Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp4384723img; Tue, 26 Mar 2019 08:24:07 -0700 (PDT) X-Google-Smtp-Source: APXvYqwrloWY927jTHWSV6XMNrLKotiyFVE0pBOIF7UAvDzLpC1VjjfvuW93C609O1oD2jRkjNjN X-Received: by 2002:a63:d304:: with SMTP id b4mr16489114pgg.300.1553613847100; Tue, 26 Mar 2019 08:24:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553613847; cv=none; d=google.com; s=arc-20160816; b=YLZiRgk8YLgXX8U2I4wppYxh29mnajHAXUlolV+nI0AfYtBBDTFDJmVcLcJcbYF0iN cBou6Hmi4E0HQ5SPs9biU3426QZo0OAnqOWZBsbZPZQH30eOKyx51EYLDwfdgjQrsekM J1pBydYWSbAs/tyEG9553zdZY0qGhscBSgeAbD6pL45eNsM9SLAcT1QC19O2bFyWTvVI rGOq2QbZ4uwT+EgD1RGBfxxWdIfKyGF7aH9Ak/cBkzFenRsvO32BtMRaXHxgh5qUNgV4 STOCa39BZyklTAc2+pAG1dNweiX4S6VACrqese3NIqWpZ5tuXKjQshj7/d2BaonnzJ77 9CRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from; bh=F38AVsZULOYc/F86QEgkzm3ZgQuPX712BB2uhiRkGkg=; b=yHofdO18eML00zRvPz5+P5PmI5bxnAr6QkJCCBXPdkVw3ygvCQhuDv/0O4nV+mmEit Vcj9c4KWcYYQiYL+5x3U8l4GMg2e2JCpudkxHlFSzsoxl7ceICzInN3gRosEKVGnom2Q X9odCxgEtjC3M5Vw8CNrEdArj8EeBDyhQBrSNxEx6byQ9V1u/F300ESo8YhUcO+h1qnS 0pSKkfHA+BPdSW5iFTXn9iOIHTEUOodat5JWQv9urnWvXov9yQcfrLkt8th22/U0zjIO hpDwKfuYSAWJDnpWy318gTkcdmruf9yxw4ru9XQOk2Egx1wG8WZ6ybSAEqLJz5ByiNy9 9rLQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l33si17485084pld.309.2019.03.26.08.23.51; Tue, 26 Mar 2019 08:24:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731943AbfCZPWO (ORCPT + 99 others); Tue, 26 Mar 2019 11:22:14 -0400 Received: from mx1.redhat.com ([209.132.183.28]:46691 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731652AbfCZPWN (ORCPT ); Tue, 26 Mar 2019 11:22:13 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 415CA30832EB; Tue, 26 Mar 2019 15:22:13 +0000 (UTC) Received: from x2.localnet (ovpn-122-217.rdu2.redhat.com [10.10.122.217]) by smtp.corp.redhat.com (Postfix) with ESMTP id B337B825FB; Tue, 26 Mar 2019 15:22:07 +0000 (UTC) From: Steve Grubb To: Richard Guy Briggs Cc: Paul Moore , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Linux-Audit Mailing List , LKML , omosnace@redhat.com, Eric Paris , Serge Hallyn , zohar@linux.ibm.com, mjg59@google.com Subject: Re: [PATCH ghak109 V1] audit: link integrity evm_write_xattrs record to syscall event Date: Tue, 26 Mar 2019 11:22:07 -0400 Message-ID: <2006016.NXIvICiRTL@x2> Organization: Red Hat In-Reply-To: <20190321005008.wfz3bk7q262km5fz@madcap2.tricolour.ca> References: <81d0122d14c4fbb3a2ad33d25fdf2dd001c7dcc7.1552737854.git.rgb@redhat.com> <20190321005008.wfz3bk7q262km5fz@madcap2.tricolour.ca> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Tue, 26 Mar 2019 15:22:13 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wednesday, March 20, 2019 8:50:08 PM EDT Richard Guy Briggs wrote: > On 2019-03-20 19:48, Paul Moore wrote: > > On Sat, Mar 16, 2019 at 8:10 AM Richard Guy Briggs wrote: > > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of > > > verified xattrs"), the call to audit_log_start() is missing a context > > > to > > > link it to an audit event. Since this event is in user context, add > > > the process' syscall context to the record. > > > > > > In addition, the orphaned keyword "locked" appears in the record. > > > Normalize this by changing it to "xattr=(locked)". > > > > > > Please see the github issue > > > https://github.com/linux-audit/audit-kernel/issues/109 > > > > > > Signed-off-by: Richard Guy Briggs > > > --- > > > > > > security/integrity/evm/evm_secfs.c | 5 +++-- > > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > > > diff --git a/security/integrity/evm/evm_secfs.c > > > b/security/integrity/evm/evm_secfs.c index 015aea8fdf1e..4171d174e9da > > > 100644 > > > --- a/security/integrity/evm/evm_secfs.c > > > +++ b/security/integrity/evm/evm_secfs.c > > > @@ -192,7 +192,8 @@ static ssize_t evm_write_xattrs(struct file *file, > > > const char __user *buf,> > > > > if (count > XATTR_NAME_MAX) > > > > > > return -E2BIG; > > > > > > - ab = audit_log_start(NULL, GFP_KERNEL, > > > AUDIT_INTEGRITY_EVM_XATTR); > > > + ab = audit_log_start(audit_context(), GFP_KERNEL, > > > + AUDIT_INTEGRITY_EVM_XATTR); > > > > This part is fine. > > > > > if (!ab) > > > > > > return -ENOMEM; > > > > > > @@ -222,7 +223,7 @@ static ssize_t evm_write_xattrs(struct file *file, > > > const char __user *buf,> > > > > inode_lock(inode); > > > err = simple_setattr(evm_xattrs, &newattrs); > > > inode_unlock(inode); > > > > > > - audit_log_format(ab, "locked"); > > > + audit_log_format(ab, "xattr=(locked)"); > > > > Two things come to mind: > > > > * While we can clearly trust the string above, should we be logging > > the xattr field value as an untrusted string so it is consistent with > > how we record other xattr names? > > That would be a question for Steve. All fields with the same name must be represented the same way. If one instance is untrusted, every instance of the same keyword must be untrusted. -Steve > > * I'm not sure you can ever have parens in a xattr (I would hope not), > > but if we are going to use the xattr field, perhaps we should simply > > stick with the name as provided (".") so we don't ever run afoul of > > xattr names? I'm curious to hear what the IMA/EVM folks think of > > this. > > The legal xaddr names start with XATTR_SECURITY_PREFIX which is > "security." so there is no danger of collision with legal names, but I > suppose someone could try to use "(locked)" as a name which would look > identical but fail with a different res= number. I think I prefer your > idea of printing the given value verbatim. > > > paul moore > > - RGB > > -- > Richard Guy Briggs > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635