From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: [PATCH V6 08/10] fork: audit on creation of new namespace(s) Date: Fri, 17 Apr 2015 03:35:55 -0400 Message-ID: <1b4723533470b0acdc5ff663093ad13de3baf46d.1429252659.git.rgb__5234.67603275112$1429256248$gmane$org@redhat.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: In-Reply-To: References: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org Cc: pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org, sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org, ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org List-Id: containers.vger.kernel.org When clone(2) is called to fork a new process creating one or more namespaces, audit the event to tie the new pid with the namespace IDs. Signed-off-by: Richard Guy Briggs --- kernel/fork.c | 3 +++ kernel/nsproxy.c | 1 + 2 files changed, 4 insertions(+), 0 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index 6a13c46..2ea1225 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1624,6 +1624,9 @@ long do_fork(unsigned long clone_flags, get_task_struct(p); } + if (unlikely(clone_flags & CLONE_NEW_MASK_ALL)) + audit_log_ns_info(p); + wake_up_new_task(p); /* forking complete and child started to run, tell ptracer */ diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index 8e78110..d5353c2 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c 
@@ -25,6 +25,7 @@ #include #include #include +#include static struct kmem_cache *nsproxy_cachep; -- 1.7.1
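Review bot: in the kernel/fork.c hunk, the new `if (unlikely(clone_flags & CLONE_NEW_MASK_ALL)) audit_log_ns_info(p);` relies on CLONE_NEW_MASK_ALL, which is not defined anywhere in this patch; if it comes from an earlier patch in this series, the commit message should say so, and it is worth confirming that the mask covers every CLONE_NEW* flag so that no namespace created via clone(2) escapes the audit record. The placement itself looks right: the call sits after get_task_struct(p) and before wake_up_new_task(p), so the child's nsproxy is fully set up and the record is emitted before the child can run. Note that this hook only fires on the clone path; if the series intends to tie every new namespace to a pid, namespaces created through unshare(2) need an equivalent call on that path, since they never pass through do_fork.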
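Review bot: the kernel/nsproxy.c hunk adds only a single #include and changes no code in that file, so nothing in this patch uses the header; either it is a leftover from an earlier revision and should be dropped, or it belongs with the patch in the series that actually adds the call into nsproxy.c and should move there so each patch builds cleanly on its own. If it stays, the commit message should mention why fork.c needs no matching include (presumably because it already pulls in the audit header).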