Subject: Re: [PATCH v28 22/25] Audit: Add record for multiple process LSM attributes
From: Casey Schaufler
To: Paul Moore
Cc: john.johansen@canonical.com, selinux@vger.kernel.org, James Morris, linux-security-module@vger.kernel.org, linux-audit@redhat.com, casey.schaufler@intel.com, Stephen Smalley
Date: Wed, 18 Aug 2021 14:59:31 -0700
Message-ID: <062ba5f9-e4e8-31f4-7815-826f44b35654@schaufler-ca.com>

On 8/16/2021 11:57 AM, Paul Moore wrote:
> On Fri, Aug 13, 2021 at 5:47 PM Casey Schaufler wrote:
>> On 8/13/2021 1:43 PM, Paul Moore wrote:

...

> Yeah, the thought occurred to me, but we are clearly already in the
> maybe-the-assumptions-are-wrong stage so I'm not going to rely on that
> being 100%.  We definitely need to track this down before we start
> making too many more guesses about what is working and what is not.

I've been tracking down where the audit context isn't set where
we'd expect it to be. I've identified 5 cases:

	1000 AUDIT_GET		- Get Status
	1001 AUDIT_SET		- Set status enable/disable/auditd
	1010 AUDIT_SIGNAL_INFO
	1130 AUDIT_SERVICE_START
	1131 AUDIT_SERVICE_STOP

These are all events that relate to the audit system itself.
It seems plausible that these really aren't syscalls and hence
shouldn't be expected to have an audit_context. I will create a
patch that treats these as the special cases I believe them to be.