From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH v4 3/5] ima: differentiate auditing policy rules from "audit" actions
Date: Wed, 16 May 2018 17:40:31 -0400 [thread overview]
Message-ID: <1526506831.3254.13.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <2496f165-67f7-304d-08a0-ea8eedd3c3d4@linux.vnet.ibm.com>
On Wed, 2018-05-16 at 16:28 -0400, Stefan Berger wrote:
> On 05/15/2018 09:40 AM, Mimi Zohar wrote:
> > Hi Stefan,
> >
> > On Fri, 2018-05-11 at 10:42 -0400, Stefan Berger wrote:
> >> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >>
> >> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
> >> the IMA "audit" policy action. This patch defines AUDIT_INTEGRITY_POLICY
> >> to reflect the IMA policy rules.
> >>
> >> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> > We do need to separate out auditing the IMA policy rules from the
> > "IMA-audit" messages. ?Based on the IMA policy rule aspect of the
> > discussions [1], ?I would really appreciate if you could work with
> > Richard and Steve on the new IMA policy rule audit format.
> Is your patch below still valid for splitting it up into 'two distinct
> audit record types' ?
We need to separate the IMA policy audit rules from the IMA-audit
messages. ?As we're changing the audit numbers, we need to take into
account Richard's and Steve's comments about the IMA policy record
format at the same time.
This patch is incomplete and needs to address their comments.
Mimi
> >
> > This change can be upstreamed independently of either the IMA
> > namespacing or the audit containerid patch sets. ?The sooner we make
> > this change and upstream it, the better.
> >
> > [1]?https://www.redhat.com/archives/linux-audit/2018-March/msg00092.html
> >
> > thanks,
> >
> > Mimi
> >
> >> ---
> >> include/uapi/linux/audit.h | 3 ++-
> >> security/integrity/ima/ima_policy.c | 2 +-
> >> 2 files changed, 3 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> >> index 4e61a9e05132..8966e7ff1c4c 100644
> >> --- a/include/uapi/linux/audit.h
> >> +++ b/include/uapi/linux/audit.h
> >> @@ -146,7 +146,8 @@
> >> #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
> >> #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
> >> #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
> >> -#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
> >> +#define AUDIT_INTEGRITY_RULE 1805 /* IMA "audit" action policy msgs */
> >> +#define AUDIT_INTEGRITY_POLICY 1806 /* IMA policy rules */
> >>
> >> #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
> >>
> >> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> >> index 915f5572c6ff..3a1412db02a3 100644
> >> --- a/security/integrity/ima/ima_policy.c
> >> +++ b/security/integrity/ima/ima_policy.c
> >> @@ -619,7 +619,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> >> bool uid_token;
> >> int result = 0;
> >>
> >> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
> >> + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_POLICY);
> >>
> >> entry->uid = INVALID_UID;
> >> entry->fowner = INVALID_UID;
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-05-16 21:40 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-11 14:42 [RFC PATCH v4 0/5] ima: Namespacing IMA Stefan Berger
2018-05-11 14:42 ` [RFC PATCH v4 1/5] ima: Add IMA namespace support Stefan Berger
2018-05-11 14:42 ` [RFC PATCH v4 2/5] ima: Add ns_status for storing namespaced iint data Stefan Berger
2018-05-11 14:42 ` [RFC PATCH v4 3/5] ima: differentiate auditing policy rules from "audit" actions Stefan Berger
2018-05-15 13:40 ` Mimi Zohar
2018-05-16 20:28 ` Stefan Berger
2018-05-16 21:40 ` Mimi Zohar [this message]
2018-05-11 14:42 ` [RFC PATCH v4 4/5] ima: extend IMA audit policy rules with attribute to audit namespaces Stefan Berger
2018-05-11 14:42 ` [RFC PATCH v4 5/5] ima: namespace audit status flags Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1526506831.3254.13.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).