From: Richard Guy Briggs
To: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org
Cc: mszeredi@redhat.com, luto@kernel.org, jlayton@redhat.com, carlos@redhat.com, viro@zeniv.linux.org.uk, dhowells@redhat.com, simo@redhat.com, trondmy@primarydata.com, eparis@parisplace.org, serge@hallyn.com, ebiederm@xmission.com, madzcar@gmail.com, Richard Guy Briggs
Subject: [RFC PATCH V1 00/12] audit: implement container id
Date: Thu, 1 Mar 2018 14:41:03 -0500
List-ID: linux-kernel@vger.kernel.org

Implement audit kernel container ID.

This patchset is a preliminary RFC based on the proposal document (V3) posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html

The first patch implements the proc fs write to set the audit container ID of a process, emitting an AUDIT_CONTAINER record.

The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO if a container ID is present on a task.

The third adds filtering to the exit, exclude and user lists.

The 4th implements reading the container ID from the proc filesystem for debugging. This isn't planned for upstream inclusion.

The 5th adds signal and ptrace support.

The 6th attempts to create a local audit context to be able to bind a standalone record with the container ID record.

The 7th, 8th, 9th and 10th patches add container ID records to standalone records. Some of these may end up being syscall auxiliary records and won't need this specific support since they'll be supported via syscalls.

The 11th is a temporary workaround due to the AUDIT_CONTAINER records not showing up as AUDIT_LOGIN records do. I suspect this is due to its range (1000 vs 1300), but the intent is to solve it.

The 12th adds debug information not intended for upstream for those brave souls wanting to tinker with it in this early state.

Feedback please!

Here's a quick and dirty test script:

echo 123455 > /proc/$$/containerid; echo $?
sleep 4& child=$!; sleep 1
echo 18446744073709551615 > /proc/$child/containerid; echo $?
echo 123456 > /proc/$child/containerid; echo $?
echo 123457 > /proc/$child/containerid; echo $?
sleep 1
ausearch -ts recent |grep " contid=18446744073709551615"; echo $?
ausearch -ts recent |grep " contid=123456"; echo $?
ausearch -ts recent |grep " contid=123457"; echo $?
echo self:$$ contid:$( cat /proc/$$/containerid)
echo child:$child contid:$( cat /proc/$child/containerid)

containerid=123458
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
bash -c "sleep 1; echo test > /tmp/$key"&
child=$!
echo $containerid > /proc/$child/containerid
sleep 2
rm -f /tmp/$key
ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record
auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to delete containerid filter rule

See:
https://github.com/linux-audit/audit-kernel/issues/32
https://github.com/linux-audit/audit-userspace/issues/40
https://github.com/linux-audit/audit-testsuite/issues/64

Richard Guy Briggs (12):
  audit: add container id
  audit: log container info of syscalls
  audit: add containerid filtering
  audit: read container ID of a process
  audit: add containerid support for ptrace and signals
  audit: add support for non-syscall auxiliary records
  audit: add container aux record to watch/tree/mark
  audit: add containerid support for tty_audit
  audit: add containerid support for config/feature/user records
  audit: add containerid support for seccomp and anom_abend records
  debug audit: add container id debug!
  audit: add container id

 drivers/tty/tty_audit.c    |   5 +-
 fs/proc/base.c             |  63 +++++++++++++++++++
 include/linux/audit.h      |  36 +++++++++++
 include/linux/init_task.h  |   4 +-
 include/linux/sched.h      |   1 +
 include/uapi/linux/audit.h |   9 ++-
 kernel/audit.c             |  74 +++++++++++++++++++---
 kernel/audit.h             |   3 +
 kernel/audit_fsnotify.c    |   5 +-
 kernel/audit_tree.c        |   5 +-
 kernel/audit_watch.c       |  33 +++++-----
 kernel/auditfilter.c       |  52 ++++++++++++++-
 kernel/auditsc.c           | 154 +++++++++++++++++++++++++++++++++++++++++++--
 13 files changed, 408 insertions(+), 36 deletions(-)

-- 
1.8.3.1
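As an added example (not part of the patchset or the cover letter), a Python sketch of the log-consumer side that the test script's `ausearch | grep " contid="` checks rely on: records are grouped by audit event serial, and the CONTAINER_INFO auxiliary record's contid is used to attribute each SYSCALL event to a container, with unattributed syscalls kept visible rather than dropped. The sample log lines are constructed; only the contid= field name comes from the cover letter, and the other record bodies are assumed.

```python
import re
from collections import defaultdict

# Constructed sample (not captured output) of an ausearch-style dump once the
# RFC's AUDIT_CONTAINER_INFO auxiliary record is attached to syscall events.
# Only the "contid=" field name comes from the cover letter; the rest is assumed.
SAMPLE_LOG = """\
type=CONTAINER msg=audit(1519933600.100:201): op=set pid=4242 contid=123456
type=SYSCALL msg=audit(1519933601.200:202): syscall=257 success=yes pid=4242 comm="bash" key="tmpcontainerid"
type=PATH msg=audit(1519933601.200:202): item=0 name="/tmp/tmpcontainerid"
type=CONTAINER_INFO msg=audit(1519933601.200:202): contid=123456
type=SYSCALL msg=audit(1519933601.300:203): syscall=257 success=yes pid=5151 comm="vi" key="tmpcontainerid"
type=PATH msg=audit(1519933601.300:203): item=0 name="/tmp/other"
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\([\d.]+:(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial: every record of one syscall (SYSCALL,
    PATH, CONTAINER_INFO, ...) shares the serial, which is how they are joined."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue                      # not an audit record line
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[serial].append((rtype, fields))
    return dict(events)

def contid_of(event):
    """Container ID from the event's CONTAINER_INFO/CONTAINER record, else None."""
    for rtype, fields in event:
        if rtype in ('CONTAINER_INFO', 'CONTAINER') and 'contid' in fields:
            return int(fields['contid'])
    return None

def syscalls_by_container(text):
    """Map contid -> [(serial, comm, key)] for SYSCALL events. Events with no
    container record land under None rather than being silently dropped."""
    out = defaultdict(list)
    for serial, event in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        syscall = next((f for t, f in event if t == 'SYSCALL'), None)
        if syscall is None:
            continue                      # e.g. the standalone CONTAINER record
        out[contid_of(event)].append((serial, syscall.get('comm'), syscall.get('key')))
    return dict(out)
```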