From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-lj1-f196.google.com ([209.85.208.196]:34065 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388765AbeGXVpH (ORCPT ); Tue, 24 Jul 2018 17:45:07 -0400 Received: by mail-lj1-f196.google.com with SMTP id f8-v6so4760163ljk.1 for ; Tue, 24 Jul 2018 13:36:54 -0700 (PDT) MIME-Version: 1.0 References: <28ab8ad3c4e5de6f61b928eeb2af030b04a8820b.1528304204.git.rgb@redhat.com> <20180724140721.yyi5e7y3czxsjwug@madcap2.tricolour.ca> In-Reply-To: <20180724140721.yyi5e7y3czxsjwug@madcap2.tricolour.ca> From: Paul Moore Date: Tue, 24 Jul 2018 16:36:42 -0400 Message-ID: Subject: Re: [RFC PATCH ghak90 (was ghak32) V3 05/10] audit: add containerid support for tty_audit To: rgb@redhat.com Cc: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, linux-audit@redhat.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, ebiederm@xmission.com, luto@kernel.org, jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com, viro@zeniv.linux.org.uk, simo@redhat.com, Eric Paris , serge@hallyn.com Content-Type: text/plain; charset="UTF-8" Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Tue, Jul 24, 2018 at 10:10 AM Richard Guy Briggs wrote: > On 2018-07-20 18:14, Paul Moore wrote: > > On Wed, Jun 6, 2018 at 1:04 PM Richard Guy Briggs wrote: > > > Add audit container identifier auxiliary record to tty logging rule > > > event standalone records. > > > > > > Signed-off-by: Richard Guy Briggs > > > --- > > > drivers/tty/tty_audit.c | 5 ++++- > > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c > > > index e30aa6b..66bd850 100644 > > > --- a/drivers/tty/tty_audit.c > > > +++ b/drivers/tty/tty_audit.c > > > @@ -66,8 +66,9 @@ static void tty_audit_log(const char *description, dev_t dev, > > > uid_t uid = from_kuid(&init_user_ns, task_uid(tsk)); > > > uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(tsk)); > > > unsigned int sessionid = audit_get_sessionid(tsk); > > > + struct audit_context *context = audit_alloc_local(); > > > > We should be using current's audit_context in tty_audit_log(). > > Actually, we should probably just get rid of the tsk variable in > > tty_audit_log() and use current directly to make things a bit more > > obvious. > > Ok, agreed. At this point, it it current passed in anyways so no harm > other than efficiency. > > > > > > > I did some digging and I have a two year old, half-baked patch that > > cleans up this tsk/current usage as well as a few others. I just > > rebased it against audit/next and surprisingly it seems to pass a > > basic smoke test (kernel boots and audit-testsuite passes); I'll post > > it to the list as a RFC once I'm done reviewing these patches. > > I'll leave this patch the way it is since there should be no difference > and trust this other patch will work its way through the system and > solve that. Yep, that's a merge issue I'll deal with when we get to that point. Although, I would expect that when you post an updated patchset that it applies cleanly to the then-current audit/next tree (or Linus' tree, but audit/next is preferable). In other words, please rebase your development branch before doing your final dev testing and posting. > > > - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY); > > > + ab = audit_log_start(context, GFP_KERNEL, AUDIT_TTY); > > > if (ab) { > > > char name[sizeof(tsk->comm)]; > > > > > > @@ -80,6 +81,8 @@ static void tty_audit_log(const char *description, dev_t dev, > > > audit_log_n_hex(ab, data, size); > > > audit_log_end(ab); > > > } > > > + audit_log_contid(context, "tty", audit_get_contid(tsk)); > > > + audit_free_context(context); > > > } > > > > -- > > paul moore > > www.paul-moore.com > > - RGB > > -- > Richard Guy Briggs > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635 -- paul moore www.paul-moore.com