From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
"linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Preferred subj= with multiple LSMs
Date: Tue, 16 Jul 2019 14:06:27 -0400 [thread overview]
Message-ID: <2477603.130G60v5SE@x2> (raw)
In-Reply-To: <CAHC9VhSTwvueKcK2yhckwayh9YGou7gt2Gny36DOTaNkrck+Mg@mail.gmail.com>
On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote:
> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler <casey@schaufler-ca.com>
wrote:
> > On 7/16/2019 10:12 AM, Paul Moore wrote:
> > > On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > >> On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
> > >>> On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler
> > >>> <casey@schaufler-ca.com>
> > >>
> > >> wrote:
> > >>>> On 7/15/2019 12:04 PM, Richard Guy Briggs wrote:
> > >>>>> On 2019-07-13 11:08, Steve Grubb wrote:
> > > ...
> > >
> > >>>>> Steve's answer is the obvious one, ideally allocating a seperate
> > >>>>> range
> > >>>>> to each LSM with each message type having its own well defined
> > >>>>> format.
> > >>>>
> > >>>> It doesn't address the issue of success records, or records
> > >>>> generated outside the security modules.
> > >>>
> > >>> Yes, exactly. The individual LSM will presumably will continue to
> > >>> generate their own audit records as they do today and I would imagine
> > >>> that the subject and object fields could remain as they do today for
> > >>> the LSM specific records.
> > >>>
> > >>> The trick is the other records which are not LSM specific but still
> > >>> want to include subject and/or object information. Unfortunately we
> > >>> are stuck with some tough limitations given the current audit record
> > >>> format and Steve's audit userspace tools;
> > >>
> > >> Not really. We just need to approach the problem thinking about how to
> > >> make it work based on how things currently work.
> > >
> > > I suppose it is all somewhat "subjective" - bad joke fully intended :)
> > > - with respect to what one considers good/bad/limiting. My personal
> > > view is that an ideal solution would allow for multiple independent
> > > subj/obj labels without having to multiplex on a single subj/obj
> > > field. My gut feeling is that this would confuse your tools, yes?
> > >
> > >> For example Casey had a list of possible formats. Like this one:
> > >>
> > >> Option 3:
> > >> lsms=selinux,apparmor subj=x:y:z:s:c subj=a
> > >>
> > >> I'd suggest something almost like that. The first field could be a map
> > >> to
> > >> decipher the labels. Then we could have a comma separated list of
> > >> labels.
> > >>
> > >> lsms=selinux,apparmor subj=x:y:z:s:c,a
> > >
> > > Some quick comments:
> > >
> > > * My usual reminder that new fields for existing audit records must be
> > > added to the end of the record.
> > >
> > > * If we are going to multiplex the labels on a single field (more on
> > > that below) I might suggest using "subj_lsms" instead of "lsms" so we
> > > leave ourself some wiggle room in the future.
> > >
> > > * Multiplexing on a single "subj" field is going to be difficult
> > > because picking the label delimiter is going to be a pain. For
> > > example, in the example above a comma is used, which at the very least
> > > is a valid part of a SELinux label and I suspect for Smack as well
> > > (I'm not sure about the other LSMs). I suspect the only way to parse
> > > out the component labels would be to have knowledge of the LSMs in
> > > use, as well as the policies loaded at the time the audit record was
> > > generated.
> > >
> > > This may be a faulty assumption, but assuming your tools will fall
> > > over if they see multiple "subj" fields, could we do something like
> > >
> > > the following (something between option #2 and #3):
> > > subj1_lsm=smack subj1=<smack_label> subj2_lsm=selinux
> > >
> > > subj2=<selinux_label> ...
> >
> > If it's not a subj= field why use the indirection?
> >
> > subj_smack=<smack_label> subj_selinux=<selinux_label>
> >
> > would be easier.
>
> Good point, that looks reasonable to me.
But doing something like this will totally break all parsers. To be honest, I
don't know if I'll ever see more than one labeled security system running at
the same time. And this would be a big penalty to pay for the flexibility that
someone, somewhere just might possibly do this.
-Steve
WARNING: multiple messages have this Message-ID (diff)
From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Richard Guy Briggs <rgb@redhat.com>,
"linux-audit@redhat.com" <linux-audit@redhat.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>
Subject: Re: Preferred subj= with multiple LSMs
Date: Tue, 16 Jul 2019 14:06:27 -0400 [thread overview]
Message-ID: <2477603.130G60v5SE@x2> (raw)
In-Reply-To: <CAHC9VhSTwvueKcK2yhckwayh9YGou7gt2Gny36DOTaNkrck+Mg@mail.gmail.com>
On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote:
> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler <casey@schaufler-ca.com>
wrote:
> > On 7/16/2019 10:12 AM, Paul Moore wrote:
> > > On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > >> On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
> > >>> On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler
> > >>> <casey@schaufler-ca.com>
> > >>
> > >> wrote:
> > >>>> On 7/15/2019 12:04 PM, Richard Guy Briggs wrote:
> > >>>>> On 2019-07-13 11:08, Steve Grubb wrote:
> > > ...
> > >
> > >>>>> Steve's answer is the obvious one, ideally allocating a seperate
> > >>>>> range
> > >>>>> to each LSM with each message type having its own well defined
> > >>>>> format.
> > >>>>
> > >>>> It doesn't address the issue of success records, or records
> > >>>> generated outside the security modules.
> > >>>
> > >>> Yes, exactly. The individual LSM will presumably will continue to
> > >>> generate their own audit records as they do today and I would imagine
> > >>> that the subject and object fields could remain as they do today for
> > >>> the LSM specific records.
> > >>>
> > >>> The trick is the other records which are not LSM specific but still
> > >>> want to include subject and/or object information. Unfortunately we
> > >>> are stuck with some tough limitations given the current audit record
> > >>> format and Steve's audit userspace tools;
> > >>
> > >> Not really. We just need to approach the problem thinking about how to
> > >> make it work based on how things currently work.
> > >
> > > I suppose it is all somewhat "subjective" - bad joke fully intended :)
> > > - with respect to what one considers good/bad/limiting. My personal
> > > view is that an ideal solution would allow for multiple independent
> > > subj/obj labels without having to multiplex on a single subj/obj
> > > field. My gut feeling is that this would confuse your tools, yes?
> > >
> > >> For example Casey had a list of possible formats. Like this one:
> > >>
> > >> Option 3:
> > >> lsms=selinux,apparmor subj=x:y:z:s:c subj=a
> > >>
> > >> I'd suggest something almost like that. The first field could be a map
> > >> to
> > >> decipher the labels. Then we could have a comma separated list of
> > >> labels.
> > >>
> > >> lsms=selinux,apparmor subj=x:y:z:s:c,a
> > >
> > > Some quick comments:
> > >
> > > * My usual reminder that new fields for existing audit records must be
> > > added to the end of the record.
> > >
> > > * If we are going to multiplex the labels on a single field (more on
> > > that below) I might suggest using "subj_lsms" instead of "lsms" so we
> > > leave ourself some wiggle room in the future.
> > >
> > > * Multiplexing on a single "subj" field is going to be difficult
> > > because picking the label delimiter is going to be a pain. For
> > > example, in the example above a comma is used, which at the very least
> > > is a valid part of a SELinux label and I suspect for Smack as well
> > > (I'm not sure about the other LSMs). I suspect the only way to parse
> > > out the component labels would be to have knowledge of the LSMs in
> > > use, as well as the policies loaded at the time the audit record was
> > > generated.
> > >
> > > This may be a faulty assumption, but assuming your tools will fall
> > > over if they see multiple "subj" fields, could we do something like
> > >
> > > the following (something between option #2 and #3):
> > > subj1_lsm=smack subj1=<smack_label> subj2_lsm=selinux
> > >
> > > subj2=<selinux_label> ...
> >
> > If it's not a subj= field why use the indirection?
> >
> > subj_smack=<smack_label> subj_selinux=<selinux_label>
> >
> > would be easier.
>
> Good point, that looks reasonable to me.
But doing something like this will totally break all parsers. To be honest, I
don't know if I'll ever see more than one labeled security system running at
the same time. And this would be a big penalty to pay for the flexibility that
someone, somewhere just might possibly do this.
-Steve
next prev parent reply other threads:[~2019-07-16 18:06 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-12 16:33 Preferred subj= with multiple LSMs Casey Schaufler
2019-07-12 16:33 ` Casey Schaufler
2019-07-13 15:08 ` Steve Grubb
2019-07-13 15:08 ` Steve Grubb
2019-07-15 19:04 ` Richard Guy Briggs
2019-07-15 19:04 ` Richard Guy Briggs
2019-07-15 19:37 ` Casey Schaufler
2019-07-15 21:28 ` Paul Moore
2019-07-15 22:55 ` Steve Grubb
2019-07-16 16:00 ` Casey Schaufler
2019-07-16 16:14 ` Steve Grubb
2019-07-16 16:33 ` Lenny Bruzenak
2019-07-16 16:37 ` Steve Grubb
2019-07-16 17:16 ` Casey Schaufler
2019-07-16 17:16 ` Casey Schaufler
2019-07-16 17:12 ` Paul Moore
2019-07-16 17:29 ` Casey Schaufler
2019-07-16 17:29 ` Casey Schaufler
2019-07-16 17:43 ` Paul Moore
2019-07-16 17:43 ` Paul Moore
2019-07-16 17:58 ` Casey Schaufler
2019-07-16 17:58 ` Casey Schaufler
2019-07-16 18:06 ` Steve Grubb [this message]
2019-07-16 18:06 ` Steve Grubb
2019-07-16 18:41 ` Casey Schaufler
2019-07-16 18:41 ` Casey Schaufler
2019-07-16 21:25 ` Paul Moore
2019-07-16 21:25 ` Paul Moore
2019-07-16 21:46 ` Steve Grubb
2019-07-16 21:46 ` Steve Grubb
2019-07-16 22:18 ` Casey Schaufler
2019-07-16 22:18 ` Casey Schaufler
2019-07-16 23:13 ` Paul Moore
2019-07-16 23:13 ` Paul Moore
2019-07-16 23:47 ` Casey Schaufler
2019-07-16 23:47 ` Casey Schaufler
2019-07-17 12:14 ` Paul Moore
2019-07-17 12:14 ` Paul Moore
2019-07-17 15:49 ` Casey Schaufler
2019-07-17 15:49 ` Casey Schaufler
2019-07-17 16:23 ` Paul Moore
2019-07-17 16:23 ` Paul Moore
2019-07-17 23:02 ` Casey Schaufler
2019-07-17 23:02 ` Casey Schaufler
2019-07-18 13:10 ` Simon McVittie
2019-07-18 13:10 ` Simon McVittie
2019-07-18 16:13 ` Casey Schaufler
2019-07-18 16:13 ` Casey Schaufler
2019-07-19 12:15 ` Simon McVittie
2019-07-19 12:15 ` Simon McVittie
2019-07-19 16:29 ` Casey Schaufler
2019-07-19 16:29 ` Casey Schaufler
2019-07-19 18:47 ` Simon McVittie
2019-07-19 18:47 ` Simon McVittie
2019-07-19 20:02 ` Dbus and multiple LSMs (was Preferred subj= with multiple LSMs) Casey Schaufler
2019-07-19 20:02 ` Casey Schaufler
2019-07-22 11:36 ` Simon McVittie
2019-07-22 11:36 ` Simon McVittie
2019-07-22 16:04 ` Casey Schaufler
2019-07-22 16:04 ` Casey Schaufler
2019-07-19 21:21 ` Preferred subj= with multiple LSMs Paul Moore
2019-07-19 21:21 ` Paul Moore
2019-07-22 20:50 ` James Morris
2019-07-22 20:50 ` James Morris
2019-07-22 22:01 ` Casey Schaufler
2019-07-22 22:01 ` Casey Schaufler
2019-07-22 22:30 ` Paul Moore
2019-07-22 22:30 ` Paul Moore
2019-07-23 0:11 ` Casey Schaufler
2019-07-23 0:11 ` Casey Schaufler
2019-07-23 14:06 ` Simon McVittie
2019-07-23 14:06 ` Simon McVittie
2019-07-23 17:32 ` Casey Schaufler
2019-07-23 17:32 ` Casey Schaufler
2019-07-23 21:46 ` James Morris
2019-07-23 21:46 ` James Morris
2019-07-16 23:09 ` Paul Moore
2019-07-16 23:09 ` Paul Moore
2019-07-17 4:36 ` James Morris
2019-07-17 4:36 ` James Morris
2019-07-17 12:23 ` Paul Moore
2019-07-17 12:23 ` Paul Moore
2019-07-18 15:01 ` William Roberts
2019-07-18 15:01 ` William Roberts
2019-07-18 18:48 ` Casey Schaufler
2019-07-18 18:48 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2477603.130G60v5SE@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.