From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: zohar@linux.vnet.ibm.com, paul@paul-moore.com,
linux-integrity@vger.kernel.org, linux-audit@redhat.com
Cc: sgrubb@redhat.com, linux-kernel@vger.kernel.org,
Stefan Berger <stefanb@linux.vnet.ibm.com>
Subject: [PATCH v3 4/4] ima: Differentiate auditing policy rules from "audit" actions
Date: Mon, 4 Jun 2018 16:54:55 -0400
Message-ID: <20180604205455.2325754-5-stefanb@linux.vnet.ibm.com>
In-Reply-To: <20180604205455.2325754-1-stefanb@linux.vnet.ibm.com>
The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
the IMA "audit" policy action. This patch defines
AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.
Since we defined a new message type, we can now also pass the
audit_context and get an associated SYSCALL record. This now produces
the following records when parsing the IMA policy's rules:
type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \
func=MMAP_CHECK mask=MAY_EXEC res=1
type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \
func=FILE_CHECK mask=MAY_READ res=1
type=SYSCALL msg=audit(1527888965.738:320): arch=c000003e syscall=1 \
success=yes exit=17 a0=1 a1=55bcfcca9030 a2=11 a3=7fcc1b55fb38 \
items=0 ppid=1567 pid=1601 auid=0 uid=0 gid=0 euid=0 suid=0 \
fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="echo" \
exe="/usr/bin/echo" \
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
---
include/uapi/linux/audit.h | 1 +
security/integrity/ima/ima_policy.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 65d9293f1fb8..cb358551376b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -148,6 +148,7 @@
#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
#define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */
+#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
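Review bot: the comment on the new define should spell out the split, because AUDIT_INTEGRITY_RULE two lines above still reads /* policy rule */ while, per the commit message, it is from now on the type used for the IMA "audit" action and no longer for policy rules; suggest changing that comment to /* policy rule, "audit" action */ (or similar) so readers of the uapi header are not misled. The new value 1807 also needs a matching name in audit userspace, as the commit message's example output still renders it as type=UNKNOWN[1807].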
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index bc99713dfe57..f7230db217a7 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -652,8 +652,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
bool uid_token;
int result = 0;
- ab = integrity_audit_log_start(NULL, GFP_KERNEL,
- AUDIT_INTEGRITY_RULE);
+ ab = integrity_audit_log_start(current->audit_context, GFP_KERNEL,
+ AUDIT_INTEGRITY_POLICY_RULE);
entry->uid = INVALID_UID;
entry->fowner = INVALID_UID;
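Review bot: passing current->audit_context instead of NULL ties the record to whatever syscall the caller is in, so the SYSCALL record shown in the commit message describes the process writing the policy file (comm="echo", exe="/usr/bin/echo", syscall=1) rather than IMA itself; the commit message should state that explicitly, since that is exactly the attribution an analyst gets from the change. It is also why the two rule records and the SYSCALL record share serial 320: they are now emitted from the same context, which is the intended effect and worth one sentence in the description.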
--
2.13.6
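As an added, defender-side example (not part of the patch or of the kernel), the following Python parser groups audit records by their serial and, for each IMA policy-rule event, reports which process loaded which rules. The log lines are constructed from the records in the commit message above, with the backslash continuations joined; the UNKNOWN[1807] type string is how userspace prints AUDIT_INTEGRITY_POLICY_RULE until it has a name for it.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the records quoted in the commit message.
SAMPLE_LOG = """\
type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit func=MMAP_CHECK mask=MAY_EXEC res=1
type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit func=FILE_CHECK mask=MAY_READ res=1
type=SYSCALL msg=audit(1527888965.738:320): arch=c000003e syscall=1 success=yes exit=17 a0=1 a1=55bcfcca9030 a2=11 a3=7fcc1b55fb38 items=0 ppid=1567 pid=1601 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="echo" exe="/usr/bin/echo" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# msg=audit(<timestamp>:<serial>) is the key that links records of one event.
HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

IMA_POLICY_RULE_TYPE = 1807  # AUDIT_INTEGRITY_POLICY_RULE from the patch

def parse_record(line):
    """Split one audit line into type, serial, timestamp and a field dict; None if not an audit line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rtype = m.group('type')
    num = re.match(r'UNKNOWN\[(\d+)\]', rtype)  # unnamed types print as UNKNOWN[<number>]
    return {'type': rtype, 'type_num': int(num.group(1)) if num else None,
            'serial': int(m.group('serial')), 'ts': m.group('ts'), 'fields': fields}

def correlate_policy_loads(text):
    """Group records by serial; for each event carrying policy rules, return loader and rules."""
    events = defaultdict(lambda: {'rules': [], 'syscall': None})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec['serial']]
        if rec['type_num'] == IMA_POLICY_RULE_TYPE:
            ev['rules'].append(rec['fields'])
        elif rec['type'] == 'SYSCALL':
            ev['syscall'] = rec['fields']  # present because the record now carries audit_context
    result = []
    for serial, ev in sorted(events.items()):
        if not ev['rules']:
            continue
        sc = ev['syscall'] or {}  # no SYSCALL record if the context was NULL (pre-patch behaviour)
        result.append({'serial': serial, 'comm': sc.get('comm'), 'exe': sc.get('exe'),
                       'auid': sc.get('auid'), 'success': sc.get('success'),
                       'rules': [(r.get('action'), r.get('func'), r.get('mask'), r.get('res'))
                                 for r in ev['rules']]})
    return result

if __name__ == '__main__':
    for ev in correlate_policy_loads(SAMPLE_LOG):
        print(ev)
```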
Thread overview:
2018-06-04 20:54 [PATCH v3 0/4] IMA: work on audit records produced by IMA Stefan Berger
2018-06-04 20:54 ` [PATCH v3 1/4] ima: Call audit_log_string() rather than logging it untrusted Stefan Berger
2018-06-04 20:54 ` [PATCH v3 2/4] ima: Use audit_log_format() rather than audit_log_string() Stefan Berger
2018-06-04 20:54 ` [PATCH v3 3/4] ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set Stefan Berger
2018-06-05 0:16 ` Paul Moore
2018-06-04 20:54 ` Stefan Berger [this message]
2018-06-05 0:21 ` [PATCH v3 4/4] ima: Differentiate auditing policy rules from "audit" actions Paul Moore
2018-06-05 14:15 ` Mimi Zohar
2018-06-05 22:18 ` Paul Moore
2018-06-06 14:52 ` Mimi Zohar