public inbox for linux-kernel@vger.kernel.org
From: John Johansen <john.johansen@canonical.com>
To: Eric Paris <eparis@parisplace.org>
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH 02/13] AppArmor: basic auditing infrastructure.
Date: Thu, 15 Jul 2010 09:36:46 -0700
Message-ID: <4C3F391E.5060408@canonical.com>
In-Reply-To: <AANLkTimGhmUiCMMWaDs5aV4Hg86QvQJs3ZFUSqAdlKAt@mail.gmail.com>

On 07/15/2010 08:18 AM, Eric Paris wrote:
> On Wed, Jul 14, 2010 at 8:43 PM, John Johansen
> <john.johansen@canonical.com> wrote:
>> Update lsm_audit for AppArmor specific data, and add the core routines for
>> AppArmor uses for auditing.
>>
>> Signed-off-by: John Johansen <john.johansen@canonical.com>
> 
>> + * Currently AppArmor auditing is fed straight into the audit framework.
>> + *
>> + * TODO:
>> + * convert to LSM audit
> 
> 
oops, I missed that one, it should have been removed.

>> +       if (sa->aad.profile) {
>> +               struct aa_profile *profile = sa->aad.profile;
>> +               pid_t pid;
>> +               rcu_read_lock();
>> +               pid = tsk->real_parent->pid;
>> +               rcu_read_unlock();
>> +               audit_log_format(ab, " parent=%d", pid);
>> +               audit_log_format(ab, " profile=");
>> +               if (profile->ns != root_ns) {
>> +                       audit_log_format(ab, ":");
>> +                       audit_log_untrustedstring(ab, profile->ns->base.hname);
>> +                       audit_log_format(ab, "://");
>> +               }
>> +               audit_log_untrustedstring(ab, profile->base.hname);
>> +       }
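Review bot: the profile value will not come out as the single token the key=value convention expects. audit_log_untrustedstring() emits its argument double-quoted (or hex-encoded when the string contains a quote, a control character or a non-ASCII byte), while the ":" and "://" separators are written raw through audit_log_format(), so the record reads profile=:"ns"://"name" rather than one value. Consider assembling the full name into a temporary buffer first and passing it to audit_log_untrustedstring() once, so the whole name is quoted or hex-encoded as a unit.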
> 
> what does this message look like?  I don't think it fits the nice
> key=value rules of the audit system....   Are you sure this is what
> you want?
>
it looks like
profile=:ns_name://profile_name

which could be fed straight back in as a valid profile name.  Profile names can
be expressed relative to the namespace, or absolute with the profile namespace name
prepended.  In this case relative namespace reporting is used only for the root_ns
because that is what was traditionally done.

So it is a single value following the rules.

The alternative of outputting the profile namespace name as a separate value is also valid,
and I am actually indifferent as to which way it is reported.


>> +#define COMMON_AUDIT_DATA_INIT_NONE(_d) \
>> +       do { \
>> +               memset((_d), 0, sizeof(struct common_audit_data)); \
>> +               (_d)->type = LSM_AUDIT_DATA_NONE; \
>> +       } while (0)
>> +
>> +#endif /* __AA_AUDIT_H */
> 
> Why are you redefining this?  You should just use
> COMMON_AUDIT_DATA_INIT(sa, NONE);

oops, I actually have that patch, and missed applying it to the branch; this was
originally added when COMMON_AUDIT_DATA_INIT(sa, NONE) didn't work.

thanks Eric
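As an added example (not code from this thread or from the AppArmor tree), a parser for the profile= value as described above: a bare name is relative to the root namespace, and :ns_name://profile_name is absolute. It also accepts the double-quoted and hex-encoded forms that audit_log_untrustedstring() produces for untrusted strings; ROOT_NS, the function names and the sample records are my own assumptions and constructions.

```python
import re
from typing import NamedTuple, Optional

# Assumed label for the kernel's root_ns (what a relative name is resolved
# against); a placeholder, not a value taken from the thread.
ROOT_NS = "root"

class AaProfile(NamedTuple):
    ns: str
    name: str
    absolute: bool   # True when the value was written as :ns://name

def _decode_audit_string(tok: str) -> str:
    """Undo audit's untrusted-string encoding: a double-quoted token loses
    its quotes; an unquoted hex token is decoded only if the bytes contain
    something audit would have hex-encoded (a quote, a byte below 0x21 or
    above 0x7e). Any other unquoted token is taken literally."""
    if len(tok) >= 2 and tok[0] == '"' == tok[-1]:
        return tok[1:-1]
    if len(tok) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", tok):
        raw = bytes.fromhex(tok)
        if any(b == 0x22 or b < 0x21 or b > 0x7e for b in raw):
            return raw.decode("utf-8", errors="replace")
    return tok

def parse_profile_value(value: str) -> AaProfile:
    """':ns://name' is absolute; any other form is relative to root_ns."""
    m = re.fullmatch(r":(?P<ns>[^/]+)://(?P<name>.*)", value)
    if m:
        return AaProfile(_decode_audit_string(m.group("ns")),
                         _decode_audit_string(m.group("name")), True)
    return AaProfile(ROOT_NS, _decode_audit_string(value), False)

_PROFILE_FIELD = re.compile(r"(?:^|\s)profile=(\S+)")

def profile_from_audit_line(line: str) -> Optional[AaProfile]:
    """Extract and parse the profile= field of one audit record, if present."""
    m = _PROFILE_FIELD.search(line)
    return parse_profile_value(m.group(1)) if m else None

# Constructed sample records (not real log output): absolute name with
# quoted parts, relative quoted name, the bare form shown in the thread,
# and a hex-encoded name ("/usr/bin/odd name" is hex-encoded because of
# the space).
SAMPLE_LINES = [
    'type=AVC parent=1 profile=:"child_ns"://"/usr/bin/foo" name="/etc/shadow"',
    'type=AVC parent=1 profile="/usr/bin/bar" name="/etc/shadow"',
    'type=AVC parent=1 profile=:ns_name://profile_name',
    'type=AVC parent=1 profile=2F7573722F62696E2F6F6464206E616D65',
]
```

An unquoted all-hex token such as "cafe" is inherently ambiguous; the decoder resolves it in favour of audit's hex interpretation only when the decoded bytes are ones audit would have had to encode.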
