lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3623738.X9Kq6ePK5C@sifl>
Date:	Tue, 21 Oct 2014 17:56:36 -0400
From:	Paul Moore <pmoore@...hat.com>
To:	Steve Grubb <sgrubb@...hat.com>
Cc:	Eric Paris <eparis@...hat.com>,
	Richard Guy Briggs <rgb@...hat.com>, linux-audit@...hat.com,
	linux-kernel@...r.kernel.org, aviro@...hat.com
Subject: Re: [PATCH V5 0/5] audit by executable name

On Monday, October 20, 2014 07:33:39 PM Steve Grubb wrote:
> On Monday, October 20, 2014 07:02:33 PM Paul Moore wrote:
> > On Monday, October 20, 2014 06:47:27 PM Eric Paris wrote:
> > > On Mon, 2014-10-20 at 16:25 -0400, Steve Grubb wrote:
> > > > On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
> > > > > This is a part of Peter Moody, my and Eric Paris' work to implement
> > > > > audit by executable name.
> > > > 
> > > > Does this patch set define an AUDIT_VERSION_SOMETHING and then set
> > > > AUDIT_VERSION_LATEST to it? If not, I need one to tell if the kernel
> > > > supports it when issuing commands. Also, if its conceivable that
> > > > kernels
> > > > may pick and choose what features could be backported to a curated
> > > > kernel, should AUDIT_VERSION_ be a number that is incremented or a bit
> > > > mask?
> > > 
> > > Right now the value is 2. So this is your last hope if you want to make
> > > it a bitmask. I'll leave that up to paul/richard to (over) design.
> > 
> > Audit is nothing if not over-designed.  I want to make sure we're
> > consistent with the previous design methodologies ;)
> > 
> > I've been thinking about this for about the past half-hour while I've been
> > going through some other mail and I'm not really enthused about using the
> > version number to encode capabilities.  What sort of problems would we
> > have if we introduced a new audit netlink command to query the kernel for
> > audit capabilities?
> 
> I thought that is what we were getting in this patch:
> https://www.redhat.com/archives/linux-audit/2014-January/msg00054.html

That patch, and the simple name "version", looks more like a version number 
and not a capabilities bitmap.  However, as Eric previously pointed out, since 
we are only at version 2, all is not lost.

> As I understood it, I send an AUDIT_GET command on netlink and then look in
> status.version to see what we have. I really think that in the mainline
> kernel, there will be a steady increment of capabilities. However, for
> distributions, they may want to pick and choose which capabilities to
> backport to their shipping kernel. Meaning in practice, a bitmap may be
> better to allow cherry picking capabilities and user space being able to
> make informed decisions.

If we are intending to use this as a way of checking for functionality then it 
really should be a bitmap and not a version number.  Regardless of if we are 
talking about an upstream or distribution kernel.

> I really don't mind if this is done by a new netlink command (but if we do,
> what happens to status.version?) or if we just keep going with
> status.version. Just tell me which it is.

No, let's stick with what we have now.  I mistakenly assumed that since the 
struct field and userspace #defines included "version" that the value was 
actually a version number ... silly me, I have no idea why I thought that.

So, with this in mind, I think a couple of small tweaks are in order (sorry 
Richard), in no particular order:

* Change the audit_status.version field comment in include/uapi/linux/audit.h 
to "/* audit functionality bitmap */", or similar.  We can't really change the 
structure now, but the comment is fair game.

* Change AUDIT_VERSION_LATEST to a bitmask instead of a number.  For example, 
it should be 3 given the current code, not 2.  In a perfect world this 
wouldn't even be in the uapi header, but it is so we need to keep it updated.  
Bumping it higher should be backwards compatible.

Can anyone think of anything else that might be affected by this?

-- 
paul moore
security and virtualization @ redhat

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ