linux-audit.redhat.com archive mirror
 help / color / mirror / Atom feed
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: audit@vger.kernel.org,
	linux-security-module <linux-security-module@vger.kernel.org>,
	linux-audit@redhat.com,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH] audit: add task history record
Date: Tue, 22 Aug 2023 07:23:16 +0900	[thread overview]
Message-ID: <5db92f8f-44c6-b6da-edeb-d7edf86d7ad3@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <20230821160446.GA1317178@mail.hallyn.com>

On 2023/08/22 1:04, Serge E. Hallyn wrote:
> On Sat, Aug 19, 2023 at 04:09:46PM +0900, Tetsuo Handa wrote:
>> Anyway, enabling TOMOYO in Fedora/RHEL kernels won't solve the problem
>> this patch is trying to solve, for TOMOYO cannot utilize TOMOYO's process
>> history information because LSM hook for sending signals does not allow
>> TOMOYO to sleep...
> 
> Hang on a tick - I think perhaps you should have led with this.  The
> main argument against this has been (iiuc) that it is a subset of
> tomoyo functionality.  In that case, I'm on the fence about whether it
> should be included.
> 
> But here you say that tomoyo cannot do this.  If that's the case, and
> this is simply completely new functionality, that changes things.

This information is duplicated upon fork() and updated upon execve().
That is how TOMOYO defines TOMOYO's process history information.
Therefore, I'm saying "TOMOYO-like task history information".
But this information provided by this patch is different from TOMOYO's
process history information provided by TOMOYO in two ways.

One is that TOMOYO embeds pathname of a program passed to execve() into
TOMOYO's task history information because it is used for describing access
control rules, whereas this patch embeds comm name and pid and time of execve()
into task history information because it is used for helping administrators
understand system events.

The other is that TOMOYO can check and generate logs with TOMOYO's task history
information for only operations that can sleep (e.g. open()/execve()), whereas
this patch can check and generate logs with task history information for both
sleepable (e.g. open()/execve()) and non-sleepable (e.g. kill()) operations.

Since one of use cases of this task history information is to identify who sent
a signal that caused an unexpected process termination, TOMOYO cannot be do it.

Also, system calls are not the only source of sending signals. There are signals
delivered without security checks via LSM modules. In that case, inserting a
SystemTap script helps catching such signals. But SystemTap scripts are loaded
too late to emulate task history information from boot.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


  reply	other threads:[~2023-08-21 22:25 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-11 10:58 [PATCH] audit: add task history record Tetsuo Handa
2023-08-11 17:50 ` Richard Guy Briggs
2023-08-12 10:08   ` Tetsuo Handa
2023-08-15 18:44 ` Paul Moore
2023-08-16 10:10   ` Tetsuo Handa
2023-08-16 13:53     ` Paul Moore
2023-08-18 10:29       ` Tetsuo Handa
2023-08-18 14:59         ` Paul Moore
2023-08-19  7:09           ` Tetsuo Handa
2023-08-21 16:04             ` Serge E. Hallyn
2023-08-21 22:23               ` Tetsuo Handa [this message]
2023-08-21 16:35             ` Paul Moore
2023-08-23 14:18               ` Tetsuo Handa
2023-08-23 14:48                 ` Paul Moore
2023-08-24 13:21                   ` Tetsuo Handa
2023-08-24 13:30                     ` Paul Moore
2023-08-24 13:39                       ` Tetsuo Handa
2023-08-24 13:47                         ` Tetsuo Handa
2023-08-24 14:26                           ` Paul Moore
2023-08-24 22:24                             ` Tetsuo Handa
2023-08-25  3:36                               ` Paul Moore
2023-08-26  6:38                                 ` Tetsuo Handa
2023-08-26 14:47                                   ` Paul Moore
2023-08-24 14:24                         ` Paul Moore
2023-08-24 15:55                       ` Steve Grubb
2023-08-24 17:02                         ` Paul Moore
2023-08-22 16:29       ` Steve Grubb
2023-08-22 17:58         ` Paul Moore
2023-08-21 17:29 ` Serge Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5db92f8f-44c6-b6da-edeb-d7edf86d7ad3@I-love.SAKURA.ne.jp \
    --to=penguin-kernel@i-love.sakura.ne.jp \
    --cc=audit@vger.kernel.org \
    --cc=linux-audit@redhat.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).