From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Richard Guy Briggs <rgb@redhat.com>,
"linux-audit@redhat.com" <linux-audit@redhat.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>
Subject: Re: Preferred subj= with multiple LSMs
Date: Tue, 16 Jul 2019 14:06:27 -0400 [thread overview]
Message-ID: <2477603.130G60v5SE@x2> (raw)
In-Reply-To: <CAHC9VhSTwvueKcK2yhckwayh9YGou7gt2Gny36DOTaNkrck+Mg@mail.gmail.com>
On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote:
> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler <casey@schaufler-ca.com>
wrote:
> > On 7/16/2019 10:12 AM, Paul Moore wrote:
> > > On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > >> On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
> > >>> On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler
> > >>> <casey@schaufler-ca.com>
> > >>
> > >> wrote:
> > >>>> On 7/15/2019 12:04 PM, Richard Guy Briggs wrote:
> > >>>>> On 2019-07-13 11:08, Steve Grubb wrote:
> > > ...
> > >
> > >>>>> Steve's answer is the obvious one, ideally allocating a seperate
> > >>>>> range
> > >>>>> to each LSM with each message type having its own well defined
> > >>>>> format.
> > >>>>
> > >>>> It doesn't address the issue of success records, or records
> > >>>> generated outside the security modules.
> > >>>
> > >>> Yes, exactly. The individual LSM will presumably will continue to
> > >>> generate their own audit records as they do today and I would imagine
> > >>> that the subject and object fields could remain as they do today for
> > >>> the LSM specific records.
> > >>>
> > >>> The trick is the other records which are not LSM specific but still
> > >>> want to include subject and/or object information. Unfortunately we
> > >>> are stuck with some tough limitations given the current audit record
> > >>> format and Steve's audit userspace tools;
> > >>
> > >> Not really. We just need to approach the problem thinking about how to
> > >> make it work based on how things currently work.
> > >
> > > I suppose it is all somewhat "subjective" - bad joke fully intended :)
> > > - with respect to what one considers good/bad/limiting. My personal
> > > view is that an ideal solution would allow for multiple independent
> > > subj/obj labels without having to multiplex on a single subj/obj
> > > field. My gut feeling is that this would confuse your tools, yes?
> > >
> > >> For example Casey had a list of possible formats. Like this one:
> > >>
> > >> Option 3:
> > >> lsms=selinux,apparmor subj=x:y:z:s:c subj=a
> > >>
> > >> I'd suggest something almost like that. The first field could be a map
> > >> to
> > >> decipher the labels. Then we could have a comma separated list of
> > >> labels.
> > >>
> > >> lsms=selinux,apparmor subj=x:y:z:s:c,a
> > >
> > > Some quick comments:
> > >
> > > * My usual reminder that new fields for existing audit records must be
> > > added to the end of the record.
> > >
> > > * If we are going to multiplex the labels on a single field (more on
> > > that below) I might suggest using "subj_lsms" instead of "lsms" so we
> > > leave ourself some wiggle room in the future.
> > >
> > > * Multiplexing on a single "subj" field is going to be difficult
> > > because picking the label delimiter is going to be a pain. For
> > > example, in the example above a comma is used, which at the very least
> > > is a valid part of a SELinux label and I suspect for Smack as well
> > > (I'm not sure about the other LSMs). I suspect the only way to parse
> > > out the component labels would be to have knowledge of the LSMs in
> > > use, as well as the policies loaded at the time the audit record was
> > > generated.
> > >
> > > This may be a faulty assumption, but assuming your tools will fall
> > > over if they see multiple "subj" fields, could we do something like
> > >
> > > the following (something between option #2 and #3):
> > > subj1_lsm=smack subj1=<smack_label> subj2_lsm=selinux
> > >
> > > subj2=<selinux_label> ...
> >
> > If it's not a subj= field why use the indirection?
> >
> > subj_smack=<smack_label> subj_selinux=<selinux_label>
> >
> > would be easier.
>
> Good point, that looks reasonable to me.
But doing something like this will totally break all parsers. To be honest, I
don't know if I'll ever see more than one labeled security system running at
the same time. And this would be a big penalty to pay for the flexibility that
someone, somewhere just might possibly do this.
-Steve
next prev parent reply other threads:[~2019-07-16 18:06 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-12 16:33 Preferred subj= with multiple LSMs Casey Schaufler
[not found] ` <c46932ec-e38e-ba15-7ceb-70e0fe0ef5dc@schaufler-ca.com>
2019-07-13 15:08 ` Steve Grubb
2019-07-15 19:04 ` Richard Guy Briggs
[not found] ` <1979804.kRvuSoDnao@x2>
[not found] ` <2802ddee-b621-c2eb-9ff3-ea15c4f19d0c@schaufler-ca.com>
[not found] ` <3577098.oGDFHdoSSQ@x2>
2019-07-16 17:16 ` Casey Schaufler
[not found] ` <CAHC9VhSELVZN8feH56zsANqoHu16mPMD04Ww60W=r6tWs+8WnQ@mail.gmail.com>
2019-07-16 17:29 ` Casey Schaufler
2019-07-16 17:43 ` Paul Moore
2019-07-16 17:58 ` Casey Schaufler
2019-07-16 18:06 ` Steve Grubb [this message]
2019-07-16 18:41 ` Casey Schaufler
2019-07-16 21:25 ` Paul Moore
2019-07-16 21:46 ` Steve Grubb
2019-07-16 22:18 ` Casey Schaufler
2019-07-16 23:13 ` Paul Moore
2019-07-16 23:47 ` Casey Schaufler
2019-07-17 12:14 ` Paul Moore
2019-07-17 15:49 ` Casey Schaufler
2019-07-17 16:23 ` Paul Moore
2019-07-17 23:02 ` Casey Schaufler
2019-07-18 13:10 ` Simon McVittie
2019-07-18 16:13 ` Casey Schaufler
2019-07-19 12:15 ` Simon McVittie
2019-07-19 16:29 ` Casey Schaufler
2019-07-19 18:47 ` Simon McVittie
2019-07-19 20:02 ` Dbus and multiple LSMs (was Preferred subj= with multiple LSMs) Casey Schaufler
2019-07-22 11:36 ` Simon McVittie
2019-07-22 16:04 ` Casey Schaufler
2019-07-19 21:21 ` Preferred subj= with multiple LSMs Paul Moore
2019-07-22 20:50 ` James Morris
2019-07-22 22:01 ` Casey Schaufler
2019-07-22 22:30 ` Paul Moore
2019-07-23 0:11 ` Casey Schaufler
2019-07-23 14:06 ` Simon McVittie
2019-07-23 17:32 ` Casey Schaufler
2019-07-23 21:46 ` James Morris
2019-07-16 23:09 ` Paul Moore
2019-07-17 4:36 ` James Morris
2019-07-17 12:23 ` Paul Moore
2019-07-18 15:01 ` William Roberts
2019-07-18 18:48 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2477603.130G60v5SE@x2 \
--to=sgrubb@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).