Received: by 2002:a05:7412:bbc7:b0:fc:a2b0:25d7 with SMTP id kh7csp1616234rdb; Sat, 3 Feb 2024 14:26:45 -0800 (PST) X-Google-Smtp-Source: AGHT+IHGF2uNCyoRCoJR0Q7nhDvvI1ti2Z+qn4d6pq3CK8umrj/88OxsUYVNtriY8dIfGPh98DsR X-Received: by 2002:a05:6214:e6f:b0:68c:7395:1bf with SMTP id jz15-20020a0562140e6f00b0068c739501bfmr2974038qvb.8.1706999205108; Sat, 03 Feb 2024 14:26:45 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706999205; cv=pass; d=google.com; s=arc-20160816; b=hwJmP8U5LqkyOYPKzsJZfXOsDSYqJklS9kyB64iijXQcnbcuKHp89WsmuWJ5WJhX63 aOYPQMYiY9zZwhqalUi2II7PlH/kr+idvBnhSQDqC/hB4ADTUACHBAZGnI4Ch6XzvU38 iTjGBiEXDiyO6Sv1aaXnIrRpXO/axxgEItNcVzLUg7aIVrBmFk9SqcFNs6gWutR35JgS EvDoSnKhY1kcpE1+tl9hH5+hK/aBRGH2pQ61ZXwcTrb4Sr5UPnKVlhNN8D3z9lvXpcMx y6n85+4ft+uWloMoIiEs/FHG9FA8djw8/ZVU7yBU6JIosqaATQHbW6yDTYk4aVPN2FRE FhAw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:references:subject:cc:to:from:content-transfer-encoding :content-disposition:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:message-id:date:dkim-signature; bh=gzyXztQxdq2bE3Xby4PIQ2YJXTmtNHMMsda74TWMo30=; fh=R7LLknlzHoevFGmNgxbHgP34AuOySXO9tGbME6QE2bs=; b=dm85Vi0Nw3NYLflY2StVx+pVSBX3EMA4+JNygnOHsYLl+iqhZlm+jBsJe7egWbqvZL Fz8FSxDgNRaQxrasOkBDOo1d8M07VhJPJlgT3FhF5JzLVdmmEVyySASRBR2AEOP1RUzE bILOjNj7ihZzdgZoxX9Y7LQe8C57xZor4oApw/5PUty6HvE/wt3POM/PDc8y9oWf1gAY xLptHurKDQr+EFDEdjqADtjlSGiqwFJdqmwn92iB607P7HmXs4BSmNWt1zhYaPqh4mrE Iogq1u7w+RuUFTxLy/PVehzwjhFgE2Tr6zmJgAFL/5v7dlmd/Zs5Ck9UC/l9PkYOgYVs cnhg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=djY+nsLr; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-51313-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-51313-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com X-Forwarded-Encrypted: i=1; AJvYcCW2A+oHgf3lAuzmDWxqPw0TmRHzBwliTPrOXMICuptY4dPdWbRN20DrRn12mBkQASuTzgG8nhiT4rB9W9g4F60mYmdUQnZCmYnI1TxxlQ== Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id q4-20020a0cfa04000000b0068c6cb82b51si5227138qvn.192.2024.02.03.14.26.44 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 03 Feb 2024 14:26:45 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-51313-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=djY+nsLr; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-51313-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-51313-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 828F91C23006 for ; Sat, 3 Feb 2024 22:26:44 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C1B4117C76; Sat, 3 Feb 2024 22:25:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="djY+nsLr" Received: from mail-qt1-f177.google.com (mail-qt1-f177.google.com [209.85.160.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3C15017592 for ; Sat, 3 Feb 2024 22:25:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.177 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706999118; cv=none; b=Vw9Apqh8BZnC1zeiI+W4XHtcE1XfdhmBLAoU9f055DXCDyWug6YOfrZpfP4JmzJmqzO6tqK/MPL6OCZpgDqsDU/NtA1/kxRmguxloQ3ALyv4IAqIoLFWCj9rYKk0zYBE2QQTtwgf85BDW2g8lj4yQUK+kG3XADOGi9XlRP9Tscg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706999118; c=relaxed/simple; bh=+fSeNkwdSlLWMIl3lzfyk6Ik8ik57S7jL/iU5RejReE=; h=Date:Message-ID:MIME-Version:Content-Type:Content-Disposition: From:To:Cc:Subject:References:In-Reply-To; b=QzLAGYvwufShTgPVic2WpQQ0Xx9RiKyskjzKQPUbMAU6HzgpHGoAAHP+/7FPssPyyANlO2rjDIjiww/qBapXpqNQqoQ2Ncgwc5xeAuXOXyQKLwgzUDPXQSmPT/WtCF+dQFVJR+8bp4QbrS8QS9ScHBkZSk2SAeNg/+op9PLheP8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com; spf=pass smtp.mailfrom=paul-moore.com; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b=djY+nsLr; arc=none smtp.client-ip=209.85.160.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Received: by mail-qt1-f177.google.com with SMTP id d75a77b69052e-42ab4f89bdbso19603971cf.0 for ; Sat, 03 Feb 2024 14:25:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1706999113; x=1707603913; darn=vger.kernel.org; h=in-reply-to:references:subject:cc:to:from:content-transfer-encoding :content-disposition:mime-version:message-id:date:from:to:cc:subject :date:message-id:reply-to; bh=gzyXztQxdq2bE3Xby4PIQ2YJXTmtNHMMsda74TWMo30=; b=djY+nsLrurbaI1YTk9k5Ftj2c5nHXwTI1TjcLUK2gX9bBQ7ZsNWTstow2a2VxfnSQx ovAsxJAOVb5Xagd2H7w/ujsD72cWkw2MzTbVxXImn+tLxraGp0K4gkElA3AUwaSVioEw cU/C6oqd5uJqZTaDIw8YjiyqaOTLhUdojq5Q9AY6sa6r5SKCsIDP8U4nwzo24tOOOMGT zbD6V9Ktqh6AnZTq6u9r0TI0WKRM46zgbF2PGPgkNnWpLGZW+bHNaWhitYsI9qKe+OV3 tCAG6TKh2WR/fbDGDhSzy/n9WiJGW22io82DeQMpE7X7X4tTpUsIKcf5J1ljiCrkhi1c z5pw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706999113; x=1707603913; h=in-reply-to:references:subject:cc:to:from:content-transfer-encoding :content-disposition:mime-version:message-id:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=gzyXztQxdq2bE3Xby4PIQ2YJXTmtNHMMsda74TWMo30=; b=C7hGs6rXO6kvSoT1L+hbYELwRZX2JMCggSQ/6FR+e4/wi41lTFCSf7FFOpwdCjWc0Y 3ntADOiFSZt4Qmvfr5MJr3LqVRK7/GbygkP/0zDyHaeStgSGSwLO4qH4+ZTH6cJ8zu2V UPEkXNry0v+1TPPoBvWBgXlXnSlbQkqYnJlMMaB07dMVFchqB0Tb+W94G7iFcnEIBmyc hUyycQevI7PAqi+KGFnmDV4JCF0fHTlB+pVV1PV7Tv1424zjK7HtuhVEhmNQaUS3MCGc UaOXWAPsFgwawD0QTU3CU0e0FoJiAu1S1yLje0iH6+CCD3OELxFveKc5d6wPVKBx3HOE smpA== X-Gm-Message-State: AOJu0YxI54q1P4/IDFgV/4tdgjxrMvMFYmNUJgfo0f3qjcyXlrfLhTQu VJsxEYwiO6NQhSWKZpOvxnpZ8CjFq99rSVEddEh2xp1+4YutcyLHxwc3TRK7lQ== X-Received: by 2002:a05:622a:24f:b0:42c:c26:78f5 with SMTP id c15-20020a05622a024f00b0042c0c2678f5mr2911367qtx.46.1706999113409; Sat, 03 Feb 2024 14:25:13 -0800 (PST) X-Forwarded-Encrypted: i=0; AJvYcCVuY0T3ip8Fsoc4YOXsxEiSML+PXXAj7BdcQERzWW7YMnNONZ7M6to4B/uXE6/Q2IM9ijQ16YLuMXfn6iwWxGIX1ywdnqnYWflhqV1XouK2Irav754ejbgfiIVI2DLhZQPNulUp9qVHD8e+4B2fq+atfCTExNLldLSVwSGfyMIvarJJTv30NFr3ntoR3iqHnex23Jm7vWUEAddJXXnlITb6S9PKA625NAXJfBa/iBszvAsCpgg1O7m9MP1rsTT+qYHN6TsNkLFIlUpfWsCo6hF3kYwVjCMWh0zzqqfG6hM0+cCI7mRqZKZRdbo0f57rmoX8x4usfqtgebxmGD0+bmGLeFqdaMVJSV7ADTG1asx+XPfamgIMQae75XkpYXrNAu6/4o+eHD1J746/OiQIpMJwhz8C/6fHh+bL+cBWQ8qoIr5Cx1Hd6rswKRawTC0U95+t0O+DIO4SUeO7nzDW8NIQp5leTSzNkIlPH4y4ZBGmgZYseDBvFSxuIVQcL+yH5tOyDeW7sGBFRkyup+3VY/OQ3ihjS1empZSwya8w5sKY5Mp8UZebToJ7jsHYmBxKjwzgk2S9874rUdk6CwfUbOJ2GKoQUhjX8UBpJ9vzOvTP5AbOjb/ZvJfH Received: from localhost ([70.22.175.108]) by smtp.gmail.com with ESMTPSA id j13-20020ac84f8d000000b0042ab59ccd6csm2163130qtw.4.2024.02.03.14.25.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 03 Feb 2024 14:25:13 -0800 (PST) Date: Sat, 03 Feb 2024 17:25:12 -0500 Message-ID: <1e8f6bbac94d62da330262af871aaa98@paul-moore.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit From: Paul Moore To: Fan Wu , corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org, Deven Bowers , Fan Wu Subject: Re: [PATCH RFC v12 10/20] ipe: add permissive toggle References: <1706654228-17180-11-git-send-email-wufan@linux.microsoft.com> In-Reply-To: <1706654228-17180-11-git-send-email-wufan@linux.microsoft.com> On Jan 30, 2024 Fan Wu wrote: > > IPE, like SELinux, supports a permissive mode. This mode allows policy > authors to test and evaluate IPE policy without it effecting their > programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS > be reported. > > This patch adds the following audit records: > > audit: MAC_STATUS enforcing=0 old_enforcing=1 auid=4294967295 > ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1 > audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 > ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1 > > The audit record only emit when the value from the user input is > different from the current enforce value. > > Signed-off-by: Deven Bowers > Signed-off-by: Fan Wu > --- > v2: > + Split evaluation loop, access control hooks, > and evaluation loop from policy parser and userspace > interface to pass mailing list character limit > > v3: > + Move ipe_load_properties to patch 04. > + Remove useless 0-initializations > + Prefix extern variables with ipe_ > + Remove kernel module parameters, as these are > exposed through sysctls. > + Add more prose to the IPE base config option > help text. > + Use GFP_KERNEL for audit_log_start. > + Remove unnecessary caching system. > + Remove comments from headers > + Use rcu_access_pointer for rcu-pointer null check > + Remove usage of reqprot; use prot only. > + Move policy load and activation audit event to 03/12 > > v4: > + Remove sysctls in favor of securityfs nodes > + Re-add kernel module parameters, as these are now > exposed through securityfs. > + Refactor property audit loop to a separate function. > > v5: > + fix minor grammatical errors > + do not group rule by curly-brace in audit record, > reconstruct the exact rule. > > v6: > + No changes > > v7: > + Further split lsm creation into a separate commit from the > evaluation loop and audit system, for easier review. > + Propagating changes to support the new ipe_context structure in the > evaluation loop. > + Split out permissive functionality into a separate patch for easier > review. > + Remove permissive switch compile-time configuration option - this > is trivial to add later. > > v8: > + Remove "IPE" prefix from permissive audit record > + align fields to the linux-audit field dictionary. This causes the > following fields to change: > enforce -> permissive > > + Remove duplicated information correlated with syscall record, that > will always be present in the audit event. > + Change audit types: > + AUDIT_TRUST_STATUS -> AUDIT_MAC_STATUS > + There is no significant difference in meaning between > these types. > > v9: > + Clean up ipe_context related code > > v10: > + Change audit format to comform with the existing format selinux is > using > + Remove the audit record emission during init to align with selinux, > which does not perform this action. > > v11: > + Remove redundant code > > v12: > + Remove redundant code > --- > security/ipe/audit.c | 27 ++++++++++++++++-- > security/ipe/audit.h | 1 + > security/ipe/eval.c | 11 +++++-- > security/ipe/eval.h | 1 + > security/ipe/fs.c | 68 ++++++++++++++++++++++++++++++++++++++++++++ > 5 files changed, 104 insertions(+), 4 deletions(-) > > diff --git a/security/ipe/audit.c b/security/ipe/audit.c > index 79b7af25085c..ed390d32c641 100644 > --- a/security/ipe/audit.c > +++ b/security/ipe/audit.c > @@ -27,6 +27,9 @@ > "new_active_pol_version=%hu.%hu.%hu "\ > "new_policy_digest=" IPE_AUDIT_HASH_ALG ":" > > +#define AUDIT_ENFORCE_CHANGE_FMT "enforcing=%d old_enforcing=%d auid=%u ses=%u "\ > + "enabled=1 old-enabled=1 lsm=ipe res=1" It looks like you only ever use this in one place, it would probably be better to skip the macro definition in this case as it can make it easier to have a disconnect between the format string and the data. > static const char *const audit_op_names[__IPE_OP_MAX + 1] = { > "EXECUTE", > "FIRMWARE", > @@ -95,8 +98,8 @@ void ipe_audit_match(const struct ipe_eval_ctx *const ctx, > if (!ab) > return; > > - audit_log_format(ab, "ipe_op=%s ipe_hook=%s pid=%d comm=", > - op, audit_hook_names[ctx->hook], > + audit_log_format(ab, "ipe_op=%s ipe_hook=%s enforcing=%d pid=%d comm=", > + op, audit_hook_names[ctx->hook], READ_ONCE(enforce), > task_tgid_nr(current)); > audit_log_untrustedstring(ab, get_task_comm(comm, current)); > > @@ -210,3 +213,23 @@ void ipe_audit_policy_load(const struct ipe_policy *const p) > > audit_log_end(ab); > } > + > +/** > + * ipe_audit_enforce - Audit a change in IPE's enforcement state. > + * @new_enforce: The new value enforce to be set. > + * @old_enforce: The old value currently in enforce. > + */ > +void ipe_audit_enforce(bool new_enforce, bool old_enforce) > +{ > + struct audit_buffer *ab; > + > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS); > + if (!ab) > + return; > + > + audit_log_format(ab, AUDIT_ENFORCE_CHANGE_FMT, new_enforce, old_enforce, > + from_kuid(&init_user_ns, audit_get_loginuid(current)), > + audit_get_sessionid(current)); > + > + audit_log_end(ab); > +} -- paul-moore.com