From: Richard Guy Briggs <rgb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: cgroups@vger.kernel.org, containers@lists.linux-foundation.org,
linux-api@vger.kernel.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
linux-fsdevel@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, ebiederm@xmission.com, luto@kernel.org,
jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com,
viro@zeniv.linux.org.uk, simo@redhat.com,
Eric Paris <eparis@parisplace.org>,
serge@hallyn.com
Subject: Re: [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals
Date: Thu, 19 Apr 2018 21:03:20 -0400 [thread overview]
Message-ID: <20180420010320.panie6mtdafxl65y@madcap2.tricolour.ca> (raw)
In-Reply-To: <CAHC9VhTy4fX1hYfD5tppbP-fRaVRMXOfeJ=Et96J_rc7Jw12Bw@mail.gmail.com>
On 2018-04-18 20:32, Paul Moore wrote:
> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > Add container ID support to ptrace and signals. In particular, the "op"
> > field provides a way to label the auxiliary record to which it is
> > associated.
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > include/linux/audit.h | 16 +++++++++++-----
> > kernel/audit.c | 12 ++++++++----
> > kernel/audit.h | 2 ++
> > kernel/auditsc.c | 19 +++++++++++++++----
> > 4 files changed, 36 insertions(+), 13 deletions(-)
>
> ...
>
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index a12f21f..b238be5 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -142,6 +142,7 @@ struct audit_net {
> > kuid_t audit_sig_uid = INVALID_UID;
> > pid_t audit_sig_pid = -1;
> > u32 audit_sig_sid = 0;
> > +u64 audit_sig_cid = INVALID_CID;
> >
> > /* Records can be lost in several ways:
> > 0) [suppressed in audit_alloc]
> > @@ -1438,6 +1439,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > memcpy(sig_data->ctx, ctx, len);
> > security_release_secctx(ctx, len);
> > }
> > + sig_data->cid = audit_sig_cid;
> > audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
> > sig_data, sizeof(*sig_data) + len);
> > kfree(sig_data);
> > @@ -2051,20 +2053,22 @@ void audit_log_session_info(struct audit_buffer *ab)
> >
> > /*
> > * audit_log_container_info - report container info
> > - * @tsk: task to be recorded
> > * @context: task or local context for record
> > + * @op: containerid string description
> > + * @containerid: container ID to report
> > */
> > -int audit_log_container_info(struct task_struct *tsk, struct audit_context *context)
> > +int audit_log_container_info(struct audit_context *context,
> > + char *op, u64 containerid)
> > {
> > struct audit_buffer *ab;
> >
> > - if (!audit_containerid_set(tsk))
> > + if (!cid_valid(containerid))
> > return 0;
> > /* Generate AUDIT_CONTAINER_INFO with container ID */
> > ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER_INFO);
> > if (!ab)
> > return -ENOMEM;
> > - audit_log_format(ab, "contid=%llu", audit_get_containerid(tsk));
> > + audit_log_format(ab, "op=%s contid=%llu", op, containerid);
> > audit_log_end(ab);
> > return 0;
> > }
>
> Let's get these changes into the first patch where
> audit_log_container_info() is defined. Why? This inserts a new field
> into the record which is a no-no. Yes, it is one single patchset, but
> they are still separate patches and who knows which patches a given
> distribution and/or tree may decide to backport.
Fair enough. That first thought went through my mind... Would it be
sufficient to move that field addition to the first patch and leave the
rest here to support trace and signals?
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 2bba324..2932ef1 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -113,6 +113,7 @@ struct audit_aux_data_pids {
> > kuid_t target_uid[AUDIT_AUX_PIDS];
> > unsigned int target_sessionid[AUDIT_AUX_PIDS];
> > u32 target_sid[AUDIT_AUX_PIDS];
> > + u64 target_cid[AUDIT_AUX_PIDS];
> > char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
> > int pid_count;
> > };
> > @@ -1422,21 +1423,27 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
> > for (aux = context->aux_pids; aux; aux = aux->next) {
> > struct audit_aux_data_pids *axs = (void *)aux;
> >
> > - for (i = 0; i < axs->pid_count; i++)
> > + for (i = 0; i < axs->pid_count; i++) {
> > + char axsn[sizeof("aux0xN ")];
> > +
> > + sprintf(axsn, "aux0x%x", i);
> > if (audit_log_pid_context(context, axs->target_pid[i],
> > axs->target_auid[i],
> > axs->target_uid[i],
> > axs->target_sessionid[i],
> > axs->target_sid[i],
> > - axs->target_comm[i]))
> > + axs->target_comm[i])
> > + && audit_log_container_info(context, axsn, axs->target_cid[i]))
>
> Shouldn't this be an OR instead of an AND?
Yes. Bash-brain...
> > call_panic = 1;
> > + }
> > }
> >
> > if (context->target_pid &&
> > audit_log_pid_context(context, context->target_pid,
> > context->target_auid, context->target_uid,
> > context->target_sessionid,
> > - context->target_sid, context->target_comm))
> > + context->target_sid, context->target_comm)
> > + && audit_log_container_info(context, "target", context->target_cid))
>
> Same question.
Yes.
> > call_panic = 1;
> >
> > if (context->pwd.dentry && context->pwd.mnt) {
>
> --
> paul moore
> www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
next prev parent reply other threads:[~2018-04-20 1:09 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-16 9:00 [RFC PATCH ghak32 V2 00/13] audit: implement container id Richard Guy Briggs
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 01/13] audit: add " Richard Guy Briggs
2018-03-28 18:39 ` Jonathan Corbet
2018-03-29 9:01 ` Richard Guy Briggs
2018-03-29 13:03 ` Jonathan Corbet
2018-03-30 5:06 ` Richard Guy Briggs
2018-04-18 23:47 ` Paul Moore
2018-04-19 0:41 ` Casey Schaufler
2018-04-19 0:46 ` Paul Moore
2018-04-19 1:15 ` Casey Schaufler
2018-04-21 14:34 ` Richard Guy Briggs
2018-04-23 23:15 ` Paul Moore
2018-04-24 2:02 ` Richard Guy Briggs
2018-04-24 19:01 ` Paul Moore
2018-04-25 0:40 ` Richard Guy Briggs
2018-04-26 22:47 ` Paul Moore
2018-05-06 16:51 ` Richard Guy Briggs
2018-05-17 21:00 ` Steve Grubb
2018-05-17 21:56 ` Richard Guy Briggs
2018-05-18 13:56 ` Steve Grubb
2018-05-18 15:21 ` Richard Guy Briggs
2018-05-18 15:38 ` Steve Grubb
2018-06-01 21:04 ` Richard Guy Briggs
2018-06-04 16:09 ` Steve Grubb
2018-06-04 20:23 ` Richard Guy Briggs
2018-06-04 20:30 ` Richard Guy Briggs
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 02/13] audit: check children and threading before allowing containerid Richard Guy Briggs
2018-04-19 0:11 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls Richard Guy Briggs
2018-05-17 21:09 ` Steve Grubb
2018-05-17 21:41 ` Richard Guy Briggs
2018-05-21 19:19 ` Steve Grubb
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 04/13] audit: add containerid filtering Richard Guy Briggs
2018-04-19 0:24 ` Paul Moore
2018-04-19 12:17 ` Richard Guy Briggs
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals Richard Guy Briggs
2018-04-19 0:32 ` Paul Moore
2018-04-20 1:03 ` Richard Guy Briggs [this message]
2018-04-20 16:13 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records Richard Guy Briggs
2018-04-19 0:39 ` Paul Moore
2018-04-20 1:23 ` Richard Guy Briggs
2018-04-20 16:21 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark Richard Guy Briggs
2018-04-19 0:42 ` Paul Moore
2018-04-19 12:24 ` Richard Guy Briggs
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 08/13] audit: add containerid support for tty_audit Richard Guy Briggs
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records Richard Guy Briggs
2018-04-19 1:27 ` Paul Moore
2018-04-19 12:31 ` Richard Guy Briggs
2018-04-19 12:59 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records Richard Guy Briggs
2018-04-19 1:31 ` Paul Moore
2018-04-20 0:42 ` Richard Guy Briggs
2018-04-20 16:11 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces Richard Guy Briggs
2018-04-19 1:46 ` Paul Moore
2018-04-20 20:02 ` Richard Guy Briggs
2018-04-20 20:22 ` Paul Moore
2018-04-20 20:42 ` Richard Guy Briggs
2018-04-21 12:10 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS Richard Guy Briggs
2018-04-19 2:10 ` Paul Moore
2018-04-19 12:45 ` Richard Guy Briggs
2018-04-19 13:13 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process Richard Guy Briggs
2018-05-21 19:16 ` Steve Grubb
2018-05-21 19:19 ` Eric W. Biederman
2018-05-21 20:06 ` Paul Moore
2018-05-22 17:35 ` Richard Guy Briggs
2018-05-22 18:59 ` Paul Moore
2018-05-30 13:20 ` [RFC PATCH ghak32 V2 00/13] audit: implement container id Steve Grubb
2018-05-30 17:33 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180420010320.panie6mtdafxl65y@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=carlos@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jlayton@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=simo@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).