* [RFC PATCH ghak32 V2 00/13] audit: implement container id
@ 2018-03-16  9:00 Richard Guy Briggs
From: Richard Guy Briggs @ 2018-03-16  9:00 UTC
  To: cgroups, containers, linux-api, Linux-Audit Mailing List,
	linux-fsdevel, LKML, netdev
  Cc: luto, jlayton, carlos, viro, dhowells, simo, eparis, serge,
	ebiederm, madzcar, Richard Guy Briggs

Implement audit kernel container ID.

This patchset is a second RFC based on the proposal document (V3)
posted:
	https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html

The first patch implements the proc fs write to set the audit container
ID of a process, emitting an AUDIT_CONTAINER record to announce the
registration of that container ID on that process.  This patch requires
userspace support for record acceptance and proper type display.

The second checks for children or co-threads and refuses to set the
container ID if either are present.  (This policy could be changed to
set both with the same container ID provided they meet the rest of the
requirements.)

The third implements the auxiliary record AUDIT_CONTAINER_INFO if a
container ID is identifiable with an event.  This patch requires
userspace support for proper type display.

The fourth adds container ID filtering to the exit, exclude and user
lists.  This patch requires auditctl userspace support for the
--containerid option.

The 5th adds signal and ptrace support.

The 6th creates a local audit context to be able to bind a standalone
record with a locally created auxiliary record.

The 7th, 8th, 9th, 10th patches add container ID records to standalone
records.  Some of these may end up being syscall auxiliary records and
won't need this specific support since they'll be supported via
syscalls.

The 11th adds network namespace container ID labelling based on member
tasks' container ID labels.

The 12th adds container ID support to standalone netfilter records that
don't have a task context and lists each container to which that net
namespace belongs.

The 13th implements reading the container ID from the proc filesystem
for debugging.  This patch isn't planned for upstream inclusion.

Feedback please!

Example: Set a container ID of 123456 to the "sleep" task:
	sleep 2 &
	child=$!
	echo 123456 > /proc/$child/containerid; echo $?
	ausearch -ts recent -m container
	echo child:$child contid:$( cat /proc/$child/containerid)
This should produce a record such as:
	type=CONTAINER msg=audit(1521122590.315:222): op=set pid=689 uid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 auid=0 tty=pts0 ses=3 opid=707 old-contid=18446744073709551615 contid=123456 res=1

Example: Set a filter on a container ID 123459 on /tmp/tmpcontainerid:
	containerid=123459
	key=tmpcontainerid
	auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key
	perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
	child=$!
	echo $containerid > /proc/$child/containerid
	sleep 2
	ausearch -i -ts recent -k $key
	auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key
	rm -f /tmp/$key
This should produce an event such as:
	type=CONTAINER_INFO msg=audit(1521122591.614:227): op=task contid=123459
	type=PROCTITLE msg=audit(1521122591.614:227): proctitle=7065726C002D6500736C65657020313B206F70656E286D792024746D7066696C652C20273E272C20222F746D702F746D70636F6E7461696E6572696422293B20636C6F73652824746D7066696C65293B
	type=PATH msg=audit(1521122591.614:227): item=1 name="/tmp/tmpcontainerid" inode=18427 dev=00:26 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
	type=PATH msg=audit(1521122591.614:227): item=0 name="/tmp/" inode=13513 dev=00:26 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
	type=CWD msg=audit(1521122591.614:227): cwd="/root"
	type=SYSCALL msg=audit(1521122591.614:227): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=55db90a28900 a2=241 a3=1b6 items=2 ppid=689 pid=724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"

See:
	https://github.com/linux-audit/audit-kernel/issues/32
	https://github.com/linux-audit/audit-userspace/issues/40
	https://github.com/linux-audit/audit-testsuite/issues/64

Richard Guy Briggs (13):
  audit: add container id
  audit: check children and threading before allowing containerid
  audit: log container info of syscalls
  audit: add containerid filtering
  audit: add containerid support for ptrace and signals
  audit: add support for non-syscall auxiliary records
  audit: add container aux record to watch/tree/mark
  audit: add containerid support for tty_audit
  audit: add containerid support for config/feature/user records
  audit: add containerid support for seccomp and anom_abend records
  audit: add support for containerid to network namespaces
  audit: NETFILTER_PKT: record each container ID associated with a netNS
  debug audit: read container ID of a process

 drivers/tty/tty_audit.c     |   5 +-
 fs/proc/base.c              |  53 ++++++++++++++++
 include/linux/audit.h       |  43 +++++++++++++
 include/linux/init_task.h   |   4 +-
 include/linux/sched.h       |   1 +
 include/net/net_namespace.h |  12 ++++
 include/uapi/linux/audit.h  |   8 ++-
 kernel/audit.c              |  75 ++++++++++++++++++++---
 kernel/audit.h              |   3 +
 kernel/audit_fsnotify.c     |   5 +-
 kernel/audit_tree.c         |   5 +-
 kernel/audit_watch.c        |  33 +++++-----
 kernel/auditfilter.c        |  52 +++++++++++++++-
 kernel/auditsc.c            | 145 ++++++++++++++++++++++++++++++++++++++++++--
 kernel/nsproxy.c            |   6 ++
 net/core/net_namespace.c    |  45 ++++++++++++++
 net/netfilter/xt_AUDIT.c    |  15 ++++-
 17 files changed, 473 insertions(+), 37 deletions(-)

-- 
1.8.3.1
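An added example, not part of the cover letter or the patch series: a small Python parser for the CONTAINER and CONTAINER_INFO records shown above. It groups records by audit serial so that a SYSCALL event can be attributed to the contid carried in its CONTAINER_INFO auxiliary record, which is what a detection pipeline consuming these new record types would need. The sample lines are constructed from the records in the examples above; treating old-contid=18446744073709551615 as "no previous container ID" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the records in the cover letter's examples.
SAMPLE = """\
type=CONTAINER msg=audit(1521122590.315:222): op=set pid=689 uid=0 auid=0 tty=pts0 ses=3 opid=707 old-contid=18446744073709551615 contid=123456 res=1
type=CONTAINER_INFO msg=audit(1521122591.614:227): op=task contid=123459
type=CWD msg=audit(1521122591.614:227): cwd="/root"
type=SYSCALL msg=audit(1521122591.614:227): arch=c000003e syscall=257 success=yes exit=3 pid=724 auid=0 uid=0 comm="perl" exe="/usr/bin/perl" key="tmpcontainerid"
"""

# Assumption: the all-ones u64 seen in old-contid marks a task that was never labelled.
UNSET_CONTID = 2**64 - 1

HDR = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # keys like old-contid contain a hyphen

def parse_record(line):
    """Split one audit line into type, timestamp, serial and its key=value fields."""
    m = HDR.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), **fields}

def group_events(text):
    """Records sharing an audit serial belong to one event; collect them together."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)

def container_registrations(text):
    """(opid, old contid or None, new contid, success) for each CONTAINER op=set."""
    out = []
    for recs in group_events(text).values():
        for r in recs:
            if r["type"] == "CONTAINER" and r.get("op") == "set":
                old = int(r["old-contid"])
                out.append((int(r["opid"]), None if old == UNSET_CONTID else old,
                            int(r["contid"]), r.get("res") == "1"))
    return out

def syscalls_by_container(text):
    """Map contid -> [(comm, syscall number, key)] for events with a CONTAINER_INFO record."""
    out = defaultdict(list)
    for recs in group_events(text).values():
        info = next((r for r in recs if r["type"] == "CONTAINER_INFO"), None)
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if info and sc:
            out[int(info["contid"])].append((sc.get("comm"), int(sc["syscall"]), sc.get("key")))
    return dict(out)
```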


