From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx3-rdu2.redhat.com ([66.187.233.73]:43764 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S932436AbeCEDgG (ORCPT ); Sun, 4 Mar 2018 22:36:06 -0500 Date: Sun, 4 Mar 2018 22:31:28 -0500 From: Richard Guy Briggs To: Mimi Zohar Cc: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, mszeredi@redhat.com, ebiederm@xmission.com, simo@redhat.com, jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com, viro@zeniv.linux.org.uk, luto@kernel.org, eparis@parisplace.org, trondmy@primarydata.com, serge@hallyn.com Subject: Re: [RFC PATCH V1 00/12] audit: implement container id Message-ID: <20180305033128.6sqreoo5olqwq5og@madcap2.tricolour.ca> References: <1520200557.10396.257.camel@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1520200557.10396.257.camel@linux.vnet.ibm.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On 2018-03-04 16:55, Mimi Zohar wrote: > On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote: > > Implement audit kernel container ID. > > > > This patchset is a preliminary RFC based on the proposal document (V3) > > posted: > > https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html > > > > The first patch implements the proc fs write to set the audit container > > ID of a process, emitting an AUDIT_CONTAINER record. > > > > The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO > > if a container ID is present on a task. > > > > The third adds filtering to the exit, exclude and user lists. > > > > The 4th, implements reading the container ID from the proc filesystem > > for debugging. This isn't planned for upstream inclusion. > > > > The 5th adds signal and ptrace support. > > > > The 6th attempts to create a local audit context to be able to bind a > > standalone record with the container ID record. > > > > The 7th, 8th, 9th, 10th patches add container ID records to standalone > > records. Some of these may end up being syscall auxiliary records and > > won't need this specific support since they'll be supported via > > syscalls. > > > > The 11th is a temporary workaround due to the AUDIT_CONTAINER records > > not showing up as do AUDIT_LOGIN records. I suspect this is due to its > > range (1000 vs 1300), but the intent is to solve it. > > > > The 12th adds debug information not intended for upstream for those > > brave souls wanting to tinker with it in this early state. > > > > Feedback please! > > Which tree can this patch set be applied to? git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next > Mimi > > > Here's a quick and dirty test script: > > echo 123455 > /proc/$$/containerid; echo $? > > sleep 4& > > child=$!; sleep 1 > > echo 18446744073709551615 > /proc/$child/containerid; echo $? > > echo 123456 > /proc/$child/containerid; echo $? > > echo 123457 > /proc/$child/containerid; echo $? > > sleep 1 > > ausearch -ts recent |grep " contid=18446744073709551615"; echo $? > > ausearch -ts recent |grep " contid=123456"; echo $? > > ausearch -ts recent |grep " contid=123457"; echo $? > > echo self:$$ contid:$( cat /proc/$$/containerid) > > echo child:$child contid:$( cat /proc/$child/containerid) > > > > containerid=123458 > > key=tmpcontainerid > > auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule > > bash -c "sleep 1; echo test > /tmp/$key"& > > child=$! > > echo $containerid > /proc/$child/containerid > > sleep 2 > > rm -f /tmp/$key > > ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record > > auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule > > > > See: > > https://github.com/linux-audit/audit-kernel/issues/32 > > https://github.com/linux-audit/audit-userspace/issues/40 > > https://github.com/linux-audit/audit-testsuite/issues/64 > > > > Richard Guy Briggs (12): > > audit: add container id > > audit: log container info of syscalls > > audit: add containerid filtering > > audit: read container ID of a process > > audit: add containerid support for ptrace and signals > > audit: add support for non-syscall auxiliary records > > audit: add container aux record to watch/tree/mark > > audit: add containerid support for tty_audit > > audit: add containerid support for config/feature/user records > > audit: add containerid support for seccomp and anom_abend records > > debug audit: add container id > > debug! audit: add container id > > > > drivers/tty/tty_audit.c | 5 +- > > fs/proc/base.c | 63 +++++++++++++++++++ > > include/linux/audit.h | 36 +++++++++++ > > include/linux/init_task.h | 4 +- > > include/linux/sched.h | 1 + > > include/uapi/linux/audit.h | 9 ++- > > kernel/audit.c | 74 +++++++++++++++++++--- > > kernel/audit.h | 3 + > > kernel/audit_fsnotify.c | 5 +- > > kernel/audit_tree.c | 5 +- > > kernel/audit_watch.c | 33 +++++----- > > kernel/auditfilter.c | 52 ++++++++++++++- > > kernel/auditsc.c | 154 +++++++++++++++++++++++++++++++++++++++++++-- > > 13 files changed, 408 insertions(+), 36 deletions(-) > > > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635