Subject: Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions
From: Mimi Zohar
To: Stefan Berger, Paul Moore
Cc: Steve Grubb, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com
Date: Wed, 30 May 2018 18:41:16 -0400
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com> <15281606.YptaXzsEVL@x2> <00f66ee1-7494-8249-f148-688616deca0c@linux.vnet.ibm.com> <3607733.4k8ofLVAdP@x2> <1160afb4-4184-b30c-5f67-c21536b5f7d3@linux.vnet.ibm.com> <85d2a40a-884c-c63d-50f6-024f7bbea4a8@linux.vnet.ibm.com> <1527717628.3534.79.camel@linux.vnet.ibm.com>
Message-Id: <1527720076.3534.84.camel@linux.vnet.ibm.com>

On Wed, 2018-05-30 at 18:15 -0400, Stefan Berger wrote:
> On 05/30/2018 06:00 PM, Mimi Zohar wrote:
> > On Wed, 2018-05-30 at 17:49 -0400, Stefan Berger wrote:
> >> So the other choice is to only keep patches 1,2, 6, and 7, so leave most
> >> of the integrity audit messages untouched. Then only create a different
> >> format for the new AUDIT_INTEGRITY_POLICY_RULE (current 8/8) that shares
> >> (for consistency reasons) the same format with the existing integrity
> >> audit messages but also misses tty= and exe= ?
> > Another option would be for the new AUDIT_INTEGRITY_POLICY_RULE to
> > call audit_log_task_info() similar to what ima_audit_measurement()
> > does.
>
> Right. [That would mean keep 1,2, 7 and modify 8.] Is that the best
> solution?

Yes, I think so.  Calling audit_log_task_info() will only add the "exe=" and "tty=" to the new AUDIT_INTEGRITY_POLICY_RULE.
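The thread's concern is whether the new AUDIT_INTEGRITY_POLICY_RULE record carries the same task context (tty= and exe=) as the existing integrity audit messages. As an added example that is not part of this thread or of the kernel patches, the script below parses audit records in the kernel's space-separated key=value layout (with double-quoted values) and reports which integrity records lack those task fields, which is the kind of consistency check a log consumer would run before relying on the new record type. The sample records, their field names other than tty= and exe=, and the INTEGRITY_POLICY_RULE type string are constructed for illustration and are not copied from any real audit log.

```python
import re

# Task-context fields the thread says audit_log_task_info() contributes.
# Only tty= and exe= are named in the discussion; this set is limited to them.
TASK_INFO_FIELDS = ("tty", "exe")

# One audit field: key=value, where value is either a double-quoted string
# (backslash escapes allowed) or a run of non-space characters.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Split one audit record line into a {field: value} dict, unquoting values."""
    fields = {}
    for key, value in _FIELD.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def missing_task_info(line: str) -> list:
    """Return the task-context fields (in TASK_INFO_FIELDS order) absent from a record."""
    rec = parse_audit_record(line)
    return [name for name in TASK_INFO_FIELDS if name not in rec]


def check_records(records) -> dict:
    """Map each record type that lacks task context to the list of missing fields."""
    gaps = {}
    for line in records:
        missing = missing_task_info(line)
        if missing:
            gaps[parse_audit_record(line).get("type", "?")] = missing
    return gaps


# Constructed sample records (not real kernel output). The first mimics an
# existing integrity record that already carries tty= and exe=; the second
# mimics a policy-rule record emitted without audit_log_task_info().
SAMPLE_RECORDS = [
    'type=INTEGRITY_RULE msg=audit(1527720157.093:101): file="/usr/bin/ls" '
    'hash="sha256:0000" ppid=1 pid=4242 auid=1000 uid=0 gid=0 tty=pts0 '
    'ses=3 comm="ls" exe="/usr/bin/ls" res=1',
    'type=INTEGRITY_POLICY_RULE msg=audit(1527720157.094:102): '
    'action="measure" func="BPRM_CHECK" mask="MAY_EXEC" pid=4243 auid=1000 '
    'uid=0 res=1',
]

if __name__ == "__main__":
    for rec_type, missing in check_records(SAMPLE_RECORDS).items():
        print(f"{rec_type}: missing {', '.join(f + '=' for f in missing)}")
```

Run against the constructed samples it reports only the policy-rule record as missing tty= and exe=; once such a record is produced through audit_log_task_info() as agreed in the thread, the check comes back empty.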