From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
SElinux list <selinux@tycho.nsa.gov>
Subject: Re: [PATCH ghak46 V1] audit: normalize MAC_STATUS record
Date: Mon, 16 Apr 2018 14:07:21 -0400 [thread overview]
Message-ID: <1817813.xZzHaMM7Yh@x2> (raw)
In-Reply-To: <20180416141101.zcovkknupxcgiwf2@madcap2.tricolour.ca>
On Monday, April 16, 2018 10:11:01 AM EDT Richard Guy Briggs wrote:
> On 2018-04-16 09:26, Ondrej Mosnacek wrote:
> > 2018-04-10 1:34 GMT+02:00 Richard Guy Briggs <rgb@redhat.com>:
> > > There were two formats of the audit MAC_STATUS record, one of which was
> > > more standard than the other. One listed enforcing status changes and
> > > the other listed enabled status changes with a non-standard label. In
> > > addition, the record was missing information about which LSM was
> > > responsible and the operation's completion status. While this record
> > > is
> > > only issued on success, the parser expects the res= field to be
> > > present.
> > >
> > > old enforcing/permissive:
> > > type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0
> > > old_enforcing=1 auid=0 ses=1 old enable/disable:
> > > type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1
> > >
> > > List both sets of status and old values and add the lsm= field and the
> > > res= field.
> > >
> > > Here is the new format:
> > > type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0
> > > old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1
> > >
> > > This record already accompanied a SYSCALL record.
> > >
> > > See: https://github.com/linux-audit/audit-kernel/issues/46
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > >
> > > security/selinux/selinuxfs.c | 11 +++++++----
> > > 1 file changed, 7 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/security/selinux/selinuxfs.c
> > > b/security/selinux/selinuxfs.c
> > > index 00eed84..00b21b2 100644
> > > --- a/security/selinux/selinuxfs.c
> > > +++ b/security/selinux/selinuxfs.c
> > > @@ -145,10 +145,11 @@ static ssize_t sel_write_enforce(struct file
> > > *file, const char __user *buf,> >
> > > if (length)
> > >
> > > goto out;
> > >
> > > audit_log(current->audit_context, GFP_KERNEL,
> > > AUDIT_MAC_STATUS,
> > >
> > > - "enforcing=%d old_enforcing=%d auid=%u ses=%u",
> > > + "enforcing=%d old_enforcing=%d auid=%u ses=%u"
> > > + " enabled=%d old-enabled=%d lsm=selinux res=1",
> >
> > This is just a tiny nit but why does "old_enforcing" use an underscore
> > and "old-enabled" a dash? Shouldn't the style be consistent across
> > fields?
Well, we have this thing called the field dictionary:
https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/
field-dictionary.csv
If a field exists, we should reuse it and follow the exact formatting for the
value side. In this case, old_enforcing is in the dictionary. So, it should
be used.
> Yes, but my understanding is a preference for underscore, and not to
> change existing field names.
>
> Steve?
When you are gluing 2 words together, I prefer a dash. But, in this case we
alreday have precedent that the field name exists, so we should reuse it.
-Steve
> > Just my two cents...
>
> These details are worth noticing, thank you.
>
> > > new_value, selinux_enforcing,
> > > from_kuid(&init_user_ns,
> > > audit_get_loginuid(current)),
> > >
> > > - audit_get_sessionid(current));
> > > + audit_get_sessionid(current), selinux_enabled,
> > > selinux_enabled);> >
> > > selinux_enforcing = new_value;
> > > if (selinux_enforcing)
> > >
> > > avc_ss_reset(0);
> > >
> > > @@ -272,9 +273,11 @@ static ssize_t sel_write_disable(struct file
> > > *file, const char __user *buf,> >
> > > if (length)
> > >
> > > goto out;
> > >
> > > audit_log(current->audit_context, GFP_KERNEL,
> > > AUDIT_MAC_STATUS,
> > >
> > > - "selinux=0 auid=%u ses=%u",
> > > + "enforcing=%d old_enforcing=%d auid=%u ses=%u"
> > > + " enabled=%d old-enabled=%d lsm=selinux res=1",
> > > + selinux_enforcing, selinux_enforcing,
> >
> > ^ also here
> >
> > > from_kuid(&init_user_ns,
> > > audit_get_loginuid(current)),
> > >
> > > - audit_get_sessionid(current));
> > > + audit_get_sessionid(current), 0, 1);
> > >
> > > }
> > >
> > > length = count;
> >
> > Ondrej Mosnacek <omosnace at redhat dot com>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
WARNING: multiple messages have this Message-ID (diff)
From: sgrubb@redhat.com (Steve Grubb)
To: linux-security-module@vger.kernel.org
Subject: [PATCH ghak46 V1] audit: normalize MAC_STATUS record
Date: Mon, 16 Apr 2018 14:07:21 -0400 [thread overview]
Message-ID: <1817813.xZzHaMM7Yh@x2> (raw)
In-Reply-To: <20180416141101.zcovkknupxcgiwf2@madcap2.tricolour.ca>
On Monday, April 16, 2018 10:11:01 AM EDT Richard Guy Briggs wrote:
> On 2018-04-16 09:26, Ondrej Mosnacek wrote:
> > 2018-04-10 1:34 GMT+02:00 Richard Guy Briggs <rgb@redhat.com>:
> > > There were two formats of the audit MAC_STATUS record, one of which was
> > > more standard than the other. One listed enforcing status changes and
> > > the other listed enabled status changes with a non-standard label. In
> > > addition, the record was missing information about which LSM was
> > > responsible and the operation's completion status. While this record
> > > is
> > > only issued on success, the parser expects the res= field to be
> > > present.
> > >
> > > old enforcing/permissive:
> > > type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0
> > > old_enforcing=1 auid=0 ses=1 old enable/disable:
> > > type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1
> > >
> > > List both sets of status and old values and add the lsm= field and the
> > > res= field.
> > >
> > > Here is the new format:
> > > type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0
> > > old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1
> > >
> > > This record already accompanied a SYSCALL record.
> > >
> > > See: https://github.com/linux-audit/audit-kernel/issues/46
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > >
> > > security/selinux/selinuxfs.c | 11 +++++++----
> > > 1 file changed, 7 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/security/selinux/selinuxfs.c
> > > b/security/selinux/selinuxfs.c
> > > index 00eed84..00b21b2 100644
> > > --- a/security/selinux/selinuxfs.c
> > > +++ b/security/selinux/selinuxfs.c
> > > @@ -145,10 +145,11 @@ static ssize_t sel_write_enforce(struct file
> > > *file, const char __user *buf,> >
> > > if (length)
> > >
> > > goto out;
> > >
> > > audit_log(current->audit_context, GFP_KERNEL,
> > > AUDIT_MAC_STATUS,
> > >
> > > - "enforcing=%d old_enforcing=%d auid=%u ses=%u",
> > > + "enforcing=%d old_enforcing=%d auid=%u ses=%u"
> > > + " enabled=%d old-enabled=%d lsm=selinux res=1",
> >
> > This is just a tiny nit but why does "old_enforcing" use an underscore
> > and "old-enabled" a dash? Shouldn't the style be consistent across
> > fields?
Well, we have this thing called the field dictionary:
https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/
field-dictionary.csv
If a field exists, we should reuse it and follow the exact formatting for the
value side. In this case, old_enforcing is in the dictionary. So, it should
be used.
> Yes, but my understanding is a preference for underscore, and not to
> change existing field names.
>
> Steve?
When you are gluing 2 words together, I prefer a dash. But, in this case we
alreday have precedent that the field name exists, so we should reuse it.
-Steve
> > Just my two cents...
>
> These details are worth noticing, thank you.
>
> > > new_value, selinux_enforcing,
> > > from_kuid(&init_user_ns,
> > > audit_get_loginuid(current)),
> > >
> > > - audit_get_sessionid(current));
> > > + audit_get_sessionid(current), selinux_enabled,
> > > selinux_enabled);> >
> > > selinux_enforcing = new_value;
> > > if (selinux_enforcing)
> > >
> > > avc_ss_reset(0);
> > >
> > > @@ -272,9 +273,11 @@ static ssize_t sel_write_disable(struct file
> > > *file, const char __user *buf,> >
> > > if (length)
> > >
> > > goto out;
> > >
> > > audit_log(current->audit_context, GFP_KERNEL,
> > > AUDIT_MAC_STATUS,
> > >
> > > - "selinux=0 auid=%u ses=%u",
> > > + "enforcing=%d old_enforcing=%d auid=%u ses=%u"
> > > + " enabled=%d old-enabled=%d lsm=selinux res=1",
> > > + selinux_enforcing, selinux_enforcing,
> >
> > ^ also here
> >
> > > from_kuid(&init_user_ns,
> > > audit_get_loginuid(current)),
> > >
> > > - audit_get_sessionid(current));
> > > + audit_get_sessionid(current), 0, 1);
> > >
> > > }
> > >
> > > length = count;
> >
> > Ondrej Mosnacek <omosnace@redhat dot com>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-04-16 18:07 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-09 23:34 [PATCH ghak46 V1] audit: normalize MAC_STATUS record Richard Guy Briggs
2018-04-09 23:34 ` Richard Guy Briggs
2018-04-11 21:08 ` Paul Moore
2018-04-11 21:08 ` Paul Moore
2018-04-17 21:59 ` Paul Moore
2018-04-17 21:59 ` Paul Moore
2018-04-17 22:09 ` Richard Guy Briggs
2018-04-17 22:09 ` Richard Guy Briggs
2018-04-18 1:51 ` Paul Moore
2018-04-18 1:51 ` Paul Moore
2018-04-16 7:26 ` Ondrej Mosnacek
2018-04-16 7:26 ` Ondrej Mosnacek
2018-04-16 14:11 ` Richard Guy Briggs
2018-04-16 14:11 ` Richard Guy Briggs
2018-04-16 14:25 ` Ondrej Mosnacek
2018-04-16 14:25 ` Ondrej Mosnacek
2018-04-16 18:07 ` Steve Grubb [this message]
2018-04-16 18:07 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1817813.xZzHaMM7Yh@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=rgb@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.