From: Paul Moore <paul@paul-moore.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Richard Guy Briggs <rgb@redhat.com>,
"linux-audit@redhat.com" <linux-audit@redhat.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>
Subject: Re: Preferred subj= with multiple LSMs
Date: Tue, 16 Jul 2019 19:09:25 -0400 [thread overview]
Message-ID: <CAHC9VhS-WGuKYzG5AU01BN8tk8nzp+7qxk7Sz-hbHQGL+UXOfg@mail.gmail.com> (raw)
In-Reply-To: <2517266.eHZzEmjMsX@x2>
On Tue, Jul 16, 2019 at 5:46 PM Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, July 16, 2019 5:25:21 PM EDT Paul Moore wrote:
...
> > Agreed. While I'm not going to be on a specific Linux release, I do
> > believe that at some point in the future the LSM stacking work is
> > going to land in Linus' tree. Perhaps you'll never see it Steve, but
> > we need to prepare the code to handle it when it happens.
>
> And I agree with that. I'm saying that if we push it all in subj= then it is
> not a big penalty.
I'm going to disagree on that quite severely. As I mentioned
previously there isn't an easy or sane way to delimit between the
different LSM labels which means sorting out the multiplexed "subj"
field is going to be a post processing nightmare.
> It saves major breakage. Every single event is required to
> have a subj= field if its a MAC system.
All of the options we've discussed still record the LSM credentials in
the audit record; no one is talking about *not* recording the LSM
credentials. What we are discussing is *how* they are recorded.
> By changing it to lsm_subj= it changes
> the layout of every single event. And it make more to parse. And searching
> the labels is worse because it has to iterate over a list of *_subj to match
> it. This will hurt performance because it is for every single event.
I can almost guarantee that looking for subj/subj_X is going to be
much easier than safely parsing a multiplexed subj field. Not to
mention the multiplexed approach is just awful to read compared to
some of the other suggestions.
> > For my own sanity, here is a quick summary of the constraints as I
> > currently see them, please feel free to add/disagree:
> >
> > * We can't have multiple "subj" fields in a single audit record.
> > * The different LSMs all have different label formats and allowed
> > characters. Further, a given label format may not be unique for a
> > given LSM; for example, Smack could be configured with a subset of
> > SELinux labels.
> > * Steve's audit tools appear to require a "subj" and "obj" fields for
> > LSM information or else they break into tiny little pieces.
>
> It changes all knowledge of where to look for things. And considering
> considering that events could be aggregated from systems of different ages/
> distributions, audit userspace will always have to be backwards compatible.
The subj_X approach is still backwards compatible, the difference is
that old versions of the tools get a "?" for the LSM creds which is a
rather sane way of indicating something is different. The multiplexed
approach would result in effectively garbage for the LSM creds unless
the higher layers of audit tooling are updated to understand the new
multiplexed format *and* *continuously* *updated* as new LSMs are
stacked because you need to understand each LSMs label format if you
are going to safely parse the multiplexed format. With the subj_X
approach the higher layer tooling simply needs to look for subj_X
fields when it sees "subj=?", and then it can safely extract/parse
each LSM's label without needing to understand or inspect the labels
themselves.
> > What if we preserved the existing subj/obj fields in the case where
> > there is only one "major" LSM (SELinux, Smack, AppArmor, etc.):
> >
> > subj=<lsm_label>
> >
> > ... and in the case of multiple major LSMs we set the subj value to
> > "?" and introduce new subj_X fields (as necessary) as discussed above:
> >
> > subj=? subj_smack=<smack_label> subj_selinux=<selinux_label> ...
> >
> > ... I believe that Steve's old/existing userspace tools would simply
> > report "?"/unknown LSM credentials where new multi-LSM tools could
> > report the multiple different labels.
>
> Common Criteria as well as other standards require subject labels to be
> searchable. So, changing behavior based on how many modules will still cause
> problems with performance because I'll always have to assume it could be
> either way and try both.
Once again, I believe that the subj_X approach is going to be faster
than safely parsing the multiplexed format.
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2019-07-16 23:09 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-12 16:33 Preferred subj= with multiple LSMs Casey Schaufler
[not found] ` <c46932ec-e38e-ba15-7ceb-70e0fe0ef5dc@schaufler-ca.com>
2019-07-13 15:08 ` Steve Grubb
2019-07-15 19:04 ` Richard Guy Briggs
[not found] ` <1979804.kRvuSoDnao@x2>
[not found] ` <2802ddee-b621-c2eb-9ff3-ea15c4f19d0c@schaufler-ca.com>
[not found] ` <3577098.oGDFHdoSSQ@x2>
2019-07-16 17:16 ` Casey Schaufler
[not found] ` <CAHC9VhSELVZN8feH56zsANqoHu16mPMD04Ww60W=r6tWs+8WnQ@mail.gmail.com>
2019-07-16 17:29 ` Casey Schaufler
2019-07-16 17:43 ` Paul Moore
2019-07-16 17:58 ` Casey Schaufler
2019-07-16 18:06 ` Steve Grubb
2019-07-16 18:41 ` Casey Schaufler
2019-07-16 21:25 ` Paul Moore
2019-07-16 21:46 ` Steve Grubb
2019-07-16 22:18 ` Casey Schaufler
2019-07-16 23:13 ` Paul Moore
2019-07-16 23:47 ` Casey Schaufler
2019-07-17 12:14 ` Paul Moore
2019-07-17 15:49 ` Casey Schaufler
2019-07-17 16:23 ` Paul Moore
2019-07-17 23:02 ` Casey Schaufler
2019-07-18 13:10 ` Simon McVittie
2019-07-18 16:13 ` Casey Schaufler
2019-07-19 12:15 ` Simon McVittie
2019-07-19 16:29 ` Casey Schaufler
2019-07-19 18:47 ` Simon McVittie
2019-07-19 20:02 ` Dbus and multiple LSMs (was Preferred subj= with multiple LSMs) Casey Schaufler
2019-07-22 11:36 ` Simon McVittie
2019-07-22 16:04 ` Casey Schaufler
2019-07-19 21:21 ` Preferred subj= with multiple LSMs Paul Moore
2019-07-22 20:50 ` James Morris
2019-07-22 22:01 ` Casey Schaufler
2019-07-22 22:30 ` Paul Moore
2019-07-23 0:11 ` Casey Schaufler
2019-07-23 14:06 ` Simon McVittie
2019-07-23 17:32 ` Casey Schaufler
2019-07-23 21:46 ` James Morris
2019-07-16 23:09 ` Paul Moore [this message]
2019-07-17 4:36 ` James Morris
2019-07-17 12:23 ` Paul Moore
2019-07-18 15:01 ` William Roberts
2019-07-18 18:48 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhS-WGuKYzG5AU01BN8tk8nzp+7qxk7Sz-hbHQGL+UXOfg@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=casey@schaufler-ca.com \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).