From: Richard Guy Briggs
To: Linux Containers List , Linux-Audit Mailing List , LKML
Subject: [PATCH ghau51/ghau40 v10 03/11] auditctl: add support for AUDIT_CONTID filter
Date: Mon, 21 Dec 2020 12:12:43 -0500
Message-Id: <20201221171251.2610890-4-rgb@redhat.com>
In-Reply-To: <20201221171251.2610890-1-rgb@redhat.com>
References: <20201221171251.2610890-1-rgb@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Cc: Richard Guy Briggs , Eric Paris , mpatel@redhat.com, Neil Horman
X-BeenThere: containers@lists.linux-foundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Linux Containers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: containers-bounces@lists.linux-foundation.org
Sender: "Containers"

A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction.

See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs
---
 docs/auditctl.8        |  3 +++
 lib/fieldtab.h         |  1 +
 lib/libaudit.c         | 35 +++++++++++++++++++++++++++++++++++
 lib/libaudit.h         |  7 +++++++
 src/auditctl-listing.c | 21 +++++++++++++++++++++
 5 files changed, 67 insertions(+)
diff --git a/docs/auditctl.8 b/docs/auditctl.8 index 09ed2466c5d4..c6a1a62472fe 100644 --- a/docs/auditctl.8 +++ b/docs/auditctl.8 @@ -223,6 +223,9 @@ Address family number as found in /usr/include/bits/socket.h. For example, IPv4 .B sessionid User's login session ID .TP +.B contid +Process' audit container ID +.TP .B subj_user Program's SE Linux User .TP diff --git a/lib/fieldtab.h b/lib/fieldtab.h index b597cafb2df8..e0a49d0154bb 100644 --- a/lib/fieldtab.h +++ b/lib/fieldtab.h @@ -47,6 +47,7 @@ _S(AUDIT_OBJ_TYPE, "obj_type" ) _S(AUDIT_OBJ_LEV_LOW, "obj_lev_low" ) _S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" ) _S(AUDIT_SESSIONID, "sessionid" ) +_S(AUDIT_CONTID, "contid" ) _S(AUDIT_DEVMAJOR, "devmajor" ) _S(AUDIT_DEVMINOR, "devminor" ) diff --git a/lib/libaudit.c b/lib/libaudit.c index 2c7b16ccf44e..bcef9dc7a2cc 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c 
@@ -1779,6 +1779,41 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, if (rule->values[rule->field_count] >= AF_MAX) return -EAU_FIELDVALTOOBIG; break; + case AUDIT_CONTID: { + unsigned long long val; + + if ((audit_get_features() & + AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) + return -EAU_FIELDNOSUPPORT; + if (flags != AUDIT_FILTER_EXCLUDE && + flags != AUDIT_FILTER_USER && + flags != AUDIT_FILTER_EXIT) + return -EAU_FIELDNOFILTER; + if (isdigit((char)*(v))) + val = strtoull(v, NULL, 0); + else if (strlen(v) >= 2 && *(v) == '-' && + (isdigit((char)*(v+1)))) + val = strtoll(v, NULL, 0); + else if (strcmp(v, "unset") == 0) + val = ULLONG_MAX; + else + return -EAU_FIELDVALNUM; + if (errno) + return -EAU_FIELDVALNUM; + vlen = sizeof(unsigned long long); + rule->values[rule->field_count] = vlen; + offset = rule->buflen; + rule->buflen += vlen; + *rulep = realloc(rule, sizeof(*rule) + rule->buflen); + if (*rulep == NULL) { + free(rule); + audit_msg(LOG_ERR, "Cannot realloc memory!\n"); + return -3; + } + rule = *rulep; + *(unsigned long long *)(&rule->buf[offset]) = val; + break; + } case AUDIT_DEVMAJOR...AUDIT_INODE: case AUDIT_SUCCESS: if (flags != AUDIT_FILTER_EXIT) diff --git a/lib/libaudit.h b/lib/libaudit.h index 3b0b1e8d0d22..a252813d1f72 100644 --- a/lib/libaudit.h +++ b/lib/libaudit.h @@ -363,6 +363,9 @@ extern "C" { #ifndef AUDIT_FEATURE_BITMAP_FILTER_FS #define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 #endif +#ifndef AUDIT_FEATURE_BITMAP_CONTAINERID +#define AUDIT_FEATURE_BITMAP_CONTAINERID 0x00000080 +#endif /* Defines for interfield comparison update */ #ifndef AUDIT_OBJ_UID @@ -389,6 +392,10 @@ extern "C" { #define AUDIT_FSTYPE 26 #endif +#ifndef AUDIT_CONTID +#define AUDIT_CONTID 27 +#endif + #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 #endif diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c index f43e10c1af1f..710327a2c3da 100644 --- a/src/auditctl-listing.c 
+++ b/src/auditctl-listing.c @@ -25,6 +25,7 @@ #include #include #include +#include #include "auditctl-listing.h" #include "private.h" #include "auditctl-llist.h" 
@@ -460,6 +461,26 @@ static void print_rule(const struct audit_rule_data *r) audit_operator_to_symbol(op), audit_fstype_to_name( r->values[i])); + } else if (field == AUDIT_CONTID) { + unsigned long long val; + + if (r->values[i] == sizeof(unsigned long long)) { + val = *(unsigned long long *)(&r->buf[boffset]); + + if (val != ULLONG_MAX) + printf(" -F %s%s%llu", name, + audit_operator_to_symbol(op), + val); + else + printf(" -F %s%s%s", name, + audit_operator_to_symbol(op), + "unset"); + } else { + printf(" -F %s%s%s", name, + audit_operator_to_symbol(op), + "inval"); + } + boffset += r->values[i]; } else { // The default is signed decimal printf(" -F %s%s%d", name, -- 2.18.4 _______________________________________________ Containers mailing list Containers@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/containers
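Review bot: the docs/auditctl.8 hunk documents "contid" only as "Process' audit container ID" and leaves out two things the lib/libaudit.c hunk enforces: the literal value "unset" is accepted (stored as ULLONG_MAX and listed back as "unset" by auditctl -l), and the field is rejected with -EAU_FIELDNOFILTER on any list other than exit, user and exclude. Suggest extending the entry, for example "Process' audit container ID. The value unset matches tasks that have no container ID assigned. Only valid on the exit, user and exclude filters."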
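Review bot: in the lib/libaudit.c hunk (case AUDIT_CONTID in audit_rule_fieldpair_data), "if (errno) return -EAU_FIELDVALNUM;" tests errno without clearing it first, so a stale errno left by an earlier call rejects a perfectly valid value, and the "unset" branch, which never touches errno, is rejected by the same stale state; set errno = 0 immediately before the strtoull/strtoll calls. Both conversions pass NULL as endptr, so trailing garbage such as "123abc" is silently accepted as 123; pass an end pointer and require *end == '\0'. The negative branch assigns a strtoll result to an unsigned long long, so "-1" wraps to ULLONG_MAX and becomes indistinguishable from "unset", and auditctl -l will print it back as "unset"; since the commit message defines the identifier as a u64, the simplest fix is to drop the '-' branch and return -EAU_FIELDVALNUM for a leading minus. Finally, "*(unsigned long long *)(&rule->buf[offset]) = val;" is an 8-byte store at a byte-aligned offset into a char buffer, which is undefined on strict-alignment targets; use memcpy(&rule->buf[offset], &val, vlen). Minor: isdigit((char)*(v)) should cast to unsigned char, not char, to avoid negative arguments on bytes above 0x7f.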
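Review bot: the lib/libaudit.h hunk hard-codes fallback values, 0x00000080 for AUDIT_FEATURE_BITMAP_CONTAINERID and 27 for AUDIT_CONTID, that only take effect when the kernel uapi header does not define them; if the kernel side of this series lands with different numbers, a userspace built against older headers will silently send the wrong feature bit or field type and the kernel will either reject the rule or match on the wrong field. Suggest a comment beside each #define naming the kernel series and header it mirrors so the fallback can be checked when that series is merged.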
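Review bot: in the src/auditctl-listing.c print_rule hunk, "val = *(unsigned long long *)(&r->buf[boffset]);" has the same unaligned-access problem as the store in lib/libaudit.c, since boffset is a running byte offset into buf; use memcpy(&val, &r->buf[boffset], sizeof(val)). The added #include in the earlier hunk of this file has lost its header name in this rendering; if it is <limits.h> for ULLONG_MAX, note that lib/libaudit.c also uses ULLONG_MAX and gets no new include in this patch, so confirm it already pulls that header in. The "inval" branch prints a rule line that auditctl itself would not accept on input; that is reasonable for a listing, but it may be worth a short comment saying the length mismatch indicates a kernel/userspace disagreement about the field size.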