* [PATCH] capabilities: audit capability use
@ 2016-07-11 11:14 Topi Miettinen
2016-07-11 15:25 ` Serge E. Hallyn
` (3 more replies)
0 siblings, 4 replies; 15+ messages in thread
From: Topi Miettinen @ 2016-07-11 11:14 UTC (permalink / raw)
To: linux-kernel
Cc: ebiederm, mladek, luto, serge, keescook, Topi Miettinen,
Paul Moore, Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
Serge Hallyn, moderated list:AUDIT SUBSYSTEM,
open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
There are many basic ways to control processes, including capabilities,
cgroups and resource limits. However, there are far fewer ways to find
out useful values for the limits, except blind trial and error.
Currently, there is no way to know which capabilities are actually used.
Even the source code is only implicit, in-depth knowledge of each
capability must be used when analyzing a program to judge which
capabilities the program will exercise.
Generate an audit message at system call exit, when capabilities are used.
This can then be used to configure capability sets for services by a
software developer, maintainer or system administrator.
Test case demonstrating basic capability monitoring with the new
message types 1330 and 1331 and how the cgroups are displayed (boot to
rdshell):
BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
Enter 'help' for a list of built-in commands.
(initramfs) cd /sys/fs
(initramfs) mount -t cgroup2 cgroup cgroup
[ 12.343152] audit_printk_skb: 5886 callbacks suppressed
[ 12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 a0=7fffe1e9ae2d a1=7fffe1e9ae34 a2=7fffe1e9ae25 a3=8000 items=0 ppid=469 pid=470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
[ 12.414853] audit: type=1327 audit(1468234317.100:518): proctitle=6D6F756E74002D74006367726F757032006367726F7570006367726F7570
[ 12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000
[ 12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;
(initramfs) cd cgroup
(initramfs) mkdir test; cd test
[ 17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 a0=7ffddfd75e29 a1=1ff a2=0 a3=1e2 items=0 ppid=469 pid=471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
[ 17.392686] audit: type=1327 audit(1468234322.092:519): proctitle=6D6B6469720074657374
[ 17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002
[ 17.425404] audit: type=1331 audit(1468234322.092:519): cgroups=:/;
(initramfs) echo $$ >cgroup.procs
(initramfs) mknod /dev/z_$$ c 1 2
[ 28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe16324e11 a1=21b6 a2=102 a3=5c9 items=0 ppid=469 pid=472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mknod" exe="/bin/mknod" key=(null)
[ 28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
[ 28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
[ 28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
(initramfs) chown 1234 /dev/z_*
[ 34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd0b563e17 a1=4d2 a2=0 a3=60a items=0 ppid=469 pid=473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="chown" exe="/bin/chown" key=(null)
[ 34.828569] audit: type=1327 audit(1468234339.532:521): proctitle=63686F776E0031323334002F6465762F7A5F343639
[ 34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001
[ 34.864404] audit: type=1331 audit(1468234339.532:521): cgroups=:/test;
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
include/linux/audit.h | 4 +++
include/linux/cgroup.h | 2 ++
include/uapi/linux/audit.h | 2 ++
kernel/audit.c | 7 +++---
kernel/audit.h | 1 +
kernel/auditsc.c | 28 ++++++++++++++++++++-
kernel/capability.c | 5 ++--
kernel/cgroup.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++
8 files changed, 105 insertions(+), 6 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index e38e3fc..971cb2e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
__audit_mmap_fd(fd, flags);
}
+extern void audit_log_cap_use(int cap);
+
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
{ }
static inline void audit_ptrace(struct task_struct *t)
{ }
+static inline void audit_log_cap_use(int cap)
+{ }
#define audit_n_rules 0
#define audit_signals 0
#endif /* CONFIG_AUDITSYSCALL */
diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index a20320c..b5dc8aa 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *tsk);
+struct audit_buffer;
+void audit_cgroup_list(struct audit_buffer *ab);
void cgroup_fork(struct task_struct *p);
extern int cgroup_can_fork(struct task_struct *p);
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..c1ae016 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,8 @@
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
+#define AUDIT_CAPABILITY 1330 /* Record showing capability use */
+#define AUDIT_CGROUP 1331 /* Record showing cgroups */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index 8d528f9..98dd920 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -54,6 +54,7 @@
#include <linux/kthread.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
+#include <linux/cgroup.h>
#include <linux/audit.h>
@@ -1682,7 +1683,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
{
int i;
- audit_log_format(ab, " %s=", prefix);
+ audit_log_format(ab, "%s=", prefix);
CAP_FOR_EACH_U32(i) {
audit_log_format(ab, "%08x",
cap->cap[CAP_LAST_U32 - i]);
@@ -1696,11 +1697,11 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
int log = 0;
if (!cap_isclear(*perm)) {
- audit_log_cap(ab, "cap_fp", perm);
+ audit_log_cap(ab, " cap_fp", perm);
log = 1;
}
if (!cap_isclear(*inh)) {
- audit_log_cap(ab, "cap_fi", inh);
+ audit_log_cap(ab, " cap_fi", inh);
log = 1;
}
diff --git a/kernel/audit.h b/kernel/audit.h
index a492f4c..680e8b5 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -202,6 +202,7 @@ struct audit_context {
};
int fds[2];
struct audit_proctitle proctitle;
+ kernel_cap_t cap_used;
};
extern u32 audit_ever_enabled;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2672d10..32c3813 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -197,7 +197,6 @@ static int audit_match_filetype(struct audit_context *ctx, int val)
* References in it _are_ dropped - at the same time we free/drop aux stuff.
*/
-#ifdef CONFIG_AUDIT_TREE
static void audit_set_auditable(struct audit_context *ctx)
{
if (!ctx->prio) {
@@ -206,6 +205,7 @@ static void audit_set_auditable(struct audit_context *ctx)
}
}
+#ifdef CONFIG_AUDIT_TREE
static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
{
struct audit_tree_refs *p = ctx->trees;
@@ -1439,6 +1439,18 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
audit_log_proctitle(tsk, context);
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
+ if (ab) {
+ audit_log_cap(ab, "cap_used", &context->cap_used);
+ audit_log_end(ab);
+ }
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_CGROUP);
+ if (ab) {
+ audit_log_format(ab, "cgroups=");
+ audit_cgroup_list(ab);
+ audit_log_end(ab);
+ }
+
/* Send end of event record to help user space know we are finished */
ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
if (ab)
@@ -2428,3 +2440,17 @@ struct list_head *audit_killed_trees(void)
return NULL;
return &ctx->killed_trees;
}
+
+void audit_log_cap_use(int cap)
+{
+ struct audit_context *context = current->audit_context;
+
+ if (context) {
+ cap_raise(context->cap_used, cap);
+ audit_set_auditable(context);
+ } else {
+ audit_log(NULL, GFP_NOFS, AUDIT_CAPABILITY,
+ "cap_used=%d pid=%d no audit_context",
+ cap, task_pid_nr(current));
+ }
+}
diff --git a/kernel/capability.c b/kernel/capability.c
index 45432b5..d45d5b1 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -366,8 +366,8 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
* @ns: The usernamespace we want the capability in
* @cap: The capability to be tested for
*
- * Return true if the current task has the given superior capability currently
- * available for use, false if not.
+ * Return true if the current task has the given superior capability
+ * currently available for use, false if not. Write an audit message.
*
* This sets PF_SUPERPRIV on the task if the capability is available on the
* assumption that it's about to be used.
@@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
}
if (security_capable(current_cred(), ns, cap) == 0) {
+ audit_log_cap_use(cap);
current->flags |= PF_SUPERPRIV;
return true;
}
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 75c0ff0..1931679 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -63,6 +63,7 @@
#include <linux/nsproxy.h>
#include <linux/proc_ns.h>
#include <net/sock.h>
+#include <linux/audit.h>
/*
* pidlists linger the following amount before being destroyed. The goal
@@ -5789,6 +5790,67 @@ out:
return retval;
}
+/*
+ * audit_cgroup_list()
+ * - Print task's cgroup paths with audit_log_format()
+ * - Used for capability audit logging
+ * - Otherwise very similar to proc_cgroup_show().
+ */
+void audit_cgroup_list(struct audit_buffer *ab)
+{
+ char *buf, *path;
+ struct cgroup_root *root;
+
+ buf = kmalloc(PATH_MAX, GFP_NOFS);
+ if (!buf)
+ return;
+
+ mutex_lock(&cgroup_mutex);
+ spin_lock_irq(&css_set_lock);
+
+ for_each_root(root) {
+ struct cgroup_subsys *ss;
+ struct cgroup *cgrp;
+ int ssid, count = 0;
+
+ if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
+ continue;
+
+ if (root != &cgrp_dfl_root)
+ for_each_subsys(ss, ssid)
+ if (root->subsys_mask & (1 << ssid))
+ audit_log_format(ab, "%s%s",
+ count++ ? "," : "",
+ ss->legacy_name);
+ if (strlen(root->name))
+ audit_log_format(ab, "%sname=%s", count ? "," : "",
+ root->name);
+ audit_log_format(ab, ":");
+
+ cgrp = task_cgroup_from_root(current, root);
+
+ if (cgroup_on_dfl(cgrp) || !(current->flags & PF_EXITING)) {
+ path = cgroup_path_ns_locked(cgrp, buf, PATH_MAX,
+ current->nsproxy->cgroup_ns);
+ if (!path)
+ goto out_unlock;
+ } else
+ path = "/";
+
+ audit_log_format(ab, "%s", path);
+
+ if (cgroup_on_dfl(cgrp) && cgroup_is_dead(cgrp))
+ audit_log_format(ab, " (deleted);");
+ else
+ audit_log_format(ab, ";");
+ }
+
+out_unlock:
+ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+ kfree(buf);
+}
+
/* Display information about each subsystem and each hierarchy */
static int proc_cgroupstats_show(struct seq_file *m, void *v)
{
--
2.8.1
^ permalink raw reply related [flat|nested] 15+ messages in thread* Re: [PATCH] capabilities: audit capability use
2016-07-11 11:14 [PATCH] capabilities: audit capability use Topi Miettinen
@ 2016-07-11 15:25 ` Serge E. Hallyn
2016-07-11 16:05 ` Topi Miettinen
2016-07-11 17:09 ` Tejun Heo
` (2 subsequent siblings)
3 siblings, 1 reply; 15+ messages in thread
From: Serge E. Hallyn @ 2016-07-11 15:25 UTC (permalink / raw)
To: Topi Miettinen
Cc: linux-kernel, ebiederm, mladek, luto, serge, keescook,
Paul Moore, Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
Serge Hallyn, moderated list:AUDIT SUBSYSTEM,
open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
Quoting Topi Miettinen (toiwoton@gmail.com):
> There are many basic ways to control processes, including capabilities,
> cgroups and resource limits. However, there are far fewer ways to find
> out useful values for the limits, except blind trial and error.
>
> Currently, there is no way to know which capabilities are actually used.
> Even the source code is only implicit, in-depth knowledge of each
> capability must be used when analyzing a program to judge which
> capabilities the program will exercise.
>
> Generate an audit message at system call exit, when capabilities are used.
> This can then be used to configure capability sets for services by a
> software developer, maintainer or system administrator.
>
> Test case demonstrating basic capability monitoring with the new
> message types 1330 and 1331 and how the cgroups are displayed (boot to
> rdshell):
Thanks, Topi, I'll find time this week to look this over in detail.
How much chattier does this make the syslog/journald during a regular
boot? I was thinking "this is audit, we can choose what messages
will show up", but I guess that' sonly what auditd actually listens to,
not what kernel emits? (sorry i've not looked at audit in a long
time). Drat, that makes it seem like tracepoints would be better
after all. But let's see how much it addes to the noise.
> BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
> Enter 'help' for a list of built-in commands.
>
> (initramfs) cd /sys/fs
> (initramfs) mount -t cgroup2 cgroup cgroup
> [ 12.343152] audit_printk_skb: 5886 callbacks suppressed
> [ 12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 a0=7fffe1e9ae2d a1=7fffe1e9ae34 a2=7fffe1e9ae25 a3=8000 items=0 ppid=469 pid=470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
> [ 12.414853] audit: type=1327 audit(1468234317.100:518): proctitle=6D6F756E74002D74006367726F757032006367726F7570006367726F7570
> [ 12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000
> [ 12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;
> (initramfs) cd cgroup
> (initramfs) mkdir test; cd test
> [ 17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 a0=7ffddfd75e29 a1=1ff a2=0 a3=1e2 items=0 ppid=469 pid=471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
> [ 17.392686] audit: type=1327 audit(1468234322.092:519): proctitle=6D6B6469720074657374
> [ 17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002
> [ 17.425404] audit: type=1331 audit(1468234322.092:519): cgroups=:/;
> (initramfs) echo $$ >cgroup.procs
> (initramfs) mknod /dev/z_$$ c 1 2
> [ 28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe16324e11 a1=21b6 a2=102 a3=5c9 items=0 ppid=469 pid=472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mknod" exe="/bin/mknod" key=(null)
> [ 28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
> [ 28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
> [ 28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
> (initramfs) chown 1234 /dev/z_*
> [ 34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd0b563e17 a1=4d2 a2=0 a3=60a items=0 ppid=469 pid=473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="chown" exe="/bin/chown" key=(null)
> [ 34.828569] audit: type=1327 audit(1468234339.532:521): proctitle=63686F776E0031323334002F6465762F7A5F343639
> [ 34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001
> [ 34.864404] audit: type=1331 audit(1468234339.532:521): cgroups=:/test;
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> ---
> include/linux/audit.h | 4 +++
> include/linux/cgroup.h | 2 ++
> include/uapi/linux/audit.h | 2 ++
> kernel/audit.c | 7 +++---
> kernel/audit.h | 1 +
> kernel/auditsc.c | 28 ++++++++++++++++++++-
> kernel/capability.c | 5 ++--
> kernel/cgroup.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++
> 8 files changed, 105 insertions(+), 6 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index e38e3fc..971cb2e 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
> __audit_mmap_fd(fd, flags);
> }
>
> +extern void audit_log_cap_use(int cap);
> +
> extern int audit_n_rules;
> extern int audit_signals;
> #else /* CONFIG_AUDITSYSCALL */
> @@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
> { }
> static inline void audit_ptrace(struct task_struct *t)
> { }
> +static inline void audit_log_cap_use(int cap)
> +{ }
> #define audit_n_rules 0
> #define audit_signals 0
> #endif /* CONFIG_AUDITSYSCALL */
> diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
> index a20320c..b5dc8aa 100644
> --- a/include/linux/cgroup.h
> +++ b/include/linux/cgroup.h
> @@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
> int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
> int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
> struct pid *pid, struct task_struct *tsk);
> +struct audit_buffer;
> +void audit_cgroup_list(struct audit_buffer *ab);
>
> void cgroup_fork(struct task_struct *p);
> extern int cgroup_can_fork(struct task_struct *p);
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index d820aa9..c1ae016 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -111,6 +111,8 @@
> #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
> #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
> #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
> +#define AUDIT_CAPABILITY 1330 /* Record showing capability use */
> +#define AUDIT_CGROUP 1331 /* Record showing cgroups */
>
> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 8d528f9..98dd920 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -54,6 +54,7 @@
> #include <linux/kthread.h>
> #include <linux/kernel.h>
> #include <linux/syscalls.h>
> +#include <linux/cgroup.h>
>
> #include <linux/audit.h>
>
> @@ -1682,7 +1683,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
> {
> int i;
>
> - audit_log_format(ab, " %s=", prefix);
> + audit_log_format(ab, "%s=", prefix);
> CAP_FOR_EACH_U32(i) {
> audit_log_format(ab, "%08x",
> cap->cap[CAP_LAST_U32 - i]);
> @@ -1696,11 +1697,11 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
> int log = 0;
>
> if (!cap_isclear(*perm)) {
> - audit_log_cap(ab, "cap_fp", perm);
> + audit_log_cap(ab, " cap_fp", perm);
> log = 1;
> }
> if (!cap_isclear(*inh)) {
> - audit_log_cap(ab, "cap_fi", inh);
> + audit_log_cap(ab, " cap_fi", inh);
> log = 1;
> }
>
> diff --git a/kernel/audit.h b/kernel/audit.h
> index a492f4c..680e8b5 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -202,6 +202,7 @@ struct audit_context {
> };
> int fds[2];
> struct audit_proctitle proctitle;
> + kernel_cap_t cap_used;
> };
>
> extern u32 audit_ever_enabled;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 2672d10..32c3813 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -197,7 +197,6 @@ static int audit_match_filetype(struct audit_context *ctx, int val)
> * References in it _are_ dropped - at the same time we free/drop aux stuff.
> */
>
> -#ifdef CONFIG_AUDIT_TREE
> static void audit_set_auditable(struct audit_context *ctx)
> {
> if (!ctx->prio) {
> @@ -206,6 +205,7 @@ static void audit_set_auditable(struct audit_context *ctx)
> }
> }
>
> +#ifdef CONFIG_AUDIT_TREE
> static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
> {
> struct audit_tree_refs *p = ctx->trees;
> @@ -1439,6 +1439,18 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
>
> audit_log_proctitle(tsk, context);
>
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
> + if (ab) {
> + audit_log_cap(ab, "cap_used", &context->cap_used);
> + audit_log_end(ab);
> + }
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CGROUP);
> + if (ab) {
> + audit_log_format(ab, "cgroups=");
> + audit_cgroup_list(ab);
> + audit_log_end(ab);
> + }
> +
> /* Send end of event record to help user space know we are finished */
> ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
> if (ab)
> @@ -2428,3 +2440,17 @@ struct list_head *audit_killed_trees(void)
> return NULL;
> return &ctx->killed_trees;
> }
> +
> +void audit_log_cap_use(int cap)
> +{
> + struct audit_context *context = current->audit_context;
> +
> + if (context) {
> + cap_raise(context->cap_used, cap);
> + audit_set_auditable(context);
> + } else {
> + audit_log(NULL, GFP_NOFS, AUDIT_CAPABILITY,
> + "cap_used=%d pid=%d no audit_context",
> + cap, task_pid_nr(current));
> + }
> +}
> diff --git a/kernel/capability.c b/kernel/capability.c
> index 45432b5..d45d5b1 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -366,8 +366,8 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
> * @ns: The usernamespace we want the capability in
> * @cap: The capability to be tested for
> *
> - * Return true if the current task has the given superior capability currently
> - * available for use, false if not.
> + * Return true if the current task has the given superior capability
> + * currently available for use, false if not. Write an audit message.
> *
> * This sets PF_SUPERPRIV on the task if the capability is available on the
> * assumption that it's about to be used.
> @@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
> }
>
> if (security_capable(current_cred(), ns, cap) == 0) {
> + audit_log_cap_use(cap);
> current->flags |= PF_SUPERPRIV;
> return true;
> }
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index 75c0ff0..1931679 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -63,6 +63,7 @@
> #include <linux/nsproxy.h>
> #include <linux/proc_ns.h>
> #include <net/sock.h>
> +#include <linux/audit.h>
>
> /*
> * pidlists linger the following amount before being destroyed. The goal
> @@ -5789,6 +5790,67 @@ out:
> return retval;
> }
>
> +/*
> + * audit_cgroup_list()
> + * - Print task's cgroup paths with audit_log_format()
> + * - Used for capability audit logging
> + * - Otherwise very similar to proc_cgroup_show().
> + */
> +void audit_cgroup_list(struct audit_buffer *ab)
> +{
> + char *buf, *path;
> + struct cgroup_root *root;
> +
> + buf = kmalloc(PATH_MAX, GFP_NOFS);
> + if (!buf)
> + return;
> +
> + mutex_lock(&cgroup_mutex);
> + spin_lock_irq(&css_set_lock);
> +
> + for_each_root(root) {
> + struct cgroup_subsys *ss;
> + struct cgroup *cgrp;
> + int ssid, count = 0;
> +
> + if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
> + continue;
> +
> + if (root != &cgrp_dfl_root)
> + for_each_subsys(ss, ssid)
> + if (root->subsys_mask & (1 << ssid))
> + audit_log_format(ab, "%s%s",
> + count++ ? "," : "",
> + ss->legacy_name);
> + if (strlen(root->name))
> + audit_log_format(ab, "%sname=%s", count ? "," : "",
> + root->name);
> + audit_log_format(ab, ":");
> +
> + cgrp = task_cgroup_from_root(current, root);
> +
> + if (cgroup_on_dfl(cgrp) || !(current->flags & PF_EXITING)) {
> + path = cgroup_path_ns_locked(cgrp, buf, PATH_MAX,
> + current->nsproxy->cgroup_ns);
> + if (!path)
> + goto out_unlock;
> + } else
> + path = "/";
> +
> + audit_log_format(ab, "%s", path);
> +
> + if (cgroup_on_dfl(cgrp) && cgroup_is_dead(cgrp))
> + audit_log_format(ab, " (deleted);");
> + else
> + audit_log_format(ab, ";");
> + }
> +
> +out_unlock:
> + spin_unlock_irq(&css_set_lock);
> + mutex_unlock(&cgroup_mutex);
> + kfree(buf);
> +}
> +
> /* Display information about each subsystem and each hierarchy */
> static int proc_cgroupstats_show(struct seq_file *m, void *v)
> {
> --
> 2.8.1
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: [PATCH] capabilities: audit capability use
2016-07-11 15:25 ` Serge E. Hallyn
@ 2016-07-11 16:05 ` Topi Miettinen
2016-07-11 19:28 ` Topi Miettinen
0 siblings, 1 reply; 15+ messages in thread
From: Topi Miettinen @ 2016-07-11 16:05 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: linux-kernel, ebiederm, mladek, luto, keescook, Paul Moore,
Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
On 07/11/16 15:25, Serge E. Hallyn wrote:
> Quoting Topi Miettinen (toiwoton@gmail.com):
>> There are many basic ways to control processes, including capabilities,
>> cgroups and resource limits. However, there are far fewer ways to find
>> out useful values for the limits, except blind trial and error.
>>
>> Currently, there is no way to know which capabilities are actually used.
>> Even the source code is only implicit, in-depth knowledge of each
>> capability must be used when analyzing a program to judge which
>> capabilities the program will exercise.
>>
>> Generate an audit message at system call exit, when capabilities are used.
>> This can then be used to configure capability sets for services by a
>> software developer, maintainer or system administrator.
>>
>> Test case demonstrating basic capability monitoring with the new
>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>> rdshell):
>
> Thanks, Topi, I'll find time this week to look this over in detail.
>
> How much chattier does this make the syslog/journald during a regular
> boot? I was thinking "this is audit, we can choose what messages
> will show up", but I guess that' sonly what auditd actually listens to,
> not what kernel emits? (sorry i've not looked at audit in a long
> time). Drat, that makes it seem like tracepoints would be better
> after all. But let's see how much it addes to the noise.
For example "loadkeys" causes thousands of entries. :-( I'm checking how
to avoid audit message rate limiting, now some messages are lost.
It's still too easy to drown the logs with noise. That could be limited
a lot by emitting a message only when the capability is used for the
first time. But the question is how to define where to start counting
(fork, exec, and/or setpcap?). I'm also not sure if that is the right
way to log, since the first use of a capability could be expected and an
innocent one, but then the 100th one could be malicious.
It's also very complex and error-prone to collect a capability mask from
audit logs, which was my original goal.
-Topi
>
>> BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
>> Enter 'help' for a list of built-in commands.
>>
>> (initramfs) cd /sys/fs
>> (initramfs) mount -t cgroup2 cgroup cgroup
>> [ 12.343152] audit_printk_skb: 5886 callbacks suppressed
>> [ 12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 a0=7fffe1e9ae2d a1=7fffe1e9ae34 a2=7fffe1e9ae25 a3=8000 items=0 ppid=469 pid=470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
>> [ 12.414853] audit: type=1327 audit(1468234317.100:518): proctitle=6D6F756E74002D74006367726F757032006367726F7570006367726F7570
>> [ 12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000
>> [ 12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;
>> (initramfs) cd cgroup
>> (initramfs) mkdir test; cd test
>> [ 17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 a0=7ffddfd75e29 a1=1ff a2=0 a3=1e2 items=0 ppid=469 pid=471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
>> [ 17.392686] audit: type=1327 audit(1468234322.092:519): proctitle=6D6B6469720074657374
>> [ 17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002
>> [ 17.425404] audit: type=1331 audit(1468234322.092:519): cgroups=:/;
>> (initramfs) echo $$ >cgroup.procs
>> (initramfs) mknod /dev/z_$$ c 1 2
>> [ 28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe16324e11 a1=21b6 a2=102 a3=5c9 items=0 ppid=469 pid=472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mknod" exe="/bin/mknod" key=(null)
>> [ 28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
>> [ 28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
>> [ 28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
>> (initramfs) chown 1234 /dev/z_*
>> [ 34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd0b563e17 a1=4d2 a2=0 a3=60a items=0 ppid=469 pid=473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="chown" exe="/bin/chown" key=(null)
>> [ 34.828569] audit: type=1327 audit(1468234339.532:521): proctitle=63686F776E0031323334002F6465762F7A5F343639
>> [ 34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001
>> [ 34.864404] audit: type=1331 audit(1468234339.532:521): cgroups=:/test;
>>
>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>> ---
>> include/linux/audit.h | 4 +++
>> include/linux/cgroup.h | 2 ++
>> include/uapi/linux/audit.h | 2 ++
>> kernel/audit.c | 7 +++---
>> kernel/audit.h | 1 +
>> kernel/auditsc.c | 28 ++++++++++++++++++++-
>> kernel/capability.c | 5 ++--
>> kernel/cgroup.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++
>> 8 files changed, 105 insertions(+), 6 deletions(-)
>>
>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index e38e3fc..971cb2e 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>> __audit_mmap_fd(fd, flags);
>> }
>>
>> +extern void audit_log_cap_use(int cap);
>> +
>> extern int audit_n_rules;
>> extern int audit_signals;
>> #else /* CONFIG_AUDITSYSCALL */
>> @@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>> { }
>> static inline void audit_ptrace(struct task_struct *t)
>> { }
>> +static inline void audit_log_cap_use(int cap)
>> +{ }
>> #define audit_n_rules 0
>> #define audit_signals 0
>> #endif /* CONFIG_AUDITSYSCALL */
>> diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
>> index a20320c..b5dc8aa 100644
>> --- a/include/linux/cgroup.h
>> +++ b/include/linux/cgroup.h
>> @@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
>> int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
>> int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
>> struct pid *pid, struct task_struct *tsk);
>> +struct audit_buffer;
>> +void audit_cgroup_list(struct audit_buffer *ab);
>>
>> void cgroup_fork(struct task_struct *p);
>> extern int cgroup_can_fork(struct task_struct *p);
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index d820aa9..c1ae016 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -111,6 +111,8 @@
>> #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
>> #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
>> #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
>> +#define AUDIT_CAPABILITY 1330 /* Record showing capability use */
>> +#define AUDIT_CGROUP 1331 /* Record showing cgroups */
>>
>> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
>> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
>> diff --git a/kernel/audit.c b/kernel/audit.c
>> index 8d528f9..98dd920 100644
>> --- a/kernel/audit.c
>> +++ b/kernel/audit.c
>> @@ -54,6 +54,7 @@
>> #include <linux/kthread.h>
>> #include <linux/kernel.h>
>> #include <linux/syscalls.h>
>> +#include <linux/cgroup.h>
>>
>> #include <linux/audit.h>
>>
>> @@ -1682,7 +1683,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
>> {
>> int i;
>>
>> - audit_log_format(ab, " %s=", prefix);
>> + audit_log_format(ab, "%s=", prefix);
>> CAP_FOR_EACH_U32(i) {
>> audit_log_format(ab, "%08x",
>> cap->cap[CAP_LAST_U32 - i]);
>> @@ -1696,11 +1697,11 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
>> int log = 0;
>>
>> if (!cap_isclear(*perm)) {
>> - audit_log_cap(ab, "cap_fp", perm);
>> + audit_log_cap(ab, " cap_fp", perm);
>> log = 1;
>> }
>> if (!cap_isclear(*inh)) {
>> - audit_log_cap(ab, "cap_fi", inh);
>> + audit_log_cap(ab, " cap_fi", inh);
>> log = 1;
>> }
>>
>> diff --git a/kernel/audit.h b/kernel/audit.h
>> index a492f4c..680e8b5 100644
>> --- a/kernel/audit.h
>> +++ b/kernel/audit.h
>> @@ -202,6 +202,7 @@ struct audit_context {
>> };
>> int fds[2];
>> struct audit_proctitle proctitle;
>> + kernel_cap_t cap_used;
>> };
>>
>> extern u32 audit_ever_enabled;
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 2672d10..32c3813 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -197,7 +197,6 @@ static int audit_match_filetype(struct audit_context *ctx, int val)
>> * References in it _are_ dropped - at the same time we free/drop aux stuff.
>> */
>>
>> -#ifdef CONFIG_AUDIT_TREE
>> static void audit_set_auditable(struct audit_context *ctx)
>> {
>> if (!ctx->prio) {
>> @@ -206,6 +205,7 @@ static void audit_set_auditable(struct audit_context *ctx)
>> }
>> }
>>
>> +#ifdef CONFIG_AUDIT_TREE
>> static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
>> {
>> struct audit_tree_refs *p = ctx->trees;
>> @@ -1439,6 +1439,18 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
>>
>> audit_log_proctitle(tsk, context);
>>
>> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
>> + if (ab) {
>> + audit_log_cap(ab, "cap_used", &context->cap_used);
>> + audit_log_end(ab);
>> + }
>> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CGROUP);
>> + if (ab) {
>> + audit_log_format(ab, "cgroups=");
>> + audit_cgroup_list(ab);
>> + audit_log_end(ab);
>> + }
>> +
>> /* Send end of event record to help user space know we are finished */
>> ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
>> if (ab)
>> @@ -2428,3 +2440,17 @@ struct list_head *audit_killed_trees(void)
>> return NULL;
>> return &ctx->killed_trees;
>> }
>> +
>> +void audit_log_cap_use(int cap)
>> +{
>> + struct audit_context *context = current->audit_context;
>> +
>> + if (context) {
>> + cap_raise(context->cap_used, cap);
>> + audit_set_auditable(context);
>> + } else {
>> + audit_log(NULL, GFP_NOFS, AUDIT_CAPABILITY,
>> + "cap_used=%d pid=%d no audit_context",
>> + cap, task_pid_nr(current));
>> + }
>> +}
>> diff --git a/kernel/capability.c b/kernel/capability.c
>> index 45432b5..d45d5b1 100644
>> --- a/kernel/capability.c
>> +++ b/kernel/capability.c
>> @@ -366,8 +366,8 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
>> * @ns: The usernamespace we want the capability in
>> * @cap: The capability to be tested for
>> *
>> - * Return true if the current task has the given superior capability currently
>> - * available for use, false if not.
>> + * Return true if the current task has the given superior capability
>> + * currently available for use, false if not. Write an audit message.
>> *
>> * This sets PF_SUPERPRIV on the task if the capability is available on the
>> * assumption that it's about to be used.
>> @@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
>> }
>>
>> if (security_capable(current_cred(), ns, cap) == 0) {
>> + audit_log_cap_use(cap);
>> current->flags |= PF_SUPERPRIV;
>> return true;
>> }
>> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
>> index 75c0ff0..1931679 100644
>> --- a/kernel/cgroup.c
>> +++ b/kernel/cgroup.c
>> @@ -63,6 +63,7 @@
>> #include <linux/nsproxy.h>
>> #include <linux/proc_ns.h>
>> #include <net/sock.h>
>> +#include <linux/audit.h>
>>
>> /*
>> * pidlists linger the following amount before being destroyed. The goal
>> @@ -5789,6 +5790,67 @@ out:
>> return retval;
>> }
>>
>> +/*
>> + * audit_cgroup_list()
>> + * - Print task's cgroup paths with audit_log_format()
>> + * - Used for capability audit logging
>> + * - Otherwise very similar to proc_cgroup_show().
>> + */
>> +void audit_cgroup_list(struct audit_buffer *ab)
>> +{
>> + char *buf, *path;
>> + struct cgroup_root *root;
>> +
>> + buf = kmalloc(PATH_MAX, GFP_NOFS);
>> + if (!buf)
>> + return;
>> +
>> + mutex_lock(&cgroup_mutex);
>> + spin_lock_irq(&css_set_lock);
>> +
>> + for_each_root(root) {
>> + struct cgroup_subsys *ss;
>> + struct cgroup *cgrp;
>> + int ssid, count = 0;
>> +
>> + if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
>> + continue;
>> +
>> + if (root != &cgrp_dfl_root)
>> + for_each_subsys(ss, ssid)
>> + if (root->subsys_mask & (1 << ssid))
>> + audit_log_format(ab, "%s%s",
>> + count++ ? "," : "",
>> + ss->legacy_name);
>> + if (strlen(root->name))
>> + audit_log_format(ab, "%sname=%s", count ? "," : "",
>> + root->name);
>> + audit_log_format(ab, ":");
>> +
>> + cgrp = task_cgroup_from_root(current, root);
>> +
>> + if (cgroup_on_dfl(cgrp) || !(current->flags & PF_EXITING)) {
>> + path = cgroup_path_ns_locked(cgrp, buf, PATH_MAX,
>> + current->nsproxy->cgroup_ns);
>> + if (!path)
>> + goto out_unlock;
>> + } else
>> + path = "/";
>> +
>> + audit_log_format(ab, "%s", path);
>> +
>> + if (cgroup_on_dfl(cgrp) && cgroup_is_dead(cgrp))
>> + audit_log_format(ab, " (deleted);");
>> + else
>> + audit_log_format(ab, ";");
>> + }
>> +
>> +out_unlock:
>> + spin_unlock_irq(&css_set_lock);
>> + mutex_unlock(&cgroup_mutex);
>> + kfree(buf);
>> +}
>> +
>> /* Display information about each subsystem and each hierarchy */
>> static int proc_cgroupstats_show(struct seq_file *m, void *v)
>> {
>> --
>> 2.8.1
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: [PATCH] capabilities: audit capability use
2016-07-11 16:05 ` Topi Miettinen
@ 2016-07-11 19:28 ` Topi Miettinen
0 siblings, 0 replies; 15+ messages in thread
From: Topi Miettinen @ 2016-07-11 19:28 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: linux-kernel, ebiederm, pmladek, luto, keescook, Paul Moore,
Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
On 07/11/16 16:05, Topi Miettinen wrote:
> On 07/11/16 15:25, Serge E. Hallyn wrote:
>> Quoting Topi Miettinen (toiwoton@gmail.com):
>>> There are many basic ways to control processes, including capabilities,
>>> cgroups and resource limits. However, there are far fewer ways to find
>>> out useful values for the limits, except blind trial and error.
>>>
>>> Currently, there is no way to know which capabilities are actually used.
>>> Even the source code is only implicit, in-depth knowledge of each
>>> capability must be used when analyzing a program to judge which
>>> capabilities the program will exercise.
>>>
>>> Generate an audit message at system call exit, when capabilities are used.
>>> This can then be used to configure capability sets for services by a
>>> software developer, maintainer or system administrator.
>>>
>>> Test case demonstrating basic capability monitoring with the new
>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>> rdshell):
>>
>> Thanks, Topi, I'll find time this week to look this over in detail.
>>
>> How much chattier does this make the syslog/journald during a regular
>> boot? I was thinking "this is audit, we can choose what messages
>> will show up", but I guess that' sonly what auditd actually listens to,
>> not what kernel emits? (sorry i've not looked at audit in a long
>> time). Drat, that makes it seem like tracepoints would be better
>> after all. But let's see how much it addes to the noise.
>
> For example "loadkeys" causes thousands of entries. :-( I'm checking how
> to avoid audit message rate limiting, now some messages are lost.
>
> It's still too easy to drown the logs with noise. That could be limited
> a lot by emitting a message only when the capability is used for the
> first time. But the question is how to define where to start counting
> (fork, exec, and/or setpcap?). I'm also not sure if that is the right
> way to log, since the first use of a capability could be expected and an
> innocent one, but then the 100th one could be malicious.
>
> It's also very complex and error-prone to collect a capability mask from
> audit logs, which was my original goal.
What if only a summary of capabilities was logged at task exit? That
should make the log volume reasonable.
-Topi
>
> -Topi
>
>>
>>> BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
>>> Enter 'help' for a list of built-in commands.
>>>
>>> (initramfs) cd /sys/fs
>>> (initramfs) mount -t cgroup2 cgroup cgroup
>>> [ 12.343152] audit_printk_skb: 5886 callbacks suppressed
>>> [ 12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 a0=7fffe1e9ae2d a1=7fffe1e9ae34 a2=7fffe1e9ae25 a3=8000 items=0 ppid=469 pid=470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
>>> [ 12.414853] audit: type=1327 audit(1468234317.100:518): proctitle=6D6F756E74002D74006367726F757032006367726F7570006367726F7570
>>> [ 12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000
>>> [ 12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;
>>> (initramfs) cd cgroup
>>> (initramfs) mkdir test; cd test
>>> [ 17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 a0=7ffddfd75e29 a1=1ff a2=0 a3=1e2 items=0 ppid=469 pid=471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
>>> [ 17.392686] audit: type=1327 audit(1468234322.092:519): proctitle=6D6B6469720074657374
>>> [ 17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002
>>> [ 17.425404] audit: type=1331 audit(1468234322.092:519): cgroups=:/;
>>> (initramfs) echo $$ >cgroup.procs
>>> (initramfs) mknod /dev/z_$$ c 1 2
>>> [ 28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe16324e11 a1=21b6 a2=102 a3=5c9 items=0 ppid=469 pid=472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mknod" exe="/bin/mknod" key=(null)
>>> [ 28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
>>> [ 28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
>>> [ 28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
>>> (initramfs) chown 1234 /dev/z_*
>>> [ 34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd0b563e17 a1=4d2 a2=0 a3=60a items=0 ppid=469 pid=473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="chown" exe="/bin/chown" key=(null)
>>> [ 34.828569] audit: type=1327 audit(1468234339.532:521): proctitle=63686F776E0031323334002F6465762F7A5F343639
>>> [ 34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001
>>> [ 34.864404] audit: type=1331 audit(1468234339.532:521): cgroups=:/test;
>>>
>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>>> ---
>>> include/linux/audit.h | 4 +++
>>> include/linux/cgroup.h | 2 ++
>>> include/uapi/linux/audit.h | 2 ++
>>> kernel/audit.c | 7 +++---
>>> kernel/audit.h | 1 +
>>> kernel/auditsc.c | 28 ++++++++++++++++++++-
>>> kernel/capability.c | 5 ++--
>>> kernel/cgroup.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++
>>> 8 files changed, 105 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>> index e38e3fc..971cb2e 100644
>>> --- a/include/linux/audit.h
>>> +++ b/include/linux/audit.h
>>> @@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>>> __audit_mmap_fd(fd, flags);
>>> }
>>>
>>> +extern void audit_log_cap_use(int cap);
>>> +
>>> extern int audit_n_rules;
>>> extern int audit_signals;
>>> #else /* CONFIG_AUDITSYSCALL */
>>> @@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>>> { }
>>> static inline void audit_ptrace(struct task_struct *t)
>>> { }
>>> +static inline void audit_log_cap_use(int cap)
>>> +{ }
>>> #define audit_n_rules 0
>>> #define audit_signals 0
>>> #endif /* CONFIG_AUDITSYSCALL */
>>> diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
>>> index a20320c..b5dc8aa 100644
>>> --- a/include/linux/cgroup.h
>>> +++ b/include/linux/cgroup.h
>>> @@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
>>> int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
>>> int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
>>> struct pid *pid, struct task_struct *tsk);
>>> +struct audit_buffer;
>>> +void audit_cgroup_list(struct audit_buffer *ab);
>>>
>>> void cgroup_fork(struct task_struct *p);
>>> extern int cgroup_can_fork(struct task_struct *p);
>>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>>> index d820aa9..c1ae016 100644
>>> --- a/include/uapi/linux/audit.h
>>> +++ b/include/uapi/linux/audit.h
>>> @@ -111,6 +111,8 @@
>>> #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
>>> #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
>>> #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
>>> +#define AUDIT_CAPABILITY 1330 /* Record showing capability use */
>>> +#define AUDIT_CGROUP 1331 /* Record showing cgroups */
>>>
>>> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
>>> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
>>> diff --git a/kernel/audit.c b/kernel/audit.c
>>> index 8d528f9..98dd920 100644
>>> --- a/kernel/audit.c
>>> +++ b/kernel/audit.c
>>> @@ -54,6 +54,7 @@
>>> #include <linux/kthread.h>
>>> #include <linux/kernel.h>
>>> #include <linux/syscalls.h>
>>> +#include <linux/cgroup.h>
>>>
>>> #include <linux/audit.h>
>>>
>>> @@ -1682,7 +1683,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
>>> {
>>> int i;
>>>
>>> - audit_log_format(ab, " %s=", prefix);
>>> + audit_log_format(ab, "%s=", prefix);
>>> CAP_FOR_EACH_U32(i) {
>>> audit_log_format(ab, "%08x",
>>> cap->cap[CAP_LAST_U32 - i]);
>>> @@ -1696,11 +1697,11 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
>>> int log = 0;
>>>
>>> if (!cap_isclear(*perm)) {
>>> - audit_log_cap(ab, "cap_fp", perm);
>>> + audit_log_cap(ab, " cap_fp", perm);
>>> log = 1;
>>> }
>>> if (!cap_isclear(*inh)) {
>>> - audit_log_cap(ab, "cap_fi", inh);
>>> + audit_log_cap(ab, " cap_fi", inh);
>>> log = 1;
>>> }
>>>
>>> diff --git a/kernel/audit.h b/kernel/audit.h
>>> index a492f4c..680e8b5 100644
>>> --- a/kernel/audit.h
>>> +++ b/kernel/audit.h
>>> @@ -202,6 +202,7 @@ struct audit_context {
>>> };
>>> int fds[2];
>>> struct audit_proctitle proctitle;
>>> + kernel_cap_t cap_used;
>>> };
>>>
>>> extern u32 audit_ever_enabled;
>>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>>> index 2672d10..32c3813 100644
>>> --- a/kernel/auditsc.c
>>> +++ b/kernel/auditsc.c
>>> @@ -197,7 +197,6 @@ static int audit_match_filetype(struct audit_context *ctx, int val)
>>> * References in it _are_ dropped - at the same time we free/drop aux stuff.
>>> */
>>>
>>> -#ifdef CONFIG_AUDIT_TREE
>>> static void audit_set_auditable(struct audit_context *ctx)
>>> {
>>> if (!ctx->prio) {
>>> @@ -206,6 +205,7 @@ static void audit_set_auditable(struct audit_context *ctx)
>>> }
>>> }
>>>
>>> +#ifdef CONFIG_AUDIT_TREE
>>> static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
>>> {
>>> struct audit_tree_refs *p = ctx->trees;
>>> @@ -1439,6 +1439,18 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
>>>
>>> audit_log_proctitle(tsk, context);
>>>
>>> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
>>> + if (ab) {
>>> + audit_log_cap(ab, "cap_used", &context->cap_used);
>>> + audit_log_end(ab);
>>> + }
>>> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CGROUP);
>>> + if (ab) {
>>> + audit_log_format(ab, "cgroups=");
>>> + audit_cgroup_list(ab);
>>> + audit_log_end(ab);
>>> + }
>>> +
>>> /* Send end of event record to help user space know we are finished */
>>> ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
>>> if (ab)
>>> @@ -2428,3 +2440,17 @@ struct list_head *audit_killed_trees(void)
>>> return NULL;
>>> return &ctx->killed_trees;
>>> }
>>> +
>>> +void audit_log_cap_use(int cap)
>>> +{
>>> + struct audit_context *context = current->audit_context;
>>> +
>>> + if (context) {
>>> + cap_raise(context->cap_used, cap);
>>> + audit_set_auditable(context);
>>> + } else {
>>> + audit_log(NULL, GFP_NOFS, AUDIT_CAPABILITY,
>>> + "cap_used=%d pid=%d no audit_context",
>>> + cap, task_pid_nr(current));
>>> + }
>>> +}
>>> diff --git a/kernel/capability.c b/kernel/capability.c
>>> index 45432b5..d45d5b1 100644
>>> --- a/kernel/capability.c
>>> +++ b/kernel/capability.c
>>> @@ -366,8 +366,8 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
>>> * @ns: The usernamespace we want the capability in
>>> * @cap: The capability to be tested for
>>> *
>>> - * Return true if the current task has the given superior capability currently
>>> - * available for use, false if not.
>>> + * Return true if the current task has the given superior capability
>>> + * currently available for use, false if not. Write an audit message.
>>> *
>>> * This sets PF_SUPERPRIV on the task if the capability is available on the
>>> * assumption that it's about to be used.
>>> @@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
>>> }
>>>
>>> if (security_capable(current_cred(), ns, cap) == 0) {
>>> + audit_log_cap_use(cap);
>>> current->flags |= PF_SUPERPRIV;
>>> return true;
>>> }
>>> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
>>> index 75c0ff0..1931679 100644
>>> --- a/kernel/cgroup.c
>>> +++ b/kernel/cgroup.c
>>> @@ -63,6 +63,7 @@
>>> #include <linux/nsproxy.h>
>>> #include <linux/proc_ns.h>
>>> #include <net/sock.h>
>>> +#include <linux/audit.h>
>>>
>>> /*
>>> * pidlists linger the following amount before being destroyed. The goal
>>> @@ -5789,6 +5790,67 @@ out:
>>> return retval;
>>> }
>>>
>>> +/*
>>> + * audit_cgroup_list()
>>> + * - Print task's cgroup paths with audit_log_format()
>>> + * - Used for capability audit logging
>>> + * - Otherwise very similar to proc_cgroup_show().
>>> + */
>>> +void audit_cgroup_list(struct audit_buffer *ab)
>>> +{
>>> + char *buf, *path;
>>> + struct cgroup_root *root;
>>> +
>>> + buf = kmalloc(PATH_MAX, GFP_NOFS);
>>> + if (!buf)
>>> + return;
>>> +
>>> + mutex_lock(&cgroup_mutex);
>>> + spin_lock_irq(&css_set_lock);
>>> +
>>> + for_each_root(root) {
>>> + struct cgroup_subsys *ss;
>>> + struct cgroup *cgrp;
>>> + int ssid, count = 0;
>>> +
>>> + if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
>>> + continue;
>>> +
>>> + if (root != &cgrp_dfl_root)
>>> + for_each_subsys(ss, ssid)
>>> + if (root->subsys_mask & (1 << ssid))
>>> + audit_log_format(ab, "%s%s",
>>> + count++ ? "," : "",
>>> + ss->legacy_name);
>>> + if (strlen(root->name))
>>> + audit_log_format(ab, "%sname=%s", count ? "," : "",
>>> + root->name);
>>> + audit_log_format(ab, ":");
>>> +
>>> + cgrp = task_cgroup_from_root(current, root);
>>> +
>>> + if (cgroup_on_dfl(cgrp) || !(current->flags & PF_EXITING)) {
>>> + path = cgroup_path_ns_locked(cgrp, buf, PATH_MAX,
>>> + current->nsproxy->cgroup_ns);
>>> + if (!path)
>>> + goto out_unlock;
>>> + } else
>>> + path = "/";
>>> +
>>> + audit_log_format(ab, "%s", path);
>>> +
>>> + if (cgroup_on_dfl(cgrp) && cgroup_is_dead(cgrp))
>>> + audit_log_format(ab, " (deleted);");
>>> + else
>>> + audit_log_format(ab, ";");
>>> + }
>>> +
>>> +out_unlock:
>>> + spin_unlock_irq(&css_set_lock);
>>> + mutex_unlock(&cgroup_mutex);
>>> + kfree(buf);
>>> +}
>>> +
>>> /* Display information about each subsystem and each hierarchy */
>>> static int proc_cgroupstats_show(struct seq_file *m, void *v)
>>> {
>>> --
>>> 2.8.1
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-11 11:14 [PATCH] capabilities: audit capability use Topi Miettinen
2016-07-11 15:25 ` Serge E. Hallyn
@ 2016-07-11 17:09 ` Tejun Heo
2016-07-11 19:47 ` Topi Miettinen
2016-07-11 21:57 ` Eric W. Biederman
2016-07-12 21:56 ` Paul Moore
3 siblings, 1 reply; 15+ messages in thread
From: Tejun Heo @ 2016-07-11 17:09 UTC (permalink / raw)
To: Topi Miettinen
Cc: linux-kernel, ebiederm, mladek, luto, serge, keescook,
Paul Moore, Eric Paris, Li Zefan, Johannes Weiner, Serge Hallyn,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
Hello,
On Mon, Jul 11, 2016 at 02:14:31PM +0300, Topi Miettinen wrote:
> [ 28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
> [ 28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
> [ 28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
Please don't put additions of the two different audit types into one
patch and I don't think the cgroup audit logging makes much sense.
Without logging all migrations, it doesn't help auditing all that
much. Also, printing all cgroup membership like that can be
problematic for audit it can be arbitrarily long.
Thanks.
--
tejun
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-11 17:09 ` Tejun Heo
@ 2016-07-11 19:47 ` Topi Miettinen
2016-07-12 14:59 ` Tejun Heo
0 siblings, 1 reply; 15+ messages in thread
From: Topi Miettinen @ 2016-07-11 19:47 UTC (permalink / raw)
To: Tejun Heo
Cc: linux-kernel, ebiederm, pmladek, luto, serge, keescook,
Paul Moore, Eric Paris, Li Zefan, Johannes Weiner, Serge Hallyn,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
On 07/11/16 17:09, Tejun Heo wrote:
> Hello,
>
> On Mon, Jul 11, 2016 at 02:14:31PM +0300, Topi Miettinen wrote:
>> [ 28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
>> [ 28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
>> [ 28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
>
> Please don't put additions of the two different audit types into one
> patch and I don't think the cgroup audit logging makes much sense.
> Without logging all migrations, it doesn't help auditing all that
> much. Also, printing all cgroup membership like that can be
> problematic for audit it can be arbitrarily long.
>
> Thanks.
>
It's really critical to be able to associate a task in the logs to
cgroups which were valid that time. Or can we infer somehow what cgroups
a task was taking part, long time after task exit? Perhaps task cgroup
membership changes and changes in available cgroups should be logged too?
Some kind of cgroup IDs could be logged instead of long paths. Then
these IDs should be reliably resolvable to paths offline somehow.
How usual migrations between cgroups are? Why would a task ever move
from (say) systemd/system.slice/smartd.service to anywhere else?
-Topi
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-11 19:47 ` Topi Miettinen
@ 2016-07-12 14:59 ` Tejun Heo
2016-07-13 6:52 ` Topi Miettinen
0 siblings, 1 reply; 15+ messages in thread
From: Tejun Heo @ 2016-07-12 14:59 UTC (permalink / raw)
To: Topi Miettinen
Cc: linux-kernel, ebiederm, pmladek, luto, serge, keescook,
Paul Moore, Eric Paris, Li Zefan, Johannes Weiner, Serge Hallyn,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
On Mon, Jul 11, 2016 at 07:47:44PM +0000, Topi Miettinen wrote:
> It's really critical to be able to associate a task in the logs to
> cgroups which were valid that time. Or can we infer somehow what cgroups
When is "that time"? Without logging all operations, this is
meaningless.
> a task was taking part, long time after task exit? Perhaps task cgroup
> membership changes and changes in available cgroups should be logged too?
>
> Some kind of cgroup IDs could be logged instead of long paths. Then
> these IDs should be reliably resolvable to paths offline somehow.
I don't think that's doable. That pretty much requires the kernel to
remember paths of all past cgroups.
> How usual migrations between cgroups are? Why would a task ever move
> from (say) systemd/system.slice/smartd.service to anywhere else?
In most cases, they won't move once set up initially but that's not
the point of audit subsystem. Logging this once one exit isn't gonna
help anything for auditing the system.
Thanks.
--
tejun
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-12 14:59 ` Tejun Heo
@ 2016-07-13 6:52 ` Topi Miettinen
0 siblings, 0 replies; 15+ messages in thread
From: Topi Miettinen @ 2016-07-13 6:52 UTC (permalink / raw)
To: Tejun Heo
Cc: linux-kernel, ebiederm, pmladek, luto, serge, keescook,
Paul Moore, Eric Paris, Li Zefan, Johannes Weiner,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
On 07/12/16 14:59, Tejun Heo wrote:
> On Mon, Jul 11, 2016 at 07:47:44PM +0000, Topi Miettinen wrote:
>> It's really critical to be able to associate a task in the logs to
>> cgroups which were valid that time. Or can we infer somehow what cgroups
>
> When is "that time"? Without logging all operations, this is
> meaningless.
>
>> a task was taking part, long time after task exit? Perhaps task cgroup
>> membership changes and changes in available cgroups should be logged too?
>>
>> Some kind of cgroup IDs could be logged instead of long paths. Then
>> these IDs should be reliably resolvable to paths offline somehow.
>
> I don't think that's doable. That pretty much requires the kernel to
> remember paths of all past cgroups.
That's a show stopper for audit approach for getting helpful information
for configuration. I'll try something different, probably cgroupstats.
-Topi
>
>> How usual migrations between cgroups are? Why would a task ever move
>> from (say) systemd/system.slice/smartd.service to anywhere else?
>
> In most cases, they won't move once set up initially but that's not
> the point of audit subsystem. Logging this once one exit isn't gonna
> help anything for auditing the system.
>
> Thanks.
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-11 11:14 [PATCH] capabilities: audit capability use Topi Miettinen
2016-07-11 15:25 ` Serge E. Hallyn
2016-07-11 17:09 ` Tejun Heo
@ 2016-07-11 21:57 ` Eric W. Biederman
2016-07-12 8:54 ` Topi Miettinen
2016-07-12 21:56 ` Paul Moore
3 siblings, 1 reply; 15+ messages in thread
From: Eric W. Biederman @ 2016-07-11 21:57 UTC (permalink / raw)
To: Topi Miettinen
Cc: linux-kernel, mladek, luto, serge, keescook, Paul Moore,
Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner, Serge Hallyn,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
Topi Miettinen <toiwoton@gmail.com> writes:
> There are many basic ways to control processes, including capabilities,
> cgroups and resource limits. However, there are far fewer ways to find
> out useful values for the limits, except blind trial and error.
>
> Currently, there is no way to know which capabilities are actually used.
> Even the source code is only implicit, in-depth knowledge of each
> capability must be used when analyzing a program to judge which
> capabilities the program will exercise.
>
> Generate an audit message at system call exit, when capabilities are used.
> This can then be used to configure capability sets for services by a
> software developer, maintainer or system administrator.
>
> Test case demonstrating basic capability monitoring with the new
> message types 1330 and 1331 and how the cgroups are displayed (boot to
> rdshell):
You totally miss the interactions with the user namespace so this won't
give you the information you are aiming for.
Eric
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-11 21:57 ` Eric W. Biederman
@ 2016-07-12 8:54 ` Topi Miettinen
2016-07-12 13:16 ` Eric W. Biederman
0 siblings, 1 reply; 15+ messages in thread
From: Topi Miettinen @ 2016-07-12 8:54 UTC (permalink / raw)
To: Eric W. Biederman
Cc: linux-kernel, pmladek, luto, serge, keescook, Paul Moore,
Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
On 07/11/16 21:57, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@gmail.com> writes:
>
>> There are many basic ways to control processes, including capabilities,
>> cgroups and resource limits. However, there are far fewer ways to find
>> out useful values for the limits, except blind trial and error.
>>
>> Currently, there is no way to know which capabilities are actually used.
>> Even the source code is only implicit, in-depth knowledge of each
>> capability must be used when analyzing a program to judge which
>> capabilities the program will exercise.
>>
>> Generate an audit message at system call exit, when capabilities are used.
>> This can then be used to configure capability sets for services by a
>> software developer, maintainer or system administrator.
>>
>> Test case demonstrating basic capability monitoring with the new
>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>> rdshell):
>
> You totally miss the interactions with the user namespace so this won't
> give you the information you are aiming for.
Please correct me if this is not right:
There are two cases:
a) real capability use as seen outside the namespace
b) use of capabilities granted by the namespace
Both cases could be active independently.
For auditing purposes, we're mostly interested in a) and log noise from
b) could be even seen a distraction.
For configuration purposes, both cases can be interesting, a) for the
configuration of services and b) in case where the containerized
configuration is planned to be deployed outside. I'd still only log a).
The same logic should apply with cgroup namespaces.
-Topi
>
> Eric
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-12 8:54 ` Topi Miettinen
@ 2016-07-12 13:16 ` Eric W. Biederman
2016-07-12 22:00 ` Paul Moore
2016-07-13 7:30 ` Topi Miettinen
0 siblings, 2 replies; 15+ messages in thread
From: Eric W. Biederman @ 2016-07-12 13:16 UTC (permalink / raw)
To: Topi Miettinen
Cc: linux-kernel, pmladek, luto, serge, keescook, Paul Moore,
Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
Topi Miettinen <toiwoton@gmail.com> writes:
> On 07/11/16 21:57, Eric W. Biederman wrote:
>> Topi Miettinen <toiwoton@gmail.com> writes:
>>
>>> There are many basic ways to control processes, including capabilities,
>>> cgroups and resource limits. However, there are far fewer ways to find
>>> out useful values for the limits, except blind trial and error.
>>>
>>> Currently, there is no way to know which capabilities are actually used.
>>> Even the source code is only implicit, in-depth knowledge of each
>>> capability must be used when analyzing a program to judge which
>>> capabilities the program will exercise.
>>>
>>> Generate an audit message at system call exit, when capabilities are used.
>>> This can then be used to configure capability sets for services by a
>>> software developer, maintainer or system administrator.
>>>
>>> Test case demonstrating basic capability monitoring with the new
>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>> rdshell):
>>
>> You totally miss the interactions with the user namespace so this won't
>> give you the information you are aiming for.
>
> Please correct me if this is not right:
>
> There are two cases:
> a) real capability use as seen outside the namespace
> b) use of capabilities granted by the namespace
> Both cases could be active independently.
>
> For auditing purposes, we're mostly interested in a) and log noise from
> b) could be even seen a distraction.
>
> For configuration purposes, both cases can be interesting, a) for the
> configuration of services and b) in case where the containerized
> configuration is planned to be deployed outside. I'd still only log
> a).
>
>
> The same logic should apply with cgroup namespaces.
Not logging capabilities outside of the initial user namespace is
certainly the conservative place to start, and what selinux does.
You should also be logging capability use from cap_capable. Not
ns_capable. You are missing several kinds of capability use as
a quick review of kernel/capability.c should have shown you.
Eric
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-12 13:16 ` Eric W. Biederman
@ 2016-07-12 22:00 ` Paul Moore
2016-07-13 7:30 ` Topi Miettinen
1 sibling, 0 replies; 15+ messages in thread
From: Paul Moore @ 2016-07-12 22:00 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Topi Miettinen, linux-kernel, pmladek, luto, serge, keescook,
Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
On Tue, Jul 12, 2016 at 9:16 AM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
> Not logging capabilities outside of the initial user namespace is
> certainly the conservative place to start, and what selinux does.
FYI, we added some basic userns capability smarts to SELinux in Linux 4.7.
commit 8e4ff6f228e4722cac74db716e308d1da33d744f
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri Apr 8 13:52:00 2016 -0400
selinux: distinguish non-init user namespace capability checks
Distinguish capability checks against a target associated
with the init user namespace versus capability checks against
a target associated with a non-init user namespace by defining
and using separate security classes for the latter.
This is needed to support e.g. Chrome usage of user namespaces
for the Chrome sandbox without needing to allow Chrome to also
exercise capabilities on targets in the init user namespace.
Suggested-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-12 13:16 ` Eric W. Biederman
2016-07-12 22:00 ` Paul Moore
@ 2016-07-13 7:30 ` Topi Miettinen
1 sibling, 0 replies; 15+ messages in thread
From: Topi Miettinen @ 2016-07-13 7:30 UTC (permalink / raw)
To: Eric W. Biederman
Cc: linux-kernel, pmladek, luto, serge, keescook, Paul Moore,
Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
On 07/12/16 13:16, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@gmail.com> writes:
>
>> On 07/11/16 21:57, Eric W. Biederman wrote:
>>> Topi Miettinen <toiwoton@gmail.com> writes:
>>>
>>>> There are many basic ways to control processes, including capabilities,
>>>> cgroups and resource limits. However, there are far fewer ways to find
>>>> out useful values for the limits, except blind trial and error.
>>>>
>>>> Currently, there is no way to know which capabilities are actually used.
>>>> Even the source code is only implicit, in-depth knowledge of each
>>>> capability must be used when analyzing a program to judge which
>>>> capabilities the program will exercise.
>>>>
>>>> Generate an audit message at system call exit, when capabilities are used.
>>>> This can then be used to configure capability sets for services by a
>>>> software developer, maintainer or system administrator.
>>>>
>>>> Test case demonstrating basic capability monitoring with the new
>>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>>> rdshell):
>>>
>>> You totally miss the interactions with the user namespace so this won't
>>> give you the information you are aiming for.
>>
>> Please correct me if this is not right:
>>
>> There are two cases:
>> a) real capability use as seen outside the namespace
>> b) use of capabilities granted by the namespace
>> Both cases could be active independently.
>>
>> For auditing purposes, we're mostly interested in a) and log noise from
>> b) could be even seen a distraction.
>>
>> For configuration purposes, both cases can be interesting, a) for the
>> configuration of services and b) in case where the containerized
>> configuration is planned to be deployed outside. I'd still only log
>> a).
>>
>>
>> The same logic should apply with cgroup namespaces.
>
> Not logging capabilities outside of the initial user namespace is
> certainly the conservative place to start, and what selinux does.
>
> You should also be logging capability use from cap_capable. Not
But cap_capable is not called from apparmor aa_capable or selinux
selinux_capable, how about security_capable()?
> ns_capable. You are missing several kinds of capability use as
> a quick review of kernel/capability.c should have shown you.
Right, sorry about that.
-Topi
>
> Eric
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: audit capability use
2016-07-11 11:14 [PATCH] capabilities: audit capability use Topi Miettinen
` (2 preceding siblings ...)
2016-07-11 21:57 ` Eric W. Biederman
@ 2016-07-12 21:56 ` Paul Moore
3 siblings, 0 replies; 15+ messages in thread
From: Paul Moore @ 2016-07-12 21:56 UTC (permalink / raw)
To: Topi Miettinen, moderated list:AUDIT SUBSYSTEM
Cc: linux-kernel, ebiederm, mladek, luto, serge, keescook,
Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner, Serge Hallyn,
open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
On Mon, Jul 11, 2016 at 7:14 AM, Topi Miettinen <toiwoton@gmail.com> wrote:
> There are many basic ways to control processes, including capabilities,
> cgroups and resource limits. However, there are far fewer ways to find
> out useful values for the limits, except blind trial and error.
>
> Currently, there is no way to know which capabilities are actually used.
> Even the source code is only implicit, in-depth knowledge of each
> capability must be used when analyzing a program to judge which
> capabilities the program will exercise.
>
> Generate an audit message at system call exit, when capabilities are used.
> This can then be used to configure capability sets for services by a
> software developer, maintainer or system administrator.
>
> Test case demonstrating basic capability monitoring with the new
> message types 1330 and 1331 and how the cgroups are displayed (boot to
> rdshell):
NOTE: additional comments inline with the patch.
I can understand the desire to audit the capabilities, but I'm a
little uncertain about the value of auditing cgroups at this point in
time. The audit subsystem focuses primarily on security relevant
information, and while you could make an argument for cgroups here, I
think it is a relatively weak argument at the moment.
Also, please continue to work on reducing the impact of this on the
audit logs (your discussion with Serge).
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index e38e3fc..971cb2e 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
> __audit_mmap_fd(fd, flags);
> }
>
> +extern void audit_log_cap_use(int cap);
> +
> extern int audit_n_rules;
> extern int audit_signals;
> #else /* CONFIG_AUDITSYSCALL */
> @@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
> { }
> static inline void audit_ptrace(struct task_struct *t)
> { }
> +static inline void audit_log_cap_use(int cap)
> +{ }
> #define audit_n_rules 0
> #define audit_signals 0
> #endif /* CONFIG_AUDITSYSCALL */
> diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
> index a20320c..b5dc8aa 100644
> --- a/include/linux/cgroup.h
> +++ b/include/linux/cgroup.h
> @@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
> int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
> int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
> struct pid *pid, struct task_struct *tsk);
> +struct audit_buffer;
> +void audit_cgroup_list(struct audit_buffer *ab);
>
> void cgroup_fork(struct task_struct *p);
> extern int cgroup_can_fork(struct task_struct *p);
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index d820aa9..c1ae016 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -111,6 +111,8 @@
> #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
> #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
> #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
> +#define AUDIT_CAPABILITY 1330 /* Record showing capability use */
> +#define AUDIT_CGROUP 1331 /* Record showing cgroups */
As Tejun Heo already stated, please put the capability changes and the
cgroup changes into two separate patches in one patchset.
> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 8d528f9..98dd920 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -54,6 +54,7 @@
> #include <linux/kthread.h>
> #include <linux/kernel.h>
> #include <linux/syscalls.h>
> +#include <linux/cgroup.h>
>
> #include <linux/audit.h>
>
> @@ -1682,7 +1683,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
> {
> int i;
>
> - audit_log_format(ab, " %s=", prefix);
> + audit_log_format(ab, "%s=", prefix);
Why?
> CAP_FOR_EACH_U32(i) {
> audit_log_format(ab, "%08x",
> cap->cap[CAP_LAST_U32 - i]);
> @@ -1696,11 +1697,11 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
> int log = 0;
>
> if (!cap_isclear(*perm)) {
> - audit_log_cap(ab, "cap_fp", perm);
> + audit_log_cap(ab, " cap_fp", perm);
This is not an improvement, please stick with the leading space in
audit_log_cap() so callers do not have to worry about formatting
issues like this.
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 2672d10..32c3813 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1439,6 +1439,18 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
>
> audit_log_proctitle(tsk, context);
>
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
> + if (ab) {
> + audit_log_cap(ab, "cap_used", &context->cap_used);
> + audit_log_end(ab);
> + }
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CGROUP);
> + if (ab) {
> + audit_log_format(ab, "cgroups=");
> + audit_cgroup_list(ab);
Why not just move the "cgroups=" into audit_cgroup_list()? Can you
ever think of a reason why you would need to record the cgroups
without the "cgroup=" field prefix?
> + audit_log_end(ab);
> + }
> +
> /* Send end of event record to help user space know we are finished */
> ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
> if (ab)
> @@ -2428,3 +2440,17 @@ struct list_head *audit_killed_trees(void)
> return NULL;
> return &ctx->killed_trees;
> }
> +
> +void audit_log_cap_use(int cap)
> +{
> + struct audit_context *context = current->audit_context;
> +
> + if (context) {
> + cap_raise(context->cap_used, cap);
> + audit_set_auditable(context);
> + } else {
> + audit_log(NULL, GFP_NOFS, AUDIT_CAPABILITY,
> + "cap_used=%d pid=%d no audit_context",
> + cap, task_pid_nr(current));
> + }
> +}
You can't log "no audit_context" in the audit record, all information
logged should follow the "<field>=<value>" format.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] capabilities: add capability cgroup controller
@ 2016-07-03 15:08 Topi Miettinen
2016-07-03 16:13 ` [PATCH] capabilities: audit capability use kbuild test robot
0 siblings, 1 reply; 15+ messages in thread
From: Topi Miettinen @ 2016-07-03 15:08 UTC (permalink / raw)
To: Serge E. Hallyn, Eric W. Biederman, Tejun Heo
Cc: lkml, luto, Kees Cook, Jonathan Corbet, Li Zefan,
Johannes Weiner, Serge Hallyn, James Morris, Andrew Morton,
David Howells, David Woodhouse, Ard Biesheuvel, Paul E. McKenney,
Petr Mladek, open list:DOCUMENTATION,
open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
[-- Attachment #1: Type: text/plain, Size: 2300 bytes --]
On 06/27/16 19:49, Serge E. Hallyn wrote:
> Quoting Tejun Heo (tj@kernel.org):
>> Hello,
>>
>> On Mon, Jun 27, 2016 at 3:10 PM, Topi Miettinen <toiwoton@gmail.com> wrote:
>>> I'll have to study these more. But from what I saw so far, it looks to
>>> me that a separate tool would be needed to read taskstats and if that
>>> tool is not taken by distros, the users would not be any wiser, right?
>>> With cgroup (or /proc), no new tools would be needed.
>>
>> That is a factor but shouldn't be a deciding factor in designing our
>> user-facing interfaces. Please also note that kernel source tree
>> already has tools/ subdirectory which contains userland tools which
>> are distributed along with the kernel.
>
> And, if you take audit+cgroup approach then no tools are needed. So long
> as you can have audit print out the cgroups for a task as part of the
> capability audit record.
>
The attached patch would make any uses of capabilities generate audit
messages. It works for simple tests as you can see from the commit
message, but unfortunately the call to audit_cgroup_list() deadlocks the
system when booting a full blown OS. There's no deadlock when the call
is removed.
I guess that in some cases, cgroup_mutex and/or css_set_lock could be
already held earlier before entering audit_cgroup_list(). Holding the
locks is however required by task_cgroup_from_root(). Is there any way
to avoid this? For example, only print some kind of cgroup ID numbers
(are there unique and stable IDs, available without locks?) for those
cgroups where the task is registered in the audit message?
I could remove the cgroup part from the audit message entirely, but then
knowing which capabilities were used in what cgroup gets much more
difficult. The rest of the patch would be useful without it and of
course simpler.
In my earlier versions a per-task cap_used variable summarized all uses
of capabilities, but it was not clear when to reset the variable (fork?
exec? capset?), so it's gone for now. This was also used to rate limit
printing audit messages by only acting when each capability was first
used by the task, but now all uses of capabilities trigger audit
logging. Could that become a problem? I think it only makes sense to
summarize capability use per cgroup (via taskstats).
-Topi
[-- Attachment #2: 0001-capabilities-audit-capability-use.patch --]
[-- Type: text/x-patch, Size: 9402 bytes --]
>From 2d5248f91998873174dbcbcafe87e5b30c3858aa Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sat, 2 Jul 2016 16:25:20 +0300
Subject: [PATCH] capabilities: audit capability use
There are many basic ways to control processes, including capabilities,
cgroups and resource limits. However, there are far fewer ways to find
out useful values for the limits, except blind trial and error.
Currently, there is no way to know which capabilities are actually used.
Even the source code is only implicit, in-depth knowledge of each
capability must be used when analyzing a program to judge which
capabilities the program will exercise.
Generate an audit message when capabilities are used. This can then be
used to configure capability sets for services by a software developer,
maintainer or system administrator.
Test case demonstrating basic capability monitoring with the new
message type 1330 and how the cgroups are displayed (boot to rdshell):
BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
Enter 'help' for a list of built-in commands.
(initramfs) cd /sys/fs
(initramfs) mount -t cgroup2 cgroup cgroup
[ 16.503902] audit_printk_skb: 4026 callbacks suppressed
[ 16.505059] audit: type=1330 audit(1467543885.733:469): cap_used=21 pid=214 auid=4294967295 uid=0 gid=0 ses=4294967295 cgroups=
[ 16.506845] audit: type=1330 audit(1467543885.733:469): cap_used=21 pid=214 auid=4294967295 uid=0 gid=0 ses=4294967295 cgroups=
[ 16.509234] audit: type=1300 audit(1467543885.733:469): arch=c000003e syscall=165 success=yes exit=0 a0=7ffc2f394e2d a1=7ffc2f394e34 a2=7ffc2f394e25 a3=8000 items=0 ppid=213 pid=214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
[ 16.510134] audit: type=1327 audit(1467543885.733:469): proctitle=6D6F756E74002D74006367726F757032006367726F7570006367726F7570
(initramfs) cd cgroup
(initramfs) mkdir test; cd test
[ 16.533829] audit: type=1330 audit(1467543885.765:470): cap_used=1 pid=215 auid=4294967295 uid=0 gid=0 ses=4294967295 cgroups=:/;
[ 16.536587] audit: type=1300 audit(1467543885.765:470): arch=c000003e syscall=83 success=yes exit=0 a0=7ffe4f0bfe29 a1=1ff a2=0 a3=1e2 items=0 ppid=213 pid=215 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
[ 16.537263] audit: type=1327 audit(1467543885.765:470): proctitle=6D6B6469720074657374
(initramfs) echo $$ >cgroup.procs
(initramfs) mknod /dev/z_$$ c 1 2
[ 16.571516] audit: type=1330 audit(1467543885.801:471): cap_used=27 pid=216 auid=4294967295 uid=0 gid=0 ses=4294967295 cgroups=:/test;
[ 16.572812] audit: type=1300 audit(1467543885.801:471): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe04fe3e11 a1=21b6 a2=102 a3=5c9 items=0 ppid=213 pid=216 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mknod" exe="/bin/mknod" key=(null)
[ 16.573571] audit: type=1327 audit(1467543885.801:471): proctitle=6D6B6E6F64002F6465762F7A5F323133006300310032
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
include/linux/audit.h | 4 +++
include/linux/cgroup.h | 2 ++
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 22 ++++++++++++++++
kernel/capability.c | 5 ++--
kernel/cgroup.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 94 insertions(+), 2 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index e38e3fc..971cb2e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
__audit_mmap_fd(fd, flags);
}
+extern void audit_log_cap_use(int cap);
+
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
{ }
static inline void audit_ptrace(struct task_struct *t)
{ }
+static inline void audit_log_cap_use(int cap)
+{ }
#define audit_n_rules 0
#define audit_signals 0
#endif /* CONFIG_AUDITSYSCALL */
diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index a20320c..b5dc8aa 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *tsk);
+struct audit_buffer;
+void audit_cgroup_list(struct audit_buffer *ab);
void cgroup_fork(struct task_struct *p);
extern int cgroup_can_fork(struct task_struct *p);
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..a5c9a73 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,7 @@
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
+#define AUDIT_CAPABILITY 1330 /* Record showing capability use */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index 8d528f9..370beb7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -54,6 +54,7 @@
#include <linux/kthread.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
+#include <linux/cgroup.h>
#include <linux/audit.h>
@@ -1709,6 +1710,27 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
name->fcap.fE, name->fcap_ver);
}
+void audit_log_cap_use(int cap)
+{
+ struct audit_context *context = current->audit_context;
+ struct audit_buffer *ab;
+ kuid_t uid;
+ kgid_t gid;
+
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
+ audit_log_format(ab, "cap_used=%d", cap);
+ current_uid_gid(&uid, &gid);
+ audit_log_format(ab, " pid=%d auid=%u uid=%u gid=%u ses=%u",
+ task_pid_nr(current),
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ from_kuid(&init_user_ns, uid),
+ from_kgid(&init_user_ns, gid),
+ audit_get_sessionid(current));
+ audit_log_format(ab, " cgroups=");
+ audit_cgroup_list(ab);
+ audit_log_end(ab);
+}
+
static inline int audit_copy_fcaps(struct audit_names *name,
const struct dentry *dentry)
{
diff --git a/kernel/capability.c b/kernel/capability.c
index 45432b5..d45d5b1 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -366,8 +366,8 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
* @ns: The usernamespace we want the capability in
* @cap: The capability to be tested for
*
- * Return true if the current task has the given superior capability currently
- * available for use, false if not.
+ * Return true if the current task has the given superior capability
+ * currently available for use, false if not. Write an audit message.
*
* This sets PF_SUPERPRIV on the task if the capability is available on the
* assumption that it's about to be used.
@@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
}
if (security_capable(current_cred(), ns, cap) == 0) {
+ audit_log_cap_use(cap);
current->flags |= PF_SUPERPRIV;
return true;
}
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 75c0ff0..3b92e85 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -63,6 +63,7 @@
#include <linux/nsproxy.h>
#include <linux/proc_ns.h>
#include <net/sock.h>
+#include <linux/audit.h>
/*
* pidlists linger the following amount before being destroyed. The goal
@@ -5789,6 +5790,67 @@ out:
return retval;
}
+/*
+ * audit_cgroup_list()
+ * - Print task's cgroup paths with audit_log_format()
+ * - Used for capability audit logging
+ * - Otherwise very similar to proc_cgroup_show().
+ */
+void audit_cgroup_list(struct audit_buffer *ab)
+{
+ char *buf, *path;
+ struct cgroup_root *root;
+
+ buf = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!buf)
+ return;
+
+ mutex_lock(&cgroup_mutex);
+ spin_lock_irq(&css_set_lock);
+
+ for_each_root(root) {
+ struct cgroup_subsys *ss;
+ struct cgroup *cgrp;
+ int ssid, count = 0;
+
+ if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
+ continue;
+
+ if (root != &cgrp_dfl_root)
+ for_each_subsys(ss, ssid)
+ if (root->subsys_mask & (1 << ssid))
+ audit_log_format(ab, "%s%s",
+ count++ ? "," : "",
+ ss->legacy_name);
+ if (strlen(root->name))
+ audit_log_format(ab, "%sname=%s", count ? "," : "",
+ root->name);
+ audit_log_format(ab, ":");
+
+ cgrp = task_cgroup_from_root(current, root);
+
+ if (cgroup_on_dfl(cgrp) || !(current->flags & PF_EXITING)) {
+ path = cgroup_path_ns_locked(cgrp, buf, PATH_MAX,
+ current->nsproxy->cgroup_ns);
+ if (!path)
+ goto out_unlock;
+ } else
+ path = "/";
+
+ audit_log_format(ab, "%s", path);
+
+ if (cgroup_on_dfl(cgrp) && cgroup_is_dead(cgrp))
+ audit_log_format(ab, " (deleted);");
+ else
+ audit_log_format(ab, ";");
+ }
+
+out_unlock:
+ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+ kfree(buf);
+}
+
/* Display information about each subsystem and each hierarchy */
static int proc_cgroupstats_show(struct seq_file *m, void *v)
{
--
2.8.1
^ permalink raw reply related [flat|nested] 15+ messages in thread* Re: [PATCH] capabilities: audit capability use
2016-07-03 15:08 [PATCH] capabilities: add capability cgroup controller Topi Miettinen
@ 2016-07-03 16:13 ` kbuild test robot
0 siblings, 0 replies; 15+ messages in thread
From: kbuild test robot @ 2016-07-03 16:13 UTC (permalink / raw)
To: Topi Miettinen
Cc: kbuild-all, Serge E. Hallyn, Eric W. Biederman, Tejun Heo, lkml,
luto, Kees Cook, Jonathan Corbet, Li Zefan, Johannes Weiner,
Serge Hallyn, James Morris, Andrew Morton, David Howells,
David Woodhouse, Ard Biesheuvel, Paul E. McKenney, Petr Mladek,
open list:DOCUMENTATION, open list:CONTROL GROUP (CGROUP),
open list:CAPABILITIES
[-- Attachment #1: Type: text/plain, Size: 2500 bytes --]
Hi,
[auto build test ERROR on cgroup/for-next]
[also build test ERROR on v4.7-rc5]
[cannot apply to next-20160701]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Topi-Miettinen/capabilities-audit-capability-use/20160703-231120
base: https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git for-next
config: microblaze-mmu_defconfig (attached as .config)
compiler: microblaze-linux-gcc (GCC) 4.9.0
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=microblaze
All errors (new ones prefixed by >>):
>> kernel/audit.c:1713:6: error: redefinition of 'audit_log_cap_use'
void audit_log_cap_use(int cap)
^
In file included from kernel/audit.c:59:0:
include/linux/audit.h:574:20: note: previous definition of 'audit_log_cap_use' was here
static inline void audit_log_cap_use(int cap)
^
kernel/audit.c: In function 'audit_log_cap_use':
>> kernel/audit.c:1730:2: error: implicit declaration of function 'audit_cgroup_list' [-Werror=implicit-function-declaration]
audit_cgroup_list(ab);
^
cc1: some warnings being treated as errors
vim +/audit_log_cap_use +1713 kernel/audit.c
1707
1708 if (log)
1709 audit_log_format(ab, " cap_fe=%d cap_fver=%x",
1710 name->fcap.fE, name->fcap_ver);
1711 }
1712
> 1713 void audit_log_cap_use(int cap)
1714 {
1715 struct audit_context *context = current->audit_context;
1716 struct audit_buffer *ab;
1717 kuid_t uid;
1718 kgid_t gid;
1719
1720 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
1721 audit_log_format(ab, "cap_used=%d", cap);
1722 current_uid_gid(&uid, &gid);
1723 audit_log_format(ab, " pid=%d auid=%u uid=%u gid=%u ses=%u",
1724 task_pid_nr(current),
1725 from_kuid(&init_user_ns, audit_get_loginuid(current)),
1726 from_kuid(&init_user_ns, uid),
1727 from_kgid(&init_user_ns, gid),
1728 audit_get_sessionid(current));
1729 audit_log_format(ab, " cgroups=");
> 1730 audit_cgroup_list(ab);
1731 audit_log_end(ab);
1732 }
1733
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/octet-stream, Size: 12626 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2016-07-13 7:31 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-07-11 11:14 [PATCH] capabilities: audit capability use Topi Miettinen
2016-07-11 15:25 ` Serge E. Hallyn
2016-07-11 16:05 ` Topi Miettinen
2016-07-11 19:28 ` Topi Miettinen
2016-07-11 17:09 ` Tejun Heo
2016-07-11 19:47 ` Topi Miettinen
2016-07-12 14:59 ` Tejun Heo
2016-07-13 6:52 ` Topi Miettinen
2016-07-11 21:57 ` Eric W. Biederman
2016-07-12 8:54 ` Topi Miettinen
2016-07-12 13:16 ` Eric W. Biederman
2016-07-12 22:00 ` Paul Moore
2016-07-13 7:30 ` Topi Miettinen
2016-07-12 21:56 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2016-07-03 15:08 [PATCH] capabilities: add capability cgroup controller Topi Miettinen
2016-07-03 16:13 ` [PATCH] capabilities: audit capability use kbuild test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).