linux-doc.vger.kernel.org archive mirror
From: Jasjiv Singh <jasjivsingh@linux.microsoft.com>
To: corbet@lwn.net, jmorris@namei.org, serge@hallyn.com,
	eparis@redhat.com, paul@paul-moore.com
Cc: linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org,
	audit@vger.kernel.org, linux-kernel@vger.kernel.org,
	Jasjiv Singh <jasjivsingh@linux.microsoft.com>
Subject: [PATCH v4 0/1] ipe: add errno field to IPE policy load auditing
Date: Fri,  7 Mar 2025 14:03:54 -0800
Message-ID: <1741385035-22090-1-git-send-email-jasjivsingh@linux.microsoft.com>

Hello,

When deployment of a new IPE policy fails, there is no audit trail.
The failure is written to stderr, but not to the system log. So,
users of IPE require a way to identify when and why an operation fails,
allowing them to both respond to violations of policy and be notified
of potentially malicious actions on their systems with respect to IPE.

Previous Postings
-----------------
v3: https://lore.kernel.org/linux-security-module/1740784265-19829-1-git-send-email-jasjivsingh@linux.microsoft.com/
v2: https://lore.kernel.org/linux-security-module/1740696377-3986-1-git-send-email-jasjivsingh@linux.microsoft.com/
v1: https://lore.kernel.org/linux-security-module/1739569319-22015-1-git-send-email-jasjivsingh@linux.microsoft.com/

Changelog
---------

v4:
* added a separate errno table to IPE AUDIT_IPE_POLICY_LOAD documentation.
* fixed error code handling that happens when memdup_user_nul is called
  in new_policy() and update_policy().
* added additional errno documentation to new_policy(), update_policy(),
  ipe_new_policy() and ipe_update_policy().
* added ENOKEY and EKEYREJECTED to IPE errno table documentation.

v3:
* used ERR_PTR(rc) directly rather than assigning to struct ipe_policy.
* removed unnecessary var from update_policy().
* removed unnecessary error handling from update_policy().

v2:
* added additional IPE audit log information to commit to show the errno case.
* changed log format from AUDIT_POLICY_LOAD_NULL_FMT to
  AUDIT_POLICY_LOAD_FAIL_FMT.
* removed unnecessary res var from ipe_audit_policy_load().
* handled security fs failure case in new_policy() and update_policy().
* handled insufficient failure case in new_policy() and update_policy().

Jasjiv Singh (1):
  ipe: add errno field to IPE policy load auditing

 Documentation/admin-guide/LSM/ipe.rst | 69 +++++++++++++++++++--------
 security/ipe/audit.c                  | 21 ++++++--
 security/ipe/fs.c                     | 19 ++++++--
 security/ipe/policy.c                 | 11 ++++-
 security/ipe/policy_fs.c              | 29 ++++++++---
 5 files changed, 111 insertions(+), 38 deletions(-)

-- 
2.34.1


Thread overview: 4+ messages
2025-03-07 22:03 Jasjiv Singh [this message]
2025-03-07 22:03 ` [RFC PATCH v4 1/1] ipe: add errno field to IPE policy load auditing Jasjiv Singh
2025-03-10 20:40   ` Fan Wu
2025-03-11 22:10   ` [PATCH RFC " Paul Moore
