* Re: [PATCH] ima: Rename internal audit rule functions
[not found] <20200629153037.337349-1-tyhicks@linux.microsoft.com>
@ 2020-06-29 21:30 ` Mimi Zohar
2020-07-10 19:42 ` Tyler Hicks
0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2020-06-29 21:30 UTC (permalink / raw)
To: Tyler Hicks, Dmitry Kasatkin
Cc: linux-kernel, James Morris, linux-security-module, linux-audit,
linux-integrity, Serge E . Hallyn
[Cc'ing the audit mailing list]
On Mon, 2020-06-29 at 10:30 -0500, Tyler Hicks wrote:
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index ff2bf57ff0c7..5d62ee8319f4 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -419,24 +419,24 @@ static inline void ima_free_modsig(struct modsig *modsig)
> /* LSM based policy rules require audit */
> #ifdef CONFIG_IMA_LSM_RULES
>
> -#define security_filter_rule_init security_audit_rule_init
> -#define security_filter_rule_free security_audit_rule_free
> -#define security_filter_rule_match security_audit_rule_match
> +#define ima_audit_rule_init security_audit_rule_init
> +#define ima_audit_rule_free security_audit_rule_free
> +#define ima_audit_rule_match security_audit_rule_match
Instead of defining an entirely new method of identifying files, IMA
piggybacks on top of the existing audit rule syntax. IMA policy rules
"filter" based on this information.
IMA already audits security/integrity related events. Using the word
"audit" here will make things even more confusing than they currently
are. Renaming these functions as ima_audit_rule_XXX provides no
benefit. At that point, IMA might as well call the
security_audit_rule prefixed function names directly. As a quick fix,
rename them as "ima_filter_rule".
The correct solution would probably be to rename these prefixed
"security_audit_rule" functions as "security_filter_rule", so that
both the audit subsystem and IMA could use them.
Mimi
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] ima: Rename internal audit rule functions
2020-06-29 21:30 ` [PATCH] ima: Rename internal audit rule functions Mimi Zohar
@ 2020-07-10 19:42 ` Tyler Hicks
2020-07-16 14:23 ` Mimi Zohar
0 siblings, 1 reply; 3+ messages in thread
From: Tyler Hicks @ 2020-07-10 19:42 UTC (permalink / raw)
To: Mimi Zohar
Cc: Dmitry Kasatkin, James Morris, linux-kernel,
linux-security-module, linux-audit, linux-integrity,
Serge E . Hallyn
On 2020-06-29 17:30:03, Mimi Zohar wrote:
> [Cc'ing the audit mailing list]
>
> On Mon, 2020-06-29 at 10:30 -0500, Tyler Hicks wrote:
> >
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index ff2bf57ff0c7..5d62ee8319f4 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/ima/ima.h
> > @@ -419,24 +419,24 @@ static inline void ima_free_modsig(struct modsig *modsig)
> > /* LSM based policy rules require audit */
> > #ifdef CONFIG_IMA_LSM_RULES
> >
> > -#define security_filter_rule_init security_audit_rule_init
> > -#define security_filter_rule_free security_audit_rule_free
> > -#define security_filter_rule_match security_audit_rule_match
> > +#define ima_audit_rule_init security_audit_rule_init
> > +#define ima_audit_rule_free security_audit_rule_free
> > +#define ima_audit_rule_match security_audit_rule_match
>
> Instead of defining an entirely new method of identifying files, IMA
> piggybacks on top of the existing audit rule syntax. IMA policy rules
> "filter" based on this information.
>
> IMA already audits security/integrity related events. Using the word
> "audit" here will make things even more confusing than they currently
> are. Renaming these functions as ima_audit_rule_XXX provides no
> benefit. At that point, IMA might as well call the
> security_audit_rule prefixed function names directly. As a quick fix,
> rename them as "ima_filter_rule".
>
> The correct solution would probably be to rename these prefixed
> "security_audit_rule" functions as "security_filter_rule", so that
> both the audit subsystem and IMA could use them.
There doesn't seem to be any interest, from the audit side, in re-using
these. I don't quite understand why they would want to use them since
they're just simple wrappers around the security_audit_rule_*()
functions.
I'll go the "quick fix" route of renaming them as ima_filter_rule_*().
Tyler
>
> Mimi
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] ima: Rename internal audit rule functions
2020-07-10 19:42 ` Tyler Hicks
@ 2020-07-16 14:23 ` Mimi Zohar
0 siblings, 0 replies; 3+ messages in thread
From: Mimi Zohar @ 2020-07-16 14:23 UTC (permalink / raw)
To: Tyler Hicks
Cc: Dmitry Kasatkin, James Morris, linux-kernel,
linux-security-module, linux-audit, linux-integrity,
Serge E . Hallyn
On Fri, 2020-07-10 at 14:42 -0500, Tyler Hicks wrote:
> On 2020-06-29 17:30:03, Mimi Zohar wrote:
> > [Cc'ing the audit mailing list]
> >
> > On Mon, 2020-06-29 at 10:30 -0500, Tyler Hicks wrote:
> > >
> > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > > index ff2bf57ff0c7..5d62ee8319f4 100644
> > > --- a/security/integrity/ima/ima.h
> > > +++ b/security/integrity/ima/ima.h
> > > @@ -419,24 +419,24 @@ static inline void ima_free_modsig(struct modsig *modsig)
> > > /* LSM based policy rules require audit */
> > > #ifdef CONFIG_IMA_LSM_RULES
> > >
> > > -#define security_filter_rule_init security_audit_rule_init
> > > -#define security_filter_rule_free security_audit_rule_free
> > > -#define security_filter_rule_match security_audit_rule_match
> > > +#define ima_audit_rule_init security_audit_rule_init
> > > +#define ima_audit_rule_free security_audit_rule_free
> > > +#define ima_audit_rule_match security_audit_rule_match
> >
> > Instead of defining an entirely new method of identifying files, IMA
> > piggybacks on top of the existing audit rule syntax. IMA policy rules
> > "filter" based on this information.
> >
> > IMA already audits security/integrity related events. Using the word
> > "audit" here will make things even more confusing than they currently
> > are. Renaming these functions as ima_audit_rule_XXX provides no
> > benefit. At that point, IMA might as well call the
> > security_audit_rule prefixed function names directly. As a quick fix,
> > rename them as "ima_filter_rule".
> >
> > The correct solution would probably be to rename these prefixed
> > "security_audit_rule" functions as "security_filter_rule", so that
> > both the audit subsystem and IMA could use them.
>
> There doesn't seem to be any interest, from the audit side, in re-using
> these. I don't quite understand why they would want to use them since
> they're just simple wrappers around the security_audit_rule_*()
> functions.
The security_filter_rule_* wasn't meant to be in addition, but as a
replacement for security_audit_rule_*
>
> I'll go the "quick fix" route of renaming them as ima_filter_rule_*().
That's fine.
Mimi
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-07-16 14:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20200629153037.337349-1-tyhicks@linux.microsoft.com>
2020-06-29 21:30 ` [PATCH] ima: Rename internal audit rule functions Mimi Zohar
2020-07-10 19:42 ` Tyler Hicks
2020-07-16 14:23 ` Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).