In-Reply-To: <20180604205455.2325754-5-stefanb@linux.vnet.ibm.com>
References: <20180604205455.2325754-1-stefanb@linux.vnet.ibm.com>
 <20180604205455.2325754-5-stefanb@linux.vnet.ibm.com>
From: Paul Moore
Date: Mon, 4 Jun 2018 20:21:55 -0400
Subject: Re: [PATCH v3 4/4] ima: Differentiate auditing policy rules from "audit" actions
To: Stefan Berger
Cc: zohar@linux.vnet.ibm.com, linux-integrity@vger.kernel.org, linux-audit@redhat.com, sgrubb@redhat.com, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 4, 2018 at 4:54 PM, Stefan Berger wrote:
> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
> the IMA "audit" policy action. This patch defines
> AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.
>
> Since we defined a new message type we can now also pass the
> audit_context and get an associated SYSCALL record. This now produces
> the following records when parsing IMA policy's rules:

Aaand now I see you included the current->audit_context pointer I
mentioned in my comments for 3/4 ;)

So basically this should be fine, although I should point out that you
do not need to define a new message type to associate records
together. The fact that we don't associate all connected records is
basically a bug.

Anyway, patches 3/4 and 4/4 look good to me. Considering this is
likely going in during the *next* merge window, I would ask that you
convert from "current->audit_context" to "audit_context()" as soon as
this merge window closes.

Thanks!
> type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \
>   func=MMAP_CHECK mask=MAY_EXEC res=1
> type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \
>   func=FILE_CHECK mask=MAY_READ res=1
> type=SYSCALL msg=audit(1527888965.738:320): arch=c000003e syscall=1 \
>   success=yes exit=17 a0=1 a1=55bcfcca9030 a2=11 a3=7fcc1b55fb38 \
>   items=0 ppid=1567 pid=1601 auid=0 uid=0 gid=0 euid=0 suid=0 \
>   fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="echo" \
>   exe="/usr/bin/echo" \
>   subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> Signed-off-by: Stefan Berger
> ---
>  include/uapi/linux/audit.h          | 1 +
>  security/integrity/ima/ima_policy.c | 4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 65d9293f1fb8..cb358551376b 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -148,6 +148,7 @@
>  #define AUDIT_INTEGRITY_PCR         1804 /* PCR invalidation msgs */
>  #define AUDIT_INTEGRITY_RULE        1805 /* policy rule */
>  #define AUDIT_INTEGRITY_EVM_XATTR   1806 /* New EVM-covered xattr */
> +#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
>
>  #define AUDIT_KERNEL            2000    /* Asynchronous audit record. NOT A REQUEST. */
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index bc99713dfe57..f7230db217a7 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -652,8 +652,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>         bool uid_token;
>         int result = 0;
>
> -       ab = integrity_audit_log_start(NULL, GFP_KERNEL,
> -                                      AUDIT_INTEGRITY_RULE);
> +       ab = integrity_audit_log_start(current->audit_context, GFP_KERNEL,
> +                                      AUDIT_INTEGRITY_POLICY_RULE);
>
>         entry->uid = INVALID_UID;
>         entry->fowner = INVALID_UID;
> --
> 2.13.6

-- 
paul moore
www.paul-moore.com
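Review bot: in the audit.h hunk the comment on AUDIT_INTEGRITY_RULE (1805) still reads `/* policy rule */`, but once 1807 carries the policy rules that type is left with only the IMA "audit" action records described in the commit message, so the 1805 comment should be updated in the same patch (e.g. `/* IMA "audit" action */`) rather than leaving two values both documented as policy rules. Separately, 1807 is a uapi value and therefore ABI; the sample output in the commit message shows `type=UNKNOWN[1807]`, which means the audit userspace name table does not know the new type yet, and that should be stated in the commit message so the matching userspace change is not forgotten.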
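Review bot: in the ima_policy.c hunk `current->audit_context` is dereferenced directly; as the reply above asks, this should become the `audit_context()` accessor as soon as the current merge window closes, i.e. `ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,`. Note also that it is this context argument, not the new message type, that makes the SYSCALL record share serial 320 with the two rule records in the sample output, so the commit message's "Since we defined a new message type we can now also pass the audit_context" overstates the dependency between the two changes.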
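Paul's point that records are tied together by the shared audit serial, not by the message type, is easy to check from the userspace side. The following is an added example, not code from the patch, the kernel or the audit userspace tools: it parses the records quoted above (plus one constructed orphan record), resolves the `UNKNOWN[1807]` numeric type to the name the patch defines, and groups records by serial so each set of policy-rule records is paired with the SYSCALL record of the process that wrote the policy. The type-name table and the sample log are assumptions built from the values visible in the patch.

```python
import re
from collections import defaultdict

# Numeric record types from include/uapi/linux/audit.h.  1807 is the
# AUDIT_INTEGRITY_POLICY_RULE value the patch adds; 1300 (SYSCALL) and
# 1805 (INTEGRITY_RULE) already exist.  An audit userspace that predates
# the new value prints it as UNKNOWN[1807], as in the commit message.
AUDIT_TYPE_NAMES = {
    1300: "SYSCALL",
    1805: "INTEGRITY_RULE",
    1807: "INTEGRITY_POLICY_RULE",
}

# Constructed sample: the three records from the commit message with the
# backslash continuations joined, plus one constructed policy-rule record
# under serial 325 that has no SYSCALL partner (what a record started
# with a NULL audit_context looks like).
SAMPLE_LOG = """\
type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit func=MMAP_CHECK mask=MAY_EXEC res=1
type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit func=FILE_CHECK mask=MAY_READ res=1
type=SYSCALL msg=audit(1527888965.738:320): arch=c000003e syscall=1 success=yes exit=17 a0=1 a1=55bcfcca9030 a2=11 a3=7fcc1b55fb38 items=0 ppid=1567 pid=1601 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="echo" exe="/usr/bin/echo" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=UNKNOWN[1807] msg=audit(1527888971.042:325): action=dont_measure func=FILE_CHECK res=1
"""

_RECORD_RE = re.compile(
    r"^type=(?:UNKNOWN\[(?P<num>\d+)\]|(?P<name>[A-Z_]+))"
    r" msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; a value is either double-quoted or a run of non-space
# characters (which also covers key=(null) and the SELinux subj= label).
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def resolve_type(num):
    """Name for a numeric type that ausearch printed as UNKNOWN[n]."""
    return AUDIT_TYPE_NAMES.get(num, f"UNKNOWN[{num}]")


def parse_record(line):
    """Split one audit record into type name, timestamp, serial and fields."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype = m.group("name") or resolve_type(int(m.group("num")))
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("body"))}
    return {"type": rtype, "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def correlate(log_text):
    """Group records by serial and pair each INTEGRITY_POLICY_RULE set with
    the SYSCALL record that shares its serial.

    Returns {serial: {"rules": [fields, ...], "syscall": fields or None}}.
    The serial is the only link between the records; a policy-rule event
    with syscall=None is one the kernel emitted without an audit_context.
    """
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)

    events = {}
    for serial, recs in by_serial.items():
        rules = [r["fields"] for r in recs if r["type"] == "INTEGRITY_POLICY_RULE"]
        if not rules:
            continue
        syscall = next((r["fields"] for r in recs if r["type"] == "SYSCALL"), None)
        events[serial] = {"rules": rules, "syscall": syscall}
    return events


def describe(events):
    """One summary line per policy-rule event, naming the writing process."""
    out = []
    for serial in sorted(events):
        ev = events[serial]
        rules = ", ".join(f"{r.get('action')}/{r.get('func')}" for r in ev["rules"])
        sc = ev["syscall"]
        if sc:
            who = f"pid={sc.get('pid')} auid={sc.get('auid')} exe={sc.get('exe')}"
        else:
            who = "no SYSCALL record (rule logged without audit_context)"
        out.append(f"serial {serial}: [{rules}] via {who}")
    return out


if __name__ == "__main__":
    for line in describe(correlate(SAMPLE_LOG)):
        print(line)
```

Running it prints one line per serial: serial 320 is attributed to pid 1601 running /usr/bin/echo as auid 0, while the constructed serial 325 shows up with no SYSCALL partner, which is the gap that passing a NULL context leaves in the trail.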