From: Richard Guy Briggs
To: Linux Containers List, Linux-Audit Mailing List, LKML
Cc: Richard Guy Briggs, Eric Paris, mpatel@redhat.com, Neil Horman
Subject: [PATCH ghau51/ghau40 v10 03/11] auditctl: add support for AUDIT_CONTID filter
Date: Mon, 21 Dec 2020 12:12:43 -0500
Message-Id: <20201221171251.2610890-4-rgb@redhat.com>
In-Reply-To: <20201221171251.2610890-1-rgb@redhat.com>
References: <20201221171251.2610890-1-rgb@redhat.com>

A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to
filter based on audit container identifier. This field is specified
with the "contid" field name on the command line. Since it is a u64
and larger than any other numeric field, send it as a string but do the
appropriate conversions on each end in each direction.

See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs
---
 docs/auditctl.8        |  3 +++
 lib/fieldtab.h         |  1 +
 lib/libaudit.c         | 35 +++++++++++++++++++++++++++++++++++
 lib/libaudit.h         |  7 +++++++
 src/auditctl-listing.c | 21 +++++++++++++++++++++
 5 files changed, 67 insertions(+)
diff --git a/docs/auditctl.8 b/docs/auditctl.8 index 09ed2466c5d4..c6a1a62472fe 100644 --- a/docs/auditctl.8 +++ b/docs/auditctl.8 @@ -223,6 +223,9 @@ Address family number as found in /usr/include/bits/socket.h. For example, IPv4 .B sessionid User's login session ID .TP +.B contid +Process' audit container ID +.TP .B subj_user Program's SE Linux User .TP diff --git a/lib/fieldtab.h b/lib/fieldtab.h index b597cafb2df8..e0a49d0154bb 100644 --- a/lib/fieldtab.h +++ b/lib/fieldtab.h @@ -47,6 +47,7 @@ _S(AUDIT_OBJ_TYPE, "obj_type" ) _S(AUDIT_OBJ_LEV_LOW, "obj_lev_low" ) _S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" ) _S(AUDIT_SESSIONID, "sessionid" ) +_S(AUDIT_CONTID, "contid" ) _S(AUDIT_DEVMAJOR, "devmajor" ) _S(AUDIT_DEVMINOR, "devminor" ) diff --git a/lib/libaudit.c b/lib/libaudit.c index 2c7b16ccf44e..bcef9dc7a2cc 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c 
@@ -1779,6 +1779,41 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, if (rule->values[rule->field_count] >= AF_MAX) return -EAU_FIELDVALTOOBIG; break; + case AUDIT_CONTID: { + unsigned long long val; + + if ((audit_get_features() & + AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) + return -EAU_FIELDNOSUPPORT; + if (flags != AUDIT_FILTER_EXCLUDE && + flags != AUDIT_FILTER_USER && + flags != AUDIT_FILTER_EXIT) + return -EAU_FIELDNOFILTER; + if (isdigit((char)*(v))) + val = strtoull(v, NULL, 0); + else if (strlen(v) >= 2 && *(v) == '-' && + (isdigit((char)*(v+1)))) + val = strtoll(v, NULL, 0); + else if (strcmp(v, "unset") == 0) + val = ULLONG_MAX; + else + return -EAU_FIELDVALNUM; + if (errno) + return -EAU_FIELDVALNUM; + vlen = sizeof(unsigned long long); + rule->values[rule->field_count] = vlen; + offset = rule->buflen; + rule->buflen += vlen; + *rulep = realloc(rule, sizeof(*rule) + rule->buflen); + if (*rulep == NULL) { + free(rule); + audit_msg(LOG_ERR, "Cannot realloc memory!\n"); + return -3; + } + rule = *rulep; + *(unsigned long long *)(&rule->buf[offset]) = val; + break; + } case AUDIT_DEVMAJOR...AUDIT_INODE: case AUDIT_SUCCESS: if (flags != AUDIT_FILTER_EXIT) diff --git a/lib/libaudit.h b/lib/libaudit.h index 3b0b1e8d0d22..a252813d1f72 100644 --- a/lib/libaudit.h +++ b/lib/libaudit.h @@ -363,6 +363,9 @@ extern "C" { #ifndef AUDIT_FEATURE_BITMAP_FILTER_FS #define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 #endif +#ifndef AUDIT_FEATURE_BITMAP_CONTAINERID +#define AUDIT_FEATURE_BITMAP_CONTAINERID 0x00000080 +#endif /* Defines for interfield comparison update */ #ifndef AUDIT_OBJ_UID @@ -389,6 +392,10 @@ extern "C" { #define AUDIT_FSTYPE 26 #endif +#ifndef AUDIT_CONTID +#define AUDIT_CONTID 27 +#endif + #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 #endif diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c index f43e10c1af1f..710327a2c3da 100644 --- a/src/auditctl-listing.c 
+++ b/src/auditctl-listing.c @@ -25,6 +25,7 @@ #include #include #include +#include #include "auditctl-listing.h" #include "private.h" #include "auditctl-llist.h" @@ -460,6 +461,26 @@ static void print_rule(const struct audit_rule_data *r) audit_operator_to_symbol(op), audit_fstype_to_name( r->values[i])); + } else if (field == AUDIT_CONTID) { + unsigned long long val; + + if (r->values[i] == sizeof(unsigned long long)) { + val = *(unsigned long long *)(&r->buf[boffset]); + + if (val != ULLONG_MAX) + printf(" -F %s%s%llu", name, + audit_operator_to_symbol(op), + val); + else + printf(" -F %s%s%s", name, + audit_operator_to_symbol(op), + "unset"); + } else { + printf(" -F %s%s%s", name, + audit_operator_to_symbol(op), + "inval"); + } + boffset += r->values[i]; } else { // The default is signed decimal printf(" -F %s%s%d", name, -- 2.18.4 _______________________________________________ Containers mailing list Containers@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/containers
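Review bot: the new `.B contid` entry in the docs/auditctl.8 hunk documents only the field name, while the libaudit.c hunk also accepts the literal value "unset" and rejects the field with -EAU_FIELDNOFILTER on any list other than exclude, user and exit; the man page should say so, e.g. "Process' audit container ID; a number or the keyword "unset", valid only on the exclude, user and exit lists."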
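Review bot: in the `case AUDIT_CONTID:` block of the lib/libaudit.c hunk, `if (errno)` is evaluated after strtoull()/strtoll() but errno is never cleared beforehand, so a stale errno from an earlier call rejects a valid value with -EAU_FIELDVALNUM and a successful conversion does not reset it; add `errno = 0;` before the conversion. In the same block, `isdigit((char)*(v))` should cast to unsigned char rather than char (isdigit on a negative char value is undefined), the `strtoll` branch means "-1" is stored as ULLONG_MAX and later listed as "unset", indistinguishable from the keyword, so negative values should either be rejected or that equivalence documented, and the store through `*(unsigned long long *)(&rule->buf[offset])` assumes an 8-byte-aligned char buffer; `memcpy(&rule->buf[offset], &val, vlen)` avoids that.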
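Review bot: the `#ifndef` fallbacks in the lib/libaudit.h hunks (`AUDIT_FEATURE_BITMAP_CONTAINERID 0x00000080` and `AUDIT_CONTID 27`) define the numbers locally whenever the installed kernel headers lack them, so a disagreement with the kernel UAPI value would go unnoticed at build time; a comment beside each define naming the kernel series they are taken from (the RFE-Audit-Container-ID wiki linked in the commit message) would let a later reader check them.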
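Review bot: in the print_rule() hunk of src/auditctl-listing.c, `val = *(unsigned long long *)(&r->buf[boffset])` reads 8 bytes through a possibly unaligned pointer into a char buffer; use `memcpy(&val, &r->buf[boffset], sizeof(val))`, which also keeps the listing side symmetric with the value written by libaudit.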
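Added example, not code from the patch or from audit-userspace: a stand-alone C version of the contid parse, pack and list path the commit message describes (number or "unset", stored as 8 bytes in the rule buffer, listed back as a number or "unset"), with errno cleared before conversion, an unsigned char cast for isdigit, a trailing-garbage check, and memcpy instead of a pointer cast into the char buffer; it also shows that "-1" lands on ULLONG_MAX and is listed back as "unset". The names parse_contid, pack_contid and format_contid are my own.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a "contid" value as the patch accepts it: a number (base 0, so
 * decimal, 0x hex or leading-0 octal), a negative number, or the keyword
 * "unset" meaning ULLONG_MAX.  Returns 0 on success, -1 on a bad value. */
int parse_contid(const char *v, unsigned long long *out)
{
    char *end;

    if (strcmp(v, "unset") == 0) {
        *out = ULLONG_MAX;
        return 0;
    }
    errno = 0;                          /* clear so ERANGE below is meaningful */
    if (isdigit((unsigned char)v[0]))
        *out = strtoull(v, &end, 0);
    else if (v[0] == '-' && isdigit((unsigned char)v[1]))
        *out = (unsigned long long)strtoll(v, &end, 0);  /* "-1" becomes ULLONG_MAX */
    else
        return -1;
    if (errno != 0 || *end != '\0')     /* overflow or trailing junk */
        return -1;
    return 0;
}

/* Append the 8-byte value to a rule buffer at off; no alignment assumed. */
size_t pack_contid(unsigned char *buf, size_t off, unsigned long long val)
{
    memcpy(buf + off, &val, sizeof val);
    return off + sizeof val;
}

/* Render the value the way an "auditctl -l" listing would: a number,
 * "unset" for ULLONG_MAX, or "inval" if the stored length is not 8. */
int format_contid(const unsigned char *buf, size_t off, size_t vlen,
                  char *out, size_t outlen)
{
    unsigned long long val;

    if (vlen != sizeof val)
        return snprintf(out, outlen, "inval");
    memcpy(&val, buf + off, sizeof val);
    if (val == ULLONG_MAX)
        return snprintf(out, outlen, "unset");
    return snprintf(out, outlen, "%llu", val);
}
```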