From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qt1-f180.google.com (mail-qt1-f180.google.com [209.85.160.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5399C12BF24 for ; Wed, 15 Jan 2025 23:53:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.180 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736985190; cv=none; b=NX0bJT+YeVFkUtAHvzdq3wVv0x+jLRZvv8muWvGM48Xhpi3OvgBZUKcsjNsJWwoxRMzXCangcFm4IEhSNPuRQiqqsENcWSQDo9/8E6OHVPHWLm+wPqZs7lDEOG47Gw9JtHdn/mvN212cpmneDhonAdZTx//24oy9Tp7X09qLUeA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736985190; c=relaxed/simple; bh=VD4HZMMruEXK3cWYgeMKyhT73yPU3eGiPRX9oJ6qcNA=; h=Date:Message-ID:MIME-Version:Content-Type:From:To:Cc:Subject: References:In-Reply-To; b=O8C5Ww2bPHMo/KQUUK5bnCrSvUwNqb1Fc01vTyCW48mXkSzqtq3kn/Ch6cGkjIJyNoGYqCHjpfIHGcxndcMFygfxYUBwyVJl3b1AJE0hozR9DMmWMLTfuzm+1T4f87/Gg0tHaNyLdkWnpBwGFK28IH4o5lkK0wW3s1oox6UK7HY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com; spf=pass smtp.mailfrom=paul-moore.com; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b=bncMIhVU; arc=none smtp.client-ip=209.85.160.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="bncMIhVU" Received: by mail-qt1-f180.google.com with SMTP id d75a77b69052e-467a6ecaa54so3850841cf.0 for ; Wed, 15 Jan 2025 15:53:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1736985187; x=1737589987; darn=vger.kernel.org; h=in-reply-to:references:subject:cc:to:from:content-transfer-encoding :mime-version:message-id:date:from:to:cc:subject:date:message-id :reply-to; bh=5X1Qgkk1oWMSBXVfaHGiDjtsWRKN/BWSKCTADzfhM94=; b=bncMIhVUKzOSxKC3Mq63MHv1s+59LuyJiIjKQqLJeREW1mQi59S+Ssj1+laDdk6LtD IJmCmoObbyNDwpjLejpAYcTX1u+3LwCrB49RjV+pYsaErMWq8bkA4Ad8WVIhks9eJlge OTRWGUmu/MoVzcFCjhe7sqnZkutgAfUqlKGqfMKjud2jaX48V6IO8YAwnpG+QbwQ83Xo NxT5Vq3COMwU+7ubVSJunpg9DosFezpwuYPQVJMC39VnGb4QgLAoJodCcKgGNk9jTNAO h5bgPuiVrUiJmYN9dM/Ho0GTNeuJJeCmG7LwAJNjNKRBbDOpII7j3sXYBHFHVQdXgKXn 9HHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736985187; x=1737589987; h=in-reply-to:references:subject:cc:to:from:content-transfer-encoding :mime-version:message-id:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=5X1Qgkk1oWMSBXVfaHGiDjtsWRKN/BWSKCTADzfhM94=; b=lbooAW5nXV1JA+euKTYg6OzYy6PbS81BnKPTKr+Ntaq+iVQM7f+J6pTzkRuPW6U71M R6H+2iwKv3ISrI0nMviOu2vqACR89vpKiTDhZKcyeJyWpQWz9iGFqbxM0GmtglSVoIAR LCwnynEH9rckfsPBm5nSNrpg4NaZfEXj6kRHOi3coRJYGdwKAk6X9oNS3NCOxAA9qQZW SuKXKlpFJa9YpAktrovSnRCFnGOGzOh4SrgSjhgq11sb7cl5yaoNhjXQGOEV57e81wMo jqSWAkulMcx/6+LIusI8rFSrwMh+wjH9e3ZBJelUNJWEQdd1xwAXPC2QksgGPPwuNnhR y7/Q== X-Forwarded-Encrypted: i=1; AJvYcCUowgEfAknrpunS1sGOEc4nvRODYJ3xAZPU6EWnzKTUKc+9Um1gB1lgwNIvR4h8i65wqzx1cw==@vger.kernel.org X-Gm-Message-State: AOJu0YwdqeK4MBUbunLuyB5emW7AtBhkvDK5TEX6UU0S6GTOrcDG7S2j qtuLCXlIPnxhb4fuu+91dAJ7+fudvmYVs1cjyMx3ZRrSXjCNxs2SmTl/5Om5Xw== X-Gm-Gg: ASbGncttu0Xb9SBfmWlDFlK2uP/XfhU9eYX168r0HoOuSppg4QYKdB9uQdft9X6FYCN k/TWnTfd0KXSs3WdSPJwV/yn8Oocagf7BeKvoldqqkT/1NqcvhZVHp2p+vuoYqS53OgO9kIeU6T Td3kpebJg4b4pDVH8NdnLrsHlWtCSlNIshBf2+MzIwSQ6KfKQB75rZpj6A/h0eHY6jEgmm5R39o qgU9K02k85QnNMBK4BFUhh9SEAacBSRyjpHOt0Jg0qCsJKYE0c= X-Google-Smtp-Source: AGHT+IGIHtyRoNutItU5LCDTdU6jNgI0Qs73ZHfm/NG1vsDq/TQ3ibefz9r6vrtgc2RPzEV1qHCiHg== X-Received: by 2002:a05:622a:15c9:b0:467:6e88:4548 with SMTP id d75a77b69052e-46c7108c109mr550006181cf.39.1736985187203; Wed, 15 Jan 2025 15:53:07 -0800 (PST) Received: from localhost ([70.22.175.108]) by smtp.gmail.com with UTF8SMTPSA id d75a77b69052e-46c873dd754sm69938751cf.69.2025.01.15.15.53.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jan 2025 15:53:06 -0800 (PST) Date: Wed, 15 Jan 2025 18:53:06 -0500 Message-ID: <081bd4a2a44a80e046662667e0aeb309@paul-moore.com> Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Mailer: pstg-pwork:20250115_1512/pstg-lib:20250114_2216/pstg-pwork:20250115_1512 From: Paul Moore To: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Eric Paris , =?UTF-8?q?G=C3=BCnther=20Noack?= , "Serge E . Hallyn" Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v4 8/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials References: <20250108154338.1129069-9-mic@digikod.net> In-Reply-To: <20250108154338.1129069-9-mic@digikod.net> On Jan 8, 2025 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= wrote: > > Add a new AUDIT_LANDLOCK_DENY record type dedicated to any Landlock > denials. ... > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 75e21a135483..60c909c396c0 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -33,7 +33,7 @@ > * 1100 - 1199 user space trusted application messages > * 1200 - 1299 messages internal to the audit daemon > * 1300 - 1399 audit event messages > - * 1400 - 1499 SE Linux use > + * 1400 - 1499 access control messages > * 1500 - 1599 kernel LSPP events > * 1600 - 1699 kernel crypto events > * 1700 - 1799 kernel anomaly records > @@ -146,6 +146,7 @@ > #define AUDIT_IPE_ACCESS 1420 /* IPE denial or grant */ > #define AUDIT_IPE_CONFIG_CHANGE 1421 /* IPE config change */ > #define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */ > +#define AUDIT_LANDLOCK_DENY 1423 /* Landlock denial */ I didn't have an opportunity to respond to your reply to my v3 comments before you posted v4, but I see you've decided to stick with _DENY as opposed to _ACCESS (or something similar). Let me copy your reply below so I can respond appropriately ... > A stronger type with the "denied" semantic makes more sense to me, > especially for Landlock which is unprivileged, and it makes it clear > that it should only impact performance and log size (i.e. audit log > creation) for denied actions. This is not consistent with how audit is typically used. Please convert to AUDIT_LANDLOCK_ACCESS, or something similar. > The next patch > series will also contain a new kind of audit rule to specifically > identify the origin of the policy that created this denied event, which > should make more sense. Generally speaking audit only wants to support a small number of message types dedicated to a specific LSM. If you're aware of additional message types that you plan to propose in a future patchset, it's probably a time to discuss those now. > Because of its unprivileged nature, Landlock will never log granted > accesses by default. In the future, we might want a permissive-like > mode for Landlock, but this will be optional, and I would also strongly > prefer to add new audit record types for new semantics. Once again, this isn't consistent with how audit is typically used and I'm not seeing a compelling reason to rework how things are done. Please stick with encoding the success/failure, accept/reject, etc. states in audit record fields, not the message types themselves. -- paul-moore.com