>>> type=UNKNOWN[1806] msg=audit(1527004216.690:311): action=dont_measure \
>>>> fsmagic=0x9fa0 pid=1613 uid=0 auid=0 ses=2 \
>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
>>>> op=policy_update cause=parse_rule comm="echo" exe="/usr/bin/echo" \
>>>> tty=tty2 res=1
>>>>
>>>> Signed-off-by: Stefan Berger
>>>> ---
>>>> include/uapi/linux/audit.h | 3 ++-
>>>> security/integrity/ima/ima_policy.c | 5 +++--
>>>> 2 files changed, 5 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>>>> index 4e61a9e05132..776e0abd35cf 100644
>>>> --- a/include/uapi/linux/audit.h
>>>> +++ b/include/uapi/linux/audit.h
>>>> @@ -146,7 +146,8 @@
>>>> #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable
>>>> status */
>>>> #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
>>>> #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
>>>> -#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
>>>> +#define AUDIT_INTEGRITY_RULE 1805 /* IMA "audit" action policy
>>>> msgs */
>>>> +#define AUDIT_INTEGRITY_POLICY_RULE 1806 /* IMA policy rules */
>>>> #define AUDIT_KERNEL 2000 /* Asynchronous audit
>>>> record. NOT A REQUEST. */
>>>> diff --git a/security/integrity/ima/ima_policy.c
>>>> b/security/integrity/ima/ima_policy.c
>>>> index 3aed25a7178a..a8ae47a386b4 100644
>>>> --- a/security/integrity/ima/ima_policy.c
>>>> +++ b/security/integrity/ima/ima_policy.c
>>>> @@ -634,7 +634,7 @@ static int ima_parse_rule(char *rule, struct
>>>> ima_rule_entry *entry)
>>>> int result = 0;
>>>> ab = integrity_audit_log_start(NULL, GFP_KERNEL,
>>>> - AUDIT_INTEGRITY_RULE);
>>>> + AUDIT_INTEGRITY_POLICY_RULE);
>>> Is it possible to connect this record to a syscall by replacing the
>>> first parameter (NULL) by current->context?
> We're likely going to need to "associate" this record (audit speak for
> making the first parameter non-NULL) with others for the audit
> container ID work. If you do it now, Richard's patches will likely
> get a few lines smaller and that will surely make him a bit happier :)

Richard is also introducing a local context that we can then create and use instead of the NULL. Can we not use that then?

Steven seems to say:

"We don't want to add syscall records to everything. That messes up schemas and existing code. The integrity events are 1 record in size and should stay that way. This saves disk space and improves readability."

>
>> We would have to fix current->context in this case since it is NULL. We get
>> to this location by root cat'ing a policy or writing a policy filename into
>> /sys/kernel/security/ima/policy.
> Perhaps I'm missing something, but current in this case should point
> to the process which is writing to the policy file, yes?
>
Yes, but current->context is NULL for some reason.
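Review bot: on the include/uapi/linux/audit.h hunk, adding AUDIT_INTEGRITY_POLICY_RULE 1806 and narrowing the 1805 comment to IMA "audit" action msgs is a UAPI change that userspace does not know about yet: the sample record in the commit message itself is printed as type=UNKNOWN[1806], so ausearch and auditd will keep showing the number until the audit-userspace type table gets the matching name. The commit message should name that companion userspace change and the documentation for the new record type, and, since the comment on 1805 now claims it carries only "audit" action records, state that no remaining AUDIT_INTEGRITY_RULE caller still emits policy-rule records under 1805, otherwise the two numbers overlap in meaning exactly as before the patch.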
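Review bot: on the security/integrity/ima/ima_policy.c hunk, only the type constant changes while the first argument of integrity_audit_log_start() stays NULL, so the new AUDIT_INTEGRITY_POLICY_RULE record still has no syscall association even though it is emitted for a known task writing /sys/kernel/security/ima/policy (the commit message's sample already carries pid, auid, comm and exe). Either pass the writing task's audit context here so the record can be tied to its syscall, or keep the standalone single-record form deliberately and say so in the commit message and in a comment next to the call, since the question raised in review is exactly whether NULL is intended.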
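The record format quoted in the patch description, as an added example that is not part of this thread, the kernel, or audit-userspace: a small parser that unfolds the backslash-wrapped sample, resolves the raw type number 1806 to a name using the numbers visible in the audit.h hunk, splits the key=value fields (including the quoted comm= and exe= values), and raises a one-line alert for policy updates. The name table, the assumption that a userspace name mirrors the kernel macro without its AUDIT_ prefix, and the policy_change_alert() helper are mine; the embedded sample record is the one from the commit message.

```python
"""Parse IMA policy-rule audit records of the kind shown in the patch.

Assumptions (not from the thread):
  * audit userspace prints type=UNKNOWN[n] for a type number it cannot name,
    which is why the sample record shows UNKNOWN[1806];
  * the userspace name for a type mirrors the kernel macro without the
    AUDIT_ prefix (AUDIT_INTEGRITY_POLICY_RULE -> INTEGRITY_POLICY_RULE).
"""
import re
import shlex

# Type numbers copied from the quoted include/uapi/linux/audit.h hunk.
AUDIT_TYPE_NAMES = {
    1802: "INTEGRITY_STATUS",
    1803: "INTEGRITY_HASH",
    1804: "INTEGRITY_PCR",
    1805: "INTEGRITY_RULE",          # IMA "audit" action records after the patch
    1806: "INTEGRITY_POLICY_RULE",   # IMA policy rules, new in the patch
}

# The record from the commit message, embedded here as a constant; the
# trailing backslashes are the line wrapping used in the mail.
SAMPLE_RECORD = (
    "type=UNKNOWN[1806] msg=audit(1527004216.690:311): action=dont_measure \\\n"
    "fsmagic=0x9fa0 pid=1613 uid=0 auid=0 ses=2 \\\n"
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \\\n"
    "op=policy_update cause=parse_rule comm=\"echo\" exe=\"/usr/bin/echo\" \\\n"
    "tty=tty2 res=1"
)

_HEADER = re.compile(
    r"^type=(?P<tname>[A-Z_]+)(?:\[(?P<tnum>\d+)\])?\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)


def parse_record(raw: str) -> dict:
    """Return type name/number, timestamp, serial and the key=value fields."""
    # Join lines that were wrapped with a trailing backslash.
    line = re.sub(r"\s*\\\n\s*", " ", raw.strip())
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    tnum = int(m["tnum"]) if m["tnum"] else None
    tname = m["tname"]
    if tname == "UNKNOWN" and tnum is not None:
        # Name the type ourselves when userspace could not.
        tname = AUDIT_TYPE_NAMES.get(tnum, tname)
    fields = {}
    # shlex handles the double-quoted values such as comm="echo".
    for tok in shlex.split(m["body"]):
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return {
        "type": tname,
        "type_num": tnum,
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
        "fields": fields,
    }


def policy_change_alert(rec: dict):
    """One-line alert for an IMA policy update, or None for other records.

    op=policy_update means a task wrote to /sys/kernel/security/ima/policy
    (the path named in the thread). Because the kernel emits this record
    with a NULL audit context there is no linked SYSCALL record, so the
    actor has to be taken from the record's own auid/comm/exe fields.
    """
    f = rec["fields"]
    if rec["type"] != "INTEGRITY_POLICY_RULE" or f.get("op") != "policy_update":
        return None
    return ("IMA policy rule action=%s loaded by auid=%s comm=%s exe=%s "
            "cause=%s res=%s" % (f.get("action", "?"), f.get("auid", "?"),
                                 f.get("comm", "?"), f.get("exe", "?"),
                                 f.get("cause", "?"), f.get("res", "?")))


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec["type"], rec["serial"], rec["fields"])
    print(policy_change_alert(rec))
```

Run it as a script to see the sample resolved to INTEGRITY_POLICY_RULE with its thirteen fields; feed it lines from ausearch -i output the same way once the userspace table knows the new type, at which point the type name arrives already resolved and the UNKNOWN[n] branch is not taken.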