Re: [PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits

[Paul Moore <paul@paul-moore.com>]

On Wed, May 30, 2018 at 8:17 AM, Stefan Berger
<stefanb@linux.vnet.ibm.com> wrote:
> On 05/29/2018 05:19 PM, Paul Moore wrote:
>>
>> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger
>> <stefanb@linux.vnet.ibm.com> wrote:
>>>
>>> Use the new public audit functions to add the exe= and tty=
>>> parts to the integrity audit records. We place them before
>>> res=.
>>>
>>> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
>>> Suggested-by: Steve Grubb <sgrubb@redhat.com>
>>> ---
>>>   security/integrity/integrity_audit.c | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/security/integrity/integrity_audit.c
>>> b/security/integrity/integrity_audit.c
>>> index db30763d5525..8d25d3c4dcca 100644
>>> --- a/security/integrity/integrity_audit.c
>>> +++ b/security/integrity/integrity_audit.c
>>> @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode
>>> *inode,
>>>                  audit_log_untrustedstring(ab, inode->i_sb->s_id);
>>>                  audit_log_format(ab, " ino=%lu", inode->i_ino);
>>>          }
>>> +       audit_log_d_path_exe(ab, current->mm);
>>> +       audit_log_tty(ab, current);
>>
>> NACK
>>
>> Please add the new fields to the end of the audit record, thank you.
>
> I put it there since Steve said '"res" is traditionally the last field in
> any event' (https://lkml.org/lkml/2018/5/22/539). I don't mind breaking with
> this tradition...

Unfortunately Steve and I don't see eye-to-eye on everything, and this
is perhaps one of the more prominent issues.

I'll save you several years of arguments, on and off-list, and simply
say that the "safe" option, and the only option I'm likely to ACK,
would be to add new fields at the end of existing records.  We have
made exceptions in the past, but those were pretty extreme cases.

-- 
paul moore
www.paul-moore.com