Re: [PATCH] audit: add containerid support for IMA-audit

On 05/17/2018 05:30 PM, Richard Guy Briggs wrote:

>>> auxiliary record either by being converted to a syscall auxiliary record >>> by using current->audit_context rather than NULL when calling >>> audit_log_start(), or creating a local audit_context and calling >> ima_parse_rule() is invoked when setting a policy by writing it into >> /sys/kernel/security/ima/policy. We unfortunately don't have the >> current->audit_context in this case. > Sure you do. What process writes to that file? That's the one we care > about, unless it is somehow handed off to a queue and processed later in > a different context. I just printk'd it again. current->audit_context is NULL in this case.

>> If so, which ones? We could probably refactor the current >> integrity_audit_message() and have ima_parse_rule() call into it to get >> those fields as well. I suppose adding new fields to it wouldn't be >> considered breaking user space? > Changing the order of existing fields or inserting fields could break > stuff and is strongly discouraged without a good reason, but appending > fields is usually the right way to add information. > > There are exceptions, and in this case, I'd pick the "more standard" of > the formats for AUDIT_INTEGRITY_RULE (ima_audit_measurement?) and stick > with that, abandoning the other format, renaming the less standard > version of the record (ima_parse_rule?) and perhpas adopting that > abandonned format for the new record type while using > current->audit_context.

1806 would be in sync with INTEGRITY_RULE now for process related info. If this looks good, I'll remove the dependency on your local context creation and post the series. The justification for the change is that the INTEGRITY_RULE, as produced by ima_parse_rule(), is broken.