From: Paul Moore <paul@paul-moore.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: cgroups@vger.kernel.org, containers@lists.linux-foundation.org,
linux-api@vger.kernel.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
linux-fsdevel@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, ebiederm@xmission.com, luto@kernel.org,
jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com,
viro@zeniv.linux.org.uk, simo@redhat.com,
Eric Paris <eparis@parisplace.org>,
serge@hallyn.com
Subject: Re: [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records
Date: Wed, 18 Apr 2018 21:27:34 -0400 [thread overview]
Message-ID: <CAHC9VhQ-i5oA48sXXnN2fP06t5=9-NMoY0bKcGXorQw2k=CK0Q@mail.gmail.com> (raw)
In-Reply-To: <c34a7a95eb045a62e2443457979db9d7afbd9aee.1521179281.git.rgb@redhat.com>
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> Add container ID auxiliary records to configuration change, feature set change
> and user generated standalone records.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> kernel/audit.c | 50 ++++++++++++++++++++++++++++++++++++++++----------
> kernel/auditfilter.c | 5 ++++-
> 2 files changed, 44 insertions(+), 11 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b238be5..08662b4 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -400,8 +400,9 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old,
> {
> struct audit_buffer *ab;
> int rc = 0;
> + struct audit_context *context = audit_alloc_local();
We should be able to use current->audit_context here right? If we
can't for every caller, perhaps we pass an audit_context as an
argument and only allocate a local context when the passed
audit_context is NULL.
Also, if you're not comfortable always using current, just pass the
audit_context as you do with audit_log_common_recv_msg().
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (unlikely(!ab))
> return rc;
> audit_log_format(ab, "%s=%u old=%u", function_name, new, old);
> @@ -411,6 +412,8 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old,
> allow_changes = 0; /* Something weird, deny request */
> audit_log_format(ab, " res=%d", allow_changes);
> audit_log_end(ab);
> + audit_log_container_info(context, "config", audit_get_containerid(current));
> + audit_free_context(context);
> return rc;
> }
>
> @@ -1058,7 +1061,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> return err;
> }
>
> -static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
> +static void audit_log_common_recv_msg(struct audit_context *context,
> + struct audit_buffer **ab, u16 msg_type)
> {
> uid_t uid = from_kuid(&init_user_ns, current_uid());
> pid_t pid = task_tgid_nr(current);
> @@ -1068,7 +1072,7 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
> return;
> }
>
> - *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
> + *ab = audit_log_start(context, GFP_KERNEL, msg_type);
> if (unlikely(!*ab))
> return;
> audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
> @@ -1097,11 +1101,12 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
> u32 old_lock, u32 new_lock, int res)
> {
> struct audit_buffer *ab;
> + struct audit_context *context = audit_alloc_local();
So I know based on the other patch we are currently discussing that we
can use current here ...
> if (audit_enabled == AUDIT_OFF)
> return;
>
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
> if (!ab)
> return;
> audit_log_task_info(ab, current);
> @@ -1109,6 +1114,8 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
> audit_feature_names[which], !!old_feature, !!new_feature,
> !!old_lock, !!new_lock, res);
> audit_log_end(ab);
> + audit_log_container_info(context, "feature", audit_get_containerid(current));
> + audit_free_context(context);
> }
>
> static int audit_set_feature(struct sk_buff *skb)
> @@ -1337,13 +1344,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>
> err = audit_filter(msg_type, AUDIT_FILTER_USER);
> if (err == 1) { /* match or error */
> + struct audit_context *context = audit_alloc_local();
I'm pretty sure we can use current here.
> err = 0;
> if (msg_type == AUDIT_USER_TTY) {
> err = tty_audit_push();
> if (err)
> break;
> }
> - audit_log_common_recv_msg(&ab, msg_type);
> + audit_log_common_recv_msg(context, &ab, msg_type);
> if (msg_type != AUDIT_USER_TTY)
> audit_log_format(ab, " msg='%.*s'",
> AUDIT_MESSAGE_TEXT_MAX,
> @@ -1359,6 +1368,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> audit_log_n_untrustedstring(ab, data, size);
> }
> audit_log_end(ab);
> + audit_log_container_info(context, "user",
> + audit_get_containerid(current));
> + audit_free_context(context);
> }
> break;
> case AUDIT_ADD_RULE:
> @@ -1366,9 +1378,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
> return -EINVAL;
> if (audit_enabled == AUDIT_LOCKED) {
> - audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
> + struct audit_context *context = audit_alloc_local();
Pretty sure current can be used here too. In fact I think everywhere
where we are processing commands from netlink we can use current as I
believe the entire netlink stack is processed in the context of the
caller.
> + audit_log_common_recv_msg(context, &ab, AUDIT_CONFIG_CHANGE);
> audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled);
> audit_log_end(ab);
> + audit_log_container_info(context, "config",
> + audit_get_containerid(current));
> + audit_free_context(context);
> return -EPERM;
> }
> err = audit_rule_change(msg_type, seq, data, nlmsg_len(nlh));
> @@ -1376,17 +1393,23 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> case AUDIT_LIST_RULES:
> err = audit_list_rules_send(skb, seq);
> break;
> - case AUDIT_TRIM:
> + case AUDIT_TRIM: {
> + struct audit_context *context = audit_alloc_local();
Same.
> audit_trim_trees();
> - audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
> + audit_log_common_recv_msg(context, &ab, AUDIT_CONFIG_CHANGE);
> audit_log_format(ab, " op=trim res=1");
> audit_log_end(ab);
> + audit_log_container_info(context, "config",
> + audit_get_containerid(current));
> + audit_free_context(context);
> break;
> + }
> case AUDIT_MAKE_EQUIV: {
> void *bufp = data;
> u32 sizes[2];
> size_t msglen = nlmsg_len(nlh);
> char *old, *new;
> + struct audit_context *context = audit_alloc_local();
Same.
> err = -EINVAL;
> if (msglen < 2 * sizeof(u32))
> @@ -1408,7 +1431,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> /* OK, here comes... */
> err = audit_tag_tree(old, new);
>
> - audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
> + audit_log_common_recv_msg(context, &ab, AUDIT_CONFIG_CHANGE);
>
> audit_log_format(ab, " op=make_equiv old=");
> audit_log_untrustedstring(ab, old);
> @@ -1418,6 +1441,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> audit_log_end(ab);
> kfree(old);
> kfree(new);
> + audit_log_container_info(context, "config",
> + audit_get_containerid(current));
> + audit_free_context(context);
> break;
> }
> case AUDIT_SIGNAL_INFO:
> @@ -1459,6 +1485,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> struct audit_tty_status s, old;
> struct audit_buffer *ab;
> unsigned int t;
> + struct audit_context *context = audit_alloc_local();
Same.
> memset(&s, 0, sizeof(s));
> /* guard against past and future API changes */
> @@ -1477,12 +1504,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> old.enabled = t & AUDIT_TTY_ENABLE;
> old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
>
> - audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
> + audit_log_common_recv_msg(context, &ab, AUDIT_CONFIG_CHANGE);
> audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d"
> " old-log_passwd=%d new-log_passwd=%d res=%d",
> old.enabled, s.enabled, old.log_passwd,
> s.log_passwd, !err);
> audit_log_end(ab);
> + audit_log_container_info(context, "config",
> + audit_get_containerid(current));
> + audit_free_context(context);
> break;
> }
> default:
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index c4c8746..5f7f4d6 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -1109,11 +1109,12 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
> struct audit_buffer *ab;
> uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
> unsigned int sessionid = audit_get_sessionid(current);
> + struct audit_context *context = audit_alloc_local();
>
> if (!audit_enabled)
> return;
Well, first I think we should be able to get rid of the local context,
but if for some reason we can't use current->audit_context then do the
allocation after the audit_enabled check.
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (!ab)
> return;
> audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
> @@ -1122,6 +1123,8 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
> audit_log_key(ab, rule->filterkey);
> audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
> audit_log_end(ab);
> + audit_log_container_info(context, "config", audit_get_containerid(current));
> + audit_free_context(context);
> }
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2018-04-19 1:27 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-16 9:00 [RFC PATCH ghak32 V2 00/13] audit: implement container id Richard Guy Briggs
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 01/13] audit: add " Richard Guy Briggs
2018-03-28 18:39 ` Jonathan Corbet
[not found] ` <20180328123912.49b11c98-T1hC0tSOHrs@public.gmane.org>
2018-03-29 9:01 ` Richard Guy Briggs
2018-03-29 13:03 ` Jonathan Corbet
2018-03-30 5:06 ` Richard Guy Briggs
2018-04-18 23:47 ` Paul Moore
2018-04-19 0:41 ` Casey Schaufler
[not found] ` <32d3e7a6-36f0-571a-bb91-67f746c7eafa-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2018-04-19 0:46 ` Paul Moore
2018-04-19 1:15 ` Casey Schaufler
2018-04-21 14:34 ` Richard Guy Briggs
2018-04-23 23:15 ` Paul Moore
2018-04-24 2:02 ` Richard Guy Briggs
2018-04-24 19:01 ` Paul Moore
2018-04-25 0:40 ` Richard Guy Briggs
2018-04-26 22:47 ` Paul Moore
2018-05-06 16:51 ` Richard Guy Briggs
[not found] ` <e284617ad667ad8f17958dd8babb87fe1b4d7205.1521179281.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-05-17 21:00 ` Steve Grubb
2018-05-17 21:56 ` Richard Guy Briggs
[not found] ` <20180517215600.dyswlkvqdtgjwr5y-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-05-18 13:56 ` Steve Grubb
2018-05-18 15:21 ` Richard Guy Briggs
2018-05-18 15:38 ` Steve Grubb
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls Richard Guy Briggs
2018-05-17 21:09 ` Steve Grubb
2018-05-17 21:41 ` Richard Guy Briggs
2018-05-21 19:19 ` Steve Grubb
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 04/13] audit: add containerid filtering Richard Guy Briggs
2018-04-19 0:24 ` Paul Moore
2018-04-19 12:17 ` Richard Guy Briggs
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records Richard Guy Briggs
2018-04-19 0:39 ` Paul Moore
[not found] ` <CAHC9VhQbPbnrbxCD1fyTSxWgrXXXYnZw_=nbOhfMCO5Q5eSsWQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-04-20 1:23 ` Richard Guy Briggs
2018-04-20 16:21 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 08/13] audit: add containerid support for tty_audit Richard Guy Briggs
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records Richard Guy Briggs
2018-04-19 1:27 ` Paul Moore [this message]
2018-04-19 12:31 ` Richard Guy Briggs
2018-04-19 12:59 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces Richard Guy Briggs
2018-04-19 1:46 ` Paul Moore
2018-04-20 20:02 ` Richard Guy Briggs
2018-04-20 20:22 ` Paul Moore
2018-04-20 20:42 ` Richard Guy Briggs
[not found] ` <20180420204225.iik2lgtj6gx2ep4w-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-04-21 12:10 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS Richard Guy Briggs
2018-04-19 2:10 ` Paul Moore
2018-04-19 12:45 ` Richard Guy Briggs
[not found] ` <20180419124550.7uknp4oebvwoo67s-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-04-19 13:13 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process Richard Guy Briggs
2018-05-21 19:16 ` Steve Grubb
2018-05-21 19:19 ` Eric W. Biederman
2018-05-21 20:06 ` Paul Moore
[not found] ` <CAHC9VhQruN88t-R9Qo3e4hwCZ58RAyrmEmH1nY4RR6NZaiBzGQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-05-22 17:35 ` Richard Guy Briggs
[not found] ` <20180522173541.slcdszumi7q6c4id-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-05-22 18:59 ` Paul Moore
[not found] ` <cover.1521179281.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 02/13] audit: check children and threading before allowing containerid Richard Guy Briggs
[not found] ` <995b77557010b2f9aed0e10435f7b8536df7a5db.1521179281.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-04-19 0:11 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals Richard Guy Briggs
2018-04-19 0:32 ` Paul Moore
2018-04-20 1:03 ` Richard Guy Briggs
2018-04-20 16:13 ` Paul Moore
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark Richard Guy Briggs
2018-04-19 0:42 ` Paul Moore
2018-04-19 12:24 ` Richard Guy Briggs
2018-03-16 9:00 ` [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records Richard Guy Briggs
2018-04-19 1:31 ` Paul Moore
2018-04-20 0:42 ` Richard Guy Briggs
2018-04-20 16:11 ` Paul Moore
2018-05-30 13:20 ` [RFC PATCH ghak32 V2 00/13] audit: implement container id Steve Grubb
2018-05-30 17:33 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhQ-i5oA48sXXnN2fP06t5=9-NMoY0bKcGXorQw2k=CK0Q@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=carlos@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jlayton@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=serge@hallyn.com \
--cc=simo@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).