From: Paul Moore
Date: Wed, 27 Mar 2019 18:14:25 -0400
Subject: Re: [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event
To: Mimi Zohar, Richard Guy Briggs
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Linux-Audit Mailing List, LKML, sgrubb@redhat.com, omosnace@redhat.com, Eric Paris, Serge Hallyn, mjg59@google.com

On Wed, Mar 27, 2019 at 11:05 AM Mimi Zohar wrote:
> On Tue, 2019-03-26 at 19:58 -0400, Paul Moore wrote:
> > On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar wrote:
> > >
> > > Hi Richard, Paul,
> > >
> > > On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote:
> > > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
> > > > verified xattrs"), the call to audit_log_start() is missing a context to
> > > > link it to an audit event. Since this event is in user context, add
> > > > the process' syscall context to the record.
> > > >
> > > > In addition, the orphaned keyword "locked" appears in the record.
> > > > Normalize this by changing it to logging the locking string "." as any
> > > > other user input in the "xattr=" field.
> > > >
> > > > Please see the github issue
> > > > https://github.com/linux-audit/audit-kernel/issues/109
> > > >
> > > > Signed-off-by: Richard Guy Briggs
> > >
> > > Acked-by: Mimi Zohar
> > >
> > > Paul, were you planning on upstreaming this patch?
> >
> > Yep, unless you would rather do it?
>
> No, that's fine. Thanks!

Merged into audit/next, thanks all.

--
paul moore
www.paul-moore.com
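
What the missing context means for a log consumer, as an added example that is not part of the original message or of the kernel patch: records that share one `msg=audit(timestamp:serial)` stamp form a single event, so an EVM xattr record emitted without the syscall context stands alone and cannot be attributed to a process. The log lines, the xattr name `security.example` and all function names are constructed for illustration, and the field layout of the `INTEGRITY_EVM_XATTR` record is an assumption based on the `xattr=` field described in the commit message.

```python
import re
from collections import defaultdict

# Constructed sample records (not captured from a real system).
# Serial 101: EVM record linked to its syscall. Serial 102: orphaned record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1553724876.420:101): arch=c000003e syscall=1 success=yes exit=14 pid=1432 uid=0 comm="sh"
type=INTEGRITY_EVM_XATTR msg=audit(1553724876.420:101): xattr="security.example" res=0
type=INTEGRITY_EVM_XATTR msg=audit(1553724880.007:102): xattr="." res=0
type=SYSCALL msg=audit(1553724881.113:103): arch=c000003e syscall=257 success=yes exit=3 pid=1440 uid=0 comm="cat"
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Yield (event_id, record_type, fields) for each well-formed audit line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        yield (m.group("ts"), int(m.group("serial"))), m.group("type"), fields

def group_events(text):
    """Group records by their (timestamp, serial) stamp, i.e. by audit event."""
    events = defaultdict(list)
    for event_id, rtype, fields in parse_records(text):
        events[event_id].append((rtype, fields))
    return events

def evm_xattr_report(text):
    """Split EVM xattr records into those with a SYSCALL sibling and those without."""
    linked, orphaned = [], []
    for event_id, records in sorted(group_events(text).items()):
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        for rtype, fields in records:
            if rtype != "INTEGRITY_EVM_XATTR":
                continue
            if syscall:
                linked.append((event_id[1], fields.get("xattr"),
                               syscall.get("pid"), syscall.get("comm")))
            else:
                orphaned.append((event_id[1], fields.get("xattr")))
    return linked, orphaned

if __name__ == "__main__":
    linked, orphaned = evm_xattr_report(SAMPLE_LOG)
    print("linked:", linked)
    print("orphaned (no pid/comm available):", orphaned)
```
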