From: Paul Moore <paul@paul-moore.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: <containers@lists.linux-foundation.org>,
<linux-api@vger.kernel.org>, <linux-audit@redhat.com>,
<linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<netdev@vger.kernel.org>, <netfilter-devel@vger.kernel.org>,
<ebiederm@xmission.com>, <luto@kernel.org>, <carlos@redhat.com>,
<dhowells@redhat.com>, <viro@zeniv.linux.org.uk>,
<simo@redhat.com>, Eric Paris <eparis@parisplace.org>,
Serge Hallyn <serge@hallyn.com>
Subject: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
Date: Thu, 25 Oct 2018 07:13:07 +0100 [thread overview]
Message-ID: <166a9dae538.280e.85c95baa4474aabc7814e68940a78392@paul-moore.com> (raw)
In-Reply-To: <20181025004255.zl7p7j6gztouh2hh@madcap2.tricolour.ca>
On October 25, 2018 1:43:16 AM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2018-10-24 16:55, Paul Moore wrote:
>> On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs <rgb@redhat.com> wrote:
>>> On 2018-10-19 19:16, Paul Moore wrote:
>>>> On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs <rgb@redhat.com> wrote:
>
...
>
>>>> However, I do care about the "op" field in this record. It just
>>>> doesn't make any sense; the way you are using it it is more of a
>>>> context field than an operations field, and even then why is the
>>>> context important from a logging and/or security perspective? Drop it
>>>> please.
>>>
>>> I'll rename it to whatever you like. I'd suggest "ref=". The reason I
>>> think it is important is there are multiple sources that aren't always
>>> obvious from the other records to which it is associated. In the case
>>> of ptrace and signals, there can be many target tasks listed (OBJ_PID)
>>> with no other way to distinguish the matching audit container identifier
>>> records all for one event. This is in addition to the default syscall
>>> container identifier record. I'm not currently happy with the text
>>> content to link the two, but that should be solvable (most obvious is
>>> taret PID). Throwing away this information seems shortsighted.
>>
>> It would be helpful if you could generate real audit events
>> demonstrating the problems you are describing, as well as a more
>> standard syscall event, so we can discuss some possible solutions.
>
> If the auditted process is in a container and it ptraces or signals
> another process in a container, there will be two AUDIT_CONTAINER
> records for the same event that won't be identified as to which record
> belongs to which process or other record (SYSCALL vs 1+ OBJ_PID
> records). There could be many signals recorded, each with their own
> OBJ_PID record. The first is stored in the audit context and additional
> ones are stored in a chained struct that can accommodate 16 entries each.
>
> (See audit_signal_info(), __audit_ptrace().)
>
> (As a side note, on code inspection it appears that a signal target
> would get overwritten by a ptrace action if they were to happen in that
> order.)
As requested above, please respond with real audit events generated by this patchset so that we can discuss possible solutions.
--
paul moore
www.paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: <containers@lists.linux-foundation.org>,
<linux-api@vger.kernel.org>, <linux-audit@redhat.com>,
<linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<netdev@vger.kernel.org>, <netfilter-devel@vger.kernel.org>,
<ebiederm@xmission.com>, <luto@kernel.org>, <carlos@redhat.com>,
<dhowells@redhat.com>, <viro@zeniv.linux.org.uk>,
<simo@redhat.com>, Eric Paris <eparis@parisplace.org>,
Serge Hallyn <serge@hallyn.com>
Subject: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
Date: Thu, 25 Oct 2018 07:13:07 +0100 [thread overview]
Message-ID: <166a9dae538.280e.85c95baa4474aabc7814e68940a78392@paul-moore.com> (raw)
In-Reply-To: <20181025004255.zl7p7j6gztouh2hh@madcap2.tricolour.ca>
On October 25, 2018 1:43:16 AM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2018-10-24 16:55, Paul Moore wrote:
>> On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs <rgb@redhat.com> wrote:
>>> On 2018-10-19 19:16, Paul Moore wrote:
>>>> On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs <rgb@redhat.com> wrote:
>
...
>
>>>> However, I do care about the "op" field in this record. It just
>>>> doesn't make any sense; the way you are using it it is more of a
>>>> context field than an operations field, and even then why is the
>>>> context important from a logging and/or security perspective? Drop it
>>>> please.
>>>
>>> I'll rename it to whatever you like. I'd suggest "ref=". The reason I
>>> think it is important is there are multiple sources that aren't always
>>> obvious from the other records to which it is associated. In the case
>>> of ptrace and signals, there can be many target tasks listed (OBJ_PID)
>>> with no other way to distinguish the matching audit container identifier
>>> records all for one event. This is in addition to the default syscall
>>> container identifier record. I'm not currently happy with the text
>>> content to link the two, but that should be solvable (most obvious is
>>> taret PID). Throwing away this information seems shortsighted.
>>
>> It would be helpful if you could generate real audit events
>> demonstrating the problems you are describing, as well as a more
>> standard syscall event, so we can discuss some possible solutions.
>
> If the auditted process is in a container and it ptraces or signals
> another process in a container, there will be two AUDIT_CONTAINER
> records for the same event that won't be identified as to which record
> belongs to which process or other record (SYSCALL vs 1+ OBJ_PID
> records). There could be many signals recorded, each with their own
> OBJ_PID record. The first is stored in the audit context and additional
> ones are stored in a chained struct that can accommodate 16 entries each.
>
> (See audit_signal_info(), __audit_ptrace().)
>
> (As a side note, on code inspection it appears that a signal target
> would get overwritten by a ptrace action if they were to happen in that
> order.)
As requested above, please respond with real audit events generated by this patchset so that we can discuss possible solutions.
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org,
linux-audit@redhat.com, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org, ebiederm@xmission.com,
luto@kernel.org, carlos@redhat.com, dhowells@redhat.com,
viro@zeniv.linux.org.uk, simo@redhat.com,
Eric Paris <eparis@parisplace.org>,
Serge Hallyn <serge@hallyn.com>
Subject: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
Date: Thu, 25 Oct 2018 07:13:07 +0100 [thread overview]
Message-ID: <166a9dae538.280e.85c95baa4474aabc7814e68940a78392@paul-moore.com> (raw)
In-Reply-To: <20181025004255.zl7p7j6gztouh2hh@madcap2.tricolour.ca>
On October 25, 2018 1:43:16 AM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2018-10-24 16:55, Paul Moore wrote:
>> On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs <rgb@redhat.com> wrote:
>>> On 2018-10-19 19:16, Paul Moore wrote:
>>>> On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs <rgb@redhat.com> wrote:
>
...
>
>>>> However, I do care about the "op" field in this record. It just
>>>> doesn't make any sense; the way you are using it it is more of a
>>>> context field than an operations field, and even then why is the
>>>> context important from a logging and/or security perspective? Drop it
>>>> please.
>>>
>>> I'll rename it to whatever you like. I'd suggest "ref=". The reason I
>>> think it is important is there are multiple sources that aren't always
>>> obvious from the other records to which it is associated. In the case
>>> of ptrace and signals, there can be many target tasks listed (OBJ_PID)
>>> with no other way to distinguish the matching audit container identifier
>>> records all for one event. This is in addition to the default syscall
>>> container identifier record. I'm not currently happy with the text
>>> content to link the two, but that should be solvable (most obvious is
>>> taret PID). Throwing away this information seems shortsighted.
>>
>> It would be helpful if you could generate real audit events
>> demonstrating the problems you are describing, as well as a more
>> standard syscall event, so we can discuss some possible solutions.
>
> If the auditted process is in a container and it ptraces or signals
> another process in a container, there will be two AUDIT_CONTAINER
> records for the same event that won't be identified as to which record
> belongs to which process or other record (SYSCALL vs 1+ OBJ_PID
> records). There could be many signals recorded, each with their own
> OBJ_PID record. The first is stored in the audit context and additional
> ones are stored in a chained struct that can accommodate 16 entries each.
>
> (See audit_signal_info(), __audit_ptrace().)
>
> (As a side note, on code inspection it appears that a signal target
> would get overwritten by a ptrace action if they were to happen in that
> order.)
As requested above, please respond with real audit events generated by this patchset so that we can discuss possible solutions.
next prev parent reply other threads:[~2018-10-25 6:13 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-31 20:07 [PATCH ghak90 (was ghak32) V4 00/10] audit: implement container identifier Richard Guy Briggs
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 01/10] audit: collect audit task parameters Richard Guy Briggs
2018-10-19 23:15 ` Paul Moore
2018-10-19 23:15 ` Paul Moore
2018-11-01 22:07 ` Richard Guy Briggs
2019-01-03 20:10 ` Paul Moore
2019-01-03 20:29 ` Richard Guy Briggs
2019-01-03 20:29 ` Richard Guy Briggs
2019-01-03 20:33 ` Paul Moore
2019-01-03 20:38 ` Richard Guy Briggs
2019-01-24 20:36 ` Richard Guy Briggs
2019-01-04 2:50 ` Guenter Roeck
2019-01-04 14:57 ` Richard Guy Briggs
2019-01-04 22:04 ` Guenter Roeck
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 02/10] audit: add container id Richard Guy Briggs
2018-07-31 20:07 ` Richard Guy Briggs
2018-08-24 16:01 ` Steve Grubb
2018-10-19 19:38 ` Paul Moore
2018-10-19 19:40 ` Paul Moore
2018-10-19 21:50 ` Richard Guy Briggs
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls Richard Guy Briggs
2018-08-24 16:01 ` Steve Grubb
2018-08-24 16:01 ` Steve Grubb
2018-10-19 23:16 ` Paul Moore
2018-10-24 15:14 ` Richard Guy Briggs
2018-10-24 20:55 ` Paul Moore
2018-10-25 0:42 ` Richard Guy Briggs
2018-10-25 6:06 ` Steve Grubb
2018-10-25 10:49 ` Paul Moore
2018-10-25 12:27 ` Richard Guy Briggs
2018-10-25 12:27 ` Richard Guy Briggs
2018-10-25 15:57 ` Steve Grubb
2018-10-25 17:38 ` Richard Guy Briggs
2018-10-25 20:40 ` Paul Moore
2018-10-25 21:55 ` Steve Grubb
2018-10-26 8:09 ` Casey Schaufler
2018-10-28 7:53 ` Paul Moore
2018-10-25 6:13 ` Paul Moore [this message]
2018-10-25 6:13 ` Paul Moore
2018-10-25 6:13 ` Paul Moore
2018-10-25 12:22 ` Richard Guy Briggs
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 04/10] audit: add containerid support for ptrace and signals Richard Guy Briggs
2018-10-19 23:16 ` Paul Moore
2018-10-26 22:15 ` Richard Guy Briggs
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 05/10] audit: add support for non-syscall auxiliary records Richard Guy Briggs
2018-10-19 23:17 ` Paul Moore
2018-11-01 18:48 ` Richard Guy Briggs
2019-01-03 20:10 ` Paul Moore
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 06/10] audit: add containerid support for tty_audit Richard Guy Briggs
2018-10-19 23:17 ` Paul Moore
2018-10-31 21:17 ` Richard Guy Briggs
2019-01-03 20:11 ` Paul Moore
2019-01-10 22:58 ` Richard Guy Briggs
2019-01-11 1:12 ` Paul Moore
2019-01-11 3:38 ` Richard Guy Briggs
2019-01-11 23:16 ` Paul Moore
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 07/10] audit: add containerid filtering Richard Guy Briggs
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 08/10] audit: add support for containerid to network namespaces Richard Guy Briggs
2018-07-31 20:07 ` Richard Guy Briggs
2018-10-19 23:18 ` Paul Moore
2018-10-19 23:18 ` Paul Moore
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 09/10] audit: NETFILTER_PKT: record each container ID associated with a netNS Richard Guy Briggs
2018-10-19 23:18 ` Paul Moore
2018-10-31 19:30 ` Richard Guy Briggs
2018-12-27 15:33 ` Richard Guy Briggs
2018-12-27 22:54 ` Paul Moore
2018-07-31 20:07 ` [PATCH ghak90 (was ghak32) V4 10/10] debug audit: read container ID of a process Richard Guy Briggs
2019-01-03 16:15 ` [PATCH ghak90 (was ghak32) V4 00/10] audit: implement container identifier Guenter Roeck
2019-01-03 17:36 ` Richard Guy Briggs
2019-01-03 18:58 ` Guenter Roeck
2019-01-03 20:20 ` Richard Guy Briggs
2019-01-03 20:12 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=166a9dae538.280e.85c95baa4474aabc7814e68940a78392@paul-moore.com \
--to=paul@paul-moore.com \
--cc=carlos@redhat.com \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=serge@hallyn.com \
--cc=simo@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.