Received: by 10.192.165.156 with SMTP id m28csp116238imm; Wed, 18 Apr 2018 18:29:02 -0700 (PDT) X-Google-Smtp-Source: AIpwx48k1B040kL3R0lFOHLJRi5W86M7IPhQsYPrR5Blqnrt1EC8TEfzvr57ozgfB52vMxXyfdz9 X-Received: by 2002:a17:902:4303:: with SMTP id i3-v6mr4293774pld.394.1524101342425; Wed, 18 Apr 2018 18:29:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524101342; cv=none; d=google.com; s=arc-20160816; b=0zEow2u5iNrld7Tu4xkvsx1poYuXaDV3kKAf10Ub/0Q6WjM+9rVK8uEVJbN3RfPGaI RBxti0UpHhHUIUMl/0WlENTwPmMlHr07gAORx8PPbPqi1b5wSSh/1UViYFCWWjadeIZD 9orKOzb8VKA+HYudLTz8HaUWnU63q0xZS0nkCReuA45fVuPPZU+Tqh9YOcIKD80ZZzlD J8xSqQ4BITVdOUH+mpov/k7fwsa8V++Dp0bW0aZZvxpwRtdvZD0xvylqZBN8o/+gEQGv H+OAAtWxLa2bX3wkLf79QugeeeBxJmtDO1B4ExETZcSCHiV+qBxda+TV2kk9O1CpnTPg 1Aow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=jtsTVKxEtiumDExCcQZ4Hv+FmQSIdBGVJIGaKZnYxtw=; b=SRg5WMhP9hiPFo9nrmXgMX+FahLjvFl5W9yYJRzneahokYQ/Ii/Dr/aHevolSLRIAc SNe3kUFTAYwPu0qXxdk0Ww2XAo5LVQWUa8XEnEatSUAjNpkRiENnLZjISlNp+mzppQrw //coqtOh5wzxIsljUp+JXdlo/4LugY/GLKdgsHBMkoS1UWmIae4pTrwhtWtxyytXoNru EcXbCuP3kxn2wQp2rGQmcY7UIdkr5nn2ClomeZVW3+pctV7JbtltROlMm4rbLjZy+7I+ 7V5qqDsha8LMqf5RLDrox7YPrZ1QWEyIkSPI16rjR+u/hnDpnwgOOdM6fOOxPOqoD9iw 8HUA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BOKgBd1z; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j184si1640353pfg.15.2018.04.18.18.28.47; Wed, 18 Apr 2018 18:29:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BOKgBd1z; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752744AbeDSB1k (ORCPT + 99 others); Wed, 18 Apr 2018 21:27:40 -0400 Received: from mail-lf0-f68.google.com ([209.85.215.68]:44082 "EHLO mail-lf0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752407AbeDSB1h (ORCPT ); Wed, 18 Apr 2018 21:27:37 -0400 Received: by mail-lf0-f68.google.com with SMTP id g203-v6so5333718lfg.11 for ; Wed, 18 Apr 2018 18:27:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jtsTVKxEtiumDExCcQZ4Hv+FmQSIdBGVJIGaKZnYxtw=; b=BOKgBd1zsxRRdzHbv4o2bvylJsOUeIpXNKxv913EcfBHwdzm30C/a4juqJXHllMhTZ KeOVwgflZ4ELZ50fRc48liYl9AL2NC0qTsiiY0uxAqDiGtDTJrYqPNRzWm2rJXGwYf53 halHFRQKA1fypc/SMEJL/WbvUc0Q8jisqjyAJfGVEnJ1F3PotIUV15U/n6f2C1k6gaPi T2ih3pqQHE4e3OeFIgJ53rSxtY08vZ91g8dODUxYw5V3LUUC+yLGks5zrFhwT1ckLYQ1 UNdnEaPV4EW+oMAMNULsTATNHQBu9w2cSYHYMVg6zFF2Ohl9XruZiBlZBzHv3k+Bw9d9 jaog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jtsTVKxEtiumDExCcQZ4Hv+FmQSIdBGVJIGaKZnYxtw=; b=K3RXSKL5gkCnoX8nS9YpyLIuhCMZ+7EIE2J4YNyH+BXrI43V+8QUV1amM4trnwsOxM H4wgZ6kMNBLfdLliyApa/Aqve5nsSUaKlreSBWrzCqibLxVNWIRl9fWKnJY09vACK5Xx wRakUJdsWmRj7ddrEG0pa7m/tgw/7+mFtCBwFjzf9Q3Si+kwGiU5v0U6+F1MkuQJDpt8 Gw8Tu1HN5bUFv8/RpqNL5lKvC9f8Z3tLsokN6sdSEB8qL+hyn8Rw4c0p7PoimhpsLWdm vtXsQL32o4e5tarEvKJ4iiXw1ulfIBF0SlRQXWV5rq7AUPXpvJlU/UfNxQLVMAeQXQel u71Q== X-Gm-Message-State: ALQs6tBJbe2eZjuPqsGOovbpAWNZYO5n3I6jwZ5l+mTEmlbwk65xdquy WGX1XdHlq7mRPrXW1upTMpr20gSKBu1k2cgZCkPj X-Received: by 2002:a19:8e8e:: with SMTP id a14-v6mr2935448lfl.145.1524101255183; Wed, 18 Apr 2018 18:27:35 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a19:a5c3:0:0:0:0:0 with HTTP; Wed, 18 Apr 2018 18:27:34 -0700 (PDT) X-Originating-IP: [108.20.156.165] In-Reply-To: References: From: Paul Moore Date: Wed, 18 Apr 2018 21:27:34 -0400 Message-ID: Subject: Re: [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records To: Richard Guy Briggs Cc: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, ebiederm@xmission.com, luto@kernel.org, jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com, viro@zeniv.linux.org.uk, simo@redhat.com, Eric Paris , serge@hallyn.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Add container ID auxiliary records to configuration change, feature set change > and user generated standalone records. > > Signed-off-by: Richard Guy Briggs > --- > kernel/audit.c | 50 ++++++++++++++++++++++++++++++++++++++++---------- > kernel/auditfilter.c | 5 ++++- > 2 files changed, 44 insertions(+), 11 deletions(-) > > diff --git a/kernel/audit.c b/kernel/audit.c > index b238be5..08662b4 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -400,8 +400,9 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old, > { > struct audit_buffer *ab; > int rc = 0; > + struct audit_context *context = audit_alloc_local(); We should be able to use current->audit_context here right? If we can't for every caller, perhaps we pass an audit_context as an argument and only allocate a local context when the passed audit_context is NULL. Also, if you're not comfortable always using current, just pass the audit_context as you do with audit_log_common_recv_msg(). > - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > if (unlikely(!ab)) > return rc; > audit_log_format(ab, "%s=%u old=%u", function_name, new, old); > @@ -411,6 +412,8 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old, > allow_changes = 0; /* Something weird, deny request */ > audit_log_format(ab, " res=%d", allow_changes); > audit_log_end(ab); > + audit_log_container_info(context, "config", audit_get_containerid(current)); > + audit_free_context(context); > return rc; > } > > @@ -1058,7 +1061,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) > return err; > } > > -static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) > +static void audit_log_common_recv_msg(struct audit_context *context, > + struct audit_buffer **ab, u16 msg_type) > { > uid_t uid = from_kuid(&init_user_ns, current_uid()); > pid_t pid = task_tgid_nr(current); > @@ -1068,7 +1072,7 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) > return; > } > > - *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); > + *ab = audit_log_start(context, GFP_KERNEL, msg_type); > if (unlikely(!*ab)) > return; > audit_log_format(*ab, "pid=%d uid=%u", pid, uid); > @@ -1097,11 +1101,12 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature > u32 old_lock, u32 new_lock, int res) > { > struct audit_buffer *ab; > + struct audit_context *context = audit_alloc_local(); So I know based on the other patch we are currently discussing that we can use current here ... > if (audit_enabled == AUDIT_OFF) > return; > > - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); > + ab = audit_log_start(context, GFP_KERNEL, AUDIT_FEATURE_CHANGE); > if (!ab) > return; > audit_log_task_info(ab, current); > @@ -1109,6 +1114,8 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature > audit_feature_names[which], !!old_feature, !!new_feature, > !!old_lock, !!new_lock, res); > audit_log_end(ab); > + audit_log_container_info(context, "feature", audit_get_containerid(current)); > + audit_free_context(context); > } > > static int audit_set_feature(struct sk_buff *skb) > @@ -1337,13 +1344,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > > err = audit_filter(msg_type, AUDIT_FILTER_USER); > if (err == 1) { /* match or error */ > + struct audit_context *context = audit_alloc_local(); I'm pretty sure we can use current here. > err = 0; > if (msg_type == AUDIT_USER_TTY) { > err = tty_audit_push(); > if (err) > break; > } > - audit_log_common_recv_msg(&ab, msg_type); > + audit_log_common_recv_msg(context, &ab, msg_type); > if (msg_type != AUDIT_USER_TTY) > audit_log_format(ab, " msg='%.*s'", > AUDIT_MESSAGE_TEXT_MAX, > @@ -1359,6 +1368,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > audit_log_n_untrustedstring(ab, data, size); > } > audit_log_end(ab); > + audit_log_container_info(context, "user", > + audit_get_containerid(current)); > + audit_free_context(context); > } > break; > case AUDIT_ADD_RULE: > @@ -1366,9 +1378,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) > return -EINVAL; > if (audit_enabled == AUDIT_LOCKED) { > - audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); > + struct audit_context *context = audit_alloc_local(); Pretty sure current can be used here too. In fact I think everywhere where we are processing commands from netlink we can use current as I believe the entire netlink stack is processed in the context of the caller. > + audit_log_common_recv_msg(context, &ab, AUDIT_CONFIG_CHANGE); > audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled); > audit_log_end(ab); > + audit_log_container_info(context, "config", > + audit_get_containerid(current)); > + audit_free_context(context); > return -EPERM; > } > err = audit_rule_change(msg_type, seq, data, nlmsg_len(nlh)); > @@ -1376,17 +1393,23 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > case AUDIT_LIST_RULES: > err = audit_list_rules_send(skb, seq); > break; > - case AUDIT_TRIM: > + case AUDIT_TRIM: { > + struct audit_context *context = audit_alloc_local(); Same. > audit_trim_trees(); > - audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); > + audit_log_common_recv_msg(context, &ab, AUDIT_CONFIG_CHANGE); > audit_log_format(ab, " op=trim res=1"); > audit_log_end(ab); > + audit_log_container_info(context, "config", > + audit_get_containerid(current)); > + audit_free_context(context); > break; > + } > case AUDIT_MAKE_EQUIV: { > void *bufp = data; > u32 sizes[2]; > size_t msglen = nlmsg_len(nlh); > char *old, *new; > + struct audit_context *context = audit_alloc_local(); Same. > err = -EINVAL; > if (msglen < 2 * sizeof(u32)) > @@ -1408,7 +1431,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > /* OK, here comes... */ > err = audit_tag_tree(old, new); > > - audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); > + audit_log_common_recv_msg(context, &ab, AUDIT_CONFIG_CHANGE); > > audit_log_format(ab, " op=make_equiv old="); > audit_log_untrustedstring(ab, old); > @@ -1418,6 +1441,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > audit_log_end(ab); > kfree(old); > kfree(new); > + audit_log_container_info(context, "config", > + audit_get_containerid(current)); > + audit_free_context(context); > break; > } > case AUDIT_SIGNAL_INFO: > @@ -1459,6 +1485,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > struct audit_tty_status s, old; > struct audit_buffer *ab; > unsigned int t; > + struct audit_context *context = audit_alloc_local(); Same. > memset(&s, 0, sizeof(s)); > /* guard against past and future API changes */ > @@ -1477,12 +1504,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > old.enabled = t & AUDIT_TTY_ENABLE; > old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD); > > - audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); > + audit_log_common_recv_msg(context, &ab, AUDIT_CONFIG_CHANGE); > audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d" > " old-log_passwd=%d new-log_passwd=%d res=%d", > old.enabled, s.enabled, old.log_passwd, > s.log_passwd, !err); > audit_log_end(ab); > + audit_log_container_info(context, "config", > + audit_get_containerid(current)); > + audit_free_context(context); > break; > } > default: > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index c4c8746..5f7f4d6 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -1109,11 +1109,12 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re > struct audit_buffer *ab; > uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); > unsigned int sessionid = audit_get_sessionid(current); > + struct audit_context *context = audit_alloc_local(); > > if (!audit_enabled) > return; Well, first I think we should be able to get rid of the local context, but if for some reason we can't use current->audit_context then do the allocation after the audit_enabled check. > - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > if (!ab) > return; > audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); > @@ -1122,6 +1123,8 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re > audit_log_key(ab, rule->filterkey); > audit_log_format(ab, " list=%d res=%d", rule->listnr, res); > audit_log_end(ab); > + audit_log_container_info(context, "config", audit_get_containerid(current)); > + audit_free_context(context); > } -- paul moore www.paul-moore.com