From: Richard Guy Briggs <rgb@redhat.com>
To: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List <linux-audit@redhat.com>, linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, eparis@parisplace.org, serge@hallyn.com, ebiederm@xmission.com, nhorman@tuxdriver.com, Richard Guy Briggs <rgb@redhat.com>
Subject: [PATCH ghak90 V5 04/10] audit: log container info of syscalls
Date: Fri, 15 Mar 2019 14:29:52 -0400
Message-ID: <85fcd0a81adef25cb60b2e479bbb380e76dbf999.1552665316.git.rgb@redhat.com>
In-Reply-To: <cover.1552665316.git.rgb@redhat.com>

Create a new audit record AUDIT_CONTAINER_ID to document the audit container identifier of a process if it is present. Called from audit_log_exit(), syscalls are covered.
A sample raw event: type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid" type=CWD msg=audit(1519924845.499:257): cwd="/root" type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype= PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964 type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458 See: https://github.com/linux-audit/audit-kernel/issues/90 See: https://github.com/linux-audit/audit-userspace/issues/51 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Acked-by: Serge Hallyn <serge@hallyn.com> Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- include/linux/audit.h | 5 +++++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 21 +++++++++++++++++++++ kernel/auditsc.c | 2 ++ 4 files changed, 29 insertions(+) diff --git a/include/linux/audit.h b/include/linux/audit.h index 301337776193..43438192ca2a 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h 
@@ -199,6 +199,8 @@ static inline u64 audit_get_contid(struct task_struct *tsk) return tsk->audit->contid; } +extern void audit_log_contid(struct audit_context *context, u64 contid); + extern u32 audit_enabled; #else /* CONFIG_AUDIT */ static inline int audit_alloc(struct task_struct *task) @@ -265,6 +267,9 @@ static inline u64 audit_get_contid(struct task_struct *tsk) return AUDIT_CID_UNSET; } +static inline void audit_log_contid(struct audit_context *context, u64 contid) +{ } + #define audit_enabled AUDIT_OFF #endif /* CONFIG_AUDIT */ diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index d475cf3b4d7f..a6383e28b2c8 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -115,6 +115,7 @@ #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */ #define AUDIT_FANOTIFY 1331 /* Fanotify access decision */ +#define AUDIT_CONTAINER_ID 1332 /* Container ID */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ diff --git a/kernel/audit.c b/kernel/audit.c index b5c702abeb42..8cc0e88d7f2a 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2127,6 +2127,27 @@ void audit_log_session_info(struct audit_buffer *ab) audit_log_format(ab, "auid=%u ses=%u", auid, sessionid); } +/* + * audit_log_contid - report container info + * @context: task or local context for record + * @contid: container ID to report + */ +void audit_log_contid(struct audit_context *context, u64 contid) +{ + struct audit_buffer *ab; + + if (!audit_contid_valid(contid)) + return; + /* Generate AUDIT_CONTAINER_ID record with container ID */ + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER_ID); + if (!ab) + return; + audit_log_format(ab, "contid=%llu", contid); + audit_log_end(ab); + return; +} +EXPORT_SYMBOL(audit_log_contid); + void audit_log_key(struct audit_buffer *ab, char *key) { audit_log_format(ab, " key="); 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 8090eff7868d..a8c8b44b954d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1548,6 +1548,8 @@ static void audit_log_exit(void) audit_log_proctitle(); + audit_log_contid(context, audit_get_contid(current)); + /* Send end of event record to help user space know we are finished */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); if (ab) -- 1.8.3.1
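Review bot: In the include/uapi/linux/audit.h hunk, the comment on the new `AUDIT_CONTAINER_ID 1332` entry reads only `/* Container ID */`; as this is a user-visible ABI constant that the sample event renders as `type=CONTAINER_ID`, naming the field the record carries (`contid=`) in that comment would make the header self-describing in the same way the neighbouring entries do, e.g. `#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */`.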
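Review bot: In the kernel/audit.c hunk, the bare `return;` immediately before the closing brace of the void `audit_log_contid()` is redundant and can be dropped, and the function comment opens with `/*` rather than `/**`, so it will not be picked up as kernel-doc despite using the `@context:` and `@contid:` parameter tags; either open it with `/**` or drop the tags. The commit message should also say why `EXPORT_SYMBOL(audit_log_contid)` is needed, since the only caller this patch adds is the built-in `audit_log_exit()` in kernel/auditsc.c.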
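Review bot: In the kernel/auditsc.c hunk, `audit_log_contid(context, audit_get_contid(current))` reads the identifier at syscall exit rather than recording it in the context at entry, and because `audit_log_contid()` silently emits nothing for an invalid identifier, a reader of the log cannot distinguish "never set" from "not yet set when the syscall began". If sampling at exit time is the intended semantics, a one-line comment at the call site stating that would help, and the commit message should mention that events for processes without an identifier carry no CONTAINER_ID record at all.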
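The commit message shows the multi-record event a consumer will see: every record of one syscall event shares the `audit(timestamp:serial)` key, and the new CONTAINER_ID record is just one more record under that serial. The following is an added example, not code from the patch or the audit project, of how a log consumer can group raw records by serial and join the `contid=` value to the SYSCALL and PATH records of the same event. The sample input is the event from the commit message, one record per line, with the extraction artefact `nametype= PARENT` restored to `nametype=PARENT`; the record layout is assumed to be exactly as shown there.

```python
import re
from collections import defaultdict

# Sample event copied from the patch's commit message (constructed input for
# this example; one raw record per line, all sharing serial 257).
SAMPLE_EVENT = """\
type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
type=CWD msg=audit(1519924845.499:257): cwd="/root"
type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458
"""

# "type=<TYPE> msg=audit(<secs.msecs>:<serial>): <key=value ...>"
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_record(line):
    """Parse one raw audit record into its type, timestamp, serial and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # not an audit record (or a layout this example does not handle)
    fields = {}
    for key, val in FIELD_RE.findall(m.group('body')):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return {'type': m.group('type'), 'ts': m.group('ts'),
            'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """Group raw records into events keyed by their audit serial number."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec['serial']].append(rec)
    return dict(events)


def summarize_event(records):
    """Join the SYSCALL, PATH, PROCTITLE and CONTAINER_ID records of one event.

    'contid' stays None when the event carries no CONTAINER_ID record, which is
    what the kernel emits for a process whose identifier is not set.
    """
    summary = {'contid': None, 'syscall': None, 'pid': None, 'exe': None,
               'key': None, 'proctitle': None, 'paths': []}
    for rec in records:
        f = rec['fields']
        if rec['type'] == 'SYSCALL':
            summary['syscall'] = int(f['syscall'])
            summary['pid'] = int(f['pid'])
            summary['exe'] = f.get('exe')
            summary['key'] = f.get('key')
        elif rec['type'] == 'CONTAINER_ID':
            summary['contid'] = int(f['contid'])
        elif rec['type'] == 'PATH':
            summary['paths'].append((f.get('nametype'), f.get('name')))
        elif rec['type'] == 'PROCTITLE':
            # proctitle is hex-encoded argv with NUL separators
            raw = bytes.fromhex(f['proctitle'])
            summary['proctitle'] = raw.replace(b'\x00', b' ').decode('utf-8', 'replace')
    return summary


def events_for_container(lines, contid):
    """Return summaries of all events whose CONTAINER_ID record matches contid."""
    out = []
    for serial, records in sorted(group_events(lines).items()):
        s = summarize_event(records)
        if s['contid'] == contid:
            s['serial'] = serial
            out.append(s)
    return out


if __name__ == '__main__':
    for ev in events_for_container(SAMPLE_EVENT.splitlines(), 123458):
        print(ev['serial'], ev['contid'], ev['exe'], ev['proctitle'], ev['paths'])
```

The join is keyed purely on the serial, which is why the kernel emitting the CONTAINER_ID record through the same `audit_log_start(context, ...)` as the SYSCALL record matters: a record logged with a different context would get its own serial and the consumer could no longer attribute the syscall to the container.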