From: Paul Moore
Date: Tue, 26 Mar 2019 19:58:04 -0400
Subject: Re: [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event
To: Mimi Zohar
Cc: Richard Guy Briggs, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Linux-Audit Mailing List, LKML, sgrubb@redhat.com, omosnace@redhat.com, Eric Paris, Serge Hallyn, mjg59@google.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar wrote:
>
> Hi Richard, Paul,
>
> On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote:
> > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
> > verified xattrs"), the call to audit_log_start() is missing a context to
> > link it to an audit event. Since this event is in user context, add
> > the process' syscall context to the record.
> >
> > In addition, the orphaned keyword "locked" appears in the record.
> > Normalize this by changing it to logging the locking string "." as any
> > other user input in the "xattr=" field.
> >
> > Please see the github issue
> > https://github.com/linux-audit/audit-kernel/issues/109
> >
> > Signed-off-by: Richard Guy Briggs
>
> Acked-by: Mimi Zohar
>
> Paul, were you planning on upstreaming this patch?

Yep, unless you would rather do it? If you pull it into the IMA tree,
please add my ACK; otherwise let me know and I'll merge it into
audit/next.

Acked-by: Paul Moore

-- 
paul moore
www.paul-moore.com
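
Added example, not part of the thread or the patch: a small log check showing what "linking a record to an audit event" means for someone reading the audit trail. Records emitted with the syscall context share one `audit(<time>:<serial>)` stamp with the SYSCALL record, so the writer's pid and command can be recovered; a record logged without a context stands alone. The record type name `INTEGRITY_EVM_XATTR`, the field layout and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread). The second EVM
# record has its own serial, i.e. it was logged without a syscall context.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1553644696.033:410): arch=c000003e syscall=1 success=yes pid=2211 comm="sh"
type=INTEGRITY_EVM_XATTR msg=audit(1553644696.033:410): xattr="security.example" res=0
type=INTEGRITY_EVM_XATTR msg=audit(1553644701.512:411): xattr="." res=0
"""

STAMP = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Group records by (timestamp, serial), the audit event identifier."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        events[(ts, int(serial))].append((rtype, fields))
    return events

def orphaned(events, rtype="INTEGRITY_EVM_XATTR"):
    """Return events that hold an rtype record but no SYSCALL record."""
    out = []
    for key, records in sorted(events.items()):
        types = {t for t, _ in records}
        if rtype in types and "SYSCALL" not in types:
            out.append((key, [f for t, f in records if t == rtype]))
    return out

def actor(events, key):
    """pid/comm from the SYSCALL record linked to an event, or None."""
    for rtype, fields in events[key]:
        if rtype == "SYSCALL":
            return fields.get("pid"), fields.get("comm")
    return None

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for key, recs in orphaned(ev):
        print("unlinked record, no process attribution:", key, recs)
```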