From: Paul Moore <paul.moore@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: netdev@vger.kernel.org, linux-audit@redhat.com, selinux@tycho.nsa.gov
Subject: Re: [PATCH 1/1] NetLabel: add audit support for configuration changes
Date: Fri, 29 Sep 2006 14:09:19 -0400 [thread overview]
Message-ID: <451D614F.8090502@hp.com> (raw)
In-Reply-To: <200609291008.07290.sgrubb@redhat.com>
Steve Grubb wrote:
> On Thursday 28 September 2006 14:03, paul.moore@hp.com wrote:
>>@@ -381,21 +380,35 @@ static int netlbl_cipsov4_add(struct sk_
>>
>> {
>> int ret_val = -EINVAL;
>>- u32 map_type;
>>+ u32 type;
>>+ u32 doi;
>>+ const char *type_str = "(unknown)";
>>+ struct audit_buffer *audit_buf;
>>
>>- if (!info->attrs[NLBL_CIPSOV4_A_MTYPE])
>>+ if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
>>+ !info->attrs[NLBL_CIPSOV4_A_MTYPE])
>> return -EINVAL;
>>
>>- map_type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
>>- switch (map_type) {
>>+ type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
>>+ switch (type) {
>> case CIPSO_V4_MAP_STD:
>>+ type_str = "std";
>> ret_val = netlbl_cipsov4_add_std(info);
>> break;
>> case CIPSO_V4_MAP_PASS:
>>+ type_str = "pass";
>> ret_val = netlbl_cipsov4_add_pass(info);
>> break;
>> }
>>
>>+ if (ret_val == 0) {
>>+ doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
>>+ audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
>>+ NETLINK_CB(skb).sid);
>>+ audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str);
>
>
> type field is already taken for another purpose, it needs to be renamed.
If we can't have duplicate field names I would propose prefixing both
these fields (and doing similar things with the other NetLabel specific
fields) with a "cipso_" making them "cipso_doi" and "cipso_type".
If this isn't acceptable please suggest names which you feel are
appropriate.
>>+/**
>>+ * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
>>+ * @value: desired value
>>+ * @audit_secid: the LSM secid to use in the audit message
>>+ *
>>+ * Description:
>>+ * Set the value of the unlabeled accept flag to @value.
>>+ *
>>+ */
>>+static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
>>+{
>>+ atomic_set(&netlabel_unlabel_accept_flg, value);
>>+ netlbl_audit_nomsg((value ?
>>+ AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY),
>>+ audit_secid);
>
> Looking at how this is being used, I think only 1 message type should be used.
> There are places in the audit system where we set a flag to 1 or 0, but only
> have 1 message type. We record the old and new value. So, you'd need to pass
> that to the logger.
With that in mind I would probably change the message type to
AUDIT_MAC_UNLBL_ALLOW and use a "unlbl_accept" field; is that okay? If
not please suggest something you would find acceptable.
>>+/**
>>+ * netlbl_audit_start_common - Start an audit message
>>+ * @type: audit message type
>>+ * @secid: LSM context ID
>>+ *
>>+ * Description:
>>+ * Start an audit message using the type specified in @type and fill the
>>audit + * message with some fields common to all NetLabel audit messages.
>>Returns + * a pointer to the audit buffer on success, NULL on failure.
>>+ *
>>+ */
>>+struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
>>+{
>
> Generally, logging functions are moved into auditsc.c where the context and
> other functions are defined.
How about leaving this for a future revision? I'd like this first
attempt to be relatively self contained. James Morris has made other
comments along the same lines.
>>+ audit_log_format(audit_buf,
>>+ "netlabel: auid=%u uid=%u tty=%s pid=%d",
>>+ audit_loginuid,
>>+ current->uid,
>>+ audit_tty,
>>+ current->pid);
>
>
> Why are you logging all this? When we add audit rules, all that we log is the
> auid, and subj. If we need to log all this, we should probably have a helper
> function that gets called by other config change loggers.
If I drop the uid, tty, and pid fields will this be acceptable?
>>+ audit_log_format(audit_buf, " comm=");
>>+ audit_log_untrustedstring(audit_buf, audit_comm);
>>+ if (current->mm) {
>>+ down_read(¤t->mm->mmap_sem);
>>+ vma = current->mm->mmap;
>>+ while (vma) {
>>+ if ((vma->vm_flags & VM_EXECUTABLE) &&
>>+ vma->vm_file) {
>>+ audit_log_d_path(audit_buf,
>>+ " exe=",
>>+ vma->vm_file->f_dentry,
>>+ vma->vm_file->f_vfsmnt);
>>+ break;
>>+ }
>>+ vma = vma->vm_next;
>>+ }
>>+ up_read(¤t->mm->mmap_sem);
>>+ }
>>+
>
>
> If this function was moved inside auditsc.c you could use a function there
> that does this. But the question remains why all this data?
In the ideal world would you prefer this to be removed?
--
paul moore
linux security @ hp
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul.moore@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, netdev@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH 1/1] NetLabel: add audit support for configuration changes
Date: Fri, 29 Sep 2006 14:09:19 -0400 [thread overview]
Message-ID: <451D614F.8090502@hp.com> (raw)
In-Reply-To: <200609291008.07290.sgrubb@redhat.com>
Steve Grubb wrote:
> On Thursday 28 September 2006 14:03, paul.moore@hp.com wrote:
>>@@ -381,21 +380,35 @@ static int netlbl_cipsov4_add(struct sk_
>>
>> {
>> int ret_val = -EINVAL;
>>- u32 map_type;
>>+ u32 type;
>>+ u32 doi;
>>+ const char *type_str = "(unknown)";
>>+ struct audit_buffer *audit_buf;
>>
>>- if (!info->attrs[NLBL_CIPSOV4_A_MTYPE])
>>+ if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
>>+ !info->attrs[NLBL_CIPSOV4_A_MTYPE])
>> return -EINVAL;
>>
>>- map_type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
>>- switch (map_type) {
>>+ type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
>>+ switch (type) {
>> case CIPSO_V4_MAP_STD:
>>+ type_str = "std";
>> ret_val = netlbl_cipsov4_add_std(info);
>> break;
>> case CIPSO_V4_MAP_PASS:
>>+ type_str = "pass";
>> ret_val = netlbl_cipsov4_add_pass(info);
>> break;
>> }
>>
>>+ if (ret_val == 0) {
>>+ doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
>>+ audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
>>+ NETLINK_CB(skb).sid);
>>+ audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str);
>
>
> type field is already taken for another purpose, it needs to be renamed.
If we can't have duplicate field names I would propose prefixing both
these fields (and doing similar things with the other NetLabel specific
fields) with a "cipso_" making them "cipso_doi" and "cipso_type".
If this isn't acceptable please suggest names which you feel are
appropriate.
>>+/**
>>+ * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
>>+ * @value: desired value
>>+ * @audit_secid: the LSM secid to use in the audit message
>>+ *
>>+ * Description:
>>+ * Set the value of the unlabeled accept flag to @value.
>>+ *
>>+ */
>>+static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
>>+{
>>+ atomic_set(&netlabel_unlabel_accept_flg, value);
>>+ netlbl_audit_nomsg((value ?
>>+ AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY),
>>+ audit_secid);
>
> Looking at how this is being used, I think only 1 message type should be used.
> There are places in the audit system where we set a flag to 1 or 0, but only
> have 1 message type. We record the old and new value. So, you'd need to pass
> that to the logger.
With that in mind I would probably change the message type to
AUDIT_MAC_UNLBL_ALLOW and use a "unlbl_accept" field; is that okay? If
not please suggest something you would find acceptable.
>>+/**
>>+ * netlbl_audit_start_common - Start an audit message
>>+ * @type: audit message type
>>+ * @secid: LSM context ID
>>+ *
>>+ * Description:
>>+ * Start an audit message using the type specified in @type and fill the
>>audit + * message with some fields common to all NetLabel audit messages.
>>Returns + * a pointer to the audit buffer on success, NULL on failure.
>>+ *
>>+ */
>>+struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
>>+{
>
> Generally, logging functions are moved into auditsc.c where the context and
> other functions are defined.
How about leaving this for a future revision? I'd like this first
attempt to be relatively self contained. James Morris has made other
comments along the same lines.
>>+ audit_log_format(audit_buf,
>>+ "netlabel: auid=%u uid=%u tty=%s pid=%d",
>>+ audit_loginuid,
>>+ current->uid,
>>+ audit_tty,
>>+ current->pid);
>
>
> Why are you logging all this? When we add audit rules, all that we log is the
> auid, and subj. If we need to log all this, we should probably have a helper
> function that gets called by other config change loggers.
If I drop the uid, tty, and pid fields will this be acceptable?
>>+ audit_log_format(audit_buf, " comm=");
>>+ audit_log_untrustedstring(audit_buf, audit_comm);
>>+ if (current->mm) {
>>+ down_read(¤t->mm->mmap_sem);
>>+ vma = current->mm->mmap;
>>+ while (vma) {
>>+ if ((vma->vm_flags & VM_EXECUTABLE) &&
>>+ vma->vm_file) {
>>+ audit_log_d_path(audit_buf,
>>+ " exe=",
>>+ vma->vm_file->f_dentry,
>>+ vma->vm_file->f_vfsmnt);
>>+ break;
>>+ }
>>+ vma = vma->vm_next;
>>+ }
>>+ up_read(¤t->mm->mmap_sem);
>>+ }
>>+
>
>
> If this function was moved inside auditsc.c you could use a function there
> that does this. But the question remains why all this data?
In the ideal world would you prefer this to be removed?
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2006-09-29 18:09 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20060928180326.896170000@hp.com>
2006-09-28 18:03 ` [PATCH 1/1] NetLabel: add audit support for configuration changes paul.moore
2006-09-28 18:03 ` paul.moore
2006-09-28 19:50 ` James Morris
2006-09-28 19:50 ` James Morris
2006-09-28 20:04 ` Paul Moore
2006-09-28 20:04 ` Paul Moore
2006-09-28 20:10 ` James Morris
2006-09-28 20:10 ` James Morris
2006-09-28 21:25 ` Paul Moore
2006-09-28 21:25 ` Paul Moore
2006-09-28 21:51 ` David Miller
2006-09-29 14:08 ` Steve Grubb
2006-09-29 14:08 ` Steve Grubb
2006-09-29 14:13 ` James Morris
2006-09-29 14:13 ` James Morris
2006-09-29 15:43 ` Paul Moore
2006-09-29 15:43 ` Paul Moore
2006-09-29 18:09 ` Paul Moore [this message]
2006-09-29 18:09 ` Paul Moore
2006-09-29 18:35 ` Steve Grubb
2006-09-29 18:35 ` Steve Grubb
2006-09-29 20:28 ` Paul Moore
2006-09-29 20:28 ` Paul Moore
2006-09-29 21:33 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=451D614F.8090502@hp.com \
--to=paul.moore@hp.com \
--cc=linux-audit@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.