linux-kernel.vger.kernel.org archive mirror
* [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier
@ 2019-09-19  1:27 Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 01/12] AUDIT_CONTAINER_OP message type basic support Richard Guy Briggs
                   ` (12 more replies)
  0 siblings, 13 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

Add support for audit kernel container identifiers to userspace tools.

The first and second add new record types.  The third adds filter
support.  The fourth and fifth start to add search support.

The 6th is to read the calling process' audit container identifier from
the /proc filesystem matching the kernel /proc read patch.

The 7th is to fix signal support and the 8th is to learn the audit
container identifier of the process that signals the audit daemon.

The 9th is a touch up to allow the contid field to be interpreted as a
CSV list.

The 10th and 11th add audit netlink support for setting and getting
contid, loginuid and sessionid preparing to deprecate the /proc
interface.

The last adds audit library support to allow a process to give
permission to a container orchestrator in a non-init user namespace via
audit netlink messages.

See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Changelog:
v7
- rebase on ghau90 and touchup
- rebase on ghak10 support (change AUDIT_CONTAINER_ID to 1334)
- render type contid as a CSV
- switch from /proc to audit netlink to set/get contid, auid/sessionid
- add support for capcontid

v6
- auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2
  request and record
- swap CONTAINER_OP contid/old-contid to ease parsing
- add to auparse

v5
- updated aux record from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
- add AUDIT_CONTAINER_ID to normalization
- rebase on AUDIT_ANOM_LINK and AUDIT_MAC_CALIPSO_ADD

v4
- change from AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP
- change from AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER to
  AUDIT_FEATURE_BITMAP_CONTAINERID
- change from event_container_id to event_contid internally
- change from container_id to contid and event_container_id to
  event_contid internally
- change command line option from --container-id to --contid

v3
- change from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
- change from AUDIT_CONTAINER_INFO to AUDIT_CONTAINER
- change from AUDIT_CONTAINERID to AUDIT_CONTID
- update github issue refs
- add audit_get_containerid
- change event_container_id default value
- add --containerid to ausearch options help text
- update ausearch parser and error codes

v2
- rebase on UINT_MAX patch
- add patches for AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch,
  normalization

Richard Guy Briggs (12):
  AUDIT_CONTAINER_OP message type basic support
  AUDIT_CONTAINER_ID message type basic support
  auditctl: add support for AUDIT_CONTID filter
  add ausearch containerid support
  start normalization containerid support
  libaudit: add support to get the task audit container identifier
  signal_info: only print context if it is available.
  add support for audit_signal_info2
  contid: interpret correctly CONTAINER_ID contid field csv
  contid: switch from /proc to netlink
  loginuid/sessionid: switch from /proc to netlink
  libaudit: add support to get and set capcontid on a task

 auparse/auditd-config.c          |   1 +
 auparse/auparse-defs.h           |   3 +-
 auparse/interpret.c              |  10 +
 auparse/normalize_record_map.h   |   2 +
 auparse/typetab.h                |   2 +
 bindings/python/auparse_python.c |   1 +
 docs/Makefile.am                 |   3 +-
 docs/audit_get_containerid.3     |  25 +++
 docs/audit_request_signal_info.3 |   1 +
 docs/audit_set_containerid.3     |  24 +++
 docs/auditctl.8                  |   3 +
 lib/fieldtab.h                   |   1 +
 lib/libaudit.c                   | 425 ++++++++++++++++++++++++++++++++-------
 lib/libaudit.h                   |  73 +++++++
 lib/msg_typetab.h                |  10 +
 lib/netlink.c                    |  15 ++
 src/auditctl-listing.c           |  21 ++
 src/auditd-config.c              |   1 +
 src/auditd-config.h              |   1 +
 src/auditd-event.c               |  28 ++-
 src/auditd-reconfig.c            |  25 ++-
 src/auditd.c                     |   3 +-
 src/aureport-options.c           |   1 +
 src/ausearch-llist.c             |   2 +
 src/ausearch-llist.h             |   1 +
 src/ausearch-match.c             |   3 +
 src/ausearch-options.c           |  47 ++++-
 src/ausearch-options.h           |   1 +
 src/ausearch-parse.c             | 197 ++++++++++++++++++
 src/ausearch-report.c            |   6 +-
 30 files changed, 848 insertions(+), 88 deletions(-)
 create mode 100644 docs/audit_get_containerid.3
 create mode 100644 docs/audit_set_containerid.3

-- 
1.8.3.1



* [PATCH ghau51/ghau40 v7 01/12] AUDIT_CONTAINER_OP message type basic support
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 02/12] AUDIT_CONTAINER_ID " Richard Guy Briggs
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

This defines the message number for the audit container identifier
registration record should the kernel headers not be up to date, gives
the record number a name for printing and allows the record to be
interpreted since it is in the 1000 range like AUDIT_LOGIN.

See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 lib/libaudit.h    | 4 ++++
 lib/msg_typetab.h | 1 +
 lib/netlink.c     | 1 +
 3 files changed, 6 insertions(+)

diff --git a/lib/libaudit.h b/lib/libaudit.h
index 8e8dc5718350..06d2e59c55aa 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -246,6 +246,10 @@ extern "C" {
 #define AUDIT_GET_FEATURE       1019    /* Get which features are enabled */
 #endif
 
+#ifndef AUDIT_CONTAINER_OP
+#define AUDIT_CONTAINER_OP	1020    /* Container creation notice */
+#endif
+
 #ifndef AUDIT_MMAP
 #define AUDIT_MMAP		1323 /* Descriptor and flags in mmap */
 #endif
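Review bot: the comment on the new define, "Container creation notice", does not match the commit message, which calls this the audit container identifier registration record, nor the CONTAINER_OP name, which suggests a set/change operation rather than a creation event; reword it, e.g. `/* Container ID set/change op */`, so the header comment and the record name agree.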
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index d668f34444b5..00cb5c134bf6 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -44,6 +44,7 @@ _S(AUDIT_LOGIN,                      "LOGIN"                         )
 //_S(AUDIT_TTY_SET,                    "TTY_SET"                       )
 //_S(AUDIT_SET_FEATURE,                "SET_FEATURE"                   )
 //_S(AUDIT_GET_FEATURE,                "GET_FEATURE"                   )
+_S(AUDIT_CONTAINER_OP,               "CONTAINER_OP"                  )
 _S(AUDIT_USER_AUTH,                  "USER_AUTH"                     )
 _S(AUDIT_USER_ACCT,                  "USER_ACCT"                     )
 _S(AUDIT_USER_MGMT,                  "USER_MGMT"                     )
diff --git a/lib/netlink.c b/lib/netlink.c
index 5b2028fda7e8..caa963b1ddb2 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -184,6 +184,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
 			break;
 		case AUDIT_USER:
 		case AUDIT_LOGIN:
+		case AUDIT_CONTAINER_OP:
 		case AUDIT_KERNEL:
 		case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
 		case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
-- 
1.8.3.1



* [PATCH ghau51/ghau40 v7 02/12] AUDIT_CONTAINER_ID message type basic support
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 01/12] AUDIT_CONTAINER_OP message type basic support Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 03/12] auditctl: add support for AUDIT_CONTID filter Richard Guy Briggs
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

This defines the message number for the audit container identifier
information record should the kernel headers not be up to date and gives
the record number a name for printing.

See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 lib/libaudit.h    | 4 ++++
 lib/msg_typetab.h | 1 +
 2 files changed, 5 insertions(+)

diff --git a/lib/libaudit.h b/lib/libaudit.h
index 06d2e59c55aa..077847587dca 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -294,6 +294,10 @@ extern "C" {
 #define AUDIT_TIME_ADJNTPVAL	1333 /* NTP value adjustment */
 #endif
 
+#ifndef AUDIT_CONTAINER_ID
+#define AUDIT_CONTAINER_ID	1334 /* Container ID */
+#endif
+
 #ifndef AUDIT_MAC_CALIPSO_ADD
 #define AUDIT_MAC_CALIPSO_ADD	1418 /* NetLabel: add CALIPSO DOI entry */
 #endif
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index 00cb5c134bf6..54fca1193a30 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -126,6 +126,7 @@ _S(AUDIT_KERN_MODULE,                "KERN_MODULE"                   )
 _S(AUDIT_FANOTIFY,                   "FANOTIFY"                      )
 _S(AUDIT_TIME_INJOFFSET,             "TIME_INJOFFSET"                )
 _S(AUDIT_TIME_ADJNTPVAL,             "TIME_ADJNTPVAL"                )
+_S(AUDIT_CONTAINER_ID,               "CONTAINER_ID"                  )
 _S(AUDIT_AVC,                        "AVC"                           )
 _S(AUDIT_SELINUX_ERR,                "SELINUX_ERR"                   )
 _S(AUDIT_AVC_PATH,                   "AVC_PATH"                      )
-- 
1.8.3.1



* [PATCH ghau51/ghau40 v7 03/12] auditctl: add support for AUDIT_CONTID filter
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 01/12] AUDIT_CONTAINER_OP message type basic support Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 02/12] AUDIT_CONTAINER_ID " Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 04/12] add ausearch containerid support Richard Guy Briggs
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to
filter based on audit container identifier.  This field is specified
with the "contid" field name on the command line.

Since it is a u64 and larger than any other numeric field, send it as a
string but do the appropriate conversions on each end in each direction.

See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 docs/auditctl.8        |  3 +++
 lib/fieldtab.h         |  1 +
 lib/libaudit.c         | 36 ++++++++++++++++++++++++++++++++++++
 lib/libaudit.h         |  7 +++++++
 src/auditctl-listing.c | 21 +++++++++++++++++++++
 5 files changed, 68 insertions(+)

diff --git a/docs/auditctl.8 b/docs/auditctl.8
index 6606077c2c44..daed435f03af 100644
--- a/docs/auditctl.8
+++ b/docs/auditctl.8
@@ -216,6 +216,9 @@ Address family number as found in /usr/include/bits/socket.h. For example, IPv4
 .B sessionid
 User's login session ID
 .TP
+.B contid
+Process' audit container ID
+.TP
 .B subj_user
 Program's SE Linux User
 .TP
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index b597cafb2df8..e0a49d0154bb 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -47,6 +47,7 @@ _S(AUDIT_OBJ_TYPE,     "obj_type"     )
 _S(AUDIT_OBJ_LEV_LOW,  "obj_lev_low"  )
 _S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" )
 _S(AUDIT_SESSIONID,    "sessionid"    )
+_S(AUDIT_CONTID,       "contid"       )
 
 _S(AUDIT_DEVMAJOR,     "devmajor"     )
 _S(AUDIT_DEVMINOR,     "devminor"     )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 15e3c9ed921f..7c6b82792b5a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1756,6 +1756,42 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			if (rule->values[rule->field_count] >= AF_MAX)
 				return -EAU_FIELDVALTOOBIG;
 			break;
+		case AUDIT_CONTID: {
+			unsigned long long val;
+
+			if ((audit_get_features() &
+				AUDIT_FEATURE_BITMAP_CONTAINERID) == 0)
+				return -EAU_FIELDNOSUPPORT;
+			if (flags != AUDIT_FILTER_EXCLUDE &&
+			    flags != AUDIT_FILTER_USER &&
+			    flags != AUDIT_FILTER_EXIT)
+				return -EAU_FIELDNOFILTER;
+			if (isdigit((char)*(v))) 
+				val = strtoull(v, NULL, 0);
+			else if (strlen(v) >= 2 && *(v)=='-' && 
+						(isdigit((char)*(v+1)))) 
+				val = strtoll(v, NULL, 0);
+			else if (strcmp(v, "unset") == 0)
+				val = ULLONG_MAX;
+			else
+				return -EAU_FIELDVALNUM;
+			if (errno)
+				return -EAU_FIELDVALNUM;
+			vlen = sizeof(unsigned long long);
+			rule->values[rule->field_count] = vlen;
+			offset = rule->buflen;
+			rule->buflen += vlen;
+			*rulep = realloc(rule, sizeof(*rule) + rule->buflen);
+			if (*rulep == NULL) {
+				free(rule);
+				audit_msg(LOG_ERR, "Cannot realloc memory!\n");
+				return -3;
+			} else {
+				rule = *rulep;
+			}
+			*(unsigned long long*)(&rule->buf[offset]) = val;
+			break;
+		}
 		case AUDIT_DEVMAJOR...AUDIT_INODE:
 		case AUDIT_SUCCESS:
 			if (flags != AUDIT_FILTER_EXIT)
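Review bot: errno is tested after strtoull()/strtoll() without being cleared first, so a stale errno left by an earlier library call makes a valid contid fail with -EAU_FIELDVALNUM; add `errno = 0;` before the conversion, as the ausearch side of this series does. In the same block, `isdigit((char)*(v))` passes a possibly negative plain char to isdigit(), which is undefined for values outside unsigned char and EOF, so cast to `(unsigned char)` instead; and a negative input parsed with strtoll() is stored into an unsigned long long, which makes "-1" an alias of "unset" (ULLONG_MAX) but turns any other negative value into a large meaningless id, so either reject values below -1 or document the aliasing. The store `*(unsigned long long*)(&rule->buf[offset]) = val;` is an unaligned, type-punned write into a char buffer; `memcpy(&rule->buf[offset], &val, vlen);` is the portable form. Finally, the commit message says the id is "sent as a string", but this hunk stores it as raw 8-byte binary with rule->values[] holding the length; the message should describe that.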
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 077847587dca..d263e44292ca 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -350,6 +350,9 @@ extern "C" {
 #ifndef AUDIT_FEATURE_BITMAP_FILTER_FS
 #define AUDIT_FEATURE_BITMAP_FILTER_FS		0x00000040
 #endif
+#ifndef AUDIT_FEATURE_BITMAP_CONTAINERID
+#define AUDIT_FEATURE_BITMAP_CONTAINERID	0x00000080
+#endif
 
 /* Defines for interfield comparison update */
 #ifndef AUDIT_OBJ_UID
@@ -376,6 +379,10 @@ extern "C" {
 #define AUDIT_FSTYPE 26
 #endif
 
+#ifndef AUDIT_CONTID
+#define AUDIT_CONTID 27
+#endif
+
 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
 #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
 #endif
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index f670ff9bd6e8..a62454f88b2c 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -25,6 +25,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include "auditctl-listing.h"
 #include "private.h"
 #include "auditctl-llist.h"
@@ -460,6 +461,26 @@ static void print_rule(const struct audit_rule_data *r)
 						audit_operator_to_symbol(op),
 						audit_fstype_to_name(
 						r->values[i]));
+			} else if (field == AUDIT_CONTID) {
+				unsigned long long val;
+
+				if (r->values[i] == sizeof(unsigned long long)) {
+					val = *(unsigned long long*)(&r->buf[boffset]);
+
+					if (val != ULLONG_MAX)
+						printf(" -F %s%s%llu", name,
+							audit_operator_to_symbol(op),
+							val);
+					else
+						printf(" -F %s%s%s", name,
+							audit_operator_to_symbol(op),
+							"unset");
+				} else {
+					printf(" -F %s%s%s", name,
+						audit_operator_to_symbol(op),
+						"inval");
+				}
+				boffset += r->values[i];
 			} else {
 				// The default is signed decimal
 				printf(" -F %s%s%d", name, 
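Review bot: `val = *(unsigned long long*)(&r->buf[boffset]);` reads an unaligned 8-byte value through a pointer cast into a char buffer, which violates strict aliasing and faults on strict-alignment targets; use `memcpy(&val, &r->buf[boffset], sizeof(val));`. The placement of `boffset += r->values[i];` after both branches is correct, but the "inval" branch prints a rule line that auditctl cannot load back; reporting the unexpected length on stderr would make a broken `auditctl -l` round trip visible instead of silent.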
-- 
1.8.3.1



* [PATCH ghau51/ghau40 v7 04/12] add ausearch containerid support
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
                   ` (2 preceding siblings ...)
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 03/12] auditctl: add support for AUDIT_CONTID filter Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-20 16:12   ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 05/12] start normalization " Richard Guy Briggs
                   ` (8 subsequent siblings)
  12 siblings, 1 reply; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

Add support to ausearch for searching on the containerid field in
records.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 src/aureport-options.c |   1 +
 src/ausearch-llist.c   |   2 +
 src/ausearch-llist.h   |   1 +
 src/ausearch-match.c   |   3 +
 src/ausearch-options.c |  47 +++++++++++-
 src/ausearch-options.h |   1 +
 src/ausearch-parse.c   | 197 +++++++++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 251 insertions(+), 1 deletion(-)

diff --git a/src/aureport-options.c b/src/aureport-options.c
index bd847d7d57f0..679c36c00985 100644
--- a/src/aureport-options.c
+++ b/src/aureport-options.c
@@ -62,6 +62,7 @@ const char *event_vmname = NULL;
 long long event_exit = 0;
 int event_exit_is_set = 0;
 int event_ppid = -1, event_session_id = -2;
+unsigned long long int event_contid = -1;
 int event_debug = 0, event_machine = -1;
 
 /* These are used by aureport */
diff --git a/src/ausearch-llist.c b/src/ausearch-llist.c
index ef5503c34fd9..ade727a9e102 100644
--- a/src/ausearch-llist.c
+++ b/src/ausearch-llist.c
@@ -60,6 +60,7 @@ void list_create(llist *l)
 	l->s.arch = 0;
 	l->s.syscall = 0;
 	l->s.session_id = -2;
+	l->s.contid = -1;
 	l->s.uuid = NULL;
 	l->s.vmname = NULL;
 	l->s.tuid = NULL;
@@ -211,6 +212,7 @@ void list_clear(llist* l)
 	l->s.arch = 0;
 	l->s.syscall = 0;
 	l->s.session_id = -2;
+	l->s.contid = -1;
 	free(l->s.uuid);
 	l->s.uuid = NULL;
 	free(l->s.vmname);
diff --git a/src/ausearch-llist.h b/src/ausearch-llist.h
index 64e4ee1f3694..2d1f52237ce6 100644
--- a/src/ausearch-llist.h
+++ b/src/ausearch-llist.h
@@ -56,6 +56,7 @@ typedef struct
   int arch;             // arch
   int syscall;          // syscall
   uint32_t session_id;  // Login session id
+  __u64 contid;         // Container id
   long long exit;       // Syscall exit code
   int exit_is_set;      // Syscall exit code is valid
   char *hostname;       // remote hostname
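Review bot: `__u64` is a kernel-header type from linux/types.h, while the neighbouring fields use the C99 `uint32_t`; `uint64_t contid;` from <stdint.h> keeps this header self-contained and consistent with the rest of the struct.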
diff --git a/src/ausearch-match.c b/src/ausearch-match.c
index 61a11d30a09b..47c12581a963 100644
--- a/src/ausearch-match.c
+++ b/src/ausearch-match.c
@@ -113,6 +113,9 @@ int match(llist *l)
 				if ((event_session_id != -2) &&
 					(event_session_id != l->s.session_id))
 					return 0;
+				if ((event_contid != -1) &&
+					(event_contid != l->s.contid))
+					return 0;
 				if (event_exit_is_set) {
 					if (l->s.exit_is_set == 0)
 						return 0;
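Review bot: the "not specified" sentinel for event_contid is -1, i.e. ULLONG_MAX, which is exactly the kernel's "unset" contid. A user who asks for `--contid -1` (accepted by the options hunk via strtoll) therefore gets no filtering at all instead of matching tasks without a container id, and records carrying contid=unset can never be searched for. Use a separate `event_contid_is_set` flag, as this file already does for event_exit (`event_exit_is_set`), so that every 64-bit value stays searchable.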
diff --git a/src/ausearch-options.c b/src/ausearch-options.c
index eb483e670957..609718657775 100644
--- a/src/ausearch-options.c
+++ b/src/ausearch-options.c
@@ -60,6 +60,7 @@ int event_syscall = -1, event_machine = -1;
 int event_ua = 0, event_ga = 0, event_se = 0;
 int just_one = 0;
 uint32_t event_session_id = -2;
+unsigned long long int event_contid = -1;
 long long event_exit = 0;
 int event_exit_is_set = 0;
 int line_buffered = 0;
@@ -88,7 +89,7 @@ struct nv_pair {
 
 enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
 S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
-S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
+S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, S_CONTID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
 S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH, S_FORMAT,
@@ -100,6 +101,7 @@ static struct nv_pair optiontab[] = {
 	{ S_EVENT, "--event" },
 	{ S_COMM, "-c" },
 	{ S_COMM, "--comm" },
+	{ S_CONTID, "--contid" },
 	{ S_CHECKPOINT, "--checkpoint" },
 	{ S_DEBUG, "--debug" },
 	{ S_EXIT, "-e" },
@@ -197,6 +199,7 @@ static void usage(void)
 	"\t-a,--event <Audit event id>\tsearch based on audit event id\n"
 	"\t--arch <CPU>\t\t\tsearch based on the CPU architecture\n"
 	"\t-c,--comm  <Comm name>\t\tsearch based on command line name\n"
+	"\t--contid <audit container id>\tsearch based on the task's audit container id\n"
 	"\t--checkpoint <checkpoint file>\tsearch from last complete event\n"
 	"\t--debug\t\t\tWrite malformed events that are skipped to stderr\n"
 	"\t-e,--exit  <Exit code or errno>\tsearch based on syscall exit code\n"
@@ -1182,6 +1185,48 @@ int check_params(int count, char *vars[])
 			}
 			c++;
 			break;
+		case S_CONTID:
+			if (!optarg) {
+				if ((c+1 < count) && vars[c+1])
+					optarg = vars[c+1];
+				else {
+					fprintf(stderr,
+						"Argument is required for %s\n",
+						vars[c]);
+					retval = -1;
+					break;
+				}
+			}
+			{
+			size_t len = strlen(optarg);
+			if (isdigit(optarg[0])) {
+				errno = 0;
+				event_contid = strtoull(optarg,NULL,0);
+				if (errno) {
+					fprintf(stderr, 
+			"Numeric container ID conversion error (%s) for %s\n",
+						strerror(errno), optarg);
+					retval = -1;
+				}
+			} else if (len >= 2 && *(optarg)=='-' &&
+					(isdigit(optarg[1]))) {
+				errno = 0;
+				event_contid = strtoll(optarg, NULL, 0);
+				if (errno) {
+					retval = -1;
+					fprintf(stderr, "Error converting %s\n",
+						optarg);
+				}
+			} else {
+				fprintf(stderr, 
+			"Container ID is non-numeric and unknown (%s)\n",
+						optarg);
+				retval = -1;
+				break;
+			}
+			}
+			c++;
+			break;
 		case S_UUID:
 			if (!optarg) {
 				fprintf(stderr,
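Review bot: `--contid unset` is rejected here with "Container ID is non-numeric and unknown", while auditctl in patch 03 accepts `unset` for the same field; accept the same spelling in both tools. `isdigit(optarg[0])` should cast to `(unsigned char)` since plain char may be negative. The negative branch stores a strtoll() result into the unsigned event_contid, so `--contid -1` becomes the "not specified" sentinel and silently disables the filter; either reject negatives or map only -1 to unset. Minor: the two conversion-error messages differ in wording ("Numeric container ID conversion error ..." vs "Error converting ..."); use one form.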
diff --git a/src/ausearch-options.h b/src/ausearch-options.h
index 1372762b4b3e..c03256e36495 100644
--- a/src/ausearch-options.h
+++ b/src/ausearch-options.h
@@ -40,6 +40,7 @@ extern int line_buffered;
 extern int event_debug;
 extern pid_t event_ppid;
 extern uint32_t event_session_id;
+extern unsigned long long int event_contid;
 extern ilist *event_type;
 
 /* Data type to govern output format */
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 497306dde070..4d48d59caa0f 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -52,6 +52,8 @@ static int parse_path(const lnode *n, search_items *s);
 static int parse_user(const lnode *n, search_items *s, anode *avc);
 static int parse_obj(const lnode *n, search_items *s);
 static int parse_login(const lnode *n, search_items *s);
+static int parse_container_op(const lnode *n, search_items *s);
+static int parse_container_id(const lnode *n, search_items *s);
 static int parse_daemon1(const lnode *n, search_items *s);
 static int parse_daemon2(const lnode *n, search_items *s);
 static int parse_sockaddr(const lnode *n, search_items *s);
@@ -113,6 +115,9 @@ int extract_search_items(llist *l)
 			case AUDIT_LOGIN:
 				ret = parse_login(n, s);
 				break;
+			case AUDIT_CONTAINER_OP:
+				ret = parse_container_op(n, s);
+				break;
 			case AUDIT_IPC:
 			case AUDIT_OBJ_PID:
 				ret = parse_obj(n, s);
@@ -179,6 +184,9 @@ int extract_search_items(llist *l)
 			case AUDIT_TTY:
 				ret = parse_tty(n, s);
 				break;
+			case AUDIT_CONTAINER_ID:
+				ret = parse_container_id(n, s);
+				break;
 			default:
 				if (event_debug)
 					fprintf(stderr,
@@ -1444,6 +1452,195 @@ static int parse_login(const lnode *n, search_items *s)
 	return 0;
 }
 
+static int parse_container_op(const lnode *n, search_items *s)
+{
+	char *ptr, *str, *term = n->message;
+
+	// skip op
+	// skip opid
+	// get contid
+	if (event_contid != -1) {
+		str = strstr(term, "contid=");
+		if (str == NULL)
+			return 45;
+		ptr = str + 7;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 46;
+		*term = 0;
+		errno = 0;
+		s->contid = strtoull(ptr, NULL, 10);
+		if (errno)
+			return 47;
+		*term = ' ';
+	}
+	// skip old-contid
+	// get pid
+	if (event_pid != -1) {
+		str = strstr(term, "pid=");
+		if (str == NULL)
+			return 48;
+		ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 49;
+		*term = 0;
+		errno = 0;
+		s->pid = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 50;
+		*term = ' ';
+	}
+	// get loginuid
+	if (event_loginuid != -2 || event_tauid) {
+		str = strstr(term, "auid=");
+		if (str == NULL) {
+			return 51;
+		} else
+			ptr = str + 5;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 52;
+		*term = 0;
+		errno = 0;
+		s->loginuid = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 53;
+		*term = ' ';
+		s->tauid = lookup_uid("auid", s->loginuid);
+	}
+	// get uid
+	if (event_uid != -1 || event_tuid) {
+		str = strstr(term, "uid=");
+		if (str == NULL)
+			return 54;
+		ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 55;
+		*term = 0;
+		errno = 0;
+		s->uid = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 56;
+		*term = ' ';
+		s->tuid = lookup_uid("uid", s->uid);
+	}
+	// skip tty
+	// ses
+	if (event_session_id != -2 ) {
+		str = strstr(term, "ses=");
+		if (str == NULL)
+			return 57;
+		else
+			ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 58;
+		*term = 0;
+		errno = 0;
+		s->session_id = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 59;
+		*term = ' ';
+	}
+	// get subj
+	if (event_subject) {
+		str = strstr(term, "subj=");
+		if (str == NULL)
+			return 60;
+		ptr = str + 5;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 61;
+		*term = 0;
+		if (audit_avc_init(s) == 0) {
+			anode an;
+
+			anode_init(&an);
+			an.scontext = strdup(str);
+			alist_append(s->avc, &an);
+			*term = ' ';
+		} else
+			return 62;
+		*term = ' ';
+	}
+	// get comm
+	if (event_comm) {
+		str = strstr(ptr, "comm=");
+		if (str == NULL)
+			return 63;
+		str += 5;
+		if (*str == '"') {
+			str++;
+			term = strchr(str, '"');
+			if (term == NULL)
+				return 64;
+			*term = 0;
+			s->comm = strdup(str);
+			*term = '"';
+		} else 
+			s->comm = unescape(str);
+	}
+	// get exe
+	if (event_exe) {
+		str = strstr(term, "exe=");
+		if (str == NULL)
+			return 65;
+		str += 4;
+		if (*str == '"') {
+			str++;
+			term = strchr(str, '"');
+			if (term == NULL)
+				return 66;
+			*term = 0;
+			s->exe = strdup(str);
+			*term = '"';
+		} else 
+			s->exe = unescape(str);
+	}
+	// success
+	if (event_success != S_UNSET) {
+		str = strstr(term, "res=");
+		if (str == NULL)
+			return 67;
+		ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term)
+			return 68;
+		*term = 0;
+		errno = 0;
+		s->success = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 69;
+		*term = ' ';
+	}
+	return 0;
+}
+
+static int parse_container_id(const lnode *n, search_items *s)
+{
+	char *ptr, *str, *term = n->message;
+
+	// get contid
+	if (event_contid != -1) {
+		str = strstr(term, "contid=");
+		if (str == NULL)
+			return 70;
+		ptr = str + 7;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 71;
+		*term = 0;
+		errno = 0;
+		s->contid = strtoull(ptr, NULL, 10);
+		if (errno)
+			return 72;
+		*term = ' ';
+	}
+	return 0;
+}
+
 static int parse_daemon1(const lnode *n, search_items *s)
 {
 	char *ptr, *str, *term, saved, *mptr;
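Review bot: several logic problems in parse_container_op(). (1) In the `res=` block `if (term) return 68;` is inverted: when a space follows the value the function fails, and when `res=` is the last field, the normal case, `term` is NULL and `*term = 0;` dereferences it; only terminate and restore when `term` is non-NULL. (2) The `comm=` block searches from `ptr`, but `ptr` is only assigned inside earlier conditional blocks, so with just `-c` on the command line it is used uninitialised; search from `term` like the other blocks. (3) The lookups use bare `strstr(term, "pid=")` and `strstr(term, "uid=")`, and the earlier blocks that would advance `term` past the look-alike field are conditional: with no `--contid` the `pid=` search matches inside `opid=`, and with no `--loginuid` the `uid=` search matches inside `auid=`; search for the space-prefixed key (`" pid="`, `" uid="`) or always advance past the preceding fields. (4) In the `subj=` block `an.scontext = strdup(str);` copies from `str`, which still points at the `subj=` prefix, rather than from `ptr`, and `*term = ' ';` runs twice on the success path.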
-- 
1.8.3.1



* [PATCH ghau51/ghau40 v7 05/12] start normalization containerid support
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
                   ` (3 preceding siblings ...)
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 04/12] add ausearch containerid support Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 06/12] libaudit: add support to get the task audit container identifier Richard Guy Briggs
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 auparse/auparse-defs.h           |  3 ++-
 auparse/interpret.c              | 10 ++++++++++
 auparse/normalize_record_map.h   |  2 ++
 auparse/typetab.h                |  2 ++
 bindings/python/auparse_python.c |  1 +
 5 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/auparse/auparse-defs.h b/auparse/auparse-defs.h
index 27bfa943612c..a9b144df3462 100644
--- a/auparse/auparse-defs.h
+++ b/auparse/auparse-defs.h
@@ -87,7 +87,8 @@ typedef enum {  AUPARSE_TYPE_UNCLASSIFIED,  AUPARSE_TYPE_UID, AUPARSE_TYPE_GID,
 	AUPARSE_TYPE_PROCTITLE, AUPARSE_TYPE_HOOK,
 	AUPARSE_TYPE_NETACTION, AUPARSE_TYPE_MACPROTO,
 	AUPARSE_TYPE_IOCTL_REQ, AUPARSE_TYPE_ESCAPED_KEY,
-	AUPARSE_TYPE_ESCAPED_FILE, AUPARSE_TYPE_FANOTIFY } auparse_type_t;
+	AUPARSE_TYPE_ESCAPED_FILE, AUPARSE_TYPE_FANOTIFY, AUPARSE_TYPE_CONTID
+} auparse_type_t;
 
 /* This type determines what escaping if any gets applied to interpreted fields */
 typedef enum { AUPARSE_ESC_RAW, AUPARSE_ESC_TTY, AUPARSE_ESC_SHELL,
diff --git a/auparse/interpret.c b/auparse/interpret.c
index 42014ee4ddea..e251384136bc 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -2842,6 +2842,13 @@ static const char *print_seccomp_code(const char *val)
 	return out;
 }
 
+static const char *print_contid(const char *val)
+{
+	if (strcmp(val, "18446744073709551615") == 0)
+		return strdup("unset");
+	return strdup(val);
+}
+
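Review bot: print_contid() recognises "unset" only by an exact string compare against "18446744073709551615"; the same value printed in another base, or with surrounding whitespace, would not be recognised. Parsing with strtoull() and comparing to ULLONG_MAX is more robust and documents what the literal means.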
 int lookup_type(const char *name)
 {
 	int i;
@@ -3082,6 +3089,9 @@ unknown:
 		case AUPARSE_TYPE_FANOTIFY:
 			out = print_fanotify(id->val);
 			break;
+		case AUPARSE_TYPE_CONTID:
+			out = print_contid(id->val);
+			break;
 		case AUPARSE_TYPE_MAC_LABEL:
 		case AUPARSE_TYPE_UNCLASSIFIED:
 		default:
diff --git a/auparse/normalize_record_map.h b/auparse/normalize_record_map.h
index fee778e76db7..7332249c7b34 100644
--- a/auparse/normalize_record_map.h
+++ b/auparse/normalize_record_map.h
@@ -25,6 +25,7 @@
 
 _S(AUDIT_USER, "sent-message")
 _S(AUDIT_LOGIN, "changed-login-id-to")
+_S(AUDIT_CONTAINER_OP, "changed-container-id-to")
 _S(AUDIT_USER_AUTH, "authenticated")
 _S(AUDIT_USER_ACCT, "was-authorized")
 _S(AUDIT_USER_MGMT, "modified-user-account")
@@ -84,6 +85,7 @@ _S(AUDIT_FEATURE_CHANGE, "changed-audit-feature")
 //_S(AUDIT_REPLACE,"")
 _S(AUDIT_KERN_MODULE, "loaded-kernel-module")
 _S(AUDIT_FANOTIFY, "accessed-policy-controlled-file")
+_S(AUDIT_CONTAINER_ID, "has-container-id")
 _S(AUDIT_AVC, "accessed-mac-policy-controlled-object")
 _S(AUDIT_MAC_POLICY_LOAD, "loaded-selinux-policy")
 _S(AUDIT_MAC_STATUS, "changed-selinux-enforcement-to")
diff --git a/auparse/typetab.h b/auparse/typetab.h
index 0391e87f731c..0c160bb56c3b 100644
--- a/auparse/typetab.h
+++ b/auparse/typetab.h
@@ -142,3 +142,5 @@ _S(AUPARSE_TYPE_IOCTL_REQ,	"ioctlcmd"	)
 _S(AUPARSE_TYPE_FANOTIFY,	"resp"		)
 _S(AUPARSE_TYPE_ESCAPED,	"sw"		)
 _S(AUPARSE_TYPE_ESCAPED,	"root_dir"	)
+_S(AUPARSE_TYPE_CONTID,		"contid"	)
+_S(AUPARSE_TYPE_CONTID,		"old-contid"	)
diff --git a/bindings/python/auparse_python.c b/bindings/python/auparse_python.c
index 0099ca2ceb82..9f53b6d373a1 100644
--- a/bindings/python/auparse_python.c
+++ b/bindings/python/auparse_python.c
@@ -2391,6 +2391,7 @@ initauparse(void)
     PyModule_AddIntConstant(m, "AUPARSE_ESC_TTY", AUPARSE_ESC_TTY);
     PyModule_AddIntConstant(m, "AUPARSE_ESC_SHELL", AUPARSE_ESC_SHELL);
     PyModule_AddIntConstant(m, "AUPARSE_ESC_SHELL_QUOTE", AUPARSE_ESC_SHELL_QUOTE);
+    PyModule_AddIntConstant(m, "AUPARSE_TYPE_CONTID", AUPARSE_TYPE_CONTID);
 
 #ifdef IS_PY3K
     return m;
-- 
1.8.3.1




* [PATCH ghau51/ghau40 v7 06/12] libaudit: add support to get the task audit container identifier
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
                   ` (4 preceding siblings ...)
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 05/12] start normalization " Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 07/12] signal_info: only print context if it is available Richard Guy Briggs
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

Add the audit_get_containerid() call analogous to audit_getloginuid()
and audit_get_session() calls to get our own audit container identifier.

This is intended as a debug patch, not to be upstreamed.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 docs/Makefile.am             |  2 +-
 docs/audit_get_containerid.3 | 25 +++++++++++++++++++++++++
 lib/libaudit.c               | 29 +++++++++++++++++++++++++++++
 lib/libaudit.h               |  1 +
 4 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 docs/audit_get_containerid.3

diff --git a/docs/Makefile.am b/docs/Makefile.am
index 8fb030c6e5e4..209789bb2051 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -28,7 +28,7 @@ man_MANS = audit_add_rule_data.3 audit_add_watch.3 auditctl.8 auditd.8 \
 auditd.conf.5 auditd-plugins.5 \
 audit_delete_rule_data.3 audit_detect_machine.3 \
 audit_encode_nv_string.3 audit_getloginuid.3 \
-audit_get_reply.3 audit_get_session.3 \
+audit_get_reply.3 audit_get_session.3 audit_get_containerid.3 \
 audit_log_acct_message.3 audit_log_user_avc_message.3 \
 audit_log_user_command.3 audit_log_user_comm_message.3 \
 audit_log_user_message.3 audit_log_semanage_message.3 \
diff --git a/docs/audit_get_containerid.3 b/docs/audit_get_containerid.3
new file mode 100644
index 000000000000..ef62a25db970
--- /dev/null
+++ b/docs/audit_get_containerid.3
@@ -0,0 +1,25 @@
+.TH "AUDIT_GET_CONTAINERID" "3" "Feb 2018" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_get_containerid \- Get a program's container id value
+.SH SYNOPSIS
+.B #include <libaudit.h>
+.sp
+uin64_t audit_get_containerid(void);
+
+.SH DESCRIPTION
+This function returns the task's audit container identifier attribute.
+
+.SH "RETURN VALUE"
+
+This function returns the audit container identifier value if it was set. It will return a \-1 if the audit container identifier is unset. However, since uint64_t is an unsigned type, you will see the converted value instead of \-1.
+
+.SH "ERRORS"
+
+This function returns \-2 on failure. Additionally, in the event of a real error, errno would be set. The function can set errno based on failures of open, read, or strtoull.
+
+.SH "SEE ALSO"
+
+.BR audit_getloginuid (3).
+
+.SH AUTHOR
+Richard Guy Briggs
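Review bot: the SYNOPSIS line "uin64_t audit_get_containerid(void);" misspells the return type; it should read uint64_t. RETURN VALUE and ERRORS hand back \-1 (unset) and \-2 (failure) through an unsigned type, so state plainly that callers must compare against (uint64_t)-1 and (uint64_t)-2; "you will see the converted value instead of \-1" leaves the reader to work that out.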
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 7c6b82792b5a..92835a0b35d2 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -944,6 +944,35 @@ uint32_t audit_get_session(void)
 		return ses;
 }
 
+/*
+ * This function will retrieve the audit container identifier or -2 if
+ * there is an error.
+ */
+uint64_t audit_get_containerid(void)
+{
+	uint64_t containerid;
+	int len, in;
+	char buf[32];
+
+	errno = 0;
+	in = open("/proc/self/audit_containerid", O_NOFOLLOW|O_RDONLY);
+	if (in < 0)
+		return -2;
+	do {
+		len = read(in, buf, sizeof(buf));
+	} while (len < 0 && errno == EINTR);
+	close(in);
+	if (len < 0 || len >= sizeof(buf))
+		return -2;
+	buf[len] = 0;
+	errno = 0;
+	containerid = strtoull(buf, 0, 10);
+	if (errno)
+		return -2;
+	else
+		return containerid;
+}
+
 int audit_rule_syscall_data(struct audit_rule_data *rule, int scall)
 {
 	int word = AUDIT_WORD(scall);
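Review bot: the empty-file case is not handled: when read() returns 0, buf is empty, strtoull() returns 0 and POSIX does not require errno to be set for no conversion, so a contid of 0 is returned as if the kernel had printed it. Require len > 0 and use the endptr argument (end != buf and *end is '\n' or '\0') rather than relying on errno alone. The int/size_t comparison in "len >= sizeof(buf)" is only safe because len < 0 is tested first; declaring len as ssize_t makes that explicit.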
diff --git a/lib/libaudit.h b/lib/libaudit.h
index d263e44292ca..9ec37a80bada 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -589,6 +589,7 @@ extern int  audit_get_reply(int fd, struct audit_reply *rep, reply_t block,
 extern uid_t audit_getloginuid(void);
 extern int  audit_setloginuid(uid_t uid);
 extern uint32_t audit_get_session(void);
+extern uint64_t audit_get_containerid(void);
 extern int  audit_detect_machine(void);
 extern int audit_determine_machine(const char *arch);
 extern char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res);
-- 
1.8.3.1



* [PATCH ghau51/ghau40 v7 07/12] signal_info: only print context if it is available.
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
                   ` (5 preceding siblings ...)
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 06/12] libaudit: add support to get the task audit container identifier Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 08/12] add support for audit_signal_info2 Richard Guy Briggs
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 src/auditd-event.c    | 20 +++++++++++++++-----
 src/auditd-reconfig.c |  2 --
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/auditd-event.c b/src/auditd-event.c
index 1c93173fb30e..45f12fb31f01 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -1323,13 +1323,16 @@ static void reconfigure(struct auditd_event *e)
 	const char *ctx = nconf->sender_ctx;
 	struct timeval tv;
 	char txt[MAX_AUDIT_MESSAGE_LENGTH];
+	int txt_len;
 	char date[40];
 	unsigned int seq_num;
 	int need_size_check = 0, need_reopen = 0, need_space_check = 0;
 
-	snprintf(txt, sizeof(txt),
-		"config change requested by pid=%d auid=%u subj=%s",
-		pid, uid, ctx);
+	txt_len = snprintf(txt, sizeof(txt),
+		"config change requested by pid=%d auid=%u", pid, uid);
+	if (ctx)
+		snprintf(txt + txt_len, sizeof(txt) - txt_len,
+			 " subj=%s", ctx);
 	audit_msg(LOG_NOTICE, "%s", txt);
 
 	/* Do the reconfiguring. These are done in a specific
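Review bot: the commit message is empty; say why subj= became optional (auditd-reconfig.c below no longer substitutes "?", so sender_ctx can be NULL). In the hunk, the second snprintf() receives sizeof(txt) - txt_len, which wraps if the first call ever reports a length past the buffer; the format here is short, but clamping txt_len to sizeof(txt) - 1 keeps the idiom safe as more fields are appended (patch 08 adds contid).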
@@ -1578,8 +1581,15 @@ static void reconfigure(struct auditd_event *e)
 
 	e->reply.type = AUDIT_DAEMON_CONFIG;
 	e->reply.len = snprintf(e->reply.msg.data, MAX_AUDIT_MESSAGE_LENGTH-2, 
-	"%s: op=reconfigure state=changed auid=%u pid=%d subj=%s res=success",
-		date, uid, pid, ctx );
+				"%s: op=reconfigure state=changed auid=%u pid=%d",
+				date, uid, pid);
+	if (ctx)
+		e->reply.len += snprintf(e->reply.msg.data + e->reply.len,
+					 MAX_AUDIT_MESSAGE_LENGTH-2 - e->reply.len,
+					 " subj=%s", ctx);
+	e->reply.len += snprintf(e->reply.msg.data + e->reply.len,
+				 MAX_AUDIT_MESSAGE_LENGTH-2 - e->reply.len, 
+				 " res=success");
 	e->reply.message = e->reply.msg.data;
 	free((char *)ctx);
 }
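Review bot: e->reply.len accumulates snprintf() return values, which are the would-be lengths rather than the bytes written, so once one call truncates the next size argument MAX_AUDIT_MESSAGE_LENGTH-2 - e->reply.len goes negative and is passed as a huge size_t; clamp after each call. The lines ending in "MAX_AUDIT_MESSAGE_LENGTH-2, " and "- e->reply.len, " also carry trailing whitespace.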
diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c
index f5b00e6d1dc7..1af402526c4e 100644
--- a/src/auditd-reconfig.c
+++ b/src/auditd-reconfig.c
@@ -106,8 +106,6 @@ static void *config_thread_main(void *arg)
 		if (e->reply.len > 24)
 			new_config.sender_ctx = 
 				strdup(e->reply.signal_info->ctx);
-		else
-			new_config.sender_ctx = strdup("?"); 
 		memcpy(e->reply.msg.data, &new_config, sizeof(new_config));
 		e->reply.conf = (struct daemon_conf *)e->reply.msg.data;
 		e->reply.type = AUDIT_DAEMON_RECONFIG;
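Review bot: dropping the strdup("?") fallback relies on load_config() leaving new_config.sender_ctx NULL (clear_config() does set it to NULL, as the auditd-config.c hunks in patch 08 show); say so here, since reconfigure() now tests "if (ctx)" and free()s it. Note the sense of the remaining "if (e->reply.len > 24)" test, greater than the header-only length means a context is present, because patch 08 replaces it with a helper that inverts it.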
-- 
1.8.3.1



* [PATCH ghau51/ghau40 v7 08/12] add support for audit_signal_info2
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
                   ` (6 preceding siblings ...)
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 07/12] signal_info: only print context if it is available Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 09/12] contid: interpret correctly CONTAINER_ID contid field csv Richard Guy Briggs
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

Since a process in a container could potentially signal the audit daemon
(reconfig, terminate, roll log, resume), that audit container identifier
information should be made available to the audit daemon to report the
full provenance of the signal.  It is not possible to add it to the
existing audit_signal_info struct without causing a kABI change.
Introduce a new audit message type AUDIT_SIGNAL_INFO2 using a new
audit_sig_info2 struct to be able to transfer this information from
kernel to userspace.

struct audit_sig_info2 {
       uid_t           uid;
       pid_t           pid;
       uint64_t        cid;
       char            ctx[0];
};

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 auparse/auditd-config.c          |  1 +
 docs/audit_request_signal_info.3 |  1 +
 lib/libaudit.c                   | 49 +++++++++++++++++++++++++++++++++-------
 lib/libaudit.h                   | 14 ++++++++++++
 lib/msg_typetab.h                |  1 +
 lib/netlink.c                    |  4 ++++
 src/auditd-config.c              |  1 +
 src/auditd-config.h              |  1 +
 src/auditd-event.c               | 10 +++++++-
 src/auditd-reconfig.c            | 23 ++++++++++++++-----
 src/auditd.c                     |  3 ++-
 11 files changed, 92 insertions(+), 16 deletions(-)

diff --git a/auparse/auditd-config.c b/auparse/auditd-config.c
index 59984b47bd5a..b328f3523c02 100644
--- a/auparse/auditd-config.c
+++ b/auparse/auditd-config.c
@@ -77,6 +77,7 @@ void clear_config(struct daemon_conf *config)
 	config->sender_uid = 0;
 	config->sender_pid = 0;
 	config->sender_ctx = NULL;
+	config->sender_cid = 0;
 	config->write_logs = 1;
 	config->log_file = strdup("/var/log/audit/audit.log");
 	config->log_format = LF_RAW;
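Review bot: sender_cid is cleared to 0, but reconfigure() in src/auditd-event.c prints contid whenever cid != -1, so a cleared but never populated config reports contid=0, which looks like a real identifier; initialise it to (uint64_t)-1, the unset sentinel the rest of the series uses.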
diff --git a/docs/audit_request_signal_info.3 b/docs/audit_request_signal_info.3
index b68d7bbefeed..2461940f6622 100644
--- a/docs/audit_request_signal_info.3
+++ b/docs/audit_request_signal_info.3
@@ -14,6 +14,7 @@ audit_request_signal_info requests that the kernel send information about the se
 struct audit_sig_info {
         uid_t           uid;
         pid_t           pid;
+        uint64_t        cid;
         char            ctx[0];
 };
 .fi
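Review bot: this rewrites the audit_sig_info layout in the man page to carry cid, but the patch deliberately leaves struct audit_sig_info untouched (the kABI argument in the commit message) and adds a separate struct audit_sig_info2 with that field; document audit_sig_info2 and AUDIT_SIGNAL_INFO2 next to the old struct rather than changing the old layout on paper.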
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 92835a0b35d2..c142a60c52a2 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -25,6 +25,7 @@
 #include "config.h"
 #include <stdio.h>
 #include <stdarg.h>
+#include <stdbool.h>
 #include <string.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -667,7 +668,11 @@ int audit_request_rules_list_data(int fd)
 
 int audit_request_signal_info(int fd)
 {
-	int rc = audit_send(fd, AUDIT_SIGNAL_INFO, NULL, 0);
+	int rc;
+	if (audit_get_containerid() == (long long)-2)
+		rc = audit_send(fd, AUDIT_SIGNAL_INFO, NULL, 0);
+	else
+		rc = audit_send(fd, AUDIT_SIGNAL_INFO2, NULL, 0);
 	if (rc < 0)
 		audit_msg(LOG_WARNING,
 			"Error sending signal_info request (%s)",
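Review bot: kernel support for AUDIT_SIGNAL_INFO2 is probed indirectly by whether auditd can read its own /proc/self/audit_containerid, so an open() failing for an unrelated reason (an SELinux denial, /proc unavailable) silently falls back to the old request, and the "(long long)-2" comparison only works because both sides are converted to unsigned long long. Use the kernel feature bitmap for the probe (patch 10 introduces AUDIT_FEATURE_BITMAP_CONTAINERID) and compare against (uint64_t)-2.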
@@ -675,15 +680,43 @@ int audit_request_signal_info(int fd)
 	return rc;
 }
 
+bool audit_signal_info_has_ctx(struct audit_reply *rep)
+{
+	if (rep->type == AUDIT_SIGNAL_INFO) {
+		if (rep->len == 24)
+			return true;
+	} else {
+		if(rep->len == 24 + sizeof(uint64_t))
+			return true;
+	}
+	return false;
+}
+
 char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res)
 {
-	if (rep->len == 24)
-		snprintf(buf, len, "op=%s auid=%u pid=%d res=%s", op,
-		 	rep->signal_info->uid, rep->signal_info->pid, res);
-	else
-		snprintf(buf, len, "op=%s auid=%u pid=%d subj=%s res=%s",
-		 	op, rep->signal_info->uid, rep->signal_info->pid,
-		 	rep->signal_info->ctx, res);
+	int c = 0;
+	if (rep->type == AUDIT_SIGNAL_INFO) {
+		c += snprintf(buf + c, len - c, "op=%s auid=%u pid=%d",
+			      op,
+			      rep->signal_info->uid, 
+	 		      rep->signal_info->pid);
+		if (audit_signal_info_has_ctx(rep))
+			c += snprintf(buf + c, len - c, " subj=%s",
+				      rep->signal_info->ctx);
+		c += snprintf(buf + c, len - c, " res=%s", res);
+	} else {
+		c += snprintf(buf + c, len - c, "op=%s auid=%u pid=%d",
+			      op,
+			      rep->signal_info2->uid, 
+	 		      rep->signal_info2->pid);
+		if (audit_signal_info_has_ctx(rep))
+			c += snprintf(buf + c, len - c, " subj=%s",
+				      rep->signal_info2->ctx);
+		c += snprintf(buf + c, len - c, " res=%s", res);
+		if (rep->signal_info2->cid == (uint64_t)-1)
+			c += snprintf(buf + c, len - c, " contid=%llu",
+	 			      rep->signal_info2->cid);
+	}
 	return buf;
 }
 
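Review bot: audit_signal_info_has_ctx() has its sense inverted. A reply of exactly 24 bytes (netlink header plus uid and pid), or 24 + sizeof(uint64_t) for the new type, carries no context; that is what the removed "if (rep->len == 24)" branch and the "e->reply.len > 24" test in auditd-reconfig.c encode, yet the helper returns true for exactly those lengths. It should return rep->len > 24 and rep->len > 24 + sizeof(uint64_t) respectively; as written it prints ctx from a reply that has none and drops it when present. In audit_format_signal_info() the contid test is inverted as well: "if (rep->signal_info2->cid == (uint64_t)-1)" prints the field only when it is unset, so it should be !=. Cast cid to unsigned long long for %llu as auditd-event.c does, and emit contid before res= so res stays the last field of the record.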
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 9ec37a80bada..29e61c876e4c 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -34,6 +34,7 @@ extern "C" {
 #include <linux/netlink.h>
 #include <linux/audit.h>
 #include <stdarg.h>
+#include <stdbool.h>
 #include <syslog.h>
 
 
@@ -250,6 +251,10 @@ extern "C" {
 #define AUDIT_CONTAINER_OP	1020    /* Container creation notice */
 #endif
 
+#ifndef AUDIT_SIGNAL_INFO2
+#define AUDIT_SIGNAL_INFO2	1021    /* auditd signal sender info */
+#endif
+
 #ifndef AUDIT_MMAP
 #define AUDIT_MMAP		1323 /* Descriptor and flags in mmap */
 #endif
@@ -490,6 +495,13 @@ struct audit_sig_info {
 	char		ctx[0];
 };
 
+struct audit_sig_info2 {
+	uid_t		uid;
+	pid_t		pid;
+	uint64_t	cid;
+	char		ctx[0];
+};
+
 /* defines for audit subsystem */
 #define MAX_AUDIT_MESSAGE_LENGTH    8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1
 struct audit_message {
@@ -515,6 +527,7 @@ struct audit_reply {
 	char                    *message;
 	struct nlmsgerr         *error;
 	struct audit_sig_info   *signal_info;
+	struct audit_sig_info2  *signal_info2;
 	struct daemon_conf      *conf;
 #ifdef AUDIT_FEATURE_BITMAP_ALL
 	struct audit_features	*features;
@@ -592,6 +605,7 @@ extern uint32_t audit_get_session(void);
 extern uint64_t audit_get_containerid(void);
 extern int  audit_detect_machine(void);
 extern int audit_determine_machine(const char *arch);
+extern bool audit_signal_info_has_ctx(struct audit_reply *rep);
 extern char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res);
 
 /* Translation functions */
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index 54fca1193a30..6c786933b63e 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -44,6 +44,7 @@ _S(AUDIT_LOGIN,                      "LOGIN"                         )
 //_S(AUDIT_TTY_SET,                    "TTY_SET"                       )
 //_S(AUDIT_SET_FEATURE,                "SET_FEATURE"                   )
 //_S(AUDIT_GET_FEATURE,                "GET_FEATURE"                   )
+//_S(AUDIT_SIGNAL_INFO2,               "SIGNAL_INFO2"                  )
 _S(AUDIT_CONTAINER_OP,               "CONTAINER_OP"                  )
 _S(AUDIT_USER_AUTH,                  "USER_AUTH"                     )
 _S(AUDIT_USER_ACCT,                  "USER_ACCT"                     )
diff --git a/lib/netlink.c b/lib/netlink.c
index caa963b1ddb2..66a3a3b7e83c 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -146,6 +146,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
 	rep->message  = NULL;
 	rep->error    = NULL;
 	rep->signal_info = NULL;
+	rep->signal_info2 = NULL;
 	rep->conf     = NULL;
 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
     defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
@@ -194,6 +195,9 @@ static int adjust_reply(struct audit_reply *rep, int len)
 		case AUDIT_SIGNAL_INFO:
 			rep->signal_info = NLMSG_DATA(rep->nlh);
 			break;
+		case AUDIT_SIGNAL_INFO2:
+			rep->signal_info2 = NLMSG_DATA(rep->nlh);
+			break;
 	}
 	return len;
 }
diff --git a/src/auditd-config.c b/src/auditd-config.c
index ce260de5025a..931bbed22199 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -307,6 +307,7 @@ void clear_config(struct daemon_conf *config)
 	config->sender_uid = 0;
 	config->sender_pid = 0;
 	config->sender_ctx = NULL;
+	config->sender_cid = 0;
 	config->write_logs = 1;
 	config->log_file = strdup("/var/log/audit/audit.log");
 	config->log_format = LF_ENRICHED;
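Review bot: same point as the auparse/auditd-config.c hunk: clearing sender_cid to 0 instead of (uint64_t)-1 makes reconfigure() print contid=0 for an unpopulated config; both clear_config() copies should use the unset sentinel.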
diff --git a/src/auditd-config.h b/src/auditd-config.h
index 50ed3507d34c..c3f8941713e2 100644
--- a/src/auditd-config.h
+++ b/src/auditd-config.h
@@ -49,6 +49,7 @@ struct daemon_conf
 	uid_t sender_uid;	/* the uid for sender of sighup */
 	pid_t sender_pid;	/* the pid for sender of sighup */
 	const char *sender_ctx;	/* the context for the sender of sighup */
+	uint64_t sender_cid;		/* the contid for sender of sighup */
 	unsigned int write_logs;
 	const char *log_file;
 	logging_formats log_format;
diff --git a/src/auditd-event.c b/src/auditd-event.c
index 45f12fb31f01..16a51b24f42f 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -1321,6 +1321,7 @@ static void reconfigure(struct auditd_event *e)
 	uid_t uid = nconf->sender_uid;
 	pid_t pid = nconf->sender_pid;
 	const char *ctx = nconf->sender_ctx;
+	uint64_t cid = nconf->sender_cid;
 	struct timeval tv;
 	char txt[MAX_AUDIT_MESSAGE_LENGTH];
 	int txt_len;
@@ -1331,8 +1332,11 @@ static void reconfigure(struct auditd_event *e)
 	txt_len = snprintf(txt, sizeof(txt),
 		"config change requested by pid=%d auid=%u", pid, uid);
 	if (ctx)
+		txt_len += snprintf(txt + txt_len, sizeof(txt) - txt_len,
+				    " subj=%s", ctx);
+	if (cid != -1)
 		snprintf(txt + txt_len, sizeof(txt) - txt_len,
-			 " subj=%s", ctx);
+			 " contid=%llu", (unsigned long long)cid);
 	audit_msg(LOG_NOTICE, "%s", txt);
 
 	/* Do the reconfiguring. These are done in a specific
@@ -1590,6 +1594,10 @@ static void reconfigure(struct auditd_event *e)
 	e->reply.len += snprintf(e->reply.msg.data + e->reply.len,
 				 MAX_AUDIT_MESSAGE_LENGTH-2 - e->reply.len, 
 				 " res=success");
+	if (cid != -1)
+		e->reply.len += snprintf(e->reply.msg.data + e->reply.len,
+					 MAX_AUDIT_MESSAGE_LENGTH-2 - e->reply.len, 
+					 "contid=%llu", (unsigned long long)cid);
 	e->reply.message = e->reply.msg.data;
 	free((char *)ctx);
 }
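Review bot: the format string "contid=%llu" added at the end of this hunk has no leading space, so the DAEMON_CONFIG record reads res=successcontid=777; it also moves res= off the end of the record. Append " contid=%llu" before the " res=success" call instead. The "cid != -1" tests work only through integer conversion; (uint64_t)-1 says what is meant.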
diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c
index 1af402526c4e..5d8e4627ddeb 100644
--- a/src/auditd-reconfig.c
+++ b/src/auditd-reconfig.c
@@ -101,11 +101,23 @@ static void *config_thread_main(void *arg)
 
 	if (load_config(&new_config, TEST_AUDITD) == 0) {
 		/* We will re-use the current reply */
-		new_config.sender_uid = e->reply.signal_info->uid;
-		new_config.sender_pid = e->reply.signal_info->pid;
-		if (e->reply.len > 24)
-			new_config.sender_ctx = 
-				strdup(e->reply.signal_info->ctx);
+		if (e->reply.type == AUDIT_SIGNAL_INFO) {
+			new_config.sender_uid = e->reply.signal_info->uid;
+			new_config.sender_pid = e->reply.signal_info->pid;
+			new_config.sender_cid = (uint64_t)-1;
+		} else {
+			new_config.sender_uid = e->reply.signal_info2->uid;
+			new_config.sender_pid = e->reply.signal_info2->pid;
+			new_config.sender_cid = e->reply.signal_info2->cid;
+		}
+		if (audit_signal_info_has_ctx(&e->reply)) {
+			if (e->reply.type == AUDIT_SIGNAL_INFO)
+				new_config.sender_ctx = 
+					strdup(e->reply.signal_info->ctx);
+			else
+				new_config.sender_ctx = 
+					strdup(e->reply.signal_info2->ctx);
+		}
 		memcpy(e->reply.msg.data, &new_config, sizeof(new_config));
 		e->reply.conf = (struct daemon_conf *)e->reply.msg.data;
 		e->reply.type = AUDIT_DAEMON_RECONFIG;
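Review bot: this hunk now trusts audit_signal_info_has_ctx(), which as defined in the lib/libaudit.c hunk returns true exactly for the header-only lengths, so with the explicit "e->reply.len > 24" test gone sender_ctx is strdup()ed from a reply that carries no ctx bytes (reading past the payload) and is left NULL when a context is present; fix the helper's sense or keep the length test here. Since sender_cid is set to (uint64_t)-1 for AUDIT_SIGNAL_INFO replies, clear_config() should use the same sentinel rather than 0.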
@@ -125,4 +137,3 @@ static void *config_thread_main(void *arg)
 	pthread_mutex_unlock(&config_lock);
 	return NULL;		
 }
-
diff --git a/src/auditd.c b/src/auditd.c
index ad8fe54f67b4..e027ac7b5d40 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -514,6 +514,7 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io,
 		case AUDIT_FIRST_DAEMON...AUDIT_LAST_DAEMON:
 			break;
 		case AUDIT_SIGNAL_INFO:
+		case AUDIT_SIGNAL_INFO2:
 			if (hup_info_requested) {
 				char hup[MAX_AUDIT_MESSAGE_LENGTH];
 				audit_msg(LOG_DEBUG,
@@ -1075,7 +1076,7 @@ static int get_reply(int fd, struct audit_reply *rep, int seq)
 				continue;
 
 			/* If its not what we are expecting, keep looping */
-			if (rep->type == AUDIT_SIGNAL_INFO)
+			if (rep->type == AUDIT_SIGNAL_INFO || rep->type == AUDIT_SIGNAL_INFO2)
 				return 1;
 
 			/* If we get done or error, break out */
-- 
1.8.3.1


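The audit_sig_info / audit_sig_info2 handling described in the message above, as an added example that is not part of the patch or of audit-userspace: it formats a constructed signal-sender payload the way auditd's DAEMON_* records do, detecting the optional subj= context from the payload length relative to the fixed part of the struct (rather than a magic 24) and printing contid= only when it is set. The struct layouts are copied from the patch with the zero-length ctx[] member treated as the bytes that follow the fixed part; the MSG_* values, the append() helper, build_sig_info2() and the sample payloads are this example's own assumptions.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Fixed parts of the kernel payloads from the patch; the ctx[0] member of
 * audit_sig_info / audit_sig_info2 is simply whatever bytes follow. */
struct sig_info_fixed  { uid_t uid; pid_t pid; };                 /* audit_sig_info  */
struct sig_info2_fixed { uid_t uid; pid_t pid; uint64_t cid; };   /* audit_sig_info2 */

#define CONTID_UNSET     ((uint64_t)-1)
#define MSG_SIGNAL_INFO  1010   /* AUDIT_SIGNAL_INFO in linux/audit.h */
#define MSG_SIGNAL_INFO2 1021   /* value proposed by the patch (assumption) */

static size_t fixed_len(int type)
{
	return type == MSG_SIGNAL_INFO2 ? sizeof(struct sig_info2_fixed)
				       : sizeof(struct sig_info_fixed);
}

/* A subj= context is present only if the payload extends past the fixed
 * part; the kernel NUL-terminates it when it sends one. */
bool sig_info_has_ctx(int type, size_t payload_len)
{
	return payload_len > fixed_len(type);
}

/* Bounded append: snprintf() returns the would-be length, so the cursor is
 * clamped to the buffer and later calls never receive a negative size. */
static size_t append(char *buf, size_t size, size_t pos, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (pos >= size)
		return pos;
	va_start(ap, fmt);
	n = vsnprintf(buf + pos, size - pos, fmt, ap);
	va_end(ap);
	if (n < 0)
		return pos;
	pos += (size_t)n;
	return pos < size ? pos : size - 1;
}

/* Render "op=... auid=... pid=... [subj=...] [contid=...] res=..." from a raw
 * payload of either type. Returns the formatted length, or -1 if the payload
 * is shorter than the fixed part its type requires. */
int format_signal_info(char *buf, size_t size, const char *op, int type,
		       const void *payload, size_t payload_len, const char *res)
{
	/* audit_sig_info2 extends audit_sig_info, so the uid/pid prefix is shared:
	 * copy only the fixed part this type carries and leave cid as unset. */
	struct sig_info2_fixed f = { .cid = CONTID_UNSET };
	size_t fixed = fixed_len(type), pos = 0;

	if (payload_len < fixed)
		return -1;
	memcpy(&f, payload, fixed);   /* no alignment assumptions on payload */

	pos = append(buf, size, pos, "op=%s auid=%u pid=%d", op, (unsigned)f.uid, (int)f.pid);
	if (sig_info_has_ctx(type, payload_len))   /* %.*s never reads past the payload */
		pos = append(buf, size, pos, " subj=%.*s", (int)(payload_len - fixed),
			     (const char *)payload + fixed);
	if (f.cid != CONTID_UNSET)
		pos = append(buf, size, pos, " contid=%llu", (unsigned long long)f.cid);
	pos = append(buf, size, pos, " res=%s", res);   /* res= stays the last field */
	return (int)pos;
}

/* Build a constructed AUDIT_SIGNAL_INFO2 payload the way the kernel would:
 * fixed part followed by an optional NUL-terminated context. Returns its size. */
size_t build_sig_info2(unsigned char *out, size_t cap, uid_t uid, pid_t pid,
		       uint64_t cid, const char *ctx)
{
	struct sig_info2_fixed f = { uid, pid, cid };
	size_t clen = ctx ? strlen(ctx) + 1 : 0;

	if (sizeof(f) + clen > cap)
		return 0;
	memcpy(out, &f, sizeof(f));
	if (clen)
		memcpy(out + sizeof(f), ctx, clen);
	return sizeof(f) + clen;
}

int main(void)
{
	unsigned char payload[128];
	char line[256];
	size_t n;

	/* constructed samples: a contained sender with a context, then an
	 * uncontained sender without one */
	n = build_sig_info2(payload, sizeof(payload), 0, 1234, 777, "system_u:system_r:init_t:s0");
	format_signal_info(line, sizeof(line), "reconfigure", MSG_SIGNAL_INFO2, payload, n, "success");
	puts(line);
	n = build_sig_info2(payload, sizeof(payload), 1000, 42, CONTID_UNSET, NULL);
	format_signal_info(line, sizeof(line), "terminate", MSG_SIGNAL_INFO2, payload, n, "success");
	puts(line);
	return 0;
}
```

Because the context length is derived from the payload and passed to %.*s, a reply whose context lacks its terminating NUL cannot make the formatter read beyond the netlink message, which the strdup()-based handling in the patch does not guarantee.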

* [PATCH ghau51/ghau40 v7 09/12] contid: interpret correctly CONTAINER_ID contid field csv
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
                   ` (7 preceding siblings ...)
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 08/12] add support for audit_signal_info2 Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 10/12] contid: switch from /proc to netlink Richard Guy Briggs
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

The CONTAINER_ID record contid field can contain comma-separated values
when accompanying a NETFILTER_PKT record.  Records appeared interpreted
as such:

Wrong:
	CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777 666,333
Right:
	CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777,666,333

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 src/ausearch-report.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/ausearch-report.c b/src/ausearch-report.c
index 416c2b13fa6a..82fa9579f972 100644
--- a/src/ausearch-report.c
+++ b/src/ausearch-report.c
@@ -279,7 +279,7 @@ no_print:
 			if (str && val && (str < val)) {
 			// Value side  has commas and another field exists
 			// Known: LABEL_LEVEL_CHANGE banners=none,none
-			// Known: ROLL_ASSIGN new-role=r,r
+			// Known: ROLE_ASSIGN new-role=r,r
 			// Known: any MAC LABEL can potentially have commas
 				int ftype = auparse_interp_adjust_type(n->type,
 								name, val);
@@ -293,9 +293,11 @@ no_print:
 			} else if (str && (val == NULL)) {
 			// Goes all the way to the end. Done parsing
 			// Known: MCS context in PATH rec obj=u:r:t:s0:c2,c7
+			// Known: CONTAINER_ID contid can be a comma-separated list
 				int ftype = auparse_interp_adjust_type(n->type,
 								name, ptr);
-				if (ftype == AUPARSE_TYPE_MAC_LABEL)
+				if (ftype == AUPARSE_TYPE_MAC_LABEL
+				    || ftype == AUPARSE_TYPE_CONTID)
 					str = NULL;
 				else {
 					*str++ = 0;
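Review bot: once the whole CSV is kept as one value it is handed to print_contid(), which only maps a lone "18446744073709551615" to unset, so a list such as 777,18446744073709551615 is printed verbatim. Either interpret per entry in print_contid() or document that the sentinel never appears inside a list.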
-- 
1.8.3.1


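The CSV interpretation described in the message above, as an added example that is not part of the patch or of audit-userspace: a small interpreter for a contid field value that keeps a comma-separated list as one field, converts each entry with strtoull() (checking the endptr and errno rather than string-comparing the 20-digit sentinel) and prints "unset" for (uint64_t)-1 entries. The function names, the CONTID_UNSET macro and the sample values are this example's own assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONTID_UNSET ((uint64_t)-1)   /* the kernel's "no container id" sentinel */

/* Parse one decimal contid token of the given length. strtoull() with endptr
 * and errno checks handles leading zeros and rejects garbage; the sign check
 * is needed because strtoull() would happily accept "-1". Returns 0 on success. */
int parse_contid(const char *tok, size_t len, uint64_t *out)
{
	char tmp[32];
	char *end;
	unsigned long long v;

	if (len == 0 || len >= sizeof(tmp))
		return -1;
	memcpy(tmp, tok, len);
	tmp[len] = '\0';
	if (tmp[0] < '0' || tmp[0] > '9')
		return -1;
	errno = 0;
	v = strtoull(tmp, &end, 10);
	if (errno == ERANGE || end == tmp || *end != '\0')
		return -1;
	*out = (uint64_t)v;
	return 0;
}

/* Interpret a contid field value, which (when a NETFILTER_PKT record is
 * involved) may be a comma-separated list. Each entry becomes its canonical
 * decimal form or "unset"; the list stays one field, joined by commas.
 * Returns a malloc'd string (caller frees), or NULL if any entry is invalid. */
char *interpret_contid(const char *val)
{
	size_t n = 1, pos = 0;
	const char *p;
	char *out;

	for (p = val; *p; p++)
		if (*p == ',')
			n++;
	/* each entry is at most 20 digits ("unset" is shorter) plus a separator */
	out = malloc(n * 21 + 1);
	if (!out)
		return NULL;

	p = val;
	for (;;) {
		const char *comma = strchr(p, ',');
		size_t len = comma ? (size_t)(comma - p) : strlen(p);
		uint64_t id;

		if (parse_contid(p, len, &id) != 0) {
			free(out);
			return NULL;
		}
		if (id == CONTID_UNSET)
			pos += (size_t)sprintf(out + pos, "unset");
		else
			pos += (size_t)sprintf(out + pos, "%llu", (unsigned long long)id);
		if (!comma)
			break;
		out[pos++] = ',';
		p = comma + 1;
	}
	out[pos] = '\0';
	return out;
}

int main(void)
{
	/* constructed field values: the list from the commit message, the unset
	 * sentinel alone and inside a list, leading zeros, and two invalid forms */
	const char *samples[] = { "777,666,333", "18446744073709551615",
				  "777,18446744073709551615", "007", "777,", "abc" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		char *s = interpret_contid(samples[i]);
		printf("contid=%s -> %s\n", samples[i], s ? s : "(invalid)");
		free(s);
	}
	return 0;
}
```

Rejecting an empty or trailing entry (as in "777,") rather than silently dropping it matters for search: a rule or ausearch filter matching on contid should fail loudly on a malformed record instead of matching a truncated list.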

* [PATCH ghau51/ghau40 v7 10/12] contid: switch from /proc to netlink
  2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
                   ` (8 preceding siblings ...)
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 09/12] contid: interpret correctly CONTAINER_ID contid field csv Richard Guy Briggs
@ 2019-09-19  1:27 ` Richard Guy Briggs
  2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 11/12] loginuid/sessionid: " Richard Guy Briggs
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

Add the ability to get and set the audit container identifier using an
audit netlink message using message types AUDIT_SET_CONTID 1023 and
AUDIT_GET_CONTID 1022 in addition to using the proc filesystem.  The
message format includes the data structure:

struct audit_contid_status {
	pid_t   pid;
	u64     id;
};

This switches over the audit_set_containerid() and
audit_get_containerid() to use this method if it exists.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 docs/Makefile.am             |  2 +-
 docs/audit_get_containerid.3 |  6 +--
 docs/audit_set_containerid.3 | 24 +++++++++++
 lib/libaudit.c               | 96 +++++++++++++++++++++++++++++++++++---------
 lib/libaudit.h               | 19 ++++++++-
 lib/msg_typetab.h            |  2 +
 lib/netlink.c                |  6 +++
 7 files changed, 130 insertions(+), 25 deletions(-)
 create mode 100644 docs/audit_set_containerid.3

diff --git a/docs/Makefile.am b/docs/Makefile.am
index 209789bb2051..821182315806 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -28,7 +28,7 @@ man_MANS = audit_add_rule_data.3 audit_add_watch.3 auditctl.8 auditd.8 \
 auditd.conf.5 auditd-plugins.5 \
 audit_delete_rule_data.3 audit_detect_machine.3 \
 audit_encode_nv_string.3 audit_getloginuid.3 \
-audit_get_reply.3 audit_get_session.3 audit_get_containerid.3 \
+audit_get_reply.3 audit_get_session.3 audit_get_containerid.3 audit_set_containerid.3 \
 audit_log_acct_message.3 audit_log_user_avc_message.3 \
 audit_log_user_command.3 audit_log_user_comm_message.3 \
 audit_log_user_message.3 audit_log_semanage_message.3 \
diff --git a/docs/audit_get_containerid.3 b/docs/audit_get_containerid.3
index ef62a25db970..5f485c987993 100644
--- a/docs/audit_get_containerid.3
+++ b/docs/audit_get_containerid.3
@@ -4,10 +4,10 @@ audit_get_containerid \- Get a program's container id value
 .SH SYNOPSIS
 .B #include <libaudit.h>
 .sp
-uin64_t audit_get_containerid(void);
+uin64_t audit_get_containerid(pid_t pid);
 
 .SH DESCRIPTION
-This function returns the task's audit container identifier attribute.
+This function returns the pid task's audit container identifier attribute.
 
 .SH "RETURN VALUE"
 
@@ -19,7 +19,7 @@ This function returns \-2 on failure. Additionally, in the event of a real error
 
 .SH "SEE ALSO"
 
-.BR audit_getloginuid (3).
+.BR audit_set_containerid (3).
 
 .SH AUTHOR
 Richard Guy Briggs
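Review bot: the "uin64_t" typo in the SYNOPSIS survives this update, and "the pid task's audit container identifier" should say the identifier of the task identified by pid. Document what pid 0 means, since audit_request_signal_info() calls audit_get_containerid(0) and the implementation compares the pid echoed in the reply against the one requested.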
diff --git a/docs/audit_set_containerid.3 b/docs/audit_set_containerid.3
new file mode 100644
index 000000000000..e4e884eea4a9
--- /dev/null
+++ b/docs/audit_set_containerid.3
@@ -0,0 +1,24 @@
+.TH "AUDIT_SET_CONTAINERID" "4" "Aug 2019" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_set_containerid \- Set a program's container id value
+.SH SYNOPSIS
+.B #include <libaudit.h>
+.sp
+int audit_set_containerid(pid_t pid, uin64_t contid);
+
+.SH "DESCRIPTION"
+
+This function sets the pid task's attribute audit_containerid with the value of contid. The audit_containerid value may only be set by programs with the CAP_AUDIT_CONTROL capability. This normally means the root account.
+.sp
+The audit_containerid value is part of the task structure and is inheritted by child processes. It is used to track in which container a task has been placed. All container orchestrator/engines should set this value right before launching a process after setting up its resources.
+
+.SH "RETURN VALUE"
+
+This function returns 0 on success and non-zero otherwise.
+
+.SH "SEE ALSO"
+
+.BR audit_get_containerid (3).
+
+.SH AUTHOR
+Richard Guy Briggs
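Review bot: the .TH line gives section "4" for a library call whose file is audit_set_containerid.3; "uin64_t" and "inheritted" are misspelled; and RETURN VALUE promises 0 on success while the implementation returns -2 when the kernel lacks the feature, 1 on a send error, and 0 as soon as the request is sent, before the kernel has accepted or refused it. Say that success here means the request was delivered, not that the identifier was set.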
diff --git a/lib/libaudit.c b/lib/libaudit.c
index c142a60c52a2..fdba6301e7f0 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -669,7 +669,7 @@ int audit_request_rules_list_data(int fd)
 int audit_request_signal_info(int fd)
 {
 	int rc;
-	if (audit_get_containerid() == (long long)-2)
+	if (audit_get_containerid(0) == (long long)-2)
 		rc = audit_send(fd, AUDIT_SIGNAL_INFO, NULL, 0);
 	else
 		rc = audit_send(fd, AUDIT_SIGNAL_INFO2, NULL, 0);
@@ -981,29 +981,85 @@ uint32_t audit_get_session(void)
  * This function will retrieve the audit container identifier or -2 if
  * there is an error.
  */
-uint64_t audit_get_containerid(void)
+uint64_t audit_get_containerid(pid_t pid)
 {
-	uint64_t containerid;
-	int len, in;
-	char buf[32];
-
-	errno = 0;
-	in = open("/proc/self/audit_containerid", O_NOFOLLOW|O_RDONLY);
-	if (in < 0)
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
 		return -2;
-	do {
-		len = read(in, buf, sizeof(buf));
-	} while (len < 0 && errno == EINTR);
-	close(in);
-	if (len < 0 || len >= sizeof(buf))
+	} else {
+                struct audit_reply rep;
+                int i;
+                int timeout = 40; /* tenths of seconds */
+                struct pollfd pfd[1];
+                int fd = audit_open();
+		struct audit_cont_status cs;
+                int rc;
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning get contid req (%s)", strerror(-rc));
+			return -2;
+		}
+		cs.pid = pid;
+                rc = audit_send(fd, AUDIT_GET_CONTID, &cs, sizeof(cs));
+                if (rc < 0 && rc != -EINVAL) {
+			audit_close(fd);
+                        audit_msg(audit_priority(errno), "Error sending set contid req (%s)", strerror(-rc));
+                        return -2;
+                }
+                pfd[0].fd = fd;
+                pfd[0].events = POLLIN;
+
+                for (i = 0; i < timeout; i++) {
+                        do {
+                                rc = poll(pfd, 1, 100);
+                        } while (rc < 0 && errno == EINTR);
+                        rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0); 
+                        if (rc > 0) {
+                                /* If we get done or error, break out */
+                                if (rep.type == NLMSG_DONE ||
+                                        rep.type == NLMSG_ERROR)
+                                        break;
+
+                                /* If its not get_contid, keep looping */
+                                if (rep.type != AUDIT_GET_CONTID)
+                                        continue;
+
+                                /* Found it... */
+				audit_close(fd);
+				if (rep.cont->pid == pid)
+                                	return rep.cont->id;
+				else
+					return -2;
+			}
+		}
+		audit_close(fd);
 		return -2;
-	buf[len] = 0;
-	errno = 0;
-	containerid = strtoull(buf, 0, 10);
-	if (errno)
+	}
+}
+
+/*
+ * This function returns 0 on success and 1 on failure
+ */
+int audit_set_containerid(pid_t pid, uint64_t contid)
+{
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
 		return -2;
-	else
-		return containerid;
+	} else {
+		int rc;
+		int seq;
+                int fd = audit_open();
+		struct audit_cont_status cs = { pid, contid };
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning set audit_containerid req (%s)", strerror(-rc));
+			return 1;
+		}
+		rc = audit_send(fd, AUDIT_SET_CONTID, &cs, sizeof(cs));
+		if (rc < 0) {
+			audit_msg(audit_priority(errno), "Error sending set audit_containerid request (%s)", strerror(-rc));
+			return 1;
+		}
+		return 0;
+	}
 }
 
 int audit_rule_syscall_data(struct audit_rule_data *rule, int scall)
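Review bot: `rc` is read before it is assigned in the `fd < 0` branch of audit_set_containerid, so `strerror(-rc)` in the "Error openning set audit_containerid req" message reports garbage; audit_open() has just set errno, so `strerror(errno)` is the value wanted there (and "openning" is misspelled). In the same hunk, audit_set_containerid returns -2 when the feature bit is absent although its comment promises 0 on success and 1 on failure, `seq` is declared but never used, and the tail of audit_get_containerid logs "Error sending set contid req" on the get path.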
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 29e61c876e4c..af58ef563987 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -255,6 +255,14 @@ extern "C" {
 #define AUDIT_SIGNAL_INFO2	1021    /* auditd signal sender info */
 #endif
 
+#ifndef AUDIT_GET_CONTID
+#define AUDIT_GET_CONTID	1022    /* get contid of specified pid */
+#endif
+
+#ifndef AUDIT_SET_CONTID
+#define AUDIT_SET_CONTID	1023    /* set contid of specified pid */
+#endif
+
 #ifndef AUDIT_MMAP
 #define AUDIT_MMAP		1323 /* Descriptor and flags in mmap */
 #endif
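Review bot: the fallback values 1022 and 1023 only take effect when the kernel uapi header does not define AUDIT_GET_CONTID/AUDIT_SET_CONTID, and because of the `#ifndef` guard a kernel header that assigns them differently wins silently. Since the cover letter notes the numbering is still moving (AUDIT_CONTAINER_ID was just renumbered to 1334), add a comment naming the kernel series these fallbacks track so a stale value is not sent to a kernel that settled on different numbers.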
@@ -512,6 +520,11 @@ struct audit_message {
 // internal - forward declaration
 struct daemon_conf;
 
+struct audit_cont_status {
+	pid_t		pid;
+	uint64_t	id;
+};
+
 struct audit_reply {
 	int                      type;
 	int                      len;
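Review bot: struct audit_cont_status is the request body sent with `audit_send(fd, AUDIT_SET_CONTID, &cs, sizeof(cs))`, and `pid_t` followed by `uint64_t` leaves four padding bytes on common ABIs; audit_get_containerid fills only `cs.pid`, so the padding and the `id` field go out uninitialized. Zero-initialize the struct in the get path (for example `struct audit_cont_status cs = { .pid = pid };`) and document here that the layout must match the kernel's definition of the netlink payload.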
@@ -532,6 +545,9 @@ struct audit_reply {
 #ifdef AUDIT_FEATURE_BITMAP_ALL
 	struct audit_features	*features;
 #endif
+#ifdef AUDIT_FEATURE_BITMAP_CONTAINERID
+	struct audit_cont_status	*cont;
+#endif
 	};
 };
 
@@ -602,7 +618,8 @@ extern int  audit_get_reply(int fd, struct audit_reply *rep, reply_t block,
 extern uid_t audit_getloginuid(void);
 extern int  audit_setloginuid(uid_t uid);
 extern uint32_t audit_get_session(void);
-extern uint64_t audit_get_containerid(void);
+extern uint64_t audit_get_containerid(pid_t pid);
+extern int audit_set_containerid(pid_t pid, uint64_t);
 extern int  audit_detect_machine(void);
 extern int audit_determine_machine(const char *arch);
 extern bool audit_signal_info_has_ctx(struct audit_reply *rep);
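Review bot: audit_get_containerid returns `uint64_t` but signals failure with -2, which callers must compare as `(uint64_t)-2`; either document that convention in the header comment and the man page, or return status separately through an out parameter. Also name the second parameter of audit_set_containerid (`uint64_t contid`) to match the definition in libaudit.c.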
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index 6c786933b63e..e37070cd82e2 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -45,6 +45,8 @@ _S(AUDIT_LOGIN,                      "LOGIN"                         )
 //_S(AUDIT_SET_FEATURE,                "SET_FEATURE"                   )
 //_S(AUDIT_GET_FEATURE,                "GET_FEATURE"                   )
 //_S(AUDIT_SIGNAL_INFO2,               "SIGNAL_INFO2"                  )
+//_S(AUDIT_GET_CONTID,                 "GET_CONTID"                    )
+//_S(AUDIT_SET_CONTID,                 "SET_CONTID"                    )
 _S(AUDIT_CONTAINER_OP,               "CONTAINER_OP"                  )
 _S(AUDIT_USER_AUTH,                  "USER_AUTH"                     )
 _S(AUDIT_USER_ACCT,                  "USER_ACCT"                     )
diff --git a/lib/netlink.c b/lib/netlink.c
index 66a3a3b7e83c..d177b865a79e 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -152,6 +152,9 @@ static int adjust_reply(struct audit_reply *rep, int len)
     defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
 	rep->features = NULL;
 #endif
+#ifdef AUDIT_FEATURE_BITMAP_CONTAINERID
+	rep->cont     = NULL;
+#endif
 	if (!NLMSG_OK(rep->nlh, (unsigned int)len)) {
 		if (len == sizeof(rep->msg)) {
 			audit_msg(LOG_ERR, 
@@ -198,6 +201,9 @@ static int adjust_reply(struct audit_reply *rep, int len)
 		case AUDIT_SIGNAL_INFO2:
 			rep->signal_info2 = NLMSG_DATA(rep->nlh);
 			break;
+		case AUDIT_GET_CONTID:
+			rep->cont = NLMSG_DATA(rep->nlh);
+			break;
 	}
 	return len;
 }
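Review bot: the new AUDIT_GET_CONTID case assigns `rep->cont = NLMSG_DATA(rep->nlh)` without checking that the payload is at least sizeof(struct audit_cont_status), and audit_get_containerid then dereferences `rep.cont->pid` and `rep.cont->id` directly; compare NLMSG_PAYLOAD(rep->nlh, 0) against the struct size before accepting the reply (the existing cases have the same shape, but this one is new and its consumer trusts the pointer).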
-- 
1.8.3.1




* [PATCH ghau51/ghau40 v7 11/12] loginuid/sessionid: switch from /proc to netlink
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

Add the ability to get and set the login uid and to get the session
id using an audit netlink message using message types AUDIT_GET_LOGINUID
1024, AUDIT_SET_LOGINUID 1025 and AUDIT_GET_SESSIONID 1026 in addition
to using the proc filesystem.

This switches over the audit_setloginuid(), audit_getloginuid() and
audit_get_session() functions to use the new audit netlink message
method if it exists rather than the /proc method.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 lib/libaudit.c    | 176 ++++++++++++++++++++++++++++++++++--------------------
 lib/libaudit.h    |  12 ++++
 lib/msg_typetab.h |   3 +
 3 files changed, 127 insertions(+), 64 deletions(-)

diff --git a/lib/libaudit.c b/lib/libaudit.c
index fdba6301e7f0..62e1a2a64ee5 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -890,27 +890,42 @@ int audit_make_equivalent(int fd, const char *mount_point,
  */
 uid_t audit_getloginuid(void)
 {
-	uid_t uid;
-	int len, in;
-	char buf[16];
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		uid_t uid;
+		int len, in;
+		char buf[16];
+
+		errno = 0;
+		in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
+		if (in < 0)
+			return -1;
+		do {
+			len = read(in, buf, sizeof(buf));
+		} while (len < 0 && errno == EINTR);
+		close(in);
+		if (len < 0 || len >= sizeof(buf))
+			return -1;
+		buf[len] = 0;
+		errno = 0;
+		uid = strtol(buf, 0, 10);
+		if (errno)
+			return -1;
+		else
+			return uid;
+	} else {
+		int rc;
+		int seq;
+                int fd = audit_open();
 
-	errno = 0;
-	in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
-	if (in < 0)
-		return -1;
-	do {
-		len = read(in, buf, sizeof(buf));
-	} while (len < 0 && errno == EINTR);
-	close(in);
-	if (len < 0 || len >= sizeof(buf))
-		return -1;
-	buf[len] = 0;
-	errno = 0;
-	uid = strtol(buf, 0, 10);
-	if (errno)
-		return -1;
-	else
-		return uid;
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning get loginuid req (%s)", strerror(-rc));
+			return -2;
+		}
+		rc = __audit_send(fd, AUDIT_GET_LOGINUID, NULL, 0, &seq);
+		if (rc < 0)
+			audit_msg(audit_priority(errno), "Error sending get loginuid request (%s)", strerror(-rc));
+		return rc;
+	}
 }
 
 /*
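Review bot: the netlink branch of audit_getloginuid never returns a login uid: it sends AUDIT_GET_LOGINUID with __audit_send and then returns `rc` (the send status) without ever calling audit_get_reply, and the fd from audit_open() is never closed. It needs the poll/audit_get_reply loop that audit_get_containerid uses in 10/12, an audit_close(fd) on every path, and `seq` used to match the reply rather than left unused. Two smaller points: `rc` is uninitialized when `strerror(-rc)` runs after a failed audit_open(), and the branch is selected by AUDIT_FEATURE_BITMAP_CONTAINERID rather than by a feature bit that says the loginuid messages themselves are supported.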
@@ -918,34 +933,52 @@ uid_t audit_getloginuid(void)
  */
 int audit_setloginuid(uid_t uid)
 {
-	char loginuid[16];
-	int o, count, rc = 0;
-
-	errno = 0;
-	count = snprintf(loginuid, sizeof(loginuid), "%u", uid);
-	o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
-	if (o >= 0) {
-		int block, offset = 0;
-
-		while (count > 0) {
-			block = write(o, &loginuid[offset], (unsigned)count);
-
-			if (block < 0) {
-				if (errno == EINTR)
-					continue;
-				audit_msg(LOG_ERR, "Error writing loginuid");
-				close(o);
-				return 1;
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		char loginuid[16];
+		int o, count, rc = 0;
+	
+		errno = 0;
+		count = snprintf(loginuid, sizeof(loginuid), "%u", uid);
+		o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
+		if (o >= 0) {
+			int block, offset = 0;
+	
+			while (count > 0) {
+				block = write(o, &loginuid[offset], (unsigned)count);
+	
+				if (block < 0) {
+					if (errno == EINTR)
+						continue;
+					audit_msg(LOG_ERR, "Error writing loginuid");
+					close(o);
+					return 1;
+				}
+				offset += block;
+				count -= block;
 			}
-			offset += block;
-			count -= block;
+			close(o);
+		} else {
+			audit_msg(LOG_ERR, "Error opening /proc/self/loginuid");
+			rc = 1;
 		}
-		close(o);
+		return rc;
 	} else {
-		audit_msg(LOG_ERR, "Error opening /proc/self/loginuid");
-		rc = 1;
+		int rc;
+		int seq;
+                int fd = audit_open();
+		struct audit_loginuid_status { uid_t uid; } ls = { uid };
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning set loginuid req (%s)", strerror(-rc));
+			return 1;
+		}
+		rc = audit_send(fd, AUDIT_SET_LOGINUID, &ls, sizeof(ls));
+		if (rc < 0) {
+			audit_msg(audit_priority(errno), "Error sending set loginuid request (%s)", strerror(-rc));
+			return 1;
+		}
+		return 0;
 	}
-	return rc;
 }
 
 /*
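Review bot: in the netlink branch of audit_setloginuid, `rc` is uninitialized when `strerror(-rc)` runs after a failed audit_open(), and `fd` is never passed to audit_close() on either the success or the failure path. struct audit_loginuid_status is defined inline inside the function; since its layout is the request body the kernel parses, it belongs in libaudit.h next to audit_cont_status so the definition is shared. The hunk would also be easier to review if the re-indentation of the /proc branch were split from the addition of the netlink branch.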
@@ -954,27 +987,42 @@ int audit_setloginuid(uid_t uid)
  */
 uint32_t audit_get_session(void)
 {
-	uint32_t ses;
-	int len, in;
-	char buf[16];
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		uint32_t ses;
+		int len, in;
+		char buf[16];
 
-	errno = 0;
-	in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY);
-	if (in < 0)
-		return -2;
-	do {
-		len = read(in, buf, sizeof(buf));
-	} while (len < 0 && errno == EINTR);
-	close(in);
-	if (len < 0 || len >= sizeof(buf))
-		return -2;
-	buf[len] = 0;
-	errno = 0;
-	ses = strtoul(buf, 0, 10);
-	if (errno)
-		return -2;
-	else
-		return ses;
+		errno = 0;
+		in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY);
+		if (in < 0)
+			return -2;
+		do {
+			len = read(in, buf, sizeof(buf));
+		} while (len < 0 && errno == EINTR);
+		close(in);
+		if (len < 0 || len >= sizeof(buf))
+			return -2;
+		buf[len] = 0;
+		errno = 0;
+		ses = strtoul(buf, 0, 10);
+		if (errno)
+			return -2;
+		else
+			return ses;
+	} else {
+		int rc;
+		int seq;
+                int fd = audit_open();
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning set contid req (%s)", strerror(-rc));
+			return -2;
+		}
+		rc = __audit_send(fd, AUDIT_GET_SESSIONID, NULL, 0, &seq);
+		if (rc < 0)
+			audit_msg(audit_priority(errno), "Error sending get session request (%s)", strerror(-rc));
+		return rc;
+	}
 }
 
 /*
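Review bot: same problem as audit_getloginuid in this series: the netlink branch of audit_get_session returns the result of __audit_send rather than a session id read back from a reply, and leaks `fd`. The open-failure message also says "Error openning set contid req" although this is the get-session path.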
diff --git a/lib/libaudit.h b/lib/libaudit.h
index af58ef563987..717724e8fbbb 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -263,6 +263,18 @@ extern "C" {
 #define AUDIT_SET_CONTID	1023    /* set contid of specified pid */
 #endif
 
+#ifndef AUDIT_GET_LOGINUID
+#define AUDIT_GET_LOGINUID	1024    /* get current process loginuid */
+#endif
+
+#ifndef AUDIT_SET_LOGINUID
+#define AUDIT_SET_LOGINUID	1025    /* get current process loginuid */
+#endif
+
+#ifndef AUDIT_GET_SESSIONID
+#define AUDIT_GET_SESSIONID	1026    /* get current process sessionid */
+#endif
+
 #ifndef AUDIT_MMAP
 #define AUDIT_MMAP		1323 /* Descriptor and flags in mmap */
 #endif
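Review bot: the comment on AUDIT_SET_LOGINUID reads "get current process loginuid"; it should say "set".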
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index e37070cd82e2..9f2b137dc7f8 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -47,6 +47,9 @@ _S(AUDIT_LOGIN,                      "LOGIN"                         )
 //_S(AUDIT_SIGNAL_INFO2,               "SIGNAL_INFO2"                  )
 //_S(AUDIT_GET_CONTID,                 "GET_CONTID"                    )
 //_S(AUDIT_SET_CONTID,                 "SET_CONTID"                    )
+//_S(AUDIT_GET_LOGINUID,               "GET_LOGINUID"                  )
+//_S(AUDIT_SET_LOGINUID,               "SET_LOGINUID"                  )
+//_S(AUDIT_GET_SESSIONID,              "GET_SESSIONID"                 )
 _S(AUDIT_CONTAINER_OP,               "CONTAINER_OP"                  )
 _S(AUDIT_USER_AUTH,                  "USER_AUTH"                     )
 _S(AUDIT_USER_ACCT,                  "USER_ACCT"                     )
-- 
1.8.3.1



* [PATCH ghau51/ghau40 v7 12/12] libaudit: add support to get and set capcontid on a task
From: Richard Guy Briggs @ 2019-09-19  1:27 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh,
	mpatel, Richard Guy Briggs

Add support to be able to set a capability to allow a task to set the
audit container identifier of descendants.

See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Add the audit_get_capcontid() and audit_set_capcontid() calls analogous
to CAP_AUDIT_CONTROL for descendant user namespaces.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 docs/Makefile.am  |  1 +
 lib/libaudit.c    | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/libaudit.h    | 14 +++++++++
 lib/msg_typetab.h |  2 ++
 lib/netlink.c     |  4 +++
 5 files changed, 106 insertions(+)

diff --git a/docs/Makefile.am b/docs/Makefile.am
index 821182315806..8b0e5c2c3730 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -29,6 +29,7 @@ auditd.conf.5 auditd-plugins.5 \
 audit_delete_rule_data.3 audit_detect_machine.3 \
 audit_encode_nv_string.3 audit_getloginuid.3 \
 audit_get_reply.3 audit_get_session.3 audit_get_containerid.3 audit_set_containerid.3 \
+audit_get_capcontid.3 audit_set_capcontid.3 \
 audit_log_acct_message.3 audit_log_user_avc_message.3 \
 audit_log_user_command.3 audit_log_user_comm_message.3 \
 audit_log_user_message.3 audit_log_semanage_message.3 \
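Review bot: audit_get_capcontid.3 and audit_set_capcontid.3 are added to the man page list, but this patch's diffstat creates no docs/audit_get_capcontid.3 or docs/audit_set_capcontid.3, so the install target will fail on the missing files. Add the two pages (the audit_get_containerid.3/audit_set_containerid.3 pages created earlier in the series are the obvious model) or hold the Makefile.am change until they exist.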
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 62e1a2a64ee5..08998610c66a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1026,6 +1026,91 @@ uint32_t audit_get_session(void)
 }
 
 /*
+ * This function will retrieve the capability container identifier or -2 if
+ * there is an error.
+ */
+uint32_t audit_get_capcontid(pid_t pid)
+{
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		return -2;
+	} else {
+                struct audit_reply rep;
+                int i;
+                int timeout = 40; /* tenths of seconds */
+                struct pollfd pfd[1];
+                int fd = audit_open();
+		struct audit_capcontid_status cs;
+                int rc;
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning get capcontid req (%s)", strerror(-rc));
+			return -2;
+		}
+		cs.pid = pid;
+                rc = audit_send(fd, AUDIT_GET_CONTID, &cs, sizeof(cs));
+                if (rc < 0 && rc != -EINVAL) {
+			audit_close(fd);
+                        audit_msg(audit_priority(errno), "Error sending set capcontid req (%s)", strerror(-rc));
+                        return -2;
+                }
+                pfd[0].fd = fd;
+                pfd[0].events = POLLIN;
+
+                for (i = 0; i < timeout; i++) {
+                        do {
+                                rc = poll(pfd, 1, 100);
+                        } while (rc < 0 && errno == EINTR);
+                        rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0); 
+                        if (rc > 0) {
+                                /* If we get done or error, break out */
+                                if (rep.type == NLMSG_DONE ||
+                                        rep.type == NLMSG_ERROR)
+                                        break;
+
+                                /* If its not get_contid, keep looping */
+                                if (rep.type != AUDIT_GET_CAPCONTID)
+                                        continue;
+
+                                /* Found it... */
+				audit_close(fd);
+				if (rep.capcontid->pid == pid)
+                                	return rep.capcontid->cap;
+				else
+					return -2;
+			}
+		}
+		audit_close(fd);
+		return -2;
+	}
+}
+
+/*
+ * This function returns 0 on success and 1 on failure
+ */
+int audit_set_capcontid(pid_t pid, uint32_t capcontid)
+{
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		return -2;
+	} else {
+		int rc;
+		int seq;
+                int fd = audit_open();
+		struct audit_capcontid_status cs = { pid, capcontid };
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning set capcontid req (%s)", strerror(-rc));
+			return 1;
+		}
+		rc = audit_send(fd, AUDIT_SET_CAPCONTID, &cs, sizeof(cs));
+		if (rc < 0) {
+			audit_msg(audit_priority(errno), "Error sending set capcontid request (%s)", strerror(-rc));
+			return 1;
+		}
+		return 0;
+	}
+}
+
+/*
  * This function will retrieve the audit container identifier or -2 if
  * there is an error.
  */
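Review bot: audit_get_capcontid sends the wrong request type: it calls `audit_send(fd, AUDIT_GET_CONTID, &cs, sizeof(cs))` but then waits for a reply of type AUDIT_GET_CAPCONTID, so against a kernel that implements both it asks for the container id and always times out to -2; the request should be AUDIT_GET_CAPCONTID and the error text should say "get capcontid". The same defects as in 10/12 are carried over: `rc` is used uninitialized in the open-failure message, `cs.cap` is sent uninitialized, audit_set_capcontid returns -2 where its comment promises 0/1, and the `uint32_t` return of audit_get_capcontid cannot distinguish the -2 error value from data. Since, per the commit message, this value lets a task set the audit container identifier of its descendants, the accompanying man page should state which privilege the kernel demands before it can be set.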
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 717724e8fbbb..8067ef30f427 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -275,6 +275,14 @@ extern "C" {
 #define AUDIT_GET_SESSIONID	1026    /* get current process sessionid */
 #endif
 
+#ifndef AUDIT_GET_CAPCONTID
+#define AUDIT_GET_CAPCONTID	1027    /* get contid of specified pid */
+#endif
+
+#ifndef AUDIT_SET_CAPCONTID
+#define AUDIT_SET_CAPCONTID	1028    /* set contid of specified pid */
+#endif
+
 #ifndef AUDIT_MMAP
 #define AUDIT_MMAP		1323 /* Descriptor and flags in mmap */
 #endif
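Review bot: the comments on AUDIT_GET_CAPCONTID and AUDIT_SET_CAPCONTID were copied from the contid defines and still say "get contid of specified pid" / "set contid of specified pid"; they should read "capcontid".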
@@ -532,6 +540,11 @@ struct audit_message {
 // internal - forward declaration
 struct daemon_conf;
 
+struct audit_capcontid_status {
+	pid_t		pid;
+	uint32_t	cap;
+};
+
 struct audit_cont_status {
 	pid_t		pid;
 	uint64_t	id;
@@ -559,6 +572,7 @@ struct audit_reply {
 #endif
 #ifdef AUDIT_FEATURE_BITMAP_CONTAINERID
 	struct audit_cont_status	*cont;
+	struct audit_capcontid_status	*capcontid;
 #endif
 	};
 };
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index 9f2b137dc7f8..f510e9790ea4 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -50,6 +50,8 @@ _S(AUDIT_LOGIN,                      "LOGIN"                         )
 //_S(AUDIT_GET_LOGINUID,               "GET_LOGINUID"                  )
 //_S(AUDIT_SET_LOGINUID,               "SET_LOGINUID"                  )
 //_S(AUDIT_GET_SESSIONID,              "GET_SESSIONID"                 )
+//_S(AUDIT_GET_CAPCONTID,              "GET_CAPCONTID"                 )
+_S(AUDIT_SET_CAPCONTID,              "SET_CAPCONTID"                 )
 _S(AUDIT_CONTAINER_OP,               "CONTAINER_OP"                  )
 _S(AUDIT_USER_AUTH,                  "USER_AUTH"                     )
 _S(AUDIT_USER_ACCT,                  "USER_ACCT"                     )
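Review bot: AUDIT_GET_CAPCONTID is added commented out like the other control-message entries above it, but AUDIT_SET_CAPCONTID is added live; unless SET_CAPCONTID is meant to be printed as a record type name, the two lines should be consistent with each other and with GET_CONTID/SET_CONTID.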
diff --git a/lib/netlink.c b/lib/netlink.c
index d177b865a79e..d378b32e0ff6 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -154,6 +154,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
 #endif
 #ifdef AUDIT_FEATURE_BITMAP_CONTAINERID
 	rep->cont     = NULL;
+	rep->capcontid = NULL;
 #endif
 	if (!NLMSG_OK(rep->nlh, (unsigned int)len)) {
 		if (len == sizeof(rep->msg)) {
@@ -201,6 +202,9 @@ static int adjust_reply(struct audit_reply *rep, int len)
 		case AUDIT_SIGNAL_INFO2:
 			rep->signal_info2 = NLMSG_DATA(rep->nlh);
 			break;
+		case AUDIT_GET_CAPCONTID:
+			rep->capcontid = NLMSG_DATA(rep->nlh);
+			break;
 		case AUDIT_GET_CONTID:
 			rep->cont = NLMSG_DATA(rep->nlh);
 			break;
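Review bot: as with AUDIT_GET_CONTID in 10/12, the new AUDIT_GET_CAPCONTID case assigns `rep->capcontid` from NLMSG_DATA without checking the payload length against sizeof(struct audit_capcontid_status), and audit_get_capcontid dereferences `rep.capcontid->pid` and `->cap` without any further check.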
-- 
1.8.3.1



* Re: [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier
From: Richard Guy Briggs @ 2019-09-19 18:09 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: nhorman, eparis, mpatel, dwalsh

On 2019-09-18 21:27, Richard Guy Briggs wrote:
> Add support for audit kernel container identifiers to userspace tools.
> 
> The first and second add new record types.  The third adds filter
> support.  The fourth and 5th start to add search support.
> 
> The 6th is to read the calling process' audit container identifier from
> the /proc filesystem matching the kernel /proc read patch.
> 
> The 7th is to fix signal support and the 8th is to learn the audit
> container identifier of the process that signals the audit daemon.
> 
> The 9th is a touch up to allow the contid field to be interpreted as a
> CSV list.
> 
> The 10th and 11th add audit netlink support for setting and getting
> contid, loginuid and sessionid preparing to deprecate the /proc
> interface.
> 
> The last adds audit library support to allow a process to give
> permission to a container orchestrator in a non-init user namespace via
> audit netlink messages.
> 
> See: https://github.com/linux-audit/audit-userspace/issues/51
> See: https://github.com/linux-audit/audit-userspace/issues/40
> See: https://github.com/linux-audit/audit-kernel/issues/90
> See: https://github.com/linux-audit/audit-kernel/issues/91
> See: https://github.com/linux-audit/audit-testsuite/issues/64
> See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Here's my working tree:
        https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghau40-containerid-filter.v7.0
And test rpms:
        http://people.redhat.com/~rbriggs/ghak90/git-247fe71

> Changelog:
> v7
> - rebase on ghau90 and touchup
> - rebase on ghak10 support (change AUDIT_CONTAINER_ID to 1334)
> - render type contid as a CSV
> - switch from /proc to audit netlink to set/get contid, auid/sessionid
> - add support for capcontid
> 
> v6
> - auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2
>   request and record
> - swap CONTAINER_OP contid/old-contid to ease parsing
> - add to auparse
> 
> v5
> - updated aux record from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
> - add AUDIT_CONTAINER_ID to normalization
> - rebase on AUDIT_ANOM_LINK and AUDIT_MAC_CALIPSO_ADD
> 
> v4
> - change from AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP
> - change from AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER to
>   AUDIT_FEATURE_BITMAP_CONTAINERID
> - change from event_container_id to event_contid internally
> - change from container_id to contid and event_container_id to
>   event_contid internally
> - change command line option from --container-id to --contid
> 
> v3
> - change from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
> - change from AUDIT_CONTAINER_INFO to AUDIT_CONTAINER
> - change from AUDIT_CONTAINERID to AUDIT_CONTID
> - update github issue refs
> - add audit_get_containerid
> - change event_container_id default value
> - add --containerid to ausearch options help text
> - update ausearch parser and error codes
> 
> v2
> - rebase on UINT_MAX patch
> - add patches for AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch,
>   normalization
> 
> Richard Guy Briggs (12):
>   AUDIT_CONTAINER_OP message type basic support
>   AUDIT_CONTAINER_ID message type basic support
>   auditctl: add support for AUDIT_CONTID filter
>   add ausearch containerid support
>   start normalization containerid support
>   libaudit: add support to get the task audit container identifier
>   signal_info: only print context if it is available.
>   add support for audit_signal_info2
>   contid: interpret correctly CONTAINER_ID contid field csv
>   contid: switch from /proc to netlink
>   loginuid/sessionid: switch from /proc to netlink
>   libaudit: add support to get and set capcontid on a task
> 
>  auparse/auditd-config.c          |   1 +
>  auparse/auparse-defs.h           |   3 +-
>  auparse/interpret.c              |  10 +
>  auparse/normalize_record_map.h   |   2 +
>  auparse/typetab.h                |   2 +
>  bindings/python/auparse_python.c |   1 +
>  docs/Makefile.am                 |   3 +-
>  docs/audit_get_containerid.3     |  25 +++
>  docs/audit_request_signal_info.3 |   1 +
>  docs/audit_set_containerid.3     |  24 +++
>  docs/auditctl.8                  |   3 +
>  lib/fieldtab.h                   |   1 +
>  lib/libaudit.c                   | 425 ++++++++++++++++++++++++++++++++-------
>  lib/libaudit.h                   |  73 +++++++
>  lib/msg_typetab.h                |  10 +
>  lib/netlink.c                    |  15 ++
>  src/auditctl-listing.c           |  21 ++
>  src/auditd-config.c              |   1 +
>  src/auditd-config.h              |   1 +
>  src/auditd-event.c               |  28 ++-
>  src/auditd-reconfig.c            |  25 ++-
>  src/auditd.c                     |   3 +-
>  src/aureport-options.c           |   1 +
>  src/ausearch-llist.c             |   2 +
>  src/ausearch-llist.h             |   1 +
>  src/ausearch-match.c             |   3 +
>  src/ausearch-options.c           |  47 ++++-
>  src/ausearch-options.h           |   1 +
>  src/ausearch-parse.c             | 197 ++++++++++++++++++
>  src/ausearch-report.c            |   6 +-
>  30 files changed, 848 insertions(+), 88 deletions(-)
>  create mode 100644 docs/audit_get_containerid.3
>  create mode 100644 docs/audit_set_containerid.3
> 
> -- 
> 1.8.3.1
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH ghau51/ghau40 v7 04/12] add ausearch containerid support
From: Richard Guy Briggs @ 2019-09-20 16:12 UTC (permalink / raw)
  To: containers, Linux-Audit Mailing List, LKML
  Cc: eparis, Steve Grubb, omosnace, Paul Moore, nhorman, dwalsh, mpatel

On 2019-09-18 21:27, Richard Guy Briggs wrote:
> Add support to ausearch for searching on the containerid field in
> records.

Steve, I'm expecting that you may be able to help here on ausearch.  The
problem is I've modelled this search code on expecting only one value to
be delivered in the contid= field in CONTAINER_OP and CONTAINER_ID
records.  In the case of the latter type of record, the value could
either be a CSV list or a nested list (separated by ^), so the value
stored in "s->contid" (or l->s.contid) would need to be more complex and
the check against it no longer a simple equality check but rather a
parse and check of each listed value for a match.

Do you have a way to do that already in other fields that I could use as
a current best practice, or shall I work on a method myself?

The CSV search will be necessary to support network namespace container
events and the nesting will be necessary only if the nesting feature and
reporting method are accepted.

> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  src/aureport-options.c |   1 +
>  src/ausearch-llist.c   |   2 +
>  src/ausearch-llist.h   |   1 +
>  src/ausearch-match.c   |   3 +
>  src/ausearch-options.c |  47 +++++++++++-
>  src/ausearch-options.h |   1 +
>  src/ausearch-parse.c   | 197 +++++++++++++++++++++++++++++++++++++++++++++++++
>  7 files changed, 251 insertions(+), 1 deletion(-)
> 
> diff --git a/src/aureport-options.c b/src/aureport-options.c
> index bd847d7d57f0..679c36c00985 100644
> --- a/src/aureport-options.c
> +++ b/src/aureport-options.c
> @@ -62,6 +62,7 @@ const char *event_vmname = NULL;
>  long long event_exit = 0;
>  int event_exit_is_set = 0;
>  int event_ppid = -1, event_session_id = -2;
> +unsigned long long int event_contid = -1;
>  int event_debug = 0, event_machine = -1;
>  
>  /* These are used by aureport */
> diff --git a/src/ausearch-llist.c b/src/ausearch-llist.c
> index ef5503c34fd9..ade727a9e102 100644
> --- a/src/ausearch-llist.c
> +++ b/src/ausearch-llist.c
> @@ -60,6 +60,7 @@ void list_create(llist *l)
>  	l->s.arch = 0;
>  	l->s.syscall = 0;
>  	l->s.session_id = -2;
> +	l->s.contid = -1;
>  	l->s.uuid = NULL;
>  	l->s.vmname = NULL;
>  	l->s.tuid = NULL;
> @@ -211,6 +212,7 @@ void list_clear(llist* l)
>  	l->s.arch = 0;
>  	l->s.syscall = 0;
>  	l->s.session_id = -2;
> +	l->s.contid = -1;
>  	free(l->s.uuid);
>  	l->s.uuid = NULL;
>  	free(l->s.vmname);
> diff --git a/src/ausearch-llist.h b/src/ausearch-llist.h
> index 64e4ee1f3694..2d1f52237ce6 100644
> --- a/src/ausearch-llist.h
> +++ b/src/ausearch-llist.h
> @@ -56,6 +56,7 @@ typedef struct
>    int arch;             // arch
>    int syscall;          // syscall
>    uint32_t session_id;  // Login session id
> +  __u64 contid;         // Container id
>    long long exit;       // Syscall exit code
>    int exit_is_set;      // Syscall exit code is valid
>    char *hostname;       // remote hostname
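Review bot: search_items gains a `__u64 contid` while the matching globals in ausearch-options.c and aureport-options.c are declared `unsigned long long int`; use `uint64_t` in all three places so the comparison in match() is between one type and the userspace header does not depend on the kernel's `__u64` typedef.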
> diff --git a/src/ausearch-match.c b/src/ausearch-match.c
> index 61a11d30a09b..47c12581a963 100644
> --- a/src/ausearch-match.c
> +++ b/src/ausearch-match.c
> @@ -113,6 +113,9 @@ int match(llist *l)
>  				if ((event_session_id != -2) &&
>  					(event_session_id != l->s.session_id))
>  					return 0;
> +				if ((event_contid != -1) &&
> +					(event_contid != l->s.contid))
> +					return 0;
>  				if (event_exit_is_set) {
>  					if (l->s.exit_is_set == 0)
>  						return 0;
> diff --git a/src/ausearch-options.c b/src/ausearch-options.c
> index eb483e670957..609718657775 100644
> --- a/src/ausearch-options.c
> +++ b/src/ausearch-options.c
> @@ -60,6 +60,7 @@ int event_syscall = -1, event_machine = -1;
>  int event_ua = 0, event_ga = 0, event_se = 0;
>  int just_one = 0;
>  uint32_t event_session_id = -2;
> +unsigned long long int event_contid = -1;
>  long long event_exit = 0;
>  int event_exit_is_set = 0;
>  int line_buffered = 0;
> @@ -88,7 +89,7 @@ struct nv_pair {
>  
>  enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
>  S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
> -S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
> +S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, S_CONTID,
>  S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
>  S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
>  S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH, S_FORMAT,
> @@ -100,6 +101,7 @@ static struct nv_pair optiontab[] = {
>  	{ S_EVENT, "--event" },
>  	{ S_COMM, "-c" },
>  	{ S_COMM, "--comm" },
> +	{ S_CONTID, "--contid" },
>  	{ S_CHECKPOINT, "--checkpoint" },
>  	{ S_DEBUG, "--debug" },
>  	{ S_EXIT, "-e" },
> @@ -197,6 +199,7 @@ static void usage(void)
>  	"\t-a,--event <Audit event id>\tsearch based on audit event id\n"
>  	"\t--arch <CPU>\t\t\tsearch based on the CPU architecture\n"
>  	"\t-c,--comm  <Comm name>\t\tsearch based on command line name\n"
> +	"\t--contid <audit container id>\tsearch based on the task's audit container id\n"
>  	"\t--checkpoint <checkpoint file>\tsearch from last complete event\n"
>  	"\t--debug\t\t\tWrite malformed events that are skipped to stderr\n"
>  	"\t-e,--exit  <Exit code or errno>\tsearch based on syscall exit code\n"
> @@ -1182,6 +1185,48 @@ int check_params(int count, char *vars[])
>  			}
>  			c++;
>  			break;
> +		case S_CONTID:
> +			if (!optarg) {
> +				if ((c+1 < count) && vars[c+1])
> +					optarg = vars[c+1];
> +				else {
> +					fprintf(stderr,
> +						"Argument is required for %s\n",
> +						vars[c]);
> +					retval = -1;
> +					break;
> +				}
> +			}
> +			{
> +			size_t len = strlen(optarg);
> +			if (isdigit(optarg[0])) {
> +				errno = 0;
> +				event_contid = strtoull(optarg,NULL,0);
> +				if (errno) {
> +					fprintf(stderr, 
> +			"Numeric container ID conversion error (%s) for %s\n",
> +						strerror(errno), optarg);
> +					retval = -1;
> +				}
> +			} else if (len >= 2 && *(optarg)=='-' &&
> +					(isdigit(optarg[1]))) {
> +				errno = 0;
> +				event_contid = strtoll(optarg, NULL, 0);
> +				if (errno) {
> +					retval = -1;
> +					fprintf(stderr, "Error converting %s\n",
> +						optarg);
> +				}
> +			} else {
> +				fprintf(stderr, 
> +			"Container ID is non-numeric and unknown (%s)\n",
> +						optarg);
> +				retval = -1;
> +				break;
> +			}
> +			}
> +			c++;
> +			break;
>  		case S_UUID:
>  			if (!optarg) {
>  				fprintf(stderr,
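
Review bot: the negative-number branch of the new `S_CONTID` case (`*(optarg)=='-'` followed by `strtoll`) stores a signed result into `event_contid`, which ausearch-options.h declares `unsigned long long int`, so `--contid -1` produces exactly the value parse_container_op treats as "no contid filter requested" (`event_contid != -1`) and the option is silently ignored instead of rejected. A container identifier is never negative here, so drop that branch and let a leading `-` fall into the "non-numeric and unknown" error. Both conversions also pass `NULL` as the end pointer, so `--contid 123x` is accepted as 123; pass an `endptr` and fail when `*endptr != '\0'`. Minor: `isdigit(optarg[0])` needs an `(unsigned char)` cast, and the two conversion failures print differently worded messages for the same condition.
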
> diff --git a/src/ausearch-options.h b/src/ausearch-options.h
> index 1372762b4b3e..c03256e36495 100644
> --- a/src/ausearch-options.h
> +++ b/src/ausearch-options.h
> @@ -40,6 +40,7 @@ extern int line_buffered;
>  extern int event_debug;
>  extern pid_t event_ppid;
>  extern uint32_t event_session_id;
> +extern unsigned long long int event_contid;
>  extern ilist *event_type;
>  
>  /* Data type to govern output format */
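
Review bot: `event_contid` is declared `unsigned long long int` here, yet parse_container_op compares it with `-1` and check_params can assign it a `strtoll` result, so the "unset" value only exists as an implicit conversion of -1 to ULLONG_MAX. Name the sentinel beside this declaration and use it at both sites so the signedness conversion is explicit and cannot be confused with a user-supplied value.
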
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 497306dde070..4d48d59caa0f 100644
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -52,6 +52,8 @@ static int parse_path(const lnode *n, search_items *s);
>  static int parse_user(const lnode *n, search_items *s, anode *avc);
>  static int parse_obj(const lnode *n, search_items *s);
>  static int parse_login(const lnode *n, search_items *s);
> +static int parse_container_op(const lnode *n, search_items *s);
> +static int parse_container_id(const lnode *n, search_items *s);
>  static int parse_daemon1(const lnode *n, search_items *s);
>  static int parse_daemon2(const lnode *n, search_items *s);
>  static int parse_sockaddr(const lnode *n, search_items *s);
> @@ -113,6 +115,9 @@ int extract_search_items(llist *l)
>  			case AUDIT_LOGIN:
>  				ret = parse_login(n, s);
>  				break;
> +			case AUDIT_CONTAINER_OP:
> +				ret = parse_container_op(n, s);
> +				break;
>  			case AUDIT_IPC:
>  			case AUDIT_OBJ_PID:
>  				ret = parse_obj(n, s);
> @@ -179,6 +184,9 @@ int extract_search_items(llist *l)
>  			case AUDIT_TTY:
>  				ret = parse_tty(n, s);
>  				break;
> +			case AUDIT_CONTAINER_ID:
> +				ret = parse_container_id(n, s);
> +				break;
>  			default:
>  				if (event_debug)
>  					fprintf(stderr,
> @@ -1444,6 +1452,195 @@ static int parse_login(const lnode *n, search_items *s)
>  	return 0;
>  }
>  
> +static int parse_container_op(const lnode *n, search_items *s)
> +{
> +	char *ptr, *str, *term = n->message;
> +
> +	// skip op
> +	// skip opid
> +	// get contid
> +	if (event_contid != -1) {
> +		str = strstr(term, "contid=");
> +		if (str == NULL)
> +			return 45;
> +		ptr = str + 7;
> +		term = strchr(ptr, ' ');
> +		if (term == NULL)
> +			return 46;
> +		*term = 0;
> +		errno = 0;
> +		s->contid = strtoull(ptr, NULL, 10);
> +		if (errno)
> +			return 47;
> +		*term = ' ';
> +	}
> +	// skip old-contid
> +	// get pid
> +	if (event_pid != -1) {
> +		str = strstr(term, "pid=");
> +		if (str == NULL)
> +			return 48;
> +		ptr = str + 4;
> +		term = strchr(ptr, ' ');
> +		if (term == NULL)
> +			return 49;
> +		*term = 0;
> +		errno = 0;
> +		s->pid = strtoul(ptr, NULL, 10);
> +		if (errno)
> +			return 50;
> +		*term = ' ';
> +	}
> +	// get loginuid
> +	if (event_loginuid != -2 || event_tauid) {
> +		str = strstr(term, "auid=");
> +		if (str == NULL) {
> +			return 51;
> +		} else
> +			ptr = str + 5;
> +		term = strchr(ptr, ' ');
> +		if (term == NULL)
> +			return 52;
> +		*term = 0;
> +		errno = 0;
> +		s->loginuid = strtoul(ptr, NULL, 10);
> +		if (errno)
> +			return 53;
> +		*term = ' ';
> +		s->tauid = lookup_uid("auid", s->loginuid);
> +	}
> +	// get uid
> +	if (event_uid != -1 || event_tuid) {
> +		str = strstr(term, "uid=");
> +		if (str == NULL)
> +			return 54;
> +		ptr = str + 4;
> +		term = strchr(ptr, ' ');
> +		if (term == NULL)
> +			return 55;
> +		*term = 0;
> +		errno = 0;
> +		s->uid = strtoul(ptr, NULL, 10);
> +		if (errno)
> +			return 56;
> +		*term = ' ';
> +		s->tuid = lookup_uid("uid", s->uid);
> +	}
> +	// skip tty
> +	// ses
> +	if (event_session_id != -2 ) {
> +		str = strstr(term, "ses=");
> +		if (str == NULL)
> +			return 57;
> +		else
> +			ptr = str + 4;
> +		term = strchr(ptr, ' ');
> +		if (term == NULL)
> +			return 58;
> +		*term = 0;
> +		errno = 0;
> +		s->session_id = strtoul(ptr, NULL, 10);
> +		if (errno)
> +			return 59;
> +		*term = ' ';
> +	}
> +	// get subj
> +	if (event_subject) {
> +		str = strstr(term, "subj=");
> +		if (str == NULL)
> +			return 60;
> +		ptr = str + 5;
> +		term = strchr(ptr, ' ');
> +		if (term == NULL)
> +			return 61;
> +		*term = 0;
> +		if (audit_avc_init(s) == 0) {
> +			anode an;
> +
> +			anode_init(&an);
> +			an.scontext = strdup(str);
> +			alist_append(s->avc, &an);
> +			*term = ' ';
> +		} else
> +			return 62;
> +		*term = ' ';
> +	}
> +	// get comm
> +	if (event_comm) {
> +		str = strstr(ptr, "comm=");
> +		if (str == NULL)
> +			return 63;
> +		str += 5;
> +		if (*str == '"') {
> +			str++;
> +			term = strchr(str, '"');
> +			if (term == NULL)
> +				return 64;
> +			*term = 0;
> +			s->comm = strdup(str);
> +			*term = '"';
> +		} else 
> +			s->comm = unescape(str);
> +	}
> +	// get exe
> +	if (event_exe) {
> +		str = strstr(term, "exe=");
> +		if (str == NULL)
> +			return 65;
> +		str += 4;
> +		if (*str == '"') {
> +			str++;
> +			term = strchr(str, '"');
> +			if (term == NULL)
> +				return 66;
> +			*term = 0;
> +			s->exe = strdup(str);
> +			*term = '"';
> +		} else 
> +			s->exe = unescape(str);
> +	}
> +	// success
> +	if (event_success != S_UNSET) {
> +		str = strstr(term, "res=");
> +		if (str == NULL)
> +			return 67;
> +		ptr = str + 4;
> +		term = strchr(ptr, ' ');
> +		if (term)
> +			return 68;
> +		*term = 0;
> +		errno = 0;
> +		s->success = strtoul(ptr, NULL, 10);
> +		if (errno)
> +			return 69;
> +		*term = ' ';
> +	}
> +	return 0;
> +}
> +
> +static int parse_container_id(const lnode *n, search_items *s)
> +{
> +	char *ptr, *str, *term = n->message;
> +
> +	// get contid
> +	if (event_contid != -1) {
> +		str = strstr(term, "contid=");
> +		if (str == NULL)
> +			return 70;
> +		ptr = str + 7;
> +		term = strchr(ptr, ' ');
> +		if (term == NULL)
> +			return 71;
> +		*term = 0;
> +		errno = 0;
> +		s->contid = strtoull(ptr, NULL, 10);
> +		if (errno)
> +			return 72;
> +		*term = ' ';
> +	}
> +	return 0;
> +}
> +
>  static int parse_daemon1(const lnode *n, search_items *s)
>  {
>  	char *ptr, *str, *term, saved, *mptr;
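
Review bot: the `res=` block at the end of parse_container_op has its check inverted: `if (term) return 68;` rejects every record where `res=` is followed by another field, and when `res=` is the last field `term` is NULL and the next line, `*term = 0;`, dereferences it. Terminate only when `term` is non-NULL and restore the space under the same condition. Three more problems in the same function: the subj block sets `ptr = str + 5` but then stores `an.scontext = strdup(str)`, so the saved context keeps the `subj=` prefix and can never match; the comm block calls `strstr(ptr, "comm=")` while every other block searches from `term`, and `ptr` is uninitialized when none of the earlier blocks ran; and the bare-key searches hit the wrong field when the preceding blocks were skipped and `term` still points at the start of the message, since `"pid="` matches inside `opid=` (which the comments place before `pid`) and `"uid="` matches inside `auid=`. Searching for the key with its leading space avoids both. In parse_container_id, a `contid=` value at the end of the record has no trailing space, so `strchr(ptr, ' ')` returns NULL and the function fails with 71 instead of parsing it, and `strtoull` reads only the first element of the CSV list the cover letter says this field carries. The trailing `*term = ' ';` after the subj `if/else` is redundant, since the `if` arm already restored it.
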
> -- 
> 1.8.3.1
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Thread overview: 15+ messages
2019-09-19  1:27 [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 01/12] AUDIT_CONTAINER_OP message type basic support Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 02/12] AUDIT_CONTAINER_ID " Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 03/12] auditctl: add support for AUDIT_CONTID filter Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 04/12] add ausearch containerid support Richard Guy Briggs
2019-09-20 16:12   ` Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 05/12] start normalization " Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 06/12] libaudit: add support to get the task audit container identifier Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 07/12] signal_info: only print context if it is available Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 08/12] add support for audit_signal_info2 Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 09/12] contid: interpret correctly CONTAINER_ID contid field csv Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 10/12] contid: switch from /proc to netlink Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 11/12] loginuid/sessionid: " Richard Guy Briggs
2019-09-19  1:27 ` [PATCH ghau51/ghau40 v7 12/12] libaudit: add support to get and set capcontid on a task Richard Guy Briggs
2019-09-19 18:09 ` [PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier Richard Guy Briggs