Re: [PATCH v3 4/4] ima: Differentiate auditing policy rules from "audit" actions
From: Mimi Zohar
Date: Wed Jun 06 2018 - 10:52:47 EST
On Tue, 2018-06-05 at 18:18 -0400, Paul Moore wrote:
> On Tue, Jun 5, 2018 at 10:15 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > Hi Paul,
> >
> > On Mon, 2018-06-04 at 20:21 -0400, Paul Moore wrote:
> >> On Mon, Jun 4, 2018 at 4:54 PM, Stefan Berger
> >> <stefanb@xxxxxxxxxxxxxxxxxx> wrote:
> >> > The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
> >> > the IMA "audit" policy action. This patch defines
> >> > AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.
> >> >
> >> > Since we defined a new message type we can now also pass the
> >> > audit_context and get an associated SYSCALL record. This now produces
> >> > the following records when parsing IMA policy's rules:
> >>
> >> Aaand now I see you included the current->audit_context pointer I
> >> mentioned in my comments for 3/4 ;)
> >>
> >> So basically this should be fine, although I should point out that you
> >> do not need to define a new message type to associate records
> >> together. The fact that we don't associate all connected records is
> >> basically a bug.
> >>
> >> Anyway, patches 3/4 and 4/4 look good to me. Considering this is
> >> likely going in during the *next* merge window, I would ask that you
> >> convert from "current->audit_context" to "audit_context()" as soon as
> >> this merge window closes.
> >>
> >> Thanks!
> >
> > Thanks, Paul. I'd like to start queueing patches for the next open
> > window now, instead of scrambling later. Can I add your Ack now, and
> > remember to make this change when rebasing?
>
> Sure, go ahead and add my ACK to both 3/4 and 4/4 as long as you
> double pinky swear you'll do the audit_context() fix-up during the
> merge :)
>
> Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Sure, it will be really hard to miss. ÂThe next-integrity-queued
branch has:
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
*** Remember replace current->audit_context with call to audit_context() ***
Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>