linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: Fan Wu <wufan@linux.microsoft.com>
Cc: Steve Grubb <sgrubb@redhat.com>,
	corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
	serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
	axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
	eparis@redhat.com, linux-audit@redhat.com, dm-devel@redhat.com,
	linux-doc@vger.kernel.org,
	Deven Bowers <deven.desai@linux.microsoft.com>,
	roberto.sassu@huawei.com, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
	linux-fscrypt@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: Re: [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support
Date: Tue, 11 Apr 2023 19:07:57 -0400	[thread overview]
Message-ID: <CAHC9VhQxxrDnzJmUitMid3fk-VwNRU3NWoqjpj1=rhrtpoE=7w@mail.gmail.com> (raw)
In-Reply-To: <20230316225340.GB22567@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net>

On Thu, Mar 16, 2023 at 6:53 PM Fan Wu <wufan@linux.microsoft.com> wrote:
> On Thu, Mar 02, 2023 at 02:05:33PM -0500, Paul Moore wrote:
> > On Tue, Jan 31, 2023 at 12:11???PM Steve Grubb <sgrubb@redhat.com> wrote:
> > >
> > > Hello,
> > >
> > > On Monday, January 30, 2023 5:57:22 PM EST Fan Wu wrote:
> > > > From: Deven Bowers <deven.desai@linux.microsoft.com>
> > > >
> > > > Users of IPE require a way to identify when and why an operation fails,
> > > > allowing them to both respond to violations of policy and be notified
> > > > of potentially malicious actions on their systens with respect to IPE
> > > > itself.
> > > >
> > > > The new 1420 audit, AUDIT_IPE_ACCESS indicates the result of a policy
> > > > evaulation of a resource. The other two events, AUDIT_MAC_POLICY_LOAD,
> > > > and AUDIT_MAC_CONFIG_CHANGE represent a new policy was loaded into the
> > > > kernel and the currently active policy changed, respectively.
> > >
> > > Typically when you reuse an existing record type, it is expected to maintain
> > > the same fields in the same order. Also, it is expect that fields that are
> > > common across diferent records have the same meaning. To aid in this, we have
> > > a field dictionary here:
> > >
> > > https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/
> > > field-dictionary.csv
> > >
> > > For example, dev is expected to be 2 hex numbers separated by a colon which
> > > are the device major and minor numbers. But down a couple lines from here, we
> > > find dev="tmpfs". But isn't that a filesystem type?
> >
> > What Steve said.
> >
> > I'll also add an administrative note, we just moved upstream Linux
> > audit development to a new mailing list, audit@vger.kernel.org, please
> > use that in future patch submissions.  As a positive, it's a fully
> > open list so you won't run into moderation delays/notifications/etc.
> >
> Thanks for the info, I will update the address.
>
> > > > This patch also adds support for success auditing, allowing users to
> > > > identify how a resource passed policy. It is recommended to use this
> > > > option with caution, as it is quite noisy.
> > > >
> > > > This patch adds the following audit records:
> > > >
> > > >   audit: AUDIT1420 path="/tmp/tmpwxmam366/deny/bin/hello" dev="tmpfs"
> > > >     ino=72 rule="DEFAULT op=EXECUTE action=DENY"
> > >
> > > Do we really need to log the whole rule?
> >
> > Fan, would it be reasonable to list the properties which caused the
> > access denial?  That seems like it might be more helpful than the
> > specific rule, or am I missing something?
>
> Audit the whole rule can let the user find the reason of a policy decision.
> We need the whole rule because an allow/block is not caused by a specific
> property, but the combination of all property conditions in a rule.

Okay, that's a reasonable argument for logging the rule along with the
decision.  I think it helps that the IPE policy rules are not
particularly long.

> We could also add a verbose switch such that we only audit
> the whole rule when a user turned the verbose switch on.

I'm not sure that's necessary, and honestly it might be annoying as we
would still need to output a 'rule="?"' field in the audit record as
it is considered good practice to not have fields magically appear and
disappear from the record format.  However, if there are concerns
about record sizes, that could be a potential mitigation.

-- 
paul-moore.com

  reply	other threads:[~2023-04-11 23:08 UTC|newest]

Thread overview: 74+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-30 22:57 [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 01/16] security: add ipe lsm Fan Wu
2023-03-02 19:00   ` Paul Moore
2023-04-06 19:20     ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 02/16] ipe: add policy parser Fan Wu
2023-01-31 10:53   ` Roberto Sassu
2023-02-01 22:38     ` Fan Wu
2023-03-02 19:02   ` Paul Moore
2023-04-06 20:00     ` Fan Wu
2023-04-11 19:13       ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider Fan Wu
2023-01-31 10:29   ` Roberto Sassu
2023-01-31 15:49   ` Roberto Sassu
2023-02-10 23:21     ` Fan Wu
2023-03-02  2:33       ` Paul Moore
2023-03-02 19:03   ` Paul Moore
2023-04-10 18:53     ` Fan Wu
2023-04-11 20:32       ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 04/16] security: add new securityfs delete function Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 05/16] ipe: add userspace interface Fan Wu
2023-01-31 10:49   ` Roberto Sassu
2023-02-01 19:46     ` Fan Wu
2023-03-02 19:04   ` Paul Moore
2023-04-10 19:10     ` Fan Wu
2023-04-11 21:45       ` Paul Moore
2023-04-12 23:36         ` Fan Wu
2023-04-13 18:45           ` Paul Moore
2023-04-17 18:06             ` Fan Wu
2023-04-17 20:16               ` Paul Moore
2023-04-17 21:18                 ` Fan Wu
2023-04-17 21:31                   ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 06/16] ipe: add LSM hooks on execution and kernel read Fan Wu
2023-01-31 12:51   ` Roberto Sassu
2023-02-09 22:42     ` Fan Wu
2023-03-02 19:05   ` Paul Moore
2023-04-10 21:22     ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support Fan Wu
2023-01-31 12:57   ` Roberto Sassu
2023-01-31 17:10   ` Steve Grubb
2023-03-02 19:05     ` Paul Moore
2023-03-16 22:53       ` Fan Wu
2023-04-11 23:07         ` Paul Moore [this message]
2023-04-11 23:21       ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 08/16] ipe: add permissive toggle Fan Wu
2023-03-02 19:06   ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 09/16] block|security: add LSM blob to block_device Fan Wu
2023-01-31  8:53   ` Christoph Hellwig
2023-01-31 23:01     ` Fan Wu
2023-03-02 19:07   ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook Fan Wu
2023-01-31 13:22   ` Roberto Sassu
2023-02-01 23:26     ` Fan Wu
2023-02-02  8:21       ` Roberto Sassu
2023-02-07 23:52         ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider Fan Wu
2023-03-02 19:08   ` Paul Moore
2023-03-16 22:10     ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM hook Fan Wu
2023-02-09  3:30   ` Eric Biggers
2023-02-09 22:21     ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 13/16] ipe: enable support for fs-verity as a trust provider Fan Wu
2023-01-31 14:00   ` Roberto Sassu
2023-02-01 23:50     ` Fan Wu
2023-02-02  9:51       ` Roberto Sassu
2023-02-08  0:16         ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 14/16] scripts: add boot policy generation program Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 15/16] ipe: kunit test for parser Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 16/16] documentation: add ipe documentation Fan Wu
2023-01-31  3:59   ` Bagas Sanjaya
2023-02-02  0:19     ` Fan Wu
2023-01-31 14:22 ` [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Roberto Sassu
2023-02-01  0:48   ` Fan Wu
2023-02-02 10:48     ` Roberto Sassu
2023-02-08  0:31       ` Fan Wu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHC9VhQxxrDnzJmUitMid3fk-VwNRU3NWoqjpj1=rhrtpoE=7w@mail.gmail.com' \
    --to=paul@paul-moore.com \
    --cc=agk@redhat.com \
    --cc=axboe@kernel.dk \
    --cc=corbet@lwn.net \
    --cc=deven.desai@linux.microsoft.com \
    --cc=dm-devel@redhat.com \
    --cc=ebiggers@kernel.org \
    --cc=eparis@redhat.com \
    --cc=jmorris@namei.org \
    --cc=linux-audit@redhat.com \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=roberto.sassu@huawei.com \
    --cc=serge@hallyn.com \
    --cc=sgrubb@redhat.com \
    --cc=snitzer@kernel.org \
    --cc=tytso@mit.edu \
    --cc=wufan@linux.microsoft.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).