Re: [RFC PATCH v9 05/16] ipe: add userspace interface

2023-04-13 Thread Paul Moore
On Wed, Apr 12, 2023 at 7:36 PM Fan Wu  wrote:
> On Tue, Apr 11, 2023 at 05:45:41PM -0400, Paul Moore wrote:
> > On Mon, Apr 10, 2023 at 3:10 PM Fan Wu wrote:
> > > On Thu, Mar 02, 2023 at 02:04:42PM -0500, Paul Moore wrote:
> > > > On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote:

...

> > I guess this does make me wonder about keeping a non-active policy
> > loaded in the kernel, what purpose does that serve?
> >
>
> The non-active policy doesn't serve anything unless it is activated. Users can
> even delete a policy if it is no longer needed. Non-active is just the default
> state when a new policy is loaded.
>
> If IPE supports namespaces, there is another use case where different containers
> can select different policies as the active policy from among multiple loaded
> policies. Deven has presented a demo of this during LSS 2021. But this goes
> beyond the scope of this version.

Do you plan to add namespace support at some point in the
not-too-distant future?  If so, I'm okay with keeping support for
multiple policies, but if you think you're only going to support one
active policy at a time, it might be better to remove support for
multiple (inactive) policies.

-- 
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


Re: small patch for issue with rules that have been (incorrectly) copied from Windows

2023-04-13 Thread Paul Moore
On Thu, Apr 13, 2023 at 12:25 PM Carlos De Avillez wrote:
>
> Hello again,
>
> Just checking if there is interest in the below.

I noticed that your email ended up in my spam folder, likely because
it was not plaintext, but who knows for sure.  You might want to try
posting your patch as a GitHub PR since it looks like Steve checks
both the mailing list and GitHub for patches.

* https://github.com/linux-audit/audit-userspace

-- 
paul-moore.com



Re: small patch for issue with rules that have been (incorrectly) copied from Windows

2023-04-13 Thread Carlos De Avillez
Hello again,

Just checking if there is interest in the below.

Cheers,


Carlos de Avillez
Senior Escalation Engineer
Microsoft Azure Technical Support

From: Linux-audit on behalf of Carlos De Avillez
Sent: Friday, February 10, 2023 17:37
To: linux-audit@redhat.com
Subject: small patch for issue with rules that have been (incorrectly) copied from Windows

Hello,

We have had at least a few instances where customers configured audit rules on
Windows, and then incorrectly moved the resulting '.rules' files to Linux.

These files still had the Windows line terminator (CRLF). 'augenrules' read
them without issues and generated the /etc/audit/audit.rules file.

But on loading the new audit.rules, 'auditctl -R' will receive a bad return
code, and stop loading the rules. The resulting error is a bit on the cryptic
side, and our customers do not seem to catch it easily.

The proposed fix is simple, and resolves the issue when using 'augenrules'. Of
course, if someone generates /etc/audit/audit.rules directly, it could still
fail, but I understand that we are moving to using 'augenrules' by default.

Patch (against current head) is below.

Cheers,

..Carlos..

From 4ccae6353500d3870d4da8905ed01d18d36b066a Mon Sep 17 00:00:00 2001
From: C de-Avillez 
Date: Fri, 10 Feb 2023 17:16:09 -0600
Subject: [PATCH] augenrules: make sure no lines in *.rules end in CRLF,
 otherwise 'auditctl -R' will then fail to fully load the rules.

---
 init.d/augenrules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/init.d/augenrules b/init.d/augenrules
index edb2199..f74c6e2 100644
--- a/init.d/augenrules
+++ b/init.d/augenrules
@@ -84,6 +84,7 @@ BEGIN   {
 minus_b = "";
 rest = 0;
 } {
+sub(/\r$/, "");
 if (length($0) < 1) { next; }
 if (match($0, "^\\s*#")) { next; }
 if (match($0, "^\\s*-e")) { minus_e = $0; next; }
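Review bot: the added sub(/\r$/, "") depends on sitting before `if (length($0) < 1) { next; }`, because a blank CRLF line only becomes empty, and is therefore skipped, once its CR is gone; a short comment on the new line (for example `# strip CR from CRLF line endings; keep ahead of the empty-line test`) would stop a later reorder from quietly bringing the 'auditctl -R' failure back. The commit message gives the mechanism (CRLF) but not the user-visible symptom described in the cover mail (auditctl -R returning a bad exit status and stopping at the first such line, with a cryptic error); carrying that into the message makes the change findable by someone searching on the error. As the cover mail notes, a file written straight to /etc/audit/audit.rules bypasses this script and is not covered by this hunk.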
--
2.34.1

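A pre-flight check for the failure this thread describes, added here as an example and not part of the audit-userspace tree or of Carlos's patch: it flags rules fragments that still carry CRLF endings and strips the trailing CR with the same awk substitution the proposed augenrules hunk uses, so a deployment step can refuse or repair such files before augenrules merges them. The default rules directory, the backup suffix and the sample rules are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not audit-userspace code: detect Windows CRLF line endings in
# audit rule fragments before augenrules merges them, and normalise them with
# the same sub(/\r$/, "") that the proposed augenrules hunk performs.

# Exit status 0 if any line read from stdin ends in a carriage return.
has_crlf() {
    awk '/\r$/ { found = 1; exit } END { exit !found }'
}

# Copy stdin to stdout with a trailing CR removed from every line.
strip_crlf() {
    awk '{ sub(/\r$/, ""); print }'
}

# Number of rule lines left after normalisation, skipping blanks and comments
# the way augenrules does. A CR-only line must count as blank, which is why
# the CR has to be stripped before the length test (same ordering as the patch).
count_rules() {
    strip_crlf | awk '
        length($0) < 1  { next }
        /^[ \t]*#/      { next }
                        { n++ }
        END             { print n + 0 }'
}

# Report every *.rules file under directory $1 that still has CRLF endings.
# Returns 1 if any were found so it can gate a deploy step. The default path
# is an assumption that matches the usual augenrules layout.
check_rules_dir() {
    dir=${1:-/etc/audit/rules.d}
    bad=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        if has_crlf < "$f"; then
            printf 'CRLF line endings: %s\n' "$f" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Rewrite file $1 in place with CRLF endings stripped, keeping a backup copy
# (the .crlf.bak suffix is an assumption for the demo).
fix_rules_file() {
    cp -p "$1" "$1.crlf.bak" && strip_crlf < "$1.crlf.bak" > "$1"
}
```

Run `check_rules_dir /etc/audit/rules.d` before `augenrules --load`; a non-zero status names the offending fragments on stderr, and `fix_rules_file` repairs one of them. The awk regex is the one from the patch, so whatever this check accepts is what the patched augenrules would produce.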


Re: [RFC PATCH v9 05/16] ipe: add userspace interface

2023-04-13 Thread Fan Wu
On Tue, Apr 11, 2023 at 05:45:41PM -0400, Paul Moore wrote:
> On Mon, Apr 10, 2023 at 3:10 PM Fan Wu wrote:
> > On Thu, Mar 02, 2023 at 02:04:42PM -0500, Paul Moore wrote:
> > > On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote:
> > > >
> > > > From: Deven Bowers 
> > > >
> > > > As is typical with LSMs, IPE uses securityfs as its interface with
> > > > userspace. For a complete list of the interfaces and the respective
> > > > inputs/outputs, please see the documentation under
> > > > admin-guide/LSM/ipe.rst
> > > >
> > > > Signed-off-by: Deven Bowers 
> > > > Signed-off-by: Fan Wu 
> > >
> > > ...
> > >
> > > > ---
> > > >  security/ipe/Makefile|   2 +
> > > >  security/ipe/fs.c| 101 +
> > > >  security/ipe/fs.h|  17 ++
> > > >  security/ipe/ipe.c   |   3 +
> > > >  security/ipe/ipe.h   |   2 +
> > > >  security/ipe/policy.c| 135 
> > > >  security/ipe/policy.h|   7 +
> > > >  security/ipe/policy_fs.c | 459 +++
> > > >  8 files changed, 726 insertions(+)
> > > >  create mode 100644 security/ipe/fs.c
> > > >  create mode 100644 security/ipe/fs.h
> > > >  create mode 100644 security/ipe/policy_fs.c
> 
> ...
> 
> > > > +/**
> > > > + * ipe_update_policy - parse a new policy and replace @old with it.
> > > > + * @addr: Supplies a pointer to the i_private for saving policy.
> > > > + * @text: Supplies a pointer to the plain text policy.
> > > > + * @textlen: Supplies the length of @text.
> > > > + * @pkcs7: Supplies a pointer to a buffer containing a pkcs7 message.
> > > > + * @pkcs7len: Supplies the length of @pkcs7len.
> > > > + *
> > > > + * @text/@textlen is mutually exclusive with @pkcs7/@pkcs7len - see
> > > > + * ipe_new_policy.
> > > > + *
> > > > + * Return:
> > > > + * * !IS_ERR   - OK
> > > > + * * -ENOENT   - Policy doesn't exist
> > > > + * * -EINVAL   - New policy is invalid
> > > > + */
> > > > +struct ipe_policy *ipe_update_policy(struct ipe_policy __rcu **addr,
> > > > +const char *text, size_t textlen,
> > > > +const char *pkcs7, size_t pkcs7len)
> > > > +{
> > > > +   int rc = 0;
> > > > +   struct ipe_policy *old, *new;
> > > > +
> > > > +   old = ipe_get_policy_rcu(*addr);
> > > > +   if (!old) {
> > > > +   rc = -ENOENT;
> > > > +   goto err;
> > > > +   }
> > > > +
> > > > +   new = ipe_new_policy(text, textlen, pkcs7, pkcs7len);
> > > > +   if (IS_ERR(new)) {
> > > > +   rc = PTR_ERR(new);
> > > > +   goto err;
> > > > +   }
> > > > +
> > > > +   if (strcmp(new->parsed->name, old->parsed->name)) {
> > > > +   rc = -EINVAL;
> > > > +   goto err;
> > > > +   }
> > > > +
> > > > +   if (ver_to_u64(old) > ver_to_u64(new)) {
> > > > +   rc = -EINVAL;
> > > > +   goto err;
> > > > +   }
> > > > +
> > > > +   if (ipe_is_policy_active(old)) {
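Review bot: the kernel-doc for @pkcs7len reads "Supplies the length of @pkcs7len", which should read "@pkcs7", matching the @textlen line above it. The guard `if (ver_to_u64(old) > ver_to_u64(new))` only rejects a lower version, so a policy may be replaced by one carrying the same version; if that is intended it deserves a sentence in the kernel-doc, and if not the comparison should be `>=`. The Return: list names only -ENOENT and -EINVAL, but `rc = PTR_ERR(new)` passes through whatever ipe_new_policy() returns, so either list those codes or state that its errors are propagated.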
> > >
> > > I don't understand the is-active check, you want to make @new the new
> > > active policy regardless, right?  Could this is-active check ever be
> > > false?
> >
> > Actually this is needed. Policy updates can be applied to any deployed
> > policy, which may be saved in two places: the securityfs file node
> > and the ipe_active_policy pointer. To update a policy, this function first
> > checks if the policy saved in the securityfs file node is currently active.
> > If so, it updates the ipe_active_policy pointer to point to the new policy,
> > and finally updates the policy pointer in the securityfs to the new policy.
> 
> Ah, okay.  I must have forgotten, or not realized, that multiple
> policies could be loaded and not active.
> 
> I guess this does make me wonder about keeping a non-active policy
> loaded in the kernel, what purpose does that serve?
> 

The non-active policy doesn't serve anything unless it is activated. Users can
even delete a policy if it is no longer needed. Non-active is just the default
state when a new policy is loaded.

If IPE supports namespaces, there is another use case where different containers
can select different policies as the active policy from among multiple loaded
policies. Deven has presented a demo of this during LSS 2021. But this goes
beyond the scope of this version.

-Fan

> -- 
> paul-moore.com
