From: Steve Grubb <sgrubb@redhat.com>
To: Neil Horman <nhorman@redhat.com>
Cc: Neil Horman <nhorman@tuxdriver.com>,
Miloslav Trmac <mitr@redhat.com>,
Herbert Xu <herbert@gondor.hengli.com.au>,
Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>,
linux-crypto@vger.kernel.org, Linda Wang <lwang@redhat.com>
Subject: Re: [PATCH 0/4] RFC: "New" /dev/crypto user-space interface
Date: Tue, 10 Aug 2010 15:10:12 -0400 [thread overview]
Message-ID: <201008101510.12638.sgrubb@redhat.com> (raw)
In-Reply-To: <20100810184544.GB9789@hmsreliant.think-freely.org>
On Tuesday, August 10, 2010 02:45:44 pm Neil Horman wrote:
> On Tue, Aug 10, 2010 at 02:14:24PM -0400, Steve Grubb wrote:
> > On Tuesday, August 10, 2010 01:57:40 pm Neil Horman wrote:
> > > > > I'm not so sure I follow. how can you receive messages on a socket
> > > > > in response to requests that were sent from a different socket.
> > > > > In the netlink multicast and broadcast case, sure, but theres no
> > > > > need to use those. I suppose you could exit a process, start
> > > > > another process in which the pid gets reused, open up a subsequent
> > > > > socket and perhaps confuse audit that way, but you're not going to
> > > > > get responses to the requests that the previous process sent in
> > > > > that case.
> > > >
> > > > I don't even need to open a subsequent socket - as son as the process
> > > > ID is reused, the audit message is incorrect, which is not really
> > > > acceptable in itself.
> > >
> > > But, you do, thats my point. If a process exits, and another process
> > > starts up that happens to reuse the same pid, it can't just call
> > > recvmsg on the socket descriptor that the last process used for
> > > netlink messages and expect to get any data. That socket descriptor
> > > won't be connected to the netlink service (or anything) anymore, and
> > > you'll get an error from the kernel.
> >
> > You are looking at it from the wrong end. Think of it from audit's
> > perspective about how do you guarantee that the audit trail is correct?
> > This has been discussed on linux-audit mail list before and the
> > conclusion is you have very limited information to work with. By being
> > synchronous the syscall, we get everything in the syscall record from
> > the processes audit context.
>
> What information do you need in the audit record that you might loose
> accross two syscalls?
This is easier to show that explain. With Mirek's current patch:
type=SYSCALL msg=audit(1281013374.713:11671): arch=c000003e syscall=2
success=yes exit=3 a0=400b67 a1=2 a2=0 a3=7fff4daa1200 items=1 ppid=1352
pid=1375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=tty6 ses=3 comm="ncr-setkey" exe="/home/mitr/cryptodev-
linux/userspace/ncr-setkey" subj=unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023 key=(null)
type=CRYPTO_USERSPACE_OP msg=audit(1281013374.713:11671):
crypto_op=context_new ctx=0
type=CWD msg=audit(1281013374.713:11671): cwd="/root"
type=PATH msg=audit(1281013374.713:11671): item=0 name="/dev/crypto"
inode=12498 dev=00:05 mode=020660 ouid=0 ogid=0 rdev=0a:3a
obj=system_u:object_r:device_t:s0
type=CRYPTO_STORAGE_KEY msg=audit(1281013374.715:11672): key_size=16
The netlink aproach, we only get the credentials that ride with the netlink
packet
http://lxr.linux.no/#linux+v2.6.35/include/linux/netlink.h#L159
There really is no comparison between what can be recorded synchronously vs
async.
> It sounds from previous emails that, generally speaking, you're worried that
> you want the task struct that current points to in the recvmsg call be
> guaranteeed to be the same as the task struct that current points to in the
> sendmsg call (i.e. no children (re)using the same socket descriptor, etc).
Not really, we are _hoping_ that the pid in the netlink credentials is the
same pid that sent the packet in the first place. From the time we reference
the pid out of the skb until we go hunting and locate the pid in the list of
tasks, it could have died and been replaced with another task with different
credentials. We can't take that risk.
> Can this be handled by using the fact that netlink is actually syncronous
> under the covers?
But its not or all the credentials would not be riding in the skb.
> Can you ennumerate here what FIPS and Common Criteria mandate be presented
> in the audit logs?
Who did what to whom at what time and what was the outcome. In the case of
configuration changes we need the new and old values. However, we need extra
information to make the selective audit work right.
-Steve
next prev parent reply other threads:[~2010-08-10 19:10 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1036252728.135401281454634072.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
2010-08-10 15:40 ` [PATCH 0/4] RFC: "New" /dev/crypto user-space interface Miloslav Trmac
2010-08-10 16:40 ` Neil Horman
2010-08-10 16:57 ` Miloslav Trmac
2010-08-10 17:57 ` Neil Horman
2010-08-10 18:14 ` Steve Grubb
2010-08-10 18:45 ` Neil Horman
2010-08-10 19:10 ` Steve Grubb [this message]
2010-08-10 19:17 ` Neil Horman
2010-08-10 20:08 ` Steve Grubb
2010-08-10 18:19 ` Miloslav Trmac
2010-08-10 18:34 ` Herbert Xu
2010-08-10 18:36 ` Miloslav Trmac
2010-08-10 19:10 ` Neil Horman
2010-08-10 19:37 ` Miloslav Trmac
2010-08-10 18:12 ` Loc Ho
[not found] <1488103333.203081281527737237.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
2010-08-11 12:09 ` Miloslav Trmac
[not found] <2115846701.201281281525518833.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
2010-08-11 11:31 ` Miloslav Trmac
[not found] <227903841.184591281491835434.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
2010-08-11 2:06 ` Miloslav Trmac
2010-08-11 11:46 ` Neil Horman
[not found] <897762024.164521281469254847.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
2010-08-10 19:44 ` Miloslav Trmac
[not found] <1649376471.162481281467800176.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
2010-08-10 19:18 ` Miloslav Trmac
[not found] <1250838696.160111281466456373.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
2010-08-10 18:58 ` Miloslav Trmac
2010-08-10 19:37 ` Neil Horman
[not found] <15765372.157161281465237985.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
2010-08-10 18:34 ` Miloslav Trmac
2010-08-10 18:39 ` Loc Ho
[not found] <801204854.134521281454377550.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
2010-08-10 15:36 ` Miloslav Trmac
2010-08-10 16:17 ` Neil Horman
2010-08-05 20:17 Miloslav Trmač
2010-08-06 0:25 ` Neil Horman
2010-08-07 0:54 ` Miloslav Trmac
2010-08-09 14:39 ` Herbert Xu
2010-08-10 0:00 ` Miloslav Trmac
2010-08-10 12:46 ` Neil Horman
2010-08-10 13:24 ` Steve Grubb
2010-08-10 14:37 ` Neil Horman
2010-08-10 14:47 ` Miloslav Trmac
2010-08-10 14:51 ` Neil Horman
2010-08-11 6:50 ` Linus Walleij
2010-08-11 23:10 ` Nikos Mavrogiannopoulos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201008101510.12638.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=herbert@gondor.hengli.com.au \
--cc=linux-crypto@vger.kernel.org \
--cc=lwang@redhat.com \
--cc=mitr@redhat.com \
--cc=n.mavrogiannopoulos@gmail.com \
--cc=nhorman@redhat.com \
--cc=nhorman@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.