Preferred subj= with multiple LSMs

Paul Moore paul at paul-moore.com
Wed Jul 17 12:23:57 UTC 2019


On Wed, Jul 17, 2019 at 12:36 AM James Morris <jmorris at namei.org> wrote:
> On Tue, 16 Jul 2019, Paul Moore wrote:
>
> > The subj_X approach is still backwards compatible, the difference is
> > that old versions of the tools get a "?" for the LSM creds which is a
> > rather sane way of indicating something is different.
>
> This will still break existing userspace, right?  We can't do that.

Trust me, I don't want to break userspace; I wouldn't be suggesting that.

The subj_X approach would cause userspace to see a "?" for the LSM
creds when looking at logs from a stacked-LSM system.  I would argue
this is actually safer than the multiplexed approach as "?" is a safe
sentinel used by the audit subsystem when the value can't be
determined; the multiplexed label in the hands of legacy userspace
tools would be confusing at best, and misleading at worst.

> > Once again, I believe that the subj_X approach is going to be faster
> > than safely parsing the multiplexed format.
>
> What about emitting one audit record for each LSM?

In many of the LSM-generated audit events that is what would happen,
and it should just work.  What we've been discussing is all the cases
where the audit event is generated outside the context of the LSM but
the LSM credentials are still desirable bits of information.  While we
are definitely going in the direction of making multiple record events
more common, duplicating the same record, with only changes to the LSM
creds, may end up confusing Steve's tools.  It would also end up
bloating the audit log, which I know is something everyone wants to
avoid.

-- 
paul moore
www.paul-moore.com
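To make the "?" argument above concrete, the following is an added example (not code from the thread, the kernel or the audit userspace) that parses one constructed record in the subj_X style and one in a multiplexed style, then shows what a legacy tool that only knows `subj=` reports next to what a stacking-aware tool reports. The field names `subj_selinux`/`subj_apparmor`, the `subj=?` placeholder and the multiplexed delimiter are all assumptions made for the illustration.

```python
import re

# Constructed sample records, not taken from the thread or a real system.
# The subj_selinux/subj_apparmor names and the "subj=?" placeholder are
# assumptions about how the subj_X proposal would look on the wire.
STACKED_RECORD = (
    "type=USER_LOGIN msg=audit(1563366237.123:456): pid=1234 uid=0 auid=1000 "
    "subj=? subj_selinux=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "subj_apparmor=/usr/sbin/sshd res=success"
)
# Hypothetical multiplexed record: every LSM label packed into one subj= value.
# The delimiter and layout are invented here; the thread does not define them.
MULTIPLEXED_RECORD = (
    "type=USER_LOGIN msg=audit(1563366237.123:456): pid=1234 uid=0 auid=1000 "
    "subj=selinux=system_u:system_r:sshd_t:s0-s0:c0.c1023,apparmor=/usr/sbin/sshd "
    "res=success"
)

# key=value pairs; values are either single-quoted strings or whitespace-free tokens
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
SENTINEL = "?"  # audit's marker for "this value could not be determined"


def parse_fields(record: str) -> dict:
    """Split an audit record into its key=value fields, keeping quoted values whole."""
    return {key: value.strip("'") for key, value in FIELD_RE.findall(record)}


def legacy_subject(fields: dict) -> str:
    """What a pre-stacking tool reports: it only knows about the single subj= field."""
    return fields.get("subj", SENTINEL)


def stacked_subjects(fields: dict) -> dict:
    """What a stacking-aware tool reports: one label per LSM from subj_<lsm>= fields."""
    return {key[len("subj_"):]: value
            for key, value in fields.items() if key.startswith("subj_")}


def legacy_view(record: str) -> str:
    """Convenience wrapper: the subject a legacy tool would print for this record."""
    return legacy_subject(parse_fields(record))


if __name__ == "__main__":
    for name, rec in (("subj_X", STACKED_RECORD), ("multiplexed", MULTIPLEXED_RECORD)):
        fields = parse_fields(rec)
        print(f"{name:12} legacy tool sees subj={legacy_subject(fields)}")
        print(f"{name:12} stacking-aware tool sees {stacked_subjects(fields)}")
```

On the subj_X record the legacy tool prints the familiar `subj=?`, while on the multiplexed record it prints the packed string as though it were a single LSM's label, which is the confusing case the message describes.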