From: Richard Guy Briggs <rgb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List <linux-audit@redhat.com>, linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris <eparis@parisplace.org>, Serge Hallyn <serge@hallyn.com>, ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh <dwalsh@redhat.com>, mpatel@redhat.com
Subject: Re: [PATCH ghak90 V8 05/16] audit: log drop of contid on exit of last task
Date: Tue, 4 Feb 2020 18:02:35 -0500
Message-ID: <20200204230235.dwunh76dum4kkssp@madcap2.tricolour.ca>
In-Reply-To: <CAHC9VhQ=+4P6Rr1S1-sNb2X-CbYYKMQMJDGP=bBr8GG3xLD8qQ@mail.gmail.com>

On 2020-01-22 16:28, Paul Moore wrote: > On Tue, Dec 31, 2019 at 2:50 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > > > Since we are tracking the life of each audit container identifier, we > > can match the creation event with the destruction event. Log the > > destruction of the audit container identifier when the last process in > > that container exits. > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > --- > > kernel/audit.c | 17 +++++++++++++++++ > > kernel/audit.h | 2 ++ > > kernel/auditsc.c | 2 ++ > > 3 files changed, 21 insertions(+) > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 4bab20f5f781..fa8f1aa3a605 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c
> > @@ -2502,6 +2502,23 @@ int audit_set_contid(struct task_struct *task, u64 contid) > > return rc; > > } > > > > +void audit_log_container_drop(void) > > +{ > > + struct audit_buffer *ab; > > + > > + if (!current->audit || !current->audit->cont || > > + refcount_read(¤t->audit->cont->refcount) > 1) > > + return; > > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONTAINER_OP); > > + if (!ab) > > + return; > > + > > + audit_log_format(ab, "op=drop opid=%d contid=%llu old-contid=%llu", > > + task_tgid_nr(current), audit_get_contid(current), > > + audit_get_contid(current)); > > + audit_log_end(ab); > > +} > > Assuming we are careful about where we call it in audit_free(...), you > are confident we can't do this as part of _audit_contobj_put(...), > yes? We need audit_log_container_drop in audit_free_syscall() due to needing context, which gets freed in audit_free_syscall() called from audit_free(). We need audit_log_container_drop in audit_log_exit() due to having that record included before the EOE record at the end of audit_log_exit(). We could put in _contobj_put() if we drop context and any attempt to connect it with a syscall record, which I strongly discourage. The syscall record contains info about subject, container_id record only contains info about container object other than subj pid. > > /** > > * audit_log_end - end one audit record > > * @ab: the audit_buffer > > diff --git a/kernel/audit.h b/kernel/audit.h > > index e4a31aa92dfe..162de8366b32 100644 > > --- a/kernel/audit.h > > +++ b/kernel/audit.h > > @@ -255,6 +255,8 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, > > extern struct tty_struct *audit_get_tty(void); > > extern void audit_put_tty(struct tty_struct *tty); > > > > +extern void audit_log_container_drop(void); > > + > > /* audit watch/mark/tree functions */ > > #ifdef CONFIG_AUDITSYSCALL > > extern unsigned int audit_serial(void);
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index 0e2d50533959..bd855794ad26 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -1568,6 +1568,8 @@ static void audit_log_exit(void) > > > > audit_log_proctitle(); > > > > + audit_log_container_drop(); > > + > > /* Send end of event record to help user space know we are finished */ > > ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); > > if (ab) > > -- > > 1.8.3.1 > > > > -- > paul moore > www.paul-moore.com > - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
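Review bot: in the kernel/audit.c hunk, the last-task test in audit_log_container_drop() is a bare refcount_read(&current->audit->cont->refcount) > 1, which is racy against a concurrent fork or exit in the same container: two tasks exiting together can both read a count above 1 so neither logs the drop, or one task can log the drop while a fork is still taking a new reference. The decision should be tied to the decrement that actually reaches zero in _audit_contobj_put() (or made under the same serialisation as that refcount change), even if the record itself is still emitted from audit_log_exit() for the context reasons given in the reply. Separately, "contid=%llu old-contid=%llu" are both filled from audit_get_contid(current), so the record always carries the same value twice; either drop old-contid or state in the commit message why both fields are kept on an op=drop record.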
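Review bot: nothing blocking in the kernel/audit.h hunk; the new extern sits outside the CONFIG_AUDITSYSCALL block that follows it, which matches the unconditional definition in kernel/audit.c, but since the only caller this patch adds is audit_log_exit() in kernel/auditsc.c, a one-line comment next to the declaration saying it is meant to run from the exiting task's syscall-exit path (it needs the audit context and must precede the EOE record) would save the next reader a trip through this thread.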
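Review bot: in the kernel/auditsc.c hunk, calling audit_log_container_drop() after audit_log_proctitle() and before the AUDIT_EOE record does tie the drop to the exiting task's syscall event, as the reply argues, but audit_log_exit() only runs when that task's syscall context is actually being recorded, so a last task whose exit is not audited never produces the op=drop record and userspace sees a container created but never destroyed. The reply mentions a call from audit_free_syscall() as well, yet this patch adds only the one here; either add that path or state in the commit message that the drop is logged only when the last task's exit generates a syscall record.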