Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp160347rwl; Tue, 11 Apr 2023 16:11:05 -0700 (PDT) X-Google-Smtp-Source: AKy350Z5iJ3NWdG6LhOu66UGqRcc2bDdeBYCi2mly+nTSmiSscM12YFipdkDaL7TDUEDSu2zL1JB X-Received: by 2002:a17:90b:4d0f:b0:23d:1143:c664 with SMTP id mw15-20020a17090b4d0f00b0023d1143c664mr20221203pjb.31.1681254665575; Tue, 11 Apr 2023 16:11:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681254665; cv=none; d=google.com; s=arc-20160816; b=tY/Rzx45vNfhp435chtYcrjCtk0z9qjIA4DRLoh42tyM71e2gaIHeZqcz6zBLnUzVu ypfAQBbpge4qtOoL9TrRq8VMAf/qTA47Ye/Hyeaxu/XdW0eGhtf/x/d/TeUYaMvdH3yJ uVxLDQPWo9vVifINqyIXyX6sfviwmdEgRd0C2Q28yTragqy2jAQ3L/9+v64b3VPLytTF EJbqqSLI/1A6DGo/9SmVeubu9xKaYuUZsXLcVDtgBBWKJBhC2WtyMDBnDFfV2bahJOwR 4tDezQ6mNVd8DfUy4rnGHx5H8SRrVhbvNEke8GawwDzQbAWfHKJGusCpu81AbD6p6AfA 6opA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=eIyxfCRdtVW6DZEqESNyM82Zcjpw6q1yxE2SLi7Q/10=; b=ekL+RRXgZsXcKMEPpzYVUAvWpabKVttl2lOeyRN+Hl9eFJ44tBxRllVxjf/CbZEQlv q83bsBAB/I/o+4HGA87C9Pn9ckx/o6vDbr614qyXTnbWjFivs6c9W7NoFwRGX1EmJRuF GdgHHd+eR8r/uLkNWjxNS2BiQYc8rcCQhWBdp4D7UsK42iHA4qmWQSCBGn1D3QhjdZZo 5482HI0uRmJ96vunmVpmz4yZjRtSZ1ZDGp3IWQg9pNxbiwxCWqhqzXVWZQZiY5rnaF7Y JyfRlEJDgzWIb55V0NSB5YqQ4zirbIfHWa5w+PB+iBM5PZa6AakSy9OP6dPjNlloOeKK g37A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=XXnbf3ZX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q18-20020a17090ad39200b00246a6cecff8si309348pju.44.2023.04.11.16.10.54; Tue, 11 Apr 2023 16:11:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=XXnbf3ZX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229523AbjDKXIT (ORCPT + 99 others); Tue, 11 Apr 2023 19:08:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52494 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229499AbjDKXIN (ORCPT ); Tue, 11 Apr 2023 19:08:13 -0400 Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9885F199D for ; Tue, 11 Apr 2023 16:08:09 -0700 (PDT) Received: by mail-yb1-xb33.google.com with SMTP id q5so12777348ybk.7 for ; Tue, 11 Apr 2023 16:08:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1681254489; x=1683846489; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=eIyxfCRdtVW6DZEqESNyM82Zcjpw6q1yxE2SLi7Q/10=; b=XXnbf3ZXHmVyyAWosjbgtLtVe0obVxWMHT6ER5WKVjE2//n1kQT1vqGfH+itDlXM2k 2fneTH+5x2uocctQ6SccdU559tW16dOAzYZt4SUNr3SQZoWWsatyRHmcKNDLHGZiFZX1 ngNGr73HAG/JBY+0W9DmkWkoC+3V3vgClv7PS81c7UdnCx+3aMFz1Ishp4aKe2GcG+9q +3SRRyJSTGsRHSMejxxYLambtKEVZffeY9ZCgEkqByHxjKnrI4D7N/WlEOpBuqUt0lI4 YOvKnY4/lPDxTBJnhmllQ0VSpmZ1AJLwV7aGqPZH7Infu2EyjgWnt0Qsp4/uyydvAv+I TYrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681254489; x=1683846489; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eIyxfCRdtVW6DZEqESNyM82Zcjpw6q1yxE2SLi7Q/10=; b=m27I7t8S8BRrq+GU28JH99Y4V0HWq1jf2w4EWg9Zvo6M08hzXJeSFtnYvybzg55EBS +cXI38lu1Ffai5J6s4Ro7WkZkq4hvQUjsYu13QhykOjZJKp8uDsn4CB39Sr4xAMhIRYC PK8bzmgozDLRIQtj+aMBpo6OIrwQ4bAjfT/eCFcHYMAczonsasVrxPHB1AWm+oOCIJt3 itZwAKbVQfCKmnv3bCQ7c6FLNZdlwwkCyMOQjsJt+Qb9EeY7XvowpoiZy5ckuV9uWIR1 /+fqxU3HZukH/fHF+5ph6ZExIuZ8JHCcIBhI4U3/UfSgaqSa8oU3xC+6gmEukNIA4IR1 XS1w== X-Gm-Message-State: AAQBX9fCY9jmsRt6E/EFZV8GTzLnz6vTkQaUth1xk/3CICdVzhPuDfOe k5lCh2AS/8Pg8ks2qtJcTGd992gUagbMCzaW6zIu X-Received: by 2002:a25:d702:0:b0:b68:7a4a:5258 with SMTP id o2-20020a25d702000000b00b687a4a5258mr377571ybg.3.1681254488697; Tue, 11 Apr 2023 16:08:08 -0700 (PDT) MIME-Version: 1.0 References: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com> <1675119451-23180-8-git-send-email-wufan@linux.microsoft.com> <3723852.kQq0lBPeGt@x2> <20230316225340.GB22567@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> In-Reply-To: <20230316225340.GB22567@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> From: Paul Moore Date: Tue, 11 Apr 2023 19:07:57 -0400 Message-ID: Subject: Re: [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support To: Fan Wu Cc: Steve Grubb , corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, linux-audit@redhat.com, dm-devel@redhat.com, linux-doc@vger.kernel.org, Deven Bowers , roberto.sassu@huawei.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-integrity@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 16, 2023 at 6:53=E2=80=AFPM Fan Wu = wrote: > On Thu, Mar 02, 2023 at 02:05:33PM -0500, Paul Moore wrote: > > On Tue, Jan 31, 2023 at 12:11???PM Steve Grubb wrot= e: > > > > > > Hello, > > > > > > On Monday, January 30, 2023 5:57:22 PM EST Fan Wu wrote: > > > > From: Deven Bowers > > > > > > > > Users of IPE require a way to identify when and why an operation fa= ils, > > > > allowing them to both respond to violations of policy and be notifi= ed > > > > of potentially malicious actions on their systens with respect to I= PE > > > > itself. > > > > > > > > The new 1420 audit, AUDIT_IPE_ACCESS indicates the result of a poli= cy > > > > evaulation of a resource. The other two events, AUDIT_MAC_POLICY_LO= AD, > > > > and AUDIT_MAC_CONFIG_CHANGE represent a new policy was loaded into = the > > > > kernel and the currently active policy changed, respectively. > > > > > > Typically when you reuse an existing record type, it is expected to m= aintain > > > the same fields in the same order. Also, it is expect that fields tha= t are > > > common across diferent records have the same meaning. To aid in this,= we have > > > a field dictionary here: > > > > > > https://github.com/linux-audit/audit-documentation/blob/main/specs/fi= elds/ > > > field-dictionary.csv > > > > > > For example, dev is expected to be 2 hex numbers separated by a colon= which > > > are the device major and minor numbers. But down a couple lines from = here, we > > > find dev=3D"tmpfs". But isn't that a filesystem type? > > > > What Steve said. > > > > I'll also add an administrative note, we just moved upstream Linux > > audit development to a new mailing list, audit@vger.kernel.org, please > > use that in future patch submissions. As a positive, it's a fully > > open list so you won't run into moderation delays/notifications/etc. > > > Thanks for the info, I will update the address. > > > > > This patch also adds support for success auditing, allowing users t= o > > > > identify how a resource passed policy. It is recommended to use thi= s > > > > option with caution, as it is quite noisy. > > > > > > > > This patch adds the following audit records: > > > > > > > > audit: AUDIT1420 path=3D"/tmp/tmpwxmam366/deny/bin/hello" dev=3D"= tmpfs" > > > > ino=3D72 rule=3D"DEFAULT op=3DEXECUTE action=3DDENY" > > > > > > Do we really need to log the whole rule? > > > > Fan, would it be reasonable to list the properties which caused the > > access denial? That seems like it might be more helpful than the > > specific rule, or am I missing something? > > Audit the whole rule can let the user find the reason of a policy decisio= n. > We need the whole rule because an allow/block is not caused by a specific > property, but the combination of all property conditions in a rule. Okay, that's a reasonable argument for logging the rule along with the decision. I think it helps that the IPE policy rules are not particularly long. > We could also add a verbose switch such that we only audit > the whole rule when a user turned the verbose switch on. I'm not sure that's necessary, and honestly it might be annoying as we would still need to output a 'rule=3D"?"' field in the audit record as it is considered good practice to not have fields magically appear and disappear from the record format. However, if there are concerns about record sizes, that could be a potential mitigation. --=20 paul-moore.com