lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 15 Jul 2010 09:36:46 -0700
From:	John Johansen <john.johansen@...onical.com>
To:	Eric Paris <eparis@...isplace.org>
CC:	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH 02/13] AppArmor: basic auditing infrastructure.

On 07/15/2010 08:18 AM, Eric Paris wrote:
> On Wed, Jul 14, 2010 at 8:43 PM, John Johansen
> <john.johansen@...onical.com> wrote:
>> Update lsm_audit for AppArmor specific data, and add the core routines for
>> AppArmor uses for auditing.
>>
>> Signed-off-by: John Johansen <john.johansen@...onical.com>
> 
>> + * Currently AppArmor auditing is fed straight into the audit framework.
>> + *
>> + * TODO:
>> + * convert to LSM audit
> 
> 
oops, I missed that one, it should have been removed.

>> +       if (sa->aad.profile) {
>> +               struct aa_profile *profile = sa->aad.profile;
>> +               pid_t pid;
>> +               rcu_read_lock();
>> +               pid = tsk->real_parent->pid;
>> +               rcu_read_unlock();
>> +               audit_log_format(ab, " parent=%d", pid);
>> +               audit_log_format(ab, " profile=");
>> +               if (profile->ns != root_ns) {
>> +                       audit_log_format(ab, ":");
>> +                       audit_log_untrustedstring(ab, profile->ns->base.hname);
>> +                       audit_log_format(ab, "://");
>> +               }
>> +               audit_log_untrustedstring(ab, profile->base.hname);
>> +       }
> 
> what does this message look like?  I don't think it fits the nice
> key=value rules of the audit system....   Are you sure this is what
> you want?
>
it looks like
profile=:ns_name://profile_name

which could be fed straight back in as a valid profile name.  Profile names can
be expressed relative to the namespace, or absolute with the profile namespace name
prepended.  In this case relative namespace reporting is used only for the root_ns
because that is what was traditionally done.

So it is a single value following the rules.

The alternative of outputting the profile namespace name as a separate is also valid,
and I am actually indifferent as to which way it is reported.


>> +#define COMMON_AUDIT_DATA_INIT_NONE(_d) \
>> +       do { \
>> +               memset((_d), 0, sizeof(struct common_audit_data)); \
>> +               (_d)->type = LSM_AUDIT_DATA_NONE; \
>> +       } while (0)
>> +
>> +#endif /* __AA_AUDIT_H */
> 
> Why are you redefining this?  You should just use
> COMMON_AUDIT_DATA_INIT(sa, NONE);

oops, I actually have that patch, and missed applying to the branch, this was
originally added when COMMON_AUDIT_DATA_INIT(sa, NONE) didn't work.  

thanks Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ