From: Casey Schaufler
To: Steve Grubb
Cc: linux-audit@redhat.com
Subject: Adding support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS to userspace.
Date: Mon, 14 Jun 2021 12:34:33 -0700
List-Id: Linux Audit Discussion
I'm looking at the audit userspace implications of adding two new kernel audit records. AUDIT_MAC_TASK_CONTEXTS and AUDIT_MAC_OBJ_CONTEXTS are used when there are multiple security modules with a "security context" active on the system. This design has been discussed here at length. The records will look like:

    AUDIT_MAC_TASK_CONTEXTS subj_=value subj_=value ...

Looking at the audit user-space code I see several things that have me concerned. The first is the use of WITH_APPARMOR. Going forward what behavior would we want if subj_apparmor=something shows up on a system that has not got WITH_APPARMOR defined? The code is inconsistent in that it does not use WITH_SELINUX, but that's hardly a surprise given its origins. There is also no WITH_SMACK, but that's unlikely to be an issue since Smack's use of audit is very much like SELinux's.

The question is what to do about filtering when subj=foo is specified. I suggest that if any of subj_selinux, subj_smack or subj_something is "foo", it is a match. But the SELinux components of a label (level, user, ...) are also available for filtering. If someone wrote a simple Bell & LaPadula LSM filtering by some of those fields could be useful there, too.

I would like guidance on whether I ought to go the route of more extensive use of WITH_APPARMOR (and WITH_SMACK, WITH_MUMBLE) or take the path of greater generalization. Or, whether I should treat each case individually and give it my best whack.

Thank you.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
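One way to make the "greater generalization" path concrete, as an added example that is not part of the message above and not audit userspace code: a small C parser for the subj_<lsm>=value pairs of a MAC_TASK_CONTEXTS-style record, the matching rule the mail proposes (subj=foo matches when any active LSM's context is foo), an LSM-specific match, and a component match for contexts with the SELinux user:role:type:level shape. The sample record, the field names subj_selinux, subj_smack and subj_apparmor, and every function name here are assumptions for illustration; the kernel's exact record format and the audit library's real filter keys are not reproduced.

```c
/* Added example, not audit userspace code. Parses "subj_<lsm>=<ctx> ..."
 * and applies filters to the parsed contexts. Field names follow the
 * sketch in the mail and are assumed, not taken from a real kernel log. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CTX 8
#define LSM_LEN 16
#define VAL_LEN 256

struct mac_ctx {
    char lsm[LSM_LEN];   /* "selinux", "smack", "apparmor", or a future name */
    char value[VAL_LEN]; /* that LSM's context string, treated as opaque */
};

struct mac_ctxs {
    size_t n;
    struct mac_ctx ctx[MAX_CTX];
};

/* Parse the pairs. An unrecognized LSM name is kept rather than being
 * compiled out (the WITH_APPARMOR question). Returns the number of pairs
 * parsed, or -1 if the record is malformed. */
int parse_task_contexts(const char *record, struct mac_ctxs *out)
{
    const char *p = record;
    out->n = 0;
    while (*p) {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (strncmp(p, "subj_", 5) != 0) return -1;
        p += 5;
        const char *eq = strchr(p, '=');
        if (eq == NULL) return -1;
        size_t lsmlen = (size_t)(eq - p);
        const char *v = eq + 1;
        const char *end = strchr(v, ' ');
        if (end == NULL) end = v + strlen(v);
        size_t vlen = (size_t)(end - v);
        if (lsmlen == 0 || lsmlen >= LSM_LEN || vlen >= VAL_LEN || out->n >= MAX_CTX)
            return -1;
        struct mac_ctx *c = &out->ctx[out->n++];
        memcpy(c->lsm, p, lsmlen);  c->lsm[lsmlen] = '\0';
        memcpy(c->value, v, vlen);  c->value[vlen] = '\0';
        p = end;
    }
    return (int)out->n;
}

/* Generalized "subj=foo": true if any LSM's context is exactly foo. */
bool match_subj_any(const struct mac_ctxs *c, const char *wanted)
{
    for (size_t i = 0; i < c->n; i++)
        if (strcmp(c->ctx[i].value, wanted) == 0)
            return true;
    return false;
}

/* LSM-specific "subj_<lsm>=foo". An LSM absent from the record does not
 * match; its absence is not an error. */
bool match_subj_lsm(const struct mac_ctxs *c, const char *lsm, const char *wanted)
{
    for (size_t i = 0; i < c->n; i++)
        if (strcmp(c->ctx[i].lsm, lsm) == 0)
            return strcmp(c->ctx[i].value, wanted) == 0;
    return false;
}

/* Copy component idx (0=user, 1=role, 2=type, 3=level) of a context shaped
 * like an SELinux label into buf. The level is everything after the third
 * colon, because MLS ranges such as s0-s0:c0.c1023 contain ':' themselves. */
bool context_component(const char *ctx, int idx, char *buf, size_t buflen)
{
    const char *start = ctx;
    for (int i = 0; i < idx; i++) {
        const char *colon = strchr(start, ':');
        if (colon == NULL) return false;
        start = colon + 1;
    }
    const char *end = (idx < 3) ? strchr(start, ':') : NULL;
    if (end == NULL) end = start + strlen(start);
    size_t len = (size_t)(end - start);
    if (len >= buflen) return false;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return true;
}

/* Component match on one LSM's context, e.g. the type field of the selinux
 * context, or the level field of a hypothetical Bell-LaPadula LSM that
 * reuses the user:role:type:level shape. Contexts of another shape
 * (Smack's single label, for instance) simply never match. */
bool match_subj_component(const struct mac_ctxs *c, const char *lsm, int idx, const char *wanted)
{
    char buf[VAL_LEN];
    for (size_t i = 0; i < c->n; i++)
        if (strcmp(c->ctx[i].lsm, lsm) == 0)
            return context_component(c->ctx[i].value, idx, buf, sizeof buf)
                   && strcmp(buf, wanted) == 0;
    return false;
}

/* Constructed sample record, shaped after the sketch in the mail. */
static const char SAMPLE_RECORD[] =
    "subj_selinux=system_u:system_r:auditd_t:s0-s0:c0.c1023 "
    "subj_smack=_ subj_apparmor=unconfined";

int main(void)
{
    struct mac_ctxs c;
    if (parse_task_contexts(SAMPLE_RECORD, &c) < 0) {
        fprintf(stderr, "malformed record\n");
        return 1;
    }
    for (size_t i = 0; i < c.n; i++)
        printf("%s -> %s\n", c.ctx[i].lsm, c.ctx[i].value);
    printf("subj=unconfined: %d\n", match_subj_any(&c, "unconfined"));
    printf("selinux type auditd_t: %d\n", match_subj_component(&c, "selinux", 2, "auditd_t"));
    return 0;
}
```

The parser deliberately does not know the set of LSM names, so a record carrying subj_apparmor on a build without AppArmor support still parses and still takes part in the generalized subj=foo match; only the component filter needs to know what shape a given LSM's context has.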