Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp190011rwl; Tue, 11 Apr 2023 16:42:33 -0700 (PDT) X-Google-Smtp-Source: AKy350Z3f9dfxx+y8W2B4w6zTRrjxmENH6b8RLtFfii3HVQYa7AF6dKD9J5Cv9Ag+lvlyDLMdU77 X-Received: by 2002:aa7:8bd2:0:b0:639:c88b:c3e0 with SMTP id s18-20020aa78bd2000000b00639c88bc3e0mr7094526pfd.22.1681256552872; Tue, 11 Apr 2023 16:42:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681256552; cv=none; d=google.com; s=arc-20160816; b=hPoxp6GndgG3BTYjtuSQ5dIewkE4XQ7XP+bqrpCCWwoZVX4o3PPqNexDYpp4miuqOv 1WlL7dzZ543ncy3hJVOeFdlnaES+KquHVR0r12w+Xz8CBTAXx6FIYKYPwPJCNmLnTXdz /vo9JsjfipNB3IUHEKIalPIDogw6ArE71k/vW10X6UIq6QUUCjnwdl/WjUlPduOfaDCq pGM6afI0BNkp36N6BhIi/FHktNNTq7bTltJTFChw06E+w9Y4NjTOXDO22R6u8rOQsqOX S7tjppJ9OZBBLYcDp3FsfxxO5/C2fbcvfbzbMVvPNiL+s8KwA93MJnhzCGovyciORSJc rU9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=mjieG96zBNQQG2PDV49OxJZ6+3G2K7bw1ZbVf6U1lzk=; b=BZH7mvkm/hYLHz6JdothlKuX3NWV/DJuhS1kYE4wV8uuvmwNss1BHfTh56MKEfayq5 6bPDqhUrNv6Ac8fqpRqVGJ4/xXhiY1fTbA15+9T2BebBGuvHAxpEe3fpwezRmBtj+F9y 4UIs3E3Ws6oHdZccSaY4V/CPGf2U5mirFcJI7oHTb2qfYvRSywaHDy3CXNsTIwVkMQST Di6kSY7+l5vjJB5n1pk0aRF2/xC8OOrblx6CscCvksGjePUf5oAznpl2mX3Tw5wAS533 6TDwR1M0x9wCqjJHpKVFoBmJwVnqzy4MT/sq8opl5x1nW1G0oZfKYUA0EbPGkbdAfQii y02Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=JBJa4Zki; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c2-20020aa79522000000b0062dbafd7a3esi14984505pfp.100.2023.04.11.16.42.21; Tue, 11 Apr 2023 16:42:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=JBJa4Zki; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229481AbjDKXWK (ORCPT + 99 others); Tue, 11 Apr 2023 19:22:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32900 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229521AbjDKXWF (ORCPT ); Tue, 11 Apr 2023 19:22:05 -0400 Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6037D30E0 for ; Tue, 11 Apr 2023 16:22:04 -0700 (PDT) Received: by mail-yb1-xb31.google.com with SMTP id y69so16863338ybe.2 for ; Tue, 11 Apr 2023 16:22:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1681255323; x=1683847323; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=mjieG96zBNQQG2PDV49OxJZ6+3G2K7bw1ZbVf6U1lzk=; b=JBJa4Zkia5CL2Y2OupdXMM4PasK18pInJvMWdC+fcjeXMUtF7Az9LU/h0gwzthGF+x QFe+EM5gj0HfuwGanmiaXQwO3fOP8a4btCGAetQJYVHjOzucbpsePzuKkG8TR93btov3 ejiAzOSugxLP10TJ9faOUK77CIu/bvXaG3edhovV1FmhkPF7ahaMosgu3K9FFeA+6IjP qeh/0RVlrXKpAWpHVnAzwGCVyfYKB4mFnhjuGQJsrwBkOB5Jy3rtKOUgPR1BJr7DIua1 Fk/CkDcSU3fo0g3DUTmWuoTiaScyOwO7RNznY6OmT+Asa5k3Dvwtdp4bTuSz6pIhq7XJ tChQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681255323; x=1683847323; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mjieG96zBNQQG2PDV49OxJZ6+3G2K7bw1ZbVf6U1lzk=; b=cDGHq9UGuqX6kEqawUIalInBUH5oXrZVpo1t6qiXm1gXu9EJhu4ofu03bOD6lKlxwh IgND1TMDmSB70oDHkOJu92YdYaGziNwKF2/zQ55kcW58eK68VhT77FsXz56PcuEpQgpu BNMAw+U0CufdOdkk9kUdogJxdzcyodfoBtQl2+kRcOXiUZJsybX0FkhzOtO0M+4kZqmL qywhzHVfiCVF4p7aN0Z7WQ4PICRpDUOX66iQiQ8abSxk5GikJ0MKmfPORT5935H5CjLI 4TY835knSxfLOrr3zKosxPWrqrDDtA/FEZkLdxSiy81VloYrq5iWvN3iwBQcPdvgESiD SP8g== X-Gm-Message-State: AAQBX9d/ZRZdQ3GeOxkFWP/DmOMnbWTQw7R112D9G6yHH0Chnjq6m7dP OR/i3xuFlxYGlOJaSvZIaFeMXDaSWRa4jm0FgXhy X-Received: by 2002:a25:cace:0:b0:b8f:2f68:93b0 with SMTP id a197-20020a25cace000000b00b8f2f6893b0mr1197248ybg.3.1681255323520; Tue, 11 Apr 2023 16:22:03 -0700 (PDT) MIME-Version: 1.0 References: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com> <1675119451-23180-8-git-send-email-wufan@linux.microsoft.com> <3723852.kQq0lBPeGt@x2> In-Reply-To: From: Paul Moore Date: Tue, 11 Apr 2023 19:21:52 -0400 Message-ID: Subject: Re: [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support To: Steve Grubb , linux-audit@redhat.com Cc: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, Fan Wu , dm-devel@redhat.com, linux-doc@vger.kernel.org, Deven Bowers , roberto.sassu@huawei.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-integrity@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 2, 2023 at 2:05=E2=80=AFPM Paul Moore wro= te: > On Tue, Jan 31, 2023 at 12:11=E2=80=AFPM Steve Grubb = wrote: > > On Monday, January 30, 2023 5:57:22 PM EST Fan Wu wrote: ... > > > audit: MAC_POLICY_LOAD policy_name=3D"dmverity_roothash" > > > policy_version=3D0.0.0 sha256=3DDC67AC19E05894EFB3170A8E55DE52979= 4E248C2 > > > auid=3D4294967295 ses=3D4294967295 lsm=3Dipe res=3D1 > > > > The MAC_POLICY_LOAD record type simply states the lsm that had it's pol= icy > > loaded. There isn't name, version, and hash information. I'd prefer to = see > > all users of this record type decide if it should be extended because t= hey > > also have that information available to record. > > Not all LSMs which load policy have that information; as an example, > SELinux doesn't have the concept of a policy name or version. The > SELinux policy version you might see in the kernel sources refers to > the policy format version and has no bearing on the actual policy > content beyond that dictated by the format. > > If additional information is required by IPE, perhaps an auxiliary IPE > policy load record could be created with those additional fields. The issue of policy load audit records came up in an offline discussion with Fan today and I think it's worth talking about this a bit more to reach some consensus. Currently only SELinux generates MAC_POLICY_LOAD records, and it contains all of the information that is present in the IPE example above with the exception of the 'policy_name', 'policy_version', and the policy digest. I personally don't have a problem extending the MAC_POLICY_LOAD record with these fields, and leaving them unused/"?" in the SELinux generated records. It's possible we may even want to use the policy digest field at some point, as it would be nice to be able to have some policy "key" within SELinux that could be used to help identify the loaded policy. The only catch is that we may want to find a better field name than just 'sha256', in the context of the MAC_POLICY_LOAD record it seems easily understood, but in the larger context of a full audit stream it might be too ambiguous. We would also need to decide if we wanted to encode the digest algorithm in the field name, the field value, or have it as a separate field. I might lean towards encoding it in the field value like this: policy_digest=3Dsha256:XXXXX ... however that is something that would need some discussion from the other folks on the To/CC line. --=20 paul-moore.com