Received: by 10.192.165.156 with SMTP id m28csp658035imm; Thu, 19 Apr 2018 05:32:12 -0700 (PDT) X-Google-Smtp-Source: AIpwx48/jjfXdrwqKxSalCR73LjrW9fgj7tRKEqBQZzRNVLXnHtzrTFkg5nVeWBpbOgjlwLp20Ok X-Received: by 2002:a17:902:5785:: with SMTP id l5-v6mr5838398pli.379.1524141132002; Thu, 19 Apr 2018 05:32:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524141131; cv=none; d=google.com; s=arc-20160816; b=yFrnGzKMGkWv0sPD3dKwMQkplQzU13LQQZyzoDE2LXyiddexvwLOrv8caAAZqkLzy9 WphjJTOuXGAgm4PIj+L5IGgNBGKgqDSCDZuzkvZGkZoTmapX0LPmsfoWF7z7HJ1ZKYb1 NZGoo1s3TiRDlmNt7/pfjGv1f6UKi5C4sDwuQdWDZjiQo9y7PgNGPTcXIHPuydPye1TJ PDfzZLBZp8K0BRN2C+ytC85oiSm0sxu/6Mdz117e/eqU05wVkO4a3KFEx5RAnQVqREG+ cOTHy0fWSY5iyr5gNDefjrs8zJPLCLnsyMB6pcD+uKegzEB2t5fyoxiTIEWUKUMRoMzY 1k3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=zy/NXmAFTzP5yDpqzAQEgAKYOdq1e18SIoVOcBtv8Jo=; b=nA3O2E4yerRhptxy/71i4JwhrsDIusCFAZLAZM6koMd5ktqTbpwv+Lah9zY7zBMRKZ FXmlJjtHi4StDgZp0DwvU0/YzIIrMMZdWCheiCb10nBntkfK5ckT8rNopj9hA1byWGhR o7q7Q2Jog57+8wmuTvU9tnC0D05VK5sNrbM5nUQttvEnENwaEBZzrdTYQ1yv5fDCkiAX qf8/6Cu/WyThZdwRCJJfaqFnjDnPYjff3NAzqZjSM9z92e4/QJyYBaRjAIlwNc2EeGfU omU+UAV+QeiN5hTJWFFPSS2XogmBPGMMfu3VtAec9OWCUnKJ/tNG4/vj22cfWEXTk6jm 8b0Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m18si2852985pgv.360.2018.04.19.05.31.57; Thu, 19 Apr 2018 05:32:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752766AbeDSMap (ORCPT + 99 others); Thu, 19 Apr 2018 08:30:45 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:52992 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752028AbeDSMan (ORCPT ); Thu, 19 Apr 2018 08:30:43 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 084EBEAEAB; Thu, 19 Apr 2018 12:30:43 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-12.rdu2.redhat.com [10.10.112.12]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6A927202660D; Thu, 19 Apr 2018 12:30:39 +0000 (UTC) Date: Thu, 19 Apr 2018 08:24:45 -0400 From: Richard Guy Briggs To: Paul Moore Cc: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, ebiederm@xmission.com, luto@kernel.org, jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com, viro@zeniv.linux.org.uk, simo@redhat.com, Eric Paris , serge@hallyn.com Subject: Re: [RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark Message-ID: <20180419122445.7dkmk5qh7ak3ona6@madcap2.tricolour.ca> References: <737f914a88d048b9985984c0ce1f946c30ca374c.1521179281.git.rgb@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20171027 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 19 Apr 2018 12:30:43 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 19 Apr 2018 12:30:43 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'rgb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-04-18 20:42, Paul Moore wrote: > On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > > Add container ID auxiliary record to mark, watch and tree rule > > configuration standalone records. > > > > Signed-off-by: Richard Guy Briggs > > --- > > kernel/audit_fsnotify.c | 5 ++++- > > kernel/audit_tree.c | 5 ++++- > > kernel/audit_watch.c | 33 +++++++++++++++++++-------------- > > 3 files changed, 27 insertions(+), 16 deletions(-) > > > > diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c > > index 52f368b..18c110d 100644 > > --- a/kernel/audit_fsnotify.c > > +++ b/kernel/audit_fsnotify.c > > @@ -124,10 +124,11 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c > > { > > struct audit_buffer *ab; > > struct audit_krule *rule = audit_mark->rule; > > + struct audit_context *context = audit_alloc_local(); > > > > if (!audit_enabled) > > return; > > Move the audit_alloc_local() after the audit_enabled check. Already fixed in V3 as previously warned, by making all AUDIT_CONFIG_CHANGE records SYSCALL auxiliary records. > > - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); > > + ab = audit_log_start(context, GFP_NOFS, AUDIT_CONFIG_CHANGE); > > if (unlikely(!ab)) > > return; > > audit_log_format(ab, "auid=%u ses=%u op=%s", > > @@ -138,6 +139,8 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c > > audit_log_key(ab, rule->filterkey); > > audit_log_format(ab, " list=%d res=1", rule->listnr); > > audit_log_end(ab); > > + audit_log_container_info(context, "config", audit_get_containerid(current)); > > + audit_free_context(context); > > } > > > > void audit_remove_mark(struct audit_fsnotify_mark *audit_mark) > > diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c > > index 67e6956..7c085be 100644 > > --- a/kernel/audit_tree.c > > +++ b/kernel/audit_tree.c > > @@ -496,8 +496,9 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) > > static void audit_tree_log_remove_rule(struct audit_krule *rule) > > { > > struct audit_buffer *ab; > > + struct audit_context *context = audit_alloc_local(); > > Sort of independent of the audit container ID work, but shouldn't we > have an audit_enabled check here? Same. > > - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > > + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); > > if (unlikely(!ab)) > > return; > > audit_log_format(ab, "op=remove_rule"); > > @@ -506,6 +507,8 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule) > > audit_log_key(ab, rule->filterkey); > > audit_log_format(ab, " list=%d res=1", rule->listnr); > > audit_log_end(ab); > > + audit_log_container_info(context, "config", audit_get_containerid(current)); > > + audit_free_context(context); > > } > > > > static void kill_rules(struct audit_tree *tree) > > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c > > index 9eb8b35..60d75a2 100644 > > --- a/kernel/audit_watch.c > > +++ b/kernel/audit_watch.c > > @@ -238,20 +238,25 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old) > > > > static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op) > > { > > - if (audit_enabled) { > > - struct audit_buffer *ab; > > - ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); > > - if (unlikely(!ab)) > > - return; > > - audit_log_format(ab, "auid=%u ses=%u op=%s", > > - from_kuid(&init_user_ns, audit_get_loginuid(current)), > > - audit_get_sessionid(current), op); > > - audit_log_format(ab, " path="); > > - audit_log_untrustedstring(ab, w->path); > > - audit_log_key(ab, r->filterkey); > > - audit_log_format(ab, " list=%d res=1", r->listnr); > > - audit_log_end(ab); > > - } > > + struct audit_buffer *ab; > > + struct audit_context *context = audit_alloc_local(); > > + > > + if (!audit_enabled) > > + return; > > Same as above, do the allocation after the audit_enabled check. Same. > > + ab = audit_log_start(context, GFP_NOFS, AUDIT_CONFIG_CHANGE); > > + if (unlikely(!ab)) > > + return; > > + audit_log_format(ab, "auid=%u ses=%u op=%s", > > + from_kuid(&init_user_ns, audit_get_loginuid(current)), > > + audit_get_sessionid(current), op); > > + audit_log_format(ab, " path="); > > + audit_log_untrustedstring(ab, w->path); > > + audit_log_key(ab, r->filterkey); > > + audit_log_format(ab, " list=%d res=1", r->listnr); > > + audit_log_end(ab); > > + audit_log_container_info(context, "config", audit_get_containerid(current)); > > + audit_free_context(context); > > } > > -- > paul moore > www.paul-moore.com - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635