From: Richard Guy Briggs <rgb@redhat.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
linux-fsdevel@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
Paul Moore <paul@paul-moore.com>,
sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com,
simo@redhat.com, eparis@parisplace.org, serge@hallyn.com,
ebiederm@xmission.com
Subject: Re: [PATCH ghak90 V5 05/10] audit: add containerid support for ptrace and signals
Date: Mon, 18 Mar 2019 15:29:44 -0400 [thread overview]
Message-ID: <20190318192944.snmolq6zcawltrvv@madcap2.tricolour.ca> (raw)
In-Reply-To: <20190318190415.GB4111@hmswarspite.think-freely.org>
On 2019-03-18 15:04, Neil Horman wrote:
> On Fri, Mar 15, 2019 at 02:29:53PM -0400, Richard Guy Briggs wrote:
> > Add audit container identifier support to ptrace and signals. In
> > particular, the "ref" field provides a way to label the auxiliary record
> > to which it is associated.
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > Acked-by: Serge Hallyn <serge@hallyn.com>
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > include/linux/audit.h | 1 +
> > kernel/audit.c | 2 ++
> > kernel/audit.h | 2 ++
> > kernel/auditsc.c | 23 +++++++++++++++++------
> > 4 files changed, 22 insertions(+), 6 deletions(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 43438192ca2a..ebd6625ca80e 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -35,6 +35,7 @@ struct audit_sig_info {
> > uid_t uid;
> > pid_t pid;
> > char ctx[0];
> > + u64 cid;
> > };
> Sorry, just noticed this. How does this work? Given that ctx[] is a variable
> length array, one assumes that the receiver of this message (userspace
> applications by the looks of it, presume that the ctx data occupies the skb from
> the byte following pid to the end of the transmitted buffer. How are they to
> know that the last byte is actually the cid value? Wouldn't it be better to
> move cid above ctx[0], so that the semantics of the variable length data are
> preserved?
>
> Or am I missing something?
Nope you're not missing anything, but I am! That's a bug. Thanks for
spotting that!
> otherwise this looks ok to me.
> Neil
>
> >
> > struct audit_buffer;
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 8cc0e88d7f2a..cfa659b3f6c4 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -138,6 +138,7 @@ struct audit_net {
> > kuid_t audit_sig_uid = INVALID_UID;
> > pid_t audit_sig_pid = -1;
> > u32 audit_sig_sid = 0;
> > +u64 audit_sig_cid = AUDIT_CID_UNSET;
> >
> > /* Records can be lost in several ways:
> > 0) [suppressed in audit_alloc]
> > @@ -1515,6 +1516,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > memcpy(sig_data->ctx, ctx, len);
> > security_release_secctx(ctx, len);
> > }
> > + sig_data->cid = audit_sig_cid;
> > audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
> > sig_data, sizeof(*sig_data) + len);
> > kfree(sig_data);
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index c00e2ee3c6b3..c5ac6436317e 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -148,6 +148,7 @@ struct audit_context {
> > kuid_t target_uid;
> > unsigned int target_sessionid;
> > u32 target_sid;
> > + u64 target_cid;
> > char target_comm[TASK_COMM_LEN];
> >
> > struct audit_tree_refs *trees, *first_trees;
> > @@ -344,6 +345,7 @@ extern void audit_filter_inodes(struct task_struct *tsk,
> > extern pid_t audit_sig_pid;
> > extern kuid_t audit_sig_uid;
> > extern u32 audit_sig_sid;
> > +extern u64 audit_sig_cid;
> >
> > extern int audit_filter(int msgtype, unsigned int listtype);
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index a8c8b44b954d..f04e115df5dc 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -113,6 +113,7 @@ struct audit_aux_data_pids {
> > kuid_t target_uid[AUDIT_AUX_PIDS];
> > unsigned int target_sessionid[AUDIT_AUX_PIDS];
> > u32 target_sid[AUDIT_AUX_PIDS];
> > + u64 target_cid[AUDIT_AUX_PIDS];
> > char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
> > int pid_count;
> > };
> > @@ -1514,7 +1515,7 @@ static void audit_log_exit(void)
> > for (aux = context->aux_pids; aux; aux = aux->next) {
> > struct audit_aux_data_pids *axs = (void *)aux;
> >
> > - for (i = 0; i < axs->pid_count; i++)
> > + for (i = 0; i < axs->pid_count; i++) {
> > if (audit_log_pid_context(context, axs->target_pid[i],
> > axs->target_auid[i],
> > axs->target_uid[i],
> > @@ -1522,14 +1523,20 @@ static void audit_log_exit(void)
> > axs->target_sid[i],
> > axs->target_comm[i]))
> > call_panic = 1;
> > + audit_log_contid(context, axs->target_cid[i]);
> > + }
> > }
> >
> > - if (context->target_pid &&
> > - audit_log_pid_context(context, context->target_pid,
> > - context->target_auid, context->target_uid,
> > - context->target_sessionid,
> > - context->target_sid, context->target_comm))
> > + if (context->target_pid) {
> > + if (audit_log_pid_context(context, context->target_pid,
> > + context->target_auid,
> > + context->target_uid,
> > + context->target_sessionid,
> > + context->target_sid,
> > + context->target_comm))
> > call_panic = 1;
> > + audit_log_contid(context, context->target_cid);
> > + }
> >
> > if (context->pwd.dentry && context->pwd.mnt) {
> > ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
> > @@ -2360,6 +2367,7 @@ void __audit_ptrace(struct task_struct *t)
> > context->target_uid = task_uid(t);
> > context->target_sessionid = audit_get_sessionid(t);
> > security_task_getsecid(t, &context->target_sid);
> > + context->target_cid = audit_get_contid(t);
> > memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
> > }
> >
> > @@ -2387,6 +2395,7 @@ int audit_signal_info(int sig, struct task_struct *t)
> > else
> > audit_sig_uid = uid;
> > security_task_getsecid(current, &audit_sig_sid);
> > + audit_sig_cid = audit_get_contid(current);
> > }
> >
> > if (!audit_signals || audit_dummy_context())
> > @@ -2400,6 +2409,7 @@ int audit_signal_info(int sig, struct task_struct *t)
> > ctx->target_uid = t_uid;
> > ctx->target_sessionid = audit_get_sessionid(t);
> > security_task_getsecid(t, &ctx->target_sid);
> > + ctx->target_cid = audit_get_contid(t);
> > memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
> > return 0;
> > }
> > @@ -2421,6 +2431,7 @@ int audit_signal_info(int sig, struct task_struct *t)
> > axp->target_uid[axp->pid_count] = t_uid;
> > axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
> > security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
> > + axp->target_cid[axp->pid_count] = audit_get_contid(t);
> > memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
> > axp->pid_count++;
> >
> > --
> > 1.8.3.1
> >
> >
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
next prev parent reply other threads:[~2019-03-18 19:30 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-15 18:29 [PATCH ghak90 V5 00/10] audit: implement container identifier Richard Guy Briggs
2019-03-15 18:29 ` [PATCH ghak90 V5 01/10] audit: collect audit task parameters Richard Guy Briggs
2019-03-16 19:57 ` Neil Horman
2019-03-27 20:33 ` Ondrej Mosnacek
2019-03-15 18:29 ` [PATCH ghak90 V5 02/10] audit: add container id Richard Guy Briggs
2019-03-16 20:00 ` Neil Horman
2019-03-27 20:38 ` Ondrej Mosnacek
2019-03-27 20:44 ` Richard Guy Briggs
2019-03-15 18:29 ` [PATCH ghak90 V5 03/10] audit: read container ID of a process Richard Guy Briggs
2019-03-18 11:10 ` Neil Horman
2019-03-18 18:17 ` Richard Guy Briggs
2019-03-18 18:48 ` Neil Horman
2019-03-18 18:54 ` Richard Guy Briggs
2019-03-27 20:44 ` Ondrej Mosnacek
2019-03-15 18:29 ` [PATCH ghak90 V5 04/10] audit: log container info of syscalls Richard Guy Briggs
2019-03-16 22:44 ` Neil Horman
2019-03-27 21:01 ` Ondrej Mosnacek
2019-03-27 22:10 ` Richard Guy Briggs
2019-03-15 18:29 ` [PATCH ghak90 V5 05/10] audit: add containerid support for ptrace and signals Richard Guy Briggs
2019-03-18 19:04 ` Neil Horman
2019-03-18 19:29 ` Richard Guy Briggs [this message]
2019-03-27 21:17 ` Ondrej Mosnacek
2019-03-28 2:04 ` Richard Guy Briggs
2019-03-30 12:55 ` Richard Guy Briggs
2019-03-15 18:29 ` [PATCH ghak90 V5 06/10] audit: add support for non-syscall auxiliary records Richard Guy Briggs
2019-03-18 19:34 ` Neil Horman
2019-03-27 21:22 ` Ondrej Mosnacek
2019-04-01 14:49 ` Paul Moore
2019-04-01 17:44 ` Richard Guy Briggs
2019-04-01 18:57 ` Paul Moore
2019-04-01 20:43 ` Richard Guy Briggs
2019-03-15 18:29 ` [PATCH ghak90 V5 07/10] audit: add containerid support for user records Richard Guy Briggs
2019-03-18 19:41 ` Neil Horman
2019-03-27 21:30 ` Ondrej Mosnacek
2019-03-15 18:29 ` [PATCH ghak90 V5 08/10] audit: add containerid filtering Richard Guy Briggs
2019-03-18 20:02 ` Ondrej Mosnacek
2019-03-18 23:47 ` Richard Guy Briggs
2019-03-27 21:41 ` Ondrej Mosnacek
2019-03-27 22:00 ` Richard Guy Briggs
2019-03-18 20:39 ` Neil Horman
2019-03-15 18:29 ` [PATCH ghak90 V5 09/10] audit: add support for containerid to network namespaces Richard Guy Briggs
2019-03-18 20:56 ` Neil Horman
2019-03-27 22:42 ` Ondrej Mosnacek
2019-03-28 1:12 ` Richard Guy Briggs
2019-03-28 8:01 ` Ondrej Mosnacek
2019-03-28 15:46 ` Paul Moore
2019-03-28 21:40 ` Richard Guy Briggs
2019-03-28 22:00 ` Paul Moore
2019-03-31 2:11 ` Neil Horman
2019-03-29 14:50 ` Neil Horman
2019-03-29 14:49 ` Neil Horman
2019-04-01 14:50 ` Paul Moore
2019-04-01 20:41 ` Richard Guy Briggs
2019-04-02 11:31 ` Neil Horman
2019-04-02 13:31 ` Paul Moore
2019-04-02 14:28 ` Neil Horman
2019-04-04 21:40 ` Richard Guy Briggs
2019-04-05 2:06 ` Paul Moore
2019-04-05 11:32 ` Neil Horman
2019-03-15 18:29 ` [PATCH ghak90 V5 10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS Richard Guy Briggs
2019-03-18 20:58 ` Neil Horman
2019-03-27 22:52 ` Ondrej Mosnacek
2019-04-01 14:50 ` Paul Moore
2019-04-01 17:50 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190318192944.snmolq6zcawltrvv@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).