From: Greg KH <gregkh@linuxfoundation.org>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-audit@redhat.com, wmealing <wmealing@redhat.com>,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
Subject: Re: [RFC] Create an audit record of USB specific details
Date: Mon, 4 Apr 2016 20:39:05 -0700 [thread overview]
Message-ID: <20160405033905.GA14854@kroah.com> (raw)
In-Reply-To: <153e4582800.2832.85c95baa4474aabc7814e68940a78392@paul-moore.com>
On Mon, Apr 04, 2016 at 10:54:56PM -0400, Paul Moore wrote:
> On April 4, 2016 6:17:23 PM Greg KH <gregkh@linuxfoundation.org> wrote:
> > On Mon, Apr 04, 2016 at 05:37:58PM -0400, Paul Moore wrote:
> > > On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> > > > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > > > > From: Wade Mealing <wmealing@redhat.com>
> > > > >
> > > > > Gday,
> > > > >
> > > > > I'm looking to create an audit trail for when devices are added or removed
> > > > > from the system.
> > > >
> > > > Then please do it in userspace, as I suggested before, that way you
> > > > catch all types of devices, not just USB ones.
> > >
> > > Audit has some odd requirements placed on it by some of its users. I think
> > > most notable in this particular case is the need to take specific actions,
> > > including panicking the system, when audit records can't be sent to userspace
> > > and are "lost". Granted, it's an odd requirement, definitely not the
> > > norm/default configuration, but supporting weird stuff like this has allowed
> > > Linux to be used on some pretty interesting systems that wouldn't have been
> > > possible otherwise. Looking quickly at some of the kobject/uvent code, it
> > > doesn't appear that the uevent/netlink channel has this capability.
> >
> > Are you sure you can loose netlink messages? If you do, you know you
> > lost them, so isn't that good enough?
>
> Last I checked netlink didn't have a provision for panicking the system, so
> no :)
Userspace can panic the system if it detects this, so why not just do
that?
> > > It also just noticed that it looks like userspace can send fake uevent
> > > messages;
> >
> > That's how your machine boots properly :)
>
> Yes, it looks like that is how the initial devices are handled, right?
> Allowing something like that is probably okay for a variety of reasons, but
> I expect users would want to restrict access beyond this single trusted
> process. The good news is that I think you should be able to do that with a
> combination of DAC and MAC.
Again, please step back. What exactly are you trying to do here? What
is the requirement?
> > > I haven't looked at it closely enough yet, but that may be a concern
> > > for users which restrict/subdivide root using a LSM ... although it is
> > > possible that the LSM policy could help here. I'm thinking aloud a bit right
> > > now, but for SELinux the netlink controls aren't very granular and sysfs can
> > > be tricky so I can't say for certain about blocking fake events from userspace
> > > using LSMs/SELinux.
> >
> > uevents are not tied into LSMs from what I can tell, so I don't
> > understand wht you are talking about here, sorry.
>
> Perhaps I'm mistaken, but uevents are sent to userspace via netlink which
> does have LSM controls. There also appears to be a file I/O mechanism via
> sysfs which also has LSM controls.
And do any of them look at uevents through these mechanisms?
I doubt they care...
thanks,
greg k-h
next prev parent reply other threads:[~2016-04-05 3:39 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-04 4:02 [RFC] Create an audit record of USB specific details wmealing
2016-04-04 6:48 ` Oliver Neukum
2016-04-04 7:47 ` Bjørn Mork
2016-04-05 8:40 ` Wade Mealing
2016-04-05 11:49 ` EXT :Re: " Boyce, Kevin P (AS)
2016-04-05 13:46 ` Greg KH
2016-04-05 13:52 ` Boyce, Kevin P (AS)
2016-04-05 15:35 ` Greg KH
2016-04-05 14:40 ` Alan Stern
2016-04-05 22:17 ` Wade Mealing
2016-04-05 17:02 ` Oliver Neukum
2016-04-05 19:38 ` Steve Grubb
2016-04-05 22:18 ` Greg KH
2016-04-04 12:56 ` Greg KH
2016-04-04 21:33 ` Steve Grubb
2016-04-04 21:48 ` Greg KH
2016-04-04 21:53 ` Greg KH
2016-04-05 13:07 ` Burn Alting
2016-04-05 13:44 ` Greg KH
2016-04-05 14:08 ` Burn Alting
2016-04-05 14:20 ` EXT :Re: " Boyce, Kevin P (AS)
2016-04-05 14:37 ` Burn Alting
2016-04-05 14:42 ` Boyce, Kevin P (AS)
2016-04-05 22:39 ` Burn Alting
2016-04-04 21:37 ` Paul Moore
2016-04-04 21:50 ` Greg KH
2016-04-05 2:54 ` Paul Moore
2016-04-05 3:39 ` Greg KH [this message]
2016-04-05 14:50 ` Paul Moore
2016-04-04 21:37 ` Steve Grubb
2016-04-04 21:54 ` Greg KH
[not found] ` <CALJHwhR-SA7K=fD=DUXE7EFq+4gWKPaY+B5z6jdCj7180wg_vg@mail.gmail.com>
2016-04-05 1:54 ` Wade Mealing
2016-04-05 2:43 ` Greg KH
2016-04-05 2:47 ` Greg KH
2016-04-04 22:10 ` Burn Alting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160405033905.GA14854@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=wmealing@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox