From: Richard Guy Briggs <rgb@redhat.com> To: Neil Horman <nhorman@tuxdriver.com> Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List <linux-audit@redhat.com>, linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, Paul Moore <paul@paul-moore.com>, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, eparis@parisplace.org, serge@hallyn.com, ebiederm@xmission.com Subject: Re: [PATCH ghak90 V5 05/10] audit: add containerid support for ptrace and signals Date: Mon, 18 Mar 2019 15:29:44 -0400 [thread overview] Message-ID: <20190318192944.snmolq6zcawltrvv@madcap2.tricolour.ca> (raw) In-Reply-To: <20190318190415.GB4111@hmswarspite.think-freely.org> On 2019-03-18 15:04, Neil Horman wrote: > On Fri, Mar 15, 2019 at 02:29:53PM -0400, Richard Guy Briggs wrote: > > Add audit container identifier support to ptrace and signals. In > > particular, the "ref" field provides a way to label the auxiliary record > > to which it is associated. > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > Acked-by: Serge Hallyn <serge@hallyn.com> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > --- > > include/linux/audit.h | 1 + > > kernel/audit.c | 2 ++ > > kernel/audit.h | 2 ++ > > kernel/auditsc.c | 23 +++++++++++++++++------ > > 4 files changed, 22 insertions(+), 6 deletions(-) > > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 43438192ca2a..ebd6625ca80e 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h 
> > @@ -35,6 +35,7 @@ struct audit_sig_info { > > uid_t uid; > > pid_t pid; > > char ctx[0]; > > + u64 cid; > > }; > Sorry, just noticed this. How does this work? Given that ctx[] is a variable > length array, one assumes that the receiver of this message (userspace > applications by the looks of it, presume that the ctx data occupies the skb from > the byte following pid to the end of the transmitted buffer. How are they to > know that the last byte is actually the cid value? Wouldn't it be better to > move cid above ctx[0], so that the semantics of the variable length data are > preserved? > > Or am I missing something? Nope you're not missing anything, but I am! That's a bug. Thanks for spotting that! > otherwise this looks ok to me. > Neil > > > > > struct audit_buffer; > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 8cc0e88d7f2a..cfa659b3f6c4 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -138,6 +138,7 @@ struct audit_net { > > kuid_t audit_sig_uid = INVALID_UID; > > pid_t audit_sig_pid = -1; > > u32 audit_sig_sid = 0; > > +u64 audit_sig_cid = AUDIT_CID_UNSET; > > > > /* Records can be lost in several ways: > > 0) [suppressed in audit_alloc] > > @@ -1515,6 +1516,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > > memcpy(sig_data->ctx, ctx, len); > > security_release_secctx(ctx, len); > > } > > + sig_data->cid = audit_sig_cid; > > audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, > > sig_data, sizeof(*sig_data) + len); > > kfree(sig_data); > > diff --git a/kernel/audit.h b/kernel/audit.h > > index c00e2ee3c6b3..c5ac6436317e 100644 > > --- a/kernel/audit.h > > +++ b/kernel/audit.h > > @@ -148,6 +148,7 @@ struct audit_context { > > kuid_t target_uid; > > unsigned int target_sessionid; > > u32 target_sid; > > + u64 target_cid; > > char target_comm[TASK_COMM_LEN]; > > > > struct audit_tree_refs *trees, *first_trees; 
> > @@ -344,6 +345,7 @@ extern void audit_filter_inodes(struct task_struct *tsk, > > extern pid_t audit_sig_pid; > > extern kuid_t audit_sig_uid; > > extern u32 audit_sig_sid; > > +extern u64 audit_sig_cid; > > > > extern int audit_filter(int msgtype, unsigned int listtype); > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index a8c8b44b954d..f04e115df5dc 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -113,6 +113,7 @@ struct audit_aux_data_pids { > > kuid_t target_uid[AUDIT_AUX_PIDS]; > > unsigned int target_sessionid[AUDIT_AUX_PIDS]; > > u32 target_sid[AUDIT_AUX_PIDS]; > > + u64 target_cid[AUDIT_AUX_PIDS]; > > char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; > > int pid_count; > > }; > > @@ -1514,7 +1515,7 @@ static void audit_log_exit(void) > > for (aux = context->aux_pids; aux; aux = aux->next) { > > struct audit_aux_data_pids *axs = (void *)aux; > > > > - for (i = 0; i < axs->pid_count; i++) > > + for (i = 0; i < axs->pid_count; i++) { > > if (audit_log_pid_context(context, axs->target_pid[i], > > axs->target_auid[i], > > axs->target_uid[i], > > @@ -1522,14 +1523,20 @@ static void audit_log_exit(void) > > axs->target_sid[i], > > axs->target_comm[i])) > > call_panic = 1; > > + audit_log_contid(context, axs->target_cid[i]); > > + } > > } > > > > - if (context->target_pid && > > - audit_log_pid_context(context, context->target_pid, > > - context->target_auid, context->target_uid, > > - context->target_sessionid, > > - context->target_sid, context->target_comm)) > > + if (context->target_pid) { > > + if (audit_log_pid_context(context, context->target_pid, > > + context->target_auid, > > + context->target_uid, > > + context->target_sessionid, > > + context->target_sid, > > + context->target_comm)) > > call_panic = 1; > > + audit_log_contid(context, context->target_cid); > > + } > > > > if (context->pwd.dentry && context->pwd.mnt) { > > ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 
> > @@ -2360,6 +2367,7 @@ void __audit_ptrace(struct task_struct *t) > > context->target_uid = task_uid(t); > > context->target_sessionid = audit_get_sessionid(t); > > security_task_getsecid(t, &context->target_sid); > > + context->target_cid = audit_get_contid(t); > > memcpy(context->target_comm, t->comm, TASK_COMM_LEN); > > } > > > > @@ -2387,6 +2395,7 @@ int audit_signal_info(int sig, struct task_struct *t) > > else > > audit_sig_uid = uid; > > security_task_getsecid(current, &audit_sig_sid); > > + audit_sig_cid = audit_get_contid(current); > > } > > > > if (!audit_signals || audit_dummy_context()) > > @@ -2400,6 +2409,7 @@ int audit_signal_info(int sig, struct task_struct *t) > > ctx->target_uid = t_uid; > > ctx->target_sessionid = audit_get_sessionid(t); > > security_task_getsecid(t, &ctx->target_sid); > > + ctx->target_cid = audit_get_contid(t); > > memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); > > return 0; > > } > > @@ -2421,6 +2431,7 @@ int audit_signal_info(int sig, struct task_struct *t) > > axp->target_uid[axp->pid_count] = t_uid; > > axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); > > security_task_getsecid(t, &axp->target_sid[axp->pid_count]); > > + axp->target_cid[axp->pid_count] = audit_get_contid(t); > > memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); > > axp->pid_count++; > > > > -- > > 1.8.3.1 > > > > - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
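Review bot: in the include/linux/audit.h hunk, `u64 cid` is added after the zero-length `char ctx[0]` member of struct audit_sig_info, which breaks the layout this struct depends on: ctx[0] must stay the last member so the variable-length security context occupies everything from that offset to the end of the buffer sent as `sizeof(*sig_data) + len` (see the kernel/audit.c hunk). Because ctx[0] takes no storage, cid now starts at the same offset as the copied context, so the kernel's own `memcpy(sig_data->ctx, ctx, len)` and the later `sig_data->cid = audit_sig_cid` overlap, and userspace has no way to find cid at all. Move cid above ctx[0], directly after pid. Since this struct is the payload of the AUDIT_SIGNAL_INFO reply, inserting a field also shifts the offset of ctx and grows the reply, so existing consumers that parse ctx from the byte after pid to the end of the message will misread the new field; the userspace side needs a matching change and the cover letter should call out the ABI change.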
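Review bot: in the kernel/audit.c audit_receive_msg hunk, `sig_data->cid = audit_sig_cid;` is executed after `memcpy(sig_data->ctx, ctx, len)`; with the member order in this series the store overwrites the first eight bytes of the context that was just copied, corrupting the secctx string in the reply, and the reply length `sizeof(*sig_data) + len` then carries the cid bytes in the middle of the buffer rather than at its end. Once cid is moved before ctx[0] the overlap disappears, but it would still be clearer to set cid together with the other fixed fields (pid, uid) before the context is copied, so that the variable-length tail is the last thing written.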
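Review bot: in the kernel/auditsc.c audit_log_exit hunk, `audit_log_contid(context, axs->target_cid[i]);` and `audit_log_contid(context, context->target_cid);` are called unconditionally after `audit_log_pid_context()`, including when that call failed and `call_panic` was set; consider emitting the contid only when the pid record was logged successfully. The commit message says a "ref" field labels the auxiliary record the container id belongs to, but nothing in this hunk adds such a field: inside the `for (i = 0; i < axs->pid_count; i++)` loop each target produces a pid record followed by a contid record with no explicit link between them, so a consumer must rely on record ordering to pair them. Either the association mechanism should be visible here or the commit message should describe how the pairing is done. It is also not visible whether audit_log_contid() skips AUDIT_CID_UNSET, which matters for targets that carry no container id.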