Date: Thu, 2 Nov 2023 15:56:51 -0700
Subject: Re: [PATCH RFC v11 9/19] ipe: add permissive toggle
To: Paul Moore, corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, audit@vger.kernel.org, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers
References: <1696457386-3010-10-git-send-email-wufan@linux.microsoft.com> <1ef52e983dd5b9a7759dc76bfe156804.paul@paul-moore.com>
From: Fan Wu
In-Reply-To: <1ef52e983dd5b9a7759dc76bfe156804.paul@paul-moore.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/23/2023 8:52 PM, Paul Moore wrote:
> On Oct 4, 2023 Fan Wu wrote:
>>
>> IPE, like SELinux, supports a permissive mode. This mode allows policy
>> authors to test and evaluate IPE policy without it affecting their
>> programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS will
>> be reported.
>>
>> This patch adds the following audit records:
>>
>> audit: MAC_STATUS enforcing=0 old_enforcing=1 auid=4294967295
>> ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
>> audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295
>> ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
>>
>> The audit record is only emitted when the value from the user input is
>> different from the current enforce value.
>>
>> Signed-off-by: Deven Bowers
>> Signed-off-by: Fan Wu
>> ---
>> v2:
>>   + Split evaluation loop, access control hooks, and evaluation loop
>>     from policy parser and userspace interface to pass mailing list
>>     character limit
>>
>> v3:
>>   + Move ipe_load_properties to patch 04.
>>   + Remove useless 0-initializations
>>   + Prefix extern variables with ipe_
>>   + Remove kernel module parameters, as these are exposed through sysctls.
>>   + Add more prose to the IPE base config option help text.
>>   + Use GFP_KERNEL for audit_log_start.
>>   + Remove unnecessary caching system.
>>   + Remove comments from headers
>>   + Use rcu_access_pointer for rcu-pointer null check
>>   + Remove usage of reqprot; use prot only.
>>   + Move policy load and activation audit event to 03/12
>>
>> v4:
>>   + Remove sysctls in favor of securityfs nodes
>>   + Re-add kernel module parameters, as these are now exposed through
>>     securityfs.
>>   + Refactor property audit loop to a separate function.
>>
>> v5:
>>   + fix minor grammatical errors
>>   + do not group rule by curly-brace in audit record, reconstruct the
>>     exact rule.
>>
>> v6:
>>   + No changes
>>
>> v7:
>>   + Further split lsm creation into a separate commit from the
>>     evaluation loop and audit system, for easier review.
>>   + Propagating changes to support the new ipe_context structure in the
>>     evaluation loop.
>>   + Split out permissive functionality into a separate patch for easier
>>     review.
>>   + Remove permissive switch compile-time configuration option - this
>>     is trivial to add later.
>>
>> v8:
>>   + Remove "IPE" prefix from permissive audit record
>>   + align fields to the linux-audit field dictionary. This causes the
>>     following fields to change:
>>       enforce -> permissive
>>
>>   + Remove duplicated information correlated with syscall record, that
>>     will always be present in the audit event.
>>   + Change audit types:
>>     + AUDIT_TRUST_STATUS -> AUDIT_MAC_STATUS
>>       + There is no significant difference in meaning between
>>         these types.
>> >> v9: >> + Clean up ipe_context related code >> >> v10: >> + Change audit format to comform with the existing format selinux is >> using >> + Remove the audit record emission during init to align with selinux, >> which does not perform this action. >> >> v11: >> + Remove redundant code >> --- >> security/ipe/audit.c | 22 ++++++++++++++ >> security/ipe/audit.h | 1 + >> security/ipe/eval.c | 14 +++++++-- >> security/ipe/eval.h | 1 + >> security/ipe/fs.c | 68 ++++++++++++++++++++++++++++++++++++++++++++ >> 5 files changed, 104 insertions(+), 2 deletions(-) > > ... > >> diff --git a/security/ipe/eval.c b/security/ipe/eval.c >> index 499b6b3338f2..78c54ff1fdd3 100644 >> --- a/security/ipe/eval.c >> +++ b/security/ipe/eval.c >> @@ -167,9 +172,12 @@ int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx) >> ipe_audit_match(ctx, match_type, action, rule); >> >> if (action == IPE_ACTION_DENY) >> - return -EACCES; >> + rc = -EACCES; >> + >> + if (!enforcing) >> + rc = 0; > > Why the local @enforcing variable? Why not: > > if (!READ_ONCE(enforce)) > rc = 0; > Yes the variable is unnecessary, I will remove it. -Fan >> - return 0; >> + return rc; >> } >> >> /** >> @@ -198,3 +206,5 @@ void ipe_invalidate_pinned_sb(const struct super_block *mnt_sb) >> >> module_param(success_audit, bool, 0400); >> MODULE_PARM_DESC(success_audit, "Start IPE with success auditing enabled"); >> +module_param(enforce, bool, 0400); >> +MODULE_PARM_DESC(enforce, "Start IPE in enforce or permissive mode"); > > "enforcing" > > -- > paul-moore.com
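Review bot: in the ipe_evaluate_event hunk, the early `return -EACCES` becomes `rc = -EACCES` followed by `if (!enforcing) rc = 0;`, but neither the initialisation of `rc` nor the read of `enforcing` lies within the visible context, so the hunk alone does not show that `rc` starts at 0 on the allow path; reading the flag inline as `if (!READ_ONCE(enforce)) rc = 0;`, as the reply suggests, also removes the question of how far apart the snapshot seen by the audit code and the one used for the return value can be. Note also that `ipe_audit_match()` runs before the override, so in permissive mode the record still carries the policy's DENY decision while the access is allowed; that is what a permissive mode is for, but the commit message should state it so operators reading the audit trail are not surprised.

Review bot: in the module_param hunk, `MODULE_PARM_DESC(enforce, "Start IPE in enforce or permissive mode")` does not say which boolean value selects which mode or what the default is; since the reply asks for the parameter to be named `enforcing`, the name and description should use the same term as the `enforcing=` field of the MAC_STATUS record, e.g. `MODULE_PARM_DESC(enforcing, "Start IPE in enforcing (1) or permissive (0) mode")`. The 0400 mode keeps the parameter read-only after boot, matching `success_audit`, which is right given that runtime changes go through the securityfs node this patch adds in fs.c.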
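As an added example (not code from the patch or the kernel tree), a small Python checker that parses the MAC_STATUS records the commit message describes and flags switches of IPE into permissive mode, marking those made without a login uid. The audit.log framing (type=/msg=) and the sample lines are constructed and assumed; the field names are the ones quoted in the commit message.

```python
import re
from typing import Dict, List

# key=value tokens as the audit subsystem emits them (values are unquoted here).
_KV_RE = re.compile(r"(\S+?)=(\S+)")
_MSG_RE = re.compile(r"audit\([\d.]+:(\d+)\)")
AUID_UNSET = 4294967295  # (unsigned)-1: no login uid, e.g. a boot-time write

# Constructed sample audit.log lines. The MAC_STATUS fields follow the record
# format quoted in the commit message; the type=/msg= framing is assumed.
SAMPLE_LOG = """\
type=MAC_STATUS msg=audit(1698965811.123:42): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
type=SYSCALL msg=audit(1698965811.123:42): arch=c000003e syscall=1 success=yes exit=2
type=MAC_STATUS msg=audit(1698965811.456:43): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
type=MAC_STATUS msg=audit(1698965811.789:44): enforcing=0 old_enforcing=1 auid=1000 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1
"""


def parse_mac_status(line: str) -> Dict[str, str]:
    """Return the fields of a MAC_STATUS record, or {} for any other type."""
    fields = dict(_KV_RE.findall(line))
    return fields if fields.get("type") == "MAC_STATUS" else {}


def mode_changes(log_text: str, lsm: str = "ipe") -> List[dict]:
    """List successful enforce/permissive switches of one LSM. The kernel
    emits MAC_STATUS only when the new value differs from the current one,
    so every hit is a real transition, not a no-op write."""
    out = []
    for line in log_text.splitlines():
        f = parse_mac_status(line)
        if not f or f.get("lsm") != lsm or f.get("res") != "1":
            continue
        if "enforcing" not in f or "old_enforcing" not in f:
            continue  # some other MAC_STATUS shape; not a mode switch
        m = _MSG_RE.search(f.get("msg", ""))
        out.append({
            "serial": int(m.group(1)) if m else None,
            "auid": int(f.get("auid", AUID_UNSET)),
            "to_permissive": f["old_enforcing"] == "1" and f["enforcing"] == "0",
        })
    return out


def permissive_switches(log_text: str, lsm: str = "ipe") -> List[dict]:
    """The subset worth alerting on: enforcing -> permissive. Marks writes
    with no login uid (auid unset), e.g. a boot-time module parameter."""
    return [dict(c, auid_unset=c["auid"] == AUID_UNSET)
            for c in mode_changes(log_text, lsm) if c["to_permissive"]]
```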