Date: Tue, 11 Dec 2018 17:41:07 -0500
From: Richard Guy Briggs
To: Paul Moore
Cc: linux-kernel@vger.kernel.org, linux-audit@redhat.com, Eric Paris, viro@zeniv.linux.org.uk, sgrubb@redhat.com
Subject: Re: [PATCH ghak59 V3 0/4] audit: config_change normalizations and event record gathering
Message-ID: <20181211224107.vdeksnc5bd5bb7mb@madcap2.tricolour.ca>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2018-12-11 17:31, Paul Moore wrote:
> On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
> > Make a number of changes to normalize CONFIG_CHANGE records by adding
> > missing op= fields, providing more information in existing op fields
> > (optional last patch) and connecting all records to existing audit
> > events. The user record needs special-casing since its content isn't
> > directly related to the call that logs it.
> >
> > Since tree purge records are processed after the EOE record is produced,
> > the order of operation of the EOE record and the purge will have to be
> > reversed so that the purge records can be included in the event.
> >
> > The last patch is included for completeness, understanding it may be more
> > information than necessary.
> >
> > For reference, here are the calling methods and function tree for all
> > CONFIG_CHANGE events with fields:
> > - audit_log_config_change()
> >   - add "op=set" to fields: "[op] old auid ses subj res"
> >   - AUDIT_SET:AUDIT_STATUS_PID
> >   - AUDIT_SET:AUDIT_STATUS_LOST
> >   - audit_do_config_change()
> >     - AUDIT_SET:AUDIT_STATUS_FAILURE
> >     - AUDIT_SET:AUDIT_STATUS_ENABLED
> >     - AUDIT_SET:AUDIT_STATUS_RATE_LIMIT
> >     - AUDIT_SET:AUDIT_STATUS_BACKLOG_LIMIT
> >     - AUDIT_SET:AUDIT_STATUS_BACKLOG_WAIT_TIME
> > - audit_log_rule_change()
> >   - fields: "auid ses subj op key list res"
> >   - AUDIT_ADD_RULE -F dir=...
> >   - AUDIT_DEL_RULE -F dir=...
> > - audit_log_common_recv_msg()
> >   - fields: "pid uid auid ses subj ..."
> >   - AUDIT_*USER* events (not CONFIG_CHANGE like all the rest)
> >   - AUDIT_LOCKED add "op={add,remove}_rule" to "[op] audit_enabled res"
> >   - AUDIT_TRIM "op=trim res"
> >   - AUDIT_MAKE_EQUIV: "op=make_equiv old new res"
> >   - AUDIT_TTY_SET: "op=tty_set old-enabled new-enabled old-log_passwd new-log_passwd res"
> > - audit_mark_log_rule_change()
> >   - add ":mark" to op in fields: "uid ses op=autoremove_rule[] path key list res"
> >   - audit_autoremove_mark_rule()
> >     - audit_mark_handle_event()
> >       - audit_mark_fsnotify_ops.handle_event
> > - audit_tree_log_remove_rule() called from kill_rules()
> >   - add to op ":tree:%s" to fields: "op=remove_rule[] dir key list res"
> >   - from trim_marked()
> >     - AUDIT_TRIM: audit_trim_trees() "trim"
> >     - audit_add_tree_rule() iterate_mounts err "add"
> >       - audit_add_rule()
> >         - audit_rule_change()
> >           - AUDIT_ADD_RULE -F dir=...
> >     - AUDIT_MAKE_EQUIV: audit_tag_tree() iterate_mounts err "equiv"
> >   - from audit_kill_trees()
> >     - __audit_free() "free"
> >       - do_exit()
> >       - copy_process() err
> >     - __audit_syscall_exit() "exit"
> >   - from evict_chunk() "evict"
> >     - audit_tree_freeing_mark()
> >       - audit_tree_ops.freeing_mark
> > - audit_watch_log_rule_change()
> >   add to op ":watch:%s" to fields "auid ses op={updated,remove}_rule[] path key list res"
> >   - audit_update_watch() "updated_rules:watch:inval" : "updated_rules:watch:set"
> >     - audit_watch_handle_event() FS_CREATE|FS_MOVED_TO, FS_DELETE|FS_MOVED_FROM
> >       - audit_watch_fsnotify_ops.handle_event
> >   - audit_remove_parent_watches() "remove_rule:watch:parent"
> >     - audit_watch_handle_event() FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF
> >       - audit_watch_fsnotify_ops.handle_event
> > - audit_seccomp_actions_logged()
> >   - fields: "op actions old-actions res"
> >
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/50
> > See: https://github.com/linux-audit/audit-kernel/issues/59
> >
> > Sources of AUDIT_CONFIG_CHANGE records and their current and proposed
> > fields are listed here
> > https://github.com/linux-audit/audit-kernel/issues/59#issuecomment-445055154
> >
> > Changelog:
> > v3:
> > - un-clever %s_rule to not break up op values
> > - create audit_log_user_recv_msg() and squash into record connection
> > - squash kill_trees context handling with kill-trees before EOE
> > - rebase on audit/next (v4.20-rc1) with 2a1fe215e730 ("audit: use current whenever possible")
> > - remove parens in extended format
> >
> > v2:
> > - re-order audit_log_exit() and audit_kill_trees()
> > - drop EOE reordering patch
> > - rebase on 4.18-rc1 (audit/next)
> >
> > Richard Guy Briggs (4):
> >   audit: give a clue what CONFIG_CHANGE op was involved
> >   audit: add syscall information to CONFIG_CHANGE records
> >   audit: hand taken context to audit_kill_trees for syscall logging
> >   audit: extend config_change mark/watch/tree rule changes
> >
> >  kernel/audit.c          | 33 +++++++++++++++++++++++----------
> >  kernel/audit.h          |  4 ++--
> >  kernel/audit_fsnotify.c |  4 ++--
> >  kernel/audit_tree.c     | 28 +++++++++++++++------------
> >  kernel/audit_watch.c    |  8 +++++---
> >  kernel/auditfilter.c    |  2 +-
> >  kernel/auditsc.c        | 12 ++++++------
> >  7 files changed, 54 insertions(+), 37 deletions(-)
>
> In order to make sure expectations are set appropriately, as we are at
> -rc6 right now this is not something that would go into audit/next now
> (assuming everything looks okay on review), it would go into
> audit/next *after* the upcoming merge window.

I agree it is a bit late for this.  I wasn't expecting it to go in this
one.  I'm filling the queue since I'm blocked on other review for
ghak81 (5.5 wks), ghak90 (5.5 wks), ghak100 (3.5 wks).  ghak90 missed another
merge window.

> paul moore

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
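Added example, not code from this thread or from the ghak59 patch series: a small consumer-side parser that groups audit records into events by their audit(timestamp:serial) id and splits the extended op= value the cover letter describes ("<op>:<mark|tree|watch>:<reason>") into its parts, so an analyst can tell which CONFIG_CHANGE records now travel with a SYSCALL record. The log lines are constructed for this example, and the exact field layout of the extended records is assumed from the cover letter rather than taken from the kernel.

```python
import re
from collections import defaultdict

# Constructed sample records (not real audit output). Serial 102 carries a
# SYSCALL record plus a tree-eviction CONFIG_CHANGE record: the "connected to
# an existing audit event" case. Serials 101 and 103 stand alone.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1544568190.434:101): auid=1000 ses=3 op=remove_rule:watch:parent path="/etc/hosts" key="hosts-watch" list=4 res=1
type=SYSCALL msg=audit(1544568190.500:102): arch=c000003e syscall=166 success=yes exit=0 auid=1000 uid=0 comm="umount" exe="/usr/bin/umount"
type=CONFIG_CHANGE msg=audit(1544568190.500:102): op=remove_rule:tree:evict dir="/mnt/data" key="data-tree" list=4 res=1
type=PROCTITLE msg=audit(1544568190.500:102): proctitle="umount /mnt/data"
type=CONFIG_CHANGE msg=audit(1544568190.600:103): auid=1000 ses=3 op=set audit_enabled=0 old=1 res=1
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'([A-Za-z_][\w-]*)=("[^"]*"|\S+)')  # name=value or name="quoted value"

def parse_record(line):
    """Parse one audit line into type, event id and a dict of its fields (quotes stripped)."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return {'type': m.group('type'), 'ts': m.group('ts'),
            'serial': int(m.group('serial')), 'fields': fields}

def split_op(op):
    """'remove_rule:tree:evict' -> ('remove_rule', 'tree', 'evict'); a plain 'set' -> ('set', None, None)."""
    parts = op.split(':')
    return (parts[0], parts[1] if len(parts) > 1 else None, parts[2] if len(parts) > 2 else None)

def group_events(log_text):
    """Group records by (timestamp, serial); records sharing that id form one audit event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec['ts'], rec['serial'])].append(rec)
    return dict(events)

def config_changes(log_text):
    """One summary per CONFIG_CHANGE record, noting whether a SYSCALL record shares its event."""
    out = []
    for (ts, serial), recs in group_events(log_text).items():
        types = {r['type'] for r in recs}
        for r in recs:
            if r['type'] != 'CONFIG_CHANGE':
                continue
            base, subsystem, reason = split_op(r['fields'].get('op', ''))
            out.append({'serial': serial, 'op': base, 'subsystem': subsystem,
                        'reason': reason, 'in_syscall_event': 'SYSCALL' in types})
    return out
```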