Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp980794imm;
        Fri, 1 Jun 2018 13:02:42 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKLUhWOeazVp37Q7v0peTvpuHxE+bHVdtdmrjnIFreBZ9Iq9cf5eJ8LECAqsHrLK1Q9UyCED
X-Received: by 2002:a65:5a07:: with SMTP id y7-v6mr9722383pgs.177.1527883362012;
        Fri, 01 Jun 2018 13:02:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527883361; cv=none;
        d=google.com; s=arc-20160816;
        b=UQBLL2dRHd0nYHJT7yKdqm3ZohhO3N9lFSrNeUZZCXzlpyReyx+EMifMksuaEfbzTU
         DTRwnSHwxhAt3Fr7P/hRSH62Aw2meoO4K4emFYIRKYoZxIKNS+3cQMF3v3vr2SDKHUWR
         K5quzesASImMljxwCdBXHfLfBtOvpK7JEQLZhuYiv8ZnlG4nT/49SXX1KIyCZfDwcgz0
         pUPNPutM1pF0IcJdMDpChwVovmSe+TakOQjJUZ8VlEN+pFMD8ltgxtw3hVirKOEoy8+h
         ECK7OpKWKS4ndC5lguxQrkCbDUWtYRxb1r+3gIzjUh8x8UhInYqvi1Gi3h9O6wV+qziS
         XbCg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :from:references:cc:to:subject:arc-authentication-results;
        bh=eoWfX7+pRmA9VXK0oCyyHhUOWeKqG3sWssfXKvaMwp4=;
        b=1LV0Jd0g6HJOb2ZcDxalNkr6wt56WmkZnSofJCkuTOeDWC09kzVYZdaiPKbs5wvlWm
         pSHT5lfeaUkwbmt+t1+7Y9IfShMQx61hom9QEKARCUiVWUcVtBCuWJAfV/c9RrP6wO9J
         mmaG/66wiX0XkTuFOGJ8paCIKVIT4a5eBMGPSur/f0pfBwTZMoY5QS/awORcPW/cO5Nd
         2KEcpgAmb99ucbfJM3GkTtqQBF1oXQkIujzheNDYMmOTvupRtYjBa8UmvfmvX2UxfEiQ
         q9B7m2B1n0ZH/Hrq4J08hsz6JNkRv1uE43SIs4jhUEI8PcqluHY5E0gJuHvi8uze1P1j
         pWow==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 91-v6si20611797ple.308.2018.06.01.13.02.27;
        Fri, 01 Jun 2018 13:02:41 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753395AbeFAUAr (ORCPT <rfc822;schlichte.alexander@gmail.com>
        + 99 others); Fri, 1 Jun 2018 16:00:47 -0400
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:43554 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1753088AbeFAUAp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 1 Jun 2018 16:00:45 -0400
Received: from pps.filterd (m0098421.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w51Jwbee059479
        for <linux-kernel@vger.kernel.org>; Fri, 1 Jun 2018 16:00:44 -0400
Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2jbaab60bw-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Fri, 01 Jun 2018 16:00:44 -0400
Received: from localhost
        by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <stefanb@linux.vnet.ibm.com>;
        Fri, 1 Jun 2018 14:00:43 -0600
Received: from b03cxnp08025.gho.boulder.ibm.com (9.17.130.17)
        by e36.co.us.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256)
        Fri, 1 Jun 2018 14:00:40 -0600
Received: from b03ledav005.gho.boulder.ibm.com (b03ledav005.gho.boulder.ibm.com [9.17.130.236])
        by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w51K0d9u22413780
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL);
        Fri, 1 Jun 2018 13:00:39 -0700
Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 5F49FBE04C;
        Fri,  1 Jun 2018 14:00:39 -0600 (MDT)
Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153])
        by b03ledav005.gho.boulder.ibm.com (Postfix) with ESMTP id 0BCABBE03B;
        Fri,  1 Jun 2018 14:00:38 -0600 (MDT)
Subject: Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit"
 actions
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     Paul Moore <paul@paul-moore.com>, linux-integrity@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-audit@redhat.com
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com>
 <20180524201105.3179904-9-stefanb@linux.vnet.ibm.com>
 <20180530124920.g5agxm75x4i6pw6n@madcap2.tricolour.ca>
 <35894dae-c9c6-aa65-da99-c0283d459878@linux.vnet.ibm.com>
 <CAHC9VhSnubpfY6=RF9ZHQS0js18xor2nF=REfd=ZKTxV-wabiA@mail.gmail.com>
 <85a2ad4d-6406-ad64-f440-7ab8289ceb2e@linux.vnet.ibm.com>
 <20180530233413.xz5bs3zb4jwmddpi@madcap2.tricolour.ca>
From:   Stefan Berger <stefanb@linux.vnet.ibm.com>
Date:   Fri, 1 Jun 2018 16:00:38 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <20180530233413.xz5bs3zb4jwmddpi@madcap2.tricolour.ca>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-MW
X-TM-AS-GCONF: 00
x-cbid: 18060120-0020-0000-0000-00000E121E34
X-IBM-SpamModules-Scores: 
X-IBM-SpamModules-Versions: BY=3.00009111; HX=3.00000241; KW=3.00000007;
 PH=3.00000004; SC=3.00000265; SDB=6.01040925; UDB=6.00532885; IPR=6.00820055;
 MB=3.00021416; MTD=3.00000008; XFM=3.00000015; UTC=2018-06-01 20:00:41
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18060120-0021-0000-0000-000061B4461C
Message-Id: <89c5f9c1-cdc4-6d2c-c187-04e94c2b8e75@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-06-01_12:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0
 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.0.1-1805220000 definitions=main-1806010231
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/30/2018 07:34 PM, Richard Guy Briggs wrote:
> On 2018-05-30 17:38, Stefan Berger wrote:
>> On 05/30/2018 05:22 PM, Paul Moore wrote:
>>> On Wed, May 30, 2018 at 9:08 AM, Stefan Berger
>>> <stefanb@linux.vnet.ibm.com> wrote:
>>>> On 05/30/2018 08:49 AM, Richard Guy Briggs wrote:
>>>>> On 2018-05-24 16:11, Stefan Berger wrote:
>>>>>> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
>>>>>> the IMA "audit" policy action.  This patch defines
>>>>>> AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.
>>>>>>
>>>>>> With this change we now call integrity_audit_msg_common() to get
>>>>>> common integrity auditing fields. This now produces the following
>>>>>> record when parsing an IMA policy rule:
>>>>>>
>>>>>> type=UNKNOWN[1806] msg=audit(1527004216.690:311): action=dont_measure \
>>>>>>      fsmagic=0x9fa0 pid=1613 uid=0 auid=0 ses=2 \
>>>>>>      subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
>>>>>>      op=policy_update cause=parse_rule comm="echo" exe="/usr/bin/echo" \
>>>>>>      tty=tty2 res=1
>>>>>>
>>>>>> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
>>>>>> ---
>>>>>>     include/uapi/linux/audit.h          | 3 ++-
>>>>>>     security/integrity/ima/ima_policy.c | 5 +++--
>>>>>>     2 files changed, 5 insertions(+), 3 deletions(-)
>>>>>>
>>>>>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>>>>>> index 4e61a9e05132..776e0abd35cf 100644
>>>>>> --- a/include/uapi/linux/audit.h
>>>>>> +++ b/include/uapi/linux/audit.h
>>>>>> @@ -146,7 +146,8 @@
>>>>>>     #define AUDIT_INTEGRITY_STATUS            1802 /* Integrity enable
>>>>>> status */
>>>>>>     #define AUDIT_INTEGRITY_HASH      1803 /* Integrity HASH type */
>>>>>>     #define AUDIT_INTEGRITY_PCR       1804 /* PCR invalidation msgs */
>>>>>> -#define AUDIT_INTEGRITY_RULE       1805 /* policy rule */
>>>>>> +#define AUDIT_INTEGRITY_RULE       1805 /* IMA "audit" action policy
>>>>>> msgs  */
>>>>>> +#define AUDIT_INTEGRITY_POLICY_RULE 1806 /* IMA policy rules */
>>>>>>       #define AUDIT_KERNEL                2000    /* Asynchronous audit
>>>>>> record. NOT A REQUEST. */
>>>>>>     diff --git a/security/integrity/ima/ima_policy.c
>>>>>> b/security/integrity/ima/ima_policy.c
>>>>>> index 3aed25a7178a..a8ae47a386b4 100644
>>>>>> --- a/security/integrity/ima/ima_policy.c
>>>>>> +++ b/security/integrity/ima/ima_policy.c
>>>>>> @@ -634,7 +634,7 @@ static int ima_parse_rule(char *rule, struct
>>>>>> ima_rule_entry *entry)
>>>>>>           int result = 0;
>>>>>>           ab = integrity_audit_log_start(NULL, GFP_KERNEL,
>>>>>> -                                      AUDIT_INTEGRITY_RULE);
>>>>>> +                                      AUDIT_INTEGRITY_POLICY_RULE);
>>>>> Is it possible to connect this record to a syscall by replacing the
>>>>> first parameter (NULL) by current->context?
>>> We're likely going to need to "associate" this record (audit speak for
>>> making the first parameter non-NULL) with others for the audit
>>> container ID work.  If you do it now, Richard's patches will likely
>>> get a few lines smaller and that will surely make him a bit happier :)
>> Richard is also introducing a local context that we can then create and use
>> instead of the NULL. Can we not use that then?
> That is for records for which there is no syscall or user associated.
>
> In fact there is another recent change that would be better to use than
> current->audit_context, which is the function audit_context().
> See commit cdfb6b3 ("audit: use inline function to get audit context").
>
>> Steven seems to say: "We don't want to add syscall records to everything.
>> That messes up schemas and existing code. The integrity events are 1 record
>> in size and should stay that way. This saves disk space and improves
>> readability."
>>
>>>> We would have to fix current->context in this case since it is NULL. We get
>>>> to this location by root cat'ing a policy or writing a policy filename into
>>>> /sys/kernel/security/ima/policy.
>>> Perhaps I'm missing something, but current in this case should point
>>> to the process which is writing to the policy file, yes?
>> Yes, but current->context is NULL for some reason.
> Is it always this way?  If it isn't, which it should not be, we should
> find out why.  Well, we should find out why this is NULL anyways, since
> it shouldn't be.

When someone writes a policy for IMA into securityfs, it's always NULL. 
There's another location where IMA uses the current->audit_context, and 
that's here:

https://elixir.bootlin.com/linux/latest/source/security/integrity/ima/ima_api.c#L323

At this location we sometimes see a (background) process with an 
audit_context but in the majority of cases it's current->audit_context 
is NULL. Starting a process as root or also non-root user, with the 
appropriate IMA audit policy rules set, we always see a NULL 
audit_context here.


>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>